The hackpacker guide: an in-depth look into custom run-time packers
Xu Yang, Fortinet
Today's threat landscape is characterized by the sheer prevalence of 'packed' malware: nearly 60% of malware in the wild
at the time of writing is encrypted by run-time packers, commercial and 'underground' (aka 'custom') ones alike. The goal
of malware authors who resort to run-time packers is obvious: hindering AV protection by
concealing the functionality of their creations under an efficient, malware-independent, and relatively affordable veil
of obfuscation layers. While the prevalence of custom run-time packers in malware today is 'only' equivalent to the
prevalence of commercial (and/or common) ones, the share of the former has increased significantly over the past two
years; moreover, 'high-impact' threats have almost systematically relied on custom run-time packers: Stration in
its time, the Storm worm, the infamous 'OnlineGames' family of password stealers, Waledac, Conficker, etc. The list is
non-exhaustive, and of course does not include those that might be wandering in the wild right now, unknown and uncaught.
This raises numerous questions: where do custom packers originate from, and how many of them are out there? For
malware authors, what are the 'pros' of custom packers over commercial ones? What are their key features, and do they
exhibit common behaviours? This paper will attempt to shed light on these questions, before presenting leads for
addressing the issue of custom packers in malware.