The hackpacker guide: an in-depth look into custom run-time packers

Xu Yang, Fortinet

Today's threat landscape is characterized by the sheer prevalence of 'packed' malware: at the time of writing, nearly 60% of malware in the wild is encrypted by run-time packers, commercial and 'underground' (aka 'custom') ones alike. The goal of malware authors who resort to run-time packers is obvious: hindering AV protection by concealing the functionality of their critters under an efficient, malware-independent and relatively affordable veil of obfuscation layers. While the prevalence of custom run-time packers in today's malware is 'only' equivalent to that of commercial (and/or common) ones, the share of the former has grown significantly over the past two years; moreover, the 'high-impact' threats have almost systematically resorted to custom run-time packers: Stration in its time, the Storm worm, the infamous 'OnlineGames' family of password stealers, Waledac, Conficker, etc. The list is non-exhaustive, and of course does not include those that may be wandering in the wild right now, unknown and uncaught.

This raises numerous questions: where do the custom packers originate from, and how many of them are out there? For malware authors, what are the 'pros' of custom packers over commercial ones? What are their key features, and do they exhibit common behaviours? This paper attempts to shed light on these questions, before suggesting approaches to address the issue of custom packers in malware.
