Packer
System used to compress and encrypt software
Packers are wrappers put around pieces of software to compress and/or encrypt their contents. Legitimate software uses them to minimise download times and storage space or to protect copyrighted code, but they are commonly used in malware to disguise the contents of malicious files from malware scanners.
Runtime packers unpack (i.e. decrypt or decompress) executable files as they run: the first stage is the unwrapping process, after which the unpacked file is loaded into memory and run. A file can be packed numerous times with slight changes to the packing method, or with small and insignificant changes to the file inside, so that two packed files with identical contents look entirely different from one another. A great deal of malware is regularly repacked in this way to try to beat detection, a technique known as server-side polymorphism. Anti-malware software can get around this by unpacking some packers as part of the scanning process; some software even alerts on any file packed with certain types of packer which are commonly used in malware but rare in legitimate software.
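The following is an added illustration, not code from the original glossary entry: a toy packer (zlib compression followed by a repeating XOR key) applied to a constructed text payload. It shows why repacking defeats hash- and signature-based matching on the raw file, and two counters a scanner can use: unpacking before matching, and an entropy heuristic that flags compressed or encrypted content. The blob layout, the 7.0-bit entropy threshold and the marker string are assumptions made for the example.

```python
import hashlib
import math
import random
import zlib

# Constructed stand-in for a program image: pseudo-assembly text with a fixed seed,
# plus a marker string a hypothetical scanner has a signature for. Not a real binary.
SIGNATURE = b"scanner-visible marker string"
_rng = random.Random(7)
_WORDS = ["load", "store", "call", "ret", "mov", "push", "pop", "jmp",
          "cmp", "xor", "add", "sub", "lea", "test", "nop"]
PAYLOAD = (" ".join(_rng.choice(_WORDS) for _ in range(3000)) + "\n").encode() + SIGNATURE


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Compressed or encrypted data approaches 8.0; plain text sits far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pack(payload: bytes, key: bytes) -> bytes:
    """Toy packer: compress, then XOR with a repeating key.
    Assumed layout: 1-byte key length, key, transformed body."""
    compressed = zlib.compress(payload)
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(compressed))
    return bytes([len(key)]) + key + body


def unpack(blob: bytes) -> bytes:
    """Mirror of pack(): the unwrapping step a runtime stub performs before the real
    code runs, and which a scanner can reproduce to look at the original contents."""
    klen = blob[0]
    key, body = blob[1:1 + klen], blob[1 + klen:]
    compressed = bytes(b ^ key[i % len(key)] for i, b in enumerate(body))
    return zlib.decompress(compressed)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(blob: bytes, signature: bytes = SIGNATURE) -> dict:
    """Scanner view of one file: naive signature match on the raw bytes, the same match
    after unpacking, and an entropy heuristic (threshold is an assumption)."""
    entropy = shannon_entropy(blob)
    return {
        "raw_match": signature in blob,
        "unpacked_match": signature in unpack(blob),
        "raw_entropy": entropy,
        "looks_packed": entropy > 7.0,
    }


def demo() -> dict:
    """Pack the same payload twice with different keys, as server-side repacking does."""
    a = pack(PAYLOAD, b"key-one")
    b = pack(PAYLOAD, b"key-two")
    return {
        "hashes_differ": sha256(a) != sha256(b),      # file-level hashes no longer match
        "same_payload": unpack(a) == unpack(b) == PAYLOAD,  # but the contents are identical
        "scan_a": scan(a),
    }


if __name__ == "__main__":
    result = demo()
    print("hashes differ:", result["hashes_differ"])
    print("same payload after unpacking:", result["same_payload"])
    print("payload entropy: %.2f" % shannon_entropy(PAYLOAD))
    for k, v in result["scan_a"].items():
        print("%s: %s" % (k, v))
```

The scan dictionary makes the glossary's point concrete: the raw bytes of each repacked copy carry a different hash and no recognisable signature, while unpacking first restores the match, and the entropy of the packed body stands well above that of the plain payload, which is why some scanners treat a high-entropy file wrapped by a known packer stub as suspicious on its own.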
Related news articles
Anti-malware insights pooled at AMTSO, CARO and EICAR meetings.
07 May 2008