Standards and policies on packer use
Samir Mody Sophos
Igor Muttik McAfee
Peter Ferrie Microsoft
Packers, whether third-party or bespoke, are still widely used by malware authors in an attempt to evade detection.
Conficker, FakeAV, Bredolab and TDSS are but a few examples of malware which make extensive use of packing technology.
The wide variety of packers used for both legitimate and malicious purposes poses a challenge for the anti-virus industry.
The anti-virus community has decided, within the framework of the Malware Working Group within the Industry Connections
Working Group, to address the issue of packers with a common voice.
One of the fruits of the collaborative sessions involving representatives from across the anti-virus industry is a
document describing various packer properties and standards for their use. This document is meant to provide a yardstick
for the formulation of policy on how to treat different packers and a potential set of best practice guidelines for packer
It is hoped that the guidelines can be used to improve end-user security through the concerted efforts of the anti-virus
industry when dealing with packers, and via cooperation and information exchange with packer vendors. Thus, it is
expected to facilitate a more robust approach to the generic static flagging of suspicious packed files for the benefit of
all (apart from the malware authors, of course).