Revealing Packed Malware
September/October 2008 (vol. 6 no. 5)
pp. 65-69
Wei Yan, Trend Micro
Zheng Zhang, McAfee
Nirwan Ansari, New Jersey Institute of Technology
In concert with the ever-growing number of network applications, a significant increase in the spread of malware over the Internet has been observed. In cases where the malware is a zero-day threat, generating signatures for detection by anti-virus (AV) scan engines becomes an important reactive security function. However, modern malware can easily bypass AV scanners using packers, which hide malicious file contents from detection. This article describes how packers work and the three most commonly used unpacking methods. The authors describe the logic flow and behavior of Upack, a popular packer, as an example of a software packer.


Index Terms:
malware, packer, anti-virus, basic training
Citation:
Wei Yan, Zheng Zhang, Nirwan Ansari, "Revealing Packed Malware," IEEE Security & Privacy, vol. 6, no. 5, pp. 65-69, Sept.-Oct. 2008, doi:10.1109/MSP.2008.126