Packers
WIP, sum up this resource and credit it: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/basic-packers-easy-as-pie/
Packed Malware
Packers are software tools used to compress PE files, thus reducing their size. As an added bonus, the compression impedes static analysis efforts: the original code and strings are no longer visible on disk.
When it comes to malware, merely compressing a PE file won't do you much good; try and run it and the computer will just scream at you, since the compressed bytes are not a valid executable.
Packers therefore wrap the compressed data inside an actually working PE file, and at runtime that file decompresses the original into memory and executes it. The packed binary is recognizable because it carries a "decompression stub", a small piece of code whose only role is to unpack everything at runtime.
In the sample below, we infer from the following indicators that it is packed malware:
The "UPX0" and "UPX1" image section headers and sections, characteristic of the UPX packing tool
A "Size of Raw Data" header value of zero for a section that nonetheless has a non-zero virtual size (the section exists only in memory, after the stub has unpacked into it)
The minuscule, bare-bones import table (the stub imports only what it needs to load libraries and resolve functions itself).
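The three indicators above can be checked mechanically from the PE headers alone. The script below is an added example, not code from the original page or from the Trustwave post it references: it parses the DOS header, COFF header, PE32/PE32+ data directories and section table with nothing but the standard library, then reports UPX-named sections, sections with SizeOfRawData of 0 but a non-zero VirtualSize, and an import directory too small to hold more than one IMAGE_IMPORT_DESCRIPTOR plus its null terminator. The two samples it runs on are constructed header-only images (no code, not real malware), and the "at most one imported DLL" threshold is an assumption of this example, not a rule from the page.

```python
import struct

# Layout constants from the PE/COFF specification
DOS_HEADER_SIZE = 64
E_LFANEW_OFFSET = 0x3C
COFF_HEADER_FMT = "<HHIIIHH"      # Machine .. Characteristics (20 bytes)
SECTION_FMT = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER (40 bytes)
PE32_DATA_DIR_OFFSET = 96         # data directories start here in a PE32 optional header
PE32PLUS_DATA_DIR_OFFSET = 112    # ... and here in a PE32+ optional header
IMPORT_DIR_INDEX = 1              # IMAGE_DIRECTORY_ENTRY_IMPORT
IMPORT_DESCRIPTOR_SIZE = 20       # sizeof(IMAGE_IMPORT_DESCRIPTOR)

# Section names written by the UPX packer (extend for other packers as needed)
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
# Assumption of this example: an import directory with room for <= 1 DLL is "tiny"
MAX_DLLS_FOR_TINY_IMPORTS = 1


def build_sample_pe(sections, import_dir_size):
    """Build a constructed, header-only PE32 image for testing (no real code inside)."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, DOS_HEADER_SIZE)   # PE header right after DOS header
    opt = bytearray(224)                                             # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<II", opt, PE32_DATA_DIR_OFFSET + 8 * IMPORT_DIR_INDEX, 0x1000, import_dir_size)
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, va, rawsize, 0, 0, 0, 0, 0, chars)
        for name, vsize, va, rawsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Return the section table and the import directory size of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    pe_off = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff_off = pe_off + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_HEADER_FMT)
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dir_off = opt_off + (PE32_DATA_DIR_OFFSET if magic == 0x10B else PE32PLUS_DATA_DIR_OFFSET)
    _, import_size = struct.unpack_from("<II", data, dir_off + 8 * IMPORT_DIR_INDEX)
    sections = []
    sec_off = opt_off + opt_size                # section table follows the optional header
    for i in range(nsections):
        f = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0"), "virtual_size": f[1], "raw_size": f[3]})
    return {"sections": sections, "import_dir_size": import_size}


def packing_indicators(data):
    """Return a list of human-readable packing indicators found in the headers."""
    pe = parse_pe(data)
    hits = []
    for s in pe["sections"]:
        name = s["name"].decode("latin-1")
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append(f"section {name}: name used by the UPX packer")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hits.append(f"section {name}: SizeOfRawData is 0 but VirtualSize is "
                        f"{s['virtual_size']:#x} (filled in at runtime by the stub)")
    # The last descriptor in the import directory is an all-zero terminator
    room_for_dlls = max(pe["import_dir_size"] // IMPORT_DESCRIPTOR_SIZE - 1, 0)
    if room_for_dlls <= MAX_DLLS_FOR_TINY_IMPORTS:
        hits.append(f"import directory is {pe['import_dir_size']} bytes: "
                    f"room for at most {room_for_dlls} imported DLL(s)")
    return hits


# Constructed samples: synthetic headers only, not real binaries
PACKED_SAMPLE = build_sample_pe(
    [(b"UPX0", 0x1A000, 0x1000, 0, 0xE0000080),       # virtual-only, RWX
     (b"UPX1", 0x9000, 0x1B000, 0x8400, 0xE0000040),  # compressed data + stub
     (b".rsrc", 0x1000, 0x24000, 0x600, 0xC0000040)],
    import_dir_size=2 * IMPORT_DESCRIPTOR_SIZE)        # one DLL + terminator
UNPACKED_SAMPLE = build_sample_pe(
    [(b".text", 0x8000, 0x1000, 0x8000, 0x60000020),
     (b".rdata", 0x2000, 0x9000, 0x2000, 0x40000040),
     (b".data", 0x1000, 0xB000, 0x400, 0xC0000040)],
    import_dir_size=7 * IMPORT_DESCRIPTOR_SIZE)        # six DLLs + terminator

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        hits = packing_indicators(blob)
        print(f"{label}: {len(hits)} indicator(s)")
        for h in hits:
            print("  -", h)
```

To run it against a real file, replace the constructed sample with `open(path, "rb").read()`. Note that none of these checks is proof on its own: legitimate installers and some compilers also produce virtual-only sections, and a renamed section defeats the name check, which is why the script reports every indicator instead of a single verdict.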