Standards and policies on packer use

Samir Mody Sophos
Igor Muttik McAfee
Peter Ferrie Microsoft

  download slides (PDF)

Packers, whether third-party or bespoke, are still widely used by malware authors in an attempt to evade detection. Conficker, FakeAV, Bredolab and TDSS are but a few examples of malware which make extensive use of packing technology.

The wide variety of packers used for both legitimate and malicious purposes pose a challenge for the anti-virus industry. The anti-virus community has decided, within the framework of the Malware Working Group within the Industry Connections Working Group, to address the issue of packers with a common voice.

One of the fruits of the collaborative sessions involving representatives from across the anti-virus industry is a document describing various packer properties and standards for their use. This document is meant to provide a yardstick for the formulation of policy on how to treat different packers and a potential set of best practice guidelines for packer vendors.

It is hoped that the guidelines can be used to improve end-user security through the concerted efforts of the anti-virus industry when dealing with packers, and via cooperation and information exchange with packer vendors. Thus, it is expected to facilitate a more robust approach to the generic static flagging of suspicious packed files for the benefit of all (apart from the malware authors, of course).