[MART] - Daily Diary #442 - Trojan Techniques - Packers

CTAS-MAT ctas-mat at appgate.com
Mon Jan 31 22:38:28 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

31/01/2021 - Diary entry #442

Following the thread started in our Daily Diary #420, today we will cover a type of tool heavily used by malware in the wild: Packers.

Packers are legitimate tools used, among other things, to protect and compress binary code. Packers like UPX allow developers to make an application smaller: when run on a pre-compiled binary, the packer compresses the binary's code and changes the program's execution flow, adding a stub that decompresses and executes the original binary in memory. Some packers, like Themida and VMProtect, also translate the binary's opcodes to run on a virtual processor. This makes the program harder to reverse engineer and is used in the industry to protect intellectual property.

In the cybersecurity world, packers are used to hide malicious code from analysts and static analysis tools. If the binary code is compressed, it is almost impossible to identify the malicious behavior without unpacking it. Packers with virtualization capabilities also pose a great challenge during dynamic analysis, since, if used correctly, they can make debugging much harder.

Lots of malware nowadays also implements custom packers, hiding the malicious code with encryption algorithms until it is time to execute it. For that reason, the ability to identify and reverse engineer packers is a must in modern malware analysis.

Kind Regards,




Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
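A first triage step that follows from the entry above: a packed or encrypted section looks statistically different from ordinary compiled code, so per-section Shannon entropy (plus the section names some packers leave behind, such as UPX0/UPX1) is a cheap way to decide whether a sample needs unpacking before static analysis. The script below is an added example and is not code from the diary entry or from Appgate; it walks the PE section table by hand so it runs offline without pefile, and the two sample images, the 7.2 bits/byte threshold and the packer-name list are all constructed assumptions for illustration. The "packed" sample stands in for a custom packer that XORs its payload with a keystream.

```python
"""Entropy-based packer triage for PE images (added example, not from the original post)."""
import math
import random
import struct
from collections import Counter

# Assumed triage threshold in bits per byte: ordinary compiled code usually
# measures around 5 to 6.5, while compressed or encrypted payloads approach 8.
ENTROPY_THRESHOLD = 7.2

# Section names left behind by some well-known packers (illustrative, non-exhaustive).
KNOWN_PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".themida", b".vmp0", b".vmp1"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes):
    """Walk the DOS header, PE signature and COFF header, then return [(name, raw_bytes)]."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                           # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + i * 40)
        sections.append((name.rstrip(b"\0"), image[raw_ptr:raw_ptr + raw_size]))
    return sections


def triage(image: bytes):
    """Per-section entropy plus the two packer indicators used here."""
    report = []
    for name, raw in parse_sections(image):
        ent = shannon_entropy(raw)
        report.append({
            "name": name.decode("latin-1"),
            "entropy": round(ent, 2),
            "high_entropy": ent >= ENTROPY_THRESHOLD,
            "known_packer_name": name in KNOWN_PACKER_SECTIONS,
        })
    return report


def looks_packed(image: bytes) -> bool:
    """True if any section is high-entropy or carries a known packer section name."""
    return any(s["high_entropy"] or s["known_packer_name"] for s in triage(image))


# --- Constructed sample data: minimal PE images for parsing only, not runnable binaries ---

def build_pe(sections):
    """Assemble DOS header, PE signature, COFF header, section table and raw data.
    The optional header is omitted (SizeOfOptionalHeader = 0), which is enough for
    parse_sections() but would never load; this is triage test data only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    header_len = 64 + 4 + 20 + 40 * len(sections)
    raw_ptr = (header_len + 0x1FF) & ~0x1FF                # file-align raw data to 0x200
    table, body, vaddr = b"", b"", 0x1000
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), vaddr,
                             len(data), raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
        vaddr += (len(data) + 0xFFF) & ~0xFFF
    image = bytes(dos) + b"PE\0\0" + coff + table
    return image + b"\0" * (raw_ptr - len(image)) + body


# Repetitive x86-style prologue/epilogue bytes standing in for ordinary code (3400 bytes).
_CODE = bytes.fromhex("558bec83ec405356578b45085f5e5bc9c3") * 200
_STRINGS = b"Hello from the unpacked program\0%s\0config.ini\0" * 50
# "Custom packer" payload: the same code XORed with a seeded pseudo-random keystream.
_rng = random.Random(1234)
_KEYSTREAM = bytes(_rng.getrandbits(8) for _ in range(4096))
_ENCRYPTED = bytes(b ^ k for b, k in zip(_CODE * 2, _KEYSTREAM))

SAMPLE_CLEAN = build_pe([(b".text", _CODE), (b".data", _STRINGS)])
SAMPLE_PACKED = build_pe([(b".text", _CODE[:512]), (b"UPX1", _ENCRYPTED)])

if __name__ == "__main__":
    for label, img in (("clean", SAMPLE_CLEAN), ("packed", SAMPLE_PACKED)):
        print(label, "->", "packed" if looks_packed(img) else "unpacked", triage(img))
```

The entropy check is a triage signal, not a verdict: legitimately compressed resources (embedded images, installers, .NET resource blobs) also score near 8 bits/byte, and a packer that leaves a small decryption stub in a low-entropy .text section is exactly the pattern the packed sample reproduces, so the decision is made per section rather than over the whole file.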
