Security: What businesses need to understand about 'packing'

This is a contributed piece by Dr. Giovanni Vigna, Founder and CTO of Lastline


Executable compression, aka “packing,” is a means of compressing an executable file and combining the compressed data with decompression code into a single executable.

Throughout the years anti-malware vendors have educated their users about polymorphic malware that repackages itself every time it gets distributed to a victim, so that anti-malware solutions become useless. For this reason, unpacking emulators were introduced by anti-virus vendors. These emulators perform the initial operations required to unpack the actual program code and then perform their static analysis of the unpacked code.

Cybercriminals soon took notice of packing emulators and started introducing anti-emulator mechanisms. These approaches made it necessary to use of full-blown sandboxes for the analysis: only by running the actual program in a realistic environment was it possible to extract the actual behavior of the code. So, cyber-criminals promptly started introducing anti-sandbox mechanisms into their packers.

The use of increasingly sophisticated anti-analysis techniques in packers suggests a logical question: why not detect malware by detecting packers? One could decide to simply block executables that appear to be packed, forcing the malware writers to resort to more subtle (and expensive) mechanisms to avoid detection.

However, a substantial portion of benign software is packed as well. In a recent test, we found that 37 percent of malware had some form of packing and six percent of benign software used packing. This shows that rejecting a program just because it’s packed is not an effective malware defense strategy. However, there are some ways that security teams can use packing behavior to detect malware.

Digital signatures –An invalid or missing signature combined with unpacking behavior seems promising given that 97 percent of malicious samples shared this characteristic. However, many benign samples (40 percent) did this too. Therefore, using this as the only signal would result in a large amount of false positives.

How executables are packed – Many packers (usually ad hoc programs) use a number of techniques to prevent reverse engineering. For example, they use multiple levels of packing – that is, the unpacked executable is actually another packed program – or they employ sophisticated anti-debugging techniques.

Compressing packers and Encrypting packers – Compressing packers try to reduce the size of the original program using compression techniques. As a result, the compressed data can still retain some of the statistical properties of the original program. Encrypting packers, instead, perform full encryption of the program, and consequently, the encrypted data tends to be more “random” (more formally, it has a higher entropy).


You’ll notice that all of these techniques also are used by developers of benign applications on a regular basis. While information about packing is not a suitable approach for effective malware detection, a critical question remains: Is the industry nevertheless using packing as a signal?

A study conducted in 2013 by researchers at the University of California in Santa Barbara took almost 8,000 system files from various versions of the Windows operating system and uploaded them to VirusTotal, obtaining an unsurprising “all OK” from all of the anti-malware tools.

Then, we encrypted the same files using four packers (UPX, Upack, NsPack, and BEP), resulting in 16,000 verified samples (some of the packed files did not appear to be functional and had to be eliminated from the data set). These samples were then submitted to VirusTotal again, and the results, this time, were surprising: while the samples packed with UPX were not flagged as malicious, 96.7% of the samples packed with the remaining three packers were labeled as malicious by more than 10 anti-virus products.

The results clearly show that many anti-virus tools use the identification of packing behavior as a signal for classification as malware.

In order to verify the state of art today, we reproduced, on a smaller scale, the 2013 experiment. We took 10 benign samples and we packed them with Obsidium, a commercial packer tool, and then we submitted the samples to VirusTotal.

First of all, an important disclaimer: the engines on VirusTotal are not configured in the most effective way, and, therefore, the results must be taken with a grain of salt. For this reason, we do not single out any specific vendor, and instead we show only the aggregate results.

Our findings were that packing is still used as a signal, as many vendors, including top players in the AV industry, identified benign programs as malicious only because they were packed. Of the 64 AV tools used, an average of 25 percent identified each benign sample as malicious.



# of AV tools that

analysed the sample

# of AV tools that categorised the sample as malicious

Benign Sample 1



Benign Sample 2



Benign Sample 3



Benign Sample 4



Benign Sample 5



Benign Sample 6



Benign Sample 7



Benign Sample 8



Benign Sample 9



Benign Sample 10




The lesson learned is that packers are not a reliable way to determine the nature of an executable. Instead, it is necessary to run the sample, trigger the unpacking, observe how the unpacking is performed, and combine this information with the actual behavior of the program.

Of course, this requires more resource than a simple static analysis, but, nowadays, it’s either that or inundating security teams with false positives.


« Five blockchain uses that create networks & reinvent economies


News Roundup: Are we about to start mining the ocean for raw smartphone materials? »
IDG Connect

IDG Connect tackles the tech stories that matter to you

  • Mail


Do you think your smartphone is making you a workaholic?