Differences between packers (protectors, encryption tools) and archiving utilities.
There are a large number of utilities on the Internet that compress, encrypt and protect various files. Naturally, these programs were developed for good reason, but unfortunately, they are also successfully used by virus writers to hide malicious code from analysis and detection.
Below we discuss the following program types:
Archivers
This is the most commonly used type of utility; examples include ZIP, RAR, CAB, etc. A special program (an archiver) must be installed on the computer to archive and extract files. Before a file in an archive can be accessed (read, executed, etc.), the archiver must first unpack it and save it to a temporary folder on the hard drive.
In this case, a real-time antivirus scanner will protect the computer from infection even if it is unable to scan (and disinfect) archives, since it will scan the file when the archiving utility saves it to the temporary folder.
Even self-extracting archives, which do not require an installed archiving utility to extract the files, always unpack files to a temporary folder on the hard drive.
Packers
Packing tools are not as commonly used by average users. Representatives of this group include UPX, ASPack, etc. These programs work only with certain file types, mostly executable files and DLLs. As with archivers, a program must be installed on the computer to pack a file; however, no special program is needed to run a packed executable file.
Figure 1: The packing process
Moreover, unpacking and executing the file take place without accessing the hard drive, unlike extracting files from an archive.
The upshot of this is that, if an antivirus program does not recognize a packer's format, the protection (real-time scanner) will be useless, because the malicious code will be loaded into RAM in its compressed form, then unpacked and executed in RAM without ever touching the hard drive. The antivirus program will raise no alert.
Protection / encryption tools
These programs are often used by software developers to protect their software. They are similar to packers, but they encrypt programs in addition to compressing them. The loader of an encryption tool (see Figure 1) also uses many other methods to protect the program from being cracked and its code from being analyzed.
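Because a packed or encrypted executable reaches the disk only in its compressed form (the packers and protectors sections above), a scanner that cannot unpack it still has static clues: the section names the packer leaves in the PE header and the high entropy of compressed or encrypted section bodies. The following is an added example, not code from the original article; it assumes a minimal PE layout (DOS header, COFF header, section table), a section-name list taken from UPX's and ASPack's documented defaults, a 7.0 bits/byte entropy threshold, and constructed header-only test files.

```python
import hashlib
import math
import struct
from collections import Counter

KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata"}  # defaults left by UPX / ASPack

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for padding, near 8 for compressed or encrypted data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(data: bytes):
    """Minimal PE section-table walk: yields (name, raw bytes) for each section."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew in the DOS header
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)  # COFF header
    table = pe_off + 24 + opt_size  # section table follows the optional header
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), data[raw_ptr:raw_ptr + raw_size]

def packer_indicators(data: bytes, threshold: float = 7.0) -> list:
    """Reasons a PE looks packed: a known packer section name, or a sizeable high-entropy section."""
    reasons = []
    for name, raw in pe_sections(data):
        if name in KNOWN_PACKER_SECTIONS:
            reasons.append(f"section {name!r} is a known packer section name")
        if len(raw) >= 256 and shannon_entropy(raw) >= threshold:
            reasons.append(f"section {name!r} has entropy {shannon_entropy(raw):.2f} (>= {threshold})")
    return reasons

def build_test_pe(sections) -> bytes:
    """Constructed, header-only PE (not executable) so the checks can run offline."""
    pe_off, opt_size = 0x40, 0
    out = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off))
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    raw_ptr, bodies = pe_off + 24 + opt_size + 40 * len(sections), b""
    for name, body in sections:
        out += struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000, len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies, raw_ptr = bodies + body, raw_ptr + len(body)
    return bytes(out) + bodies

SAMPLE_PACKED_BODY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # constructed high-entropy bytes

def demo():  # plain .text section versus a UPX-style layout (empty UPX0, high-entropy UPX1)
    clean = build_test_pe([(b".text", b"\x90" * 1024)])
    packed = build_test_pe([(b"UPX0", b""), (b"UPX1", SAMPLE_PACKED_BODY)])
    return packer_indicators(clean), packer_indicators(packed)
```

Neither clue is proof on its own: a custom or renamed packer defeats the name list, and legitimately compressed resources also score high, so in practice such indicators feed a sandbox or emulator that watches the in-memory unpacking the article describes.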