Differences between packers and archiving utilities
Differences between packers (protectors, encryption tools) and archiving utilities.
There are a large number of utilities on the Internet that compress, encrypt and protect various files. Naturally, these programs were developed for good reason, but unfortunately, they are also successfully used by virus writers to hide malicious code from analysis and detection.
Below we discuss the following program types:
- Archiving utilities (archivers).
- Compression utilities (packers).
- Protectors and encrypters.
Archivers
This is the most commonly used type of utility, which includes ZIP, RAR, CAB, etc. A special program (archiver) needs to be installed on the computer to make it possible to archive and extract files. For a file in an archive to be accessed (read, executed, etc.), it needs, first, to be unpacked by the archiver and saved to a temporary folder on the hard drive.
In this case, a real-time antivirus scanner will protect the computer from infection even if it is unable to scan (and disinfect) archives, since it will scan the file when the archiving utility saves it to the temporary folder.
Even self-extracting archives, which do not require an installed archiving utility to extract the files, always unpacks files to a temporary folder on the hard drive.
Packers
Packing tools are not as commonly used by average users. Representatives of this group include UPX, ASPack, etc. These programs work only with certain types of file, mostly, executable files and DLLs. As with archivers, it takes a program installed on the computer to pack a file. However, a special program is not needed for running a packed executable file.
Figure 1: The packing process
Moreover, unpacking and the execution of the file is performed without accessing the hard drive, unlike extracting files from an archive.
The upshot of this is that, if an antivirus program does not recognize a packer’s format, the protection (real-time scanner) will be useless, because malicious code will be loaded into RAM in its compressed form, then unpacked and executed in RAM without accessing the hard drive. There will be no alert from the antivirus program.
Protection / Encryptions tool
These programs are often used by software developers to protect software. They are similar to packers, but they encrypt programs in addition to compressing them. The loader of an encryption tool (see Figure 1) also uses a large number of other methods to protect the program from being hacked and its code from being analyzed.
Search
User login
Poll
Recent blog posts
- Russian antivirus market continues to grow
- VoIP hackers strike Perth business
- Will EDoS be the next DDoS?
- Why you should not use ‘OR 1=1’ when testing for SQL injection
- 12 security suites tested and 12 security suites fail
- I lost my login, and we are starting a new company too
- Turbo-charged wireless hacks threaten networks
- Russia’s antivirus market doubles in size
- Eset vs. Anti-Malware.ru
- Regarding rumors about my affiliation with antivirus vendors
Strategic partners
Recent comments
49 weeks 1 day ago
2 years 1 week ago
2 years 2 weeks ago
2 years 5 weeks ago
2 years 15 weeks ago
2 years 19 weeks ago
2 years 19 weeks ago
2 years 19 weeks ago
2 years 34 weeks ago
2 years 45 weeks ago