Differences between packers and archiving utilities

Differences between packers (protectors, encryption tools) and archiving utilities.

There are a large number of utilities on the Internet that compress, encrypt and protect various files. Naturally, these programs were developed for good reason, but unfortunately, they are also successfully used by virus writers to hide malicious code from analysis and detection.

Below we discuss the following program types:

  1. Archiving utilities (archivers).
  2. Compression utilities (packers).
  3. Protectors and encryption tools.

Archivers

This is the most commonly used type of utility, covering formats such as ZIP, RAR and CAB. A special program (an archiver) has to be installed on the computer to archive and extract files. Before a file inside an archive can be accessed (read, executed, etc.), the archiver first has to unpack it and save it to a temporary folder on the hard drive.

In this case, a real-time antivirus scanner will protect the computer from infection even if it is unable to scan (and disinfect) archives, since it will scan the file when the archiving utility saves it to the temporary folder.

Even self-extracting archives, which do not require an installed archiving utility to extract the files, always unpack the files to a temporary folder on the hard drive.

Packers

Packing tools are not as commonly used by average users. Representatives of this group include UPX, ASPack, etc. These programs work only with certain file types, mostly executable files and DLLs. As with archivers, a program installed on the computer is needed to pack a file. However, no special program is needed to run a packed executable file.

Figure 1: The packing process

Moreover, unlike extracting files from an archive, unpacking and executing a packed file is performed without writing anything to the hard drive.

The upshot of this is that, if an antivirus program does not recognize a packer's format, the real-time scanner is useless against it: the malicious code is loaded into RAM in its compressed form, then unpacked and executed in RAM without ever touching the hard drive, so the antivirus program never raises an alert.
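Because a packed body never lands on disk in its unpacked form, a scanner that does not recognize the packer has to fall back on what the packed file itself reveals. The following added example (not part of the original article) shows two such defender-side heuristics over a PE section table: packer-specific section names and high Shannon entropy, which compressed or encrypted data exhibits. The section table and the packer name list are constructed for illustration; a real scanner would read them from the PE headers.

```python
import math
import random
from collections import Counter

# Section names that common packers write into the PE section table.
# Constructed list for illustration; extend it from your own sample corpus.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata"}

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: near 0 for repetitive data, near 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def assess_sections(sections, threshold=7.0):
    """sections: list of (name, raw_bytes_on_disk, virtual_size_in_memory).
    Returns (likely_packed, reasons). Three indicators are checked per section:
    a known packer section name, a high-entropy body (compressed/encrypted code),
    and a section that is empty on disk but reserves memory (room for the unpacked code)."""
    reasons = []
    for name, raw, vsize in sections:
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"{name}: known packer section name")
        ent = shannon_entropy(raw)
        if raw and ent >= threshold:
            reasons.append(f"{name}: entropy {ent:.2f} >= {threshold}")
        if not raw and vsize > 0:
            reasons.append(f"{name}: empty on disk, {vsize:#x} bytes reserved in memory")
    return bool(reasons), reasons

def sample_sections():
    """Constructed stand-ins for two section tables: an unpacked binary and a UPX-style layout."""
    rng = random.Random(1)
    plain = b"mov eax, ebx; ret; " * 200                      # repetitive, low entropy
    packed = bytes(rng.getrandbits(8) for _ in range(4096))   # stand-in for compressed data
    return {
        "unpacked": [(".text", plain, len(plain)), (".data", b"\x00" * 512, 512)],
        "packed": [("UPX0", b"", 0x20000), ("UPX1", packed, len(packed)), (".rsrc", b"\x00" * 512, 512)],
    }

if __name__ == "__main__":
    for label, secs in sample_sections().items():
        verdict, why = assess_sections(secs)
        print(label, "-> likely packed" if verdict else "-> no packer indicators", why)
```

Entropy alone is not proof of packing (legitimate installers and media-heavy binaries also score high), so in practice it is combined with the other indicators and with emulation or memory scanning of the running process.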

Protectors and encryption tools

These programs are often used by software developers to protect their software. They are similar to packers, but they encrypt programs in addition to compressing them. The loader of an encryption tool (see Figure 1) also employs a large number of other techniques to protect the program from tampering and to hinder analysis of its code.