Standards and Policies on Packer Use

Packers, whether third-party or bespoke, are still widely used by malware authors in an attempt to evade detection. Conficker, FakeAV, Bredolab and TDSS are but a few examples of malware which make extensive use of packers. The wide variety of packers used for both legitimate and malicious purposes pose a challenge for the anti-virus industry. The anti-virus community has decided, within the framework of the Malware Working Group (MWG) within the Industry Connections Security Group (IEEE ICSG http://standards.ieee.org/prod-serv/indconn/icsg), to address the issue of packers with a common voice.

In addition, the stigma and the anti-virus detections associated with the use of legitimate packers by malware, along with the performance impact related to scanning benign packed files, are likely to lead to an impact on both the reputation and revenue of the packer vendors involved. Therefore it is in the best interests of both parties to work together to identify and implement solutions to the core issues associated with packers.

One of the fruits of the collaborative IEEE ICSG sessions, involving representatives from across the anti-virus industry, is a document describing various packer properties and standards for their use. This document is intended to provide a yardstick for the formulation of policy on how to treat different packers and a potential set of best practice guidelines for packer vendors. The specific contents of the document are subject to the outcome of negotiations with packer vendors.

It is hoped that the guidelines can be used to improve end-user security through the concerted efforts of the anti-virus industry when dealing with packers, and via cooperation and information exchange with packer vendors. Thus it is expected to facilitate a more robust approach to the generic static flagging of suspicious packed files for the beneffit of all (other than the malware authors, of course).