An early step when analyzing malware is to recognize that it is packed. We have covered techniques for detecting if malware is packed in earlier chapters. Here, we’ll provide a review and also introduce a new technique.
The following list summarizes signs to look for when determining whether malware is packed.
The program has few imports, and in particular if the only imports are LoadLibrary and GetProcAddress.
When the program is opened in IDA Pro, only a small amount of code is recognized by the automatic analysis.
When the program is opened in OllyDbg, there is a warning that the program may be packed.
The program shows section names that indicate a particular packer (such as UPX0).
The program has abnormal section sizes, such as a .text section with a Size of Raw Data of 0 and a nonzero Virtual Size.
Packer-detection tools such as PEiD can also be used to determine if an executable is packed.
Packed executables can also be detected via a technique known as entropy calculation. Entropy is a measure of the disorder in a system or program. Although there is no single standard mathematical formula for the entropy of a program, there are many well-defined measures of entropy for digital data.
Compressed or encrypted data more closely resembles random data, and therefore has high entropy; executables that are not encrypted or compressed have lower entropy.
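The following is an added example, not code from the book or from any packer-detection tool: it computes Shannon entropy in bits per byte, walks a buffer in fixed-size chunks so a high-entropy payload following a small unpacking stub still stands out, and applies a heuristic verdict. The chunk size, the 7.0-bit threshold, the 50% chunk fraction, and the sample buffers are all assumptions constructed for illustration.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def entropy_profile(data: bytes, chunk_size: int = 256) -> list[float]:
    """Entropy of each chunk in order; compressed/encrypted regions show as runs of high values."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def looks_packed(data: bytes, threshold: float = 7.0, min_fraction: float = 0.5) -> bool:
    """Heuristic (assumed thresholds): flag when enough chunks sit near the random ceiling."""
    profile = entropy_profile(data)
    if not profile:
        return False
    high = sum(1 for e in profile if e >= threshold)
    return high / len(profile) >= min_fraction


# Constructed samples (not real binaries):
CONSTANT_FILL = b"\x00" * 4096                              # entropy 0.0
CODE_LIKE = b"\x55\x89\xe5\x83\xec\x10\x8b\x45" * 512       # 8 distinct bytes -> 3.0 bits
UNIFORM = bytes(range(256)) * 16                            # every byte equally likely -> 8.0 bits
PACKED_LIKE = CODE_LIKE[:1024] + UNIFORM[:3072]             # small stub + "compressed" payload

if __name__ == "__main__":
    for name, buf in [("constant", CONSTANT_FILL), ("code-like", CODE_LIKE),
                      ("uniform", UNIFORM), ("stub+payload", PACKED_LIKE)]:
        print(f"{name:13s} entropy={shannon_entropy(buf):.2f} packed={looks_packed(buf)}")
```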
Automated tools for detecting packed programs often use heuristics like entropy. One such free automated tool is Mandiant Red Curtain, which calculates a threat score for any executable using measures such as entropy. Red Curtain can scan a filesystem for suspected packed binaries.