Exepacker blacklisting: theory and experiences

Gabor Szappanos, Virusbuster Ltd., Hungary

Almost all contemporary malware uses one or another exepacker or cryptor. So it is natural to consider the packedness as a sign of malicious intent. Unfortunately, legacy programs also use packers, so a more granular approach is required.

In this presentation I will cover the possible approaches to exepackers blacklisting, starting from ignoring this attribute ending with definite detections. Are packers like Themida or Armadillo indeed untouchable, unable to blacklist? Not necessarily. There may be differences in malicious and legacy uses of exepackers - but more is required other than simple file scanning.

The presentation will also cover the experiences gained after putting blacklisting in practice - beneficial effects on malware detection and the not-so-wanted false positive effects.