While catching up on an old but excellent post by Jason Geffner on reconstructing import tables, I remembered that I've been wanting to study the real impact of packers on the latest malware received at our labs. Many of us in the AV industry are now more proactively detecting packers themselves as malicious. Although this issue was discussed at length at the International Antivirus Testing Workshop 2007 in Iceland earlier this month, no real conclusion was reached, as there is still a major unknown: how widely packers are used in goodware, and the false positives this approach might therefore cause.
When it comes to the use of packers in malware, here are some stats on the new unique sample submissions we received during the last month (samples seen in previous months were discarded for the study). Using PEiD with a customized database of packing signatures (available here), a purpose-built emulator and some generic unpacking routines, we found that 79% of new malware is using some type of packing technique or other.
For the study I've grouped together different versions and modified routines of packers, as it's common for malware writers to slightly modify known packing algorithms to evade detection. So, for example, all versions of UPX plus all modified (or private) UPX routines are grouped under the common "UPX" term. The same applies to the rest of the detected routines.
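As an added example (not code from the post or from PEiD), here is the core of the methodology above: a matcher for PEiD's userdb signature format applied to entry-point bytes, with version and modified-stub names collapsed into one family term. The signature database, the "modified stub" entry and the entry-point dumps are constructed for illustration; the UPX entry only reuses the well-known stub prefix and is not the post's custom database.

```python
import re
from collections import Counter

# Constructed PEiD-style userdb (illustrative, not the post's custom database).
SIGNATURE_DB = """
[UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF EB 10
ep_only = true

[UPX modified stub (hypothetical)]
signature = 60 E8 00 00 00 00 5E 83 EE 06 8D BE ?? ?? ?? ?? 57 83 CD FF
ep_only = true

[Microsoft Visual C++ 6.0]
signature = 55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1 00 00 00 00
ep_only = true
"""

# Constructed entry-point dumps standing in for real samples.
SAMPLES = {
    "a.exe": bytes.fromhex("60BE009040008DBE0080FFFF5783CDFFEB109090"),   # stock UPX stub
    "b.exe": bytes.fromhex("60E8000000005E83EE068DBE0070FFFF5783CDFF"),   # modified UPX stub
    "c.exe": bytes.fromhex("558BEC6AFF6800104000680020400064A100000000"), # MSVC6, unpacked
    "d.exe": bytes.fromhex("CCCCCCCC"),                                   # nothing matches
}
PACKERS = {"UPX"}  # families counted as packers in this example

def parse_signatures(text):
    """Parse userdb text into (name, compiled bytes regex); '??' becomes a one-byte wildcard."""
    sigs = []
    for m in re.finditer(r"\[(?P<name>[^\]]+)\]\s*\nsignature = (?P<sig>[0-9A-Fa-f? ]+)", text):
        tokens = m.group("sig").split()
        pattern = b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in tokens)
        sigs.append((m.group("name"), re.compile(pattern, re.DOTALL)))
    return sigs

def family(name):
    """Collapse version and 'modified' variants to one family term, e.g. 'UPX 1.24' -> 'UPX'."""
    return re.split(r"\s+(?=\d|modified)", name)[0]

def identify(ep_bytes, sigs):
    """Family of the first signature matching at the entry point (ep_only), or None."""
    for name, rx in sigs:
        if rx.match(ep_bytes):
            return family(name)
    return None

def packer_stats(samples, sigs):
    """Count family hits and return (Counter, fraction of samples using a packer)."""
    hits = Counter(identify(ep, sigs) for ep in samples.values())
    packed = sum(n for fam, n in hits.items() if fam in PACKERS)
    return hits, packed / len(samples)
```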