3.2 Obfuscator/packer – a wolf in sheep's clothing

One major objective of malware is to evade antivirus software. Malware can be obfuscated using packers and protectors. A packer compresses the data in malware, making it easier to transmit over the network. Obfuscation is a by-product of packing: the compressed malicious code looks nothing like the original code, so it is hidden from plain sight as well as from antivirus software. A malware researcher has to reverse engineer the packed code to extract the malicious code, and antivirus researchers write code that does the same for antivirus engines. A packer can use any of several algorithms to compress the data; LZMA, APLib, LZSS, and ZLib are popular compression algorithms.

When a packer compresses an executable, it adds a decompression stub at the entry point of the exe and then appends the compressed data to the exe. The decompression stub is code that decompresses the compressed data; it knows the location and size of that data. When a packed executable is run, the code in the decompression stub executes first and decompresses (or decrypts) the compressed malicious code in memory. After this, the malicious code takes control:

Figure: Packed PE file

Packers come with additional code to make malware analysis harder.
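The layout described above (a stub at the entry point next to a blob of compressed data) leaves traces a defender can look for statically. The following added example, not code from the book, parses the PE header and section table, finds the section that owns the entry point, and flags an unusual section name, writable-plus-executable permissions, and high section entropy; the two-section PE it checks is constructed inline, and the set of "known" entry-point section names is an assumption.

```python
import hashlib, math, struct
from collections import Counter
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
KNOWN_ENTRY_SECTIONS = {b".text", b"CODE", b".code", b".init"}  # assumption: typical compiler-emitted names

def shannon_entropy(data: bytes) -> float:  # bits per byte: 0.0 for constant data, near 8.0 for packed data
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(pe: bytes):
    """Return (AddressOfEntryPoint, sections); each section is a dict of header fields plus its raw bytes."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    nsec, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20  # optional header: AddressOfEntryPoint at +16
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sections = []
    for i in range(nsec):  # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append(dict(name=name.rstrip(b"\0"), va=va, vsize=vsize, raw=pe[rawptr:rawptr + rawsize], chars=chars))
    return entry_rva, sections

def packer_indicators(pe: bytes) -> list:
    """Heuristics, not proof: the stub sits at the entry point in an odd, writable section beside high-entropy data."""
    entry_rva, sections = parse_pe(pe)
    ep = next((s for s in sections if s["va"] <= entry_rva < s["va"] + max(s["vsize"], len(s["raw"]))), None)
    if ep is None:
        return ["entry point outside every section"]
    hits = [] if ep["name"] in KNOWN_ENTRY_SECTIONS else [f"entry point in unusual section {ep['name']!r}"]
    if ep["chars"] & IMAGE_SCN_MEM_WRITE and ep["chars"] & IMAGE_SCN_MEM_EXECUTE:
        hits.append("entry section is writable and executable")
    return hits + [f"high-entropy section {s['name']!r}" for s in sections if shannon_entropy(s["raw"]) > 7.0]

def build_sample_pe(entry_rva: int = 0x2000) -> bytes:
    """Constructed PE32 (not a real binary): low-entropy .text at RVA 0x1000, pseudo-random W+X 'UPX1' at 0x2000."""
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 deterministic pseudo-random bytes
    secs = [(b".text", 0x1000, b"\x90" * 0x200, IMAGE_SCN_MEM_EXECUTE),
            (b"UPX1", 0x2000, blob, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew points at the PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)  # i386, PE32 optional header size
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, entry_rva)
    ptr, hdrs, raws = 0x40 + 4 + 20 + 0xE0 + 40 * len(secs), b"", b""  # raw data starts right after the headers
    for name, va, raw, chars in secs:
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), ptr, 0, 0, 0, 0, chars)
        raws += raw; ptr += len(raw)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs + raws
```

Running `packer_indicators(build_sample_pe())` reports all three indicators for the constructed sample; with the entry point moved into `.text` only the high-entropy section remains, which is why these checks are triage hints rather than a verdict.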

There are several packers that can be used to pack and protect both genuine software and malware. Here are a few popular ones:

  • UPX
  • Aspack
  • Asprotect
  • PECompact

Researchers came up with generic methods to unpack known packers (UPX, for example, is a well-known packer that can be unpacked with the ESP trick), and antivirus engines added code that can unpack many of the known packers. Malware authors then moved on to custom packers to prevent inexperienced researchers from unpacking them, and the number of custom packers grew over time, which made the work of security researchers harder.
