How to Tell If Malware Is Packed

Every computer user has to deal with malware at some point. While most packed malware is created to disrupt a computer or steal information, the underlying motive of malware creators is to make money illegally. You may be surprised and wonder why someone would go so far as to attack a computer or a mobile device.

Let’s take a moment to consider their motives, look at what packed malware is and how to identify it, and go over the types of malware that could put a computer at risk.

First, let’s try to understand what packed malware is.

What is packed malware?

Packed malware is a type of malware that is difficult to detect and analyze because it is compressed or encrypted. The encryption makes it difficult for antivirus software to detect and remove it from a system. Cybercriminals often use this technique to distribute packed code without being detected, making it a serious threat to computer systems.

How to tell if malware is packed

Malware has been a growing threat over the past couple of decades. Security specialists and analysts have found that malware has been on the rise since the early 2000s. However, malware can be tricky to find while it hides in plain sight. But with technology making strides, the fight against cyber vandals and criminals is getting easier.

Here are some tips to tell if malware is packed.

Network Traffic

Malicious packets can crash or control network devices. On a home device, a malicious packet attack can compromise an entire network with a simple message. The best way to tell whether packets are leaving the network from an infected machine is to look at the traffic passing through the router.

If any suspicious activity is detected, take a closer look at the packets themselves to see if there is anything unusual about them. For instance, if I suspected that the packets were malicious, I would take steps to block them from leaving the network. I’d disconnect the infected device from the network immediately.

Unusual system logs

Cyber campaigns have been discovered that use a malicious technique for planting packed malware on target machines. This technique involves injecting never-before-seen shellcode into OS event logs. Detecting an unusual entry in a machine’s system logs could therefore indicate that the operating system has been compromised.

Use anti-malware software

Malicious programs often try to hide their activities inside legitimate applications. A good way to tell whether a program is packed with malware is to open it in a disassembler. A disassembler lets you see all the code in an executable, including code that normally wouldn’t be visible while the program runs.

Disable unused services

Some packed malware uses services that aren’t normally enabled on a computer. This can allow the malware to gain access to sensitive information or perform other malicious actions. To protect your computer from this type of malware, you should only enable the services that you need. To prevent these services from running at startup, disable them. There are instructions online for how to do this. If I need to use a service later, I’ll re-enable it.

What are the characteristics of packed malware?

Packed malware is designed to steal information, sabotage operations, or cause financial loss. This malware may attack computers individually or collectively (e.g., via botnets) over a network. The best way to stay safe online is to avoid downloading anything from untrustworthy websites. Additionally, you can use common sense when visiting a website – if it looks suspicious or if you don’t know much about it, it’s probably best to avoid it.

What to look out for in packed malware?

If you are worried about malware, it’s important to know how to identify it beforehand. First, look for a non-standard icon. If an icon looks different from others, or if it’s blurry, it could be malware. These features are often warning signs that an icon has been changed by a virus.

If an icon appears to be different from others, or if it appears blurry, it’s good to double-check the file type and extension to make sure the icon hasn’t been changed by a virus. If I don’t recognize the icon, or it just looks strange, there’s a chance it’s been changed. Sure, icons may be a small detail, but their presence can signify the safety of my computer.

Another thing to look for is a random-looking address bar. If the address bar shows random characters and there’s no real website at the URL, it could be that the malware has changed the site’s original address. Malware can be very dangerous.

If the URL address bar is replaced with a meaningless series of characters, but there is a website present, the malware may be hacking into and altering the page. Additionally, the malware may redirect all of the website’s visitors to a phishing page that tries to get login information and credit card details.

It’s important to look at several indicators when it comes to malware. Here are more indicators that I’d normally look out for in packed malware:

  • Examine the filename. If a filename is strange and doesn’t look like any normal file I would use, or if the file extension is different than usual, I’d be suspicious.
  • I will also check the registry entries. Look for anything that doesn’t belong or is out of the ordinary.
  • The file content is another area I check. It should have a base, not an executable; this base tells me whether it’s packed or not.
  • Finally, if the malware has modified a .dll file, it will be difficult to remove.

A .dll is a library of code that controls the program’s use of hardware. It helps software communicate with other programs, as well as hardware devices. The operating system also relies on .dlls to run. So, when a malicious program corrupts a .dll, it can cause severe consequences. 
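Added example, not code from the original post: a stdlib-only Python check that applies two of the indicators above to a file’s bytes, Shannon entropy (compressed or encrypted content scores close to 8 bits per byte, plain code and text well below) and the section names that well-known packers leave in a PE header. The sample blobs are constructed, and the marker list and the 7.0 threshold are my assumptions.

```python
import hashlib
import math
from collections import Counter

# Section names that well-known packers (UPX, ASPack, Petite, MPRESS, Themida)
# write into a PE header. Assumed list; extend it for your own environment.
PACKER_MARKERS = (b"UPX0", b"UPX1", b".aspack", b".petite", b"MPRESS1", b".themida")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for code or text, near 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packer_markers(data: bytes) -> list:
    """Return the known packer section names found anywhere in the bytes."""
    return [m.decode() for m in PACKER_MARKERS if m in data]


def is_likely_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Flag the blob when it carries a packer marker or its entropy exceeds the threshold."""
    return bool(packer_markers(data)) or shannon_entropy(data) > threshold


def pseudorandom_bytes(size: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for a packed or encrypted section."""
    out, block = b"", seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


# Constructed samples, not real malware: an "unpacked" blob of plain text and
# a "packed" blob of pseudorandom data wrapped in UPX section names.
UNPACKED_SAMPLE = b"This program cannot be run in DOS mode.\r\n" * 100
PACKED_SAMPLE = b"UPX0" + pseudorandom_bytes(4096) + b"UPX1"

if __name__ == "__main__":
    for label, blob in (("unpacked", UNPACKED_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(f"{label}: entropy={shannon_entropy(blob):.2f} "
              f"markers={packer_markers(blob)} packed={is_likely_packed(blob)}")
```

Entropy alone also flags legitimately compressed resources such as embedded images or installers, so treat a hit as a reason to look closer in a disassembler, not as a verdict.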

How to unpack malware

If we download a packed file and want to know what’s inside it, we can use a program called a “debugger”. A debugger allows us to see the code inside any packed program, including the code that unpacks the program and its original files. Some debuggers also allow us to “single-step” through the code and pause the debugger at any point to examine the contents of any variable.

Even if I can’t unpack a packed program, I don’t assume it’s safe. Malware authors sometimes deliberately add extra code to make their programs harder to unpack. If I can’t open a packed program in a disassembler or debugger, there’s a chance that it’s packed malware.

Steps to unpack malware

Backtrack

Backtracking means retracing the previous steps from the point of infection to determine what happened before and after it. There are 2 ways to do this: manually or automatically. To backtrack manually, we need to identify all of the infected files and directories.

Unpacking Malware

Unpacking malware is the reverse of packing malware. Instead of using a packer to encrypt data, it decrypts it. This is done by finding the encryption keys that were used. Malware writers use various methods to hide their keys from being discovered.

Remediation

Once we have identified the hidden keys, we can move forward and fix the problem. This involves making changes to software or websites to remove the decryption keys so they cannot be used again.

What does it mean if malware is packed?

Packed malware is a type of malware that gets downloaded onto a victim’s PC without them knowing about it. This happens when someone sends an attachment via email, downloads a file from a website, or opens a file sent by somebody else. Packed malware infects a device by attaching itself to legitimate software or services. The malware then makes changes to the program that allow it to behave differently than before.

Usually, these changes cause damage to the device, sometimes causing serious problems. For example, if a user downloads a package that contains malware, the antivirus program might not detect the virus. Or, if there is a problem with the user’s Internet connection, the packed malware could alter the DNS configuration or add unwanted advertisements to the browser.

Packed malware comes disguised as something else. Popular examples include:

  • PDF document attachments
  • Word documents
  • Zip archives
  • Rich text format (RTF) files
  • Powerpoint presentations (PPT)
  • Flash files
  • Java applets
  • JAR files
  • Macromedia page components

What are malware packing techniques?

Malware packing techniques involve hiding malicious code inside legitimate software applications. The most common way for hackers to hide malware in legitimate apps is to insert harmful code directly into the app’s executable file (the file that contains instructions to run the program) or to modify the binary code to encode a hidden message. 

Users who are enticed to download and install a modified app may not realize that their device has been infected, making it easy for hackers to sidestep traditional signature-based security and forensics tools.

Here are 3 techniques used by hackers when creating packed malware:

Trojan horse Technique

Hackers have created several different types of malware-packing techniques. One popular method is called a trojan horse. In this technique, a hacker creates an application that looks similar to a legitimate app and then inserts malicious code into the app’s executable or data files. When users download and install the application, the operating system automatically loads the malicious code into memory. Since the application appears to the user to be legitimate, it gets installed without raising any suspicion. Once the malware runs, it can access and control the victim’s computer.

Polymorphic Trojan Technique

Another common technique is known as a polymorphic Trojan. A polymorphic Trojan hides its malicious payload in a piece of legitimate code that can change its appearance at runtime. For example, when the malware loads, a user might notice something odd about the app – a strange font, an unusual screen layout, or a weird icon. But each time the app runs, the malicious code changes its appearance to look normal again. For instance, when the user clicks a button, the malware launches whatever payload it contains instead of just displaying an error message.

Self-Replicating Technique 

The third type of malware-packing technique comes via self-replicating viruses. Self-replicating viruses are relatively rare; only a few exist today. However, once a self-replicating virus gains root privileges on a host machine, it goes hunting for other machines on the network to infect. If it successfully replicates, all those affected computers become zombies, meaning they cannot be trusted.

These days, many cybercriminals use social engineering to drive targets to a legitimate website and entice the target to download compressed malware. Social engineers work to gain trust to get potential victims to click links or open attachments. To avoid falling prey to these attacks, don’t click on links or attachments you are unsure of. 

How much malware is packed?

In 2006, 92% of malware consisted of packed executables. Of course, packers are also used legitimately to protect commercial programs from malicious reverse engineering, but this normal usage is less than 2% (in fact, there is no study of the normal usage of packers).

What does it mean if a file is packed?

When a file is packed with malware, it means that the file has been maliciously modified to include code that is harmful and rarely used for benign purposes, such as delivering advertising with trackers, installing software that accesses your webcam and/or microphone, stealing passwords, providing remote access and control, and worse. There are many ways to get malicious software onto your computer and many ways to clean it off.

Unpacking a malware-packed file means opening that file up so that its contents can be examined and become usable again.

What is the difference between packed malware and unpacked malware?

In computing, packed malware is a type of malicious software that is compressed or “packed” to evade detection by antivirus software. Packed malware is often distributed as a “Trojan horse” or “drive-by download” and can be unpacked and installed on a victim’s computer without their knowledge or consent.

Unpacked malware, on the other hand, is malware that has not been compressed or packed. This type of malware is more easily detected by antivirus software and is typically less sophisticated than packed malware. However, unpacked malware can still be dangerous and should be removed from a computer as soon as possible.

Packing and unpacking are types of protection used by hackers. Hackers can hide malicious programs from antivirus programs by compressing and encrypting the code. Decompressing and decrypting the code is sometimes necessary to fully examine the code. Some viruses and malicious programs can technically be considered packed malware because they are compressed or encrypted.

Conclusion

Packed malware is a serious threat to any computer user. The best way to protect from malware is to be cautious about which programs we download and install from the internet. If a program seems suspicious, we should avoid installing it. If we do download an infected program, we can use a disassembler or debugger to unpack the program. Once the packed program is unpacked, we can analyze it more carefully to identify any malicious code inside it.
