We shall attempt to define the terms packer, crypter, and protector in the context of how malware uses them in this post. Keep in mind that there are exceptions to the principles, all of these categories have overlap, and no definitions for them are absolute. But I think this categorisation makes the most sense.
Packers
This is a common abbreviation for “runtime packers,” also referred to as “self-extracting archives.” When the “packed file” is executed, the software unpacks itself in memory. This method is sometimes referred to as “executable compression” on occasion. In order to make files smaller, this kind of compression was developed so that users wouldn’t have to manually unpack them before they could be used. However, the demand for smaller files is no longer as pressing considering the size of portable media and internet speeds today. Therefore, it is virtually always for bad intentions when you see certain packers being used today. essentially to make it more challenging to reverse engineer, with the added advantage of leaving a smaller footprint on the infected machine.
Crypters
Obfuscation is what crypters refer to as their most basic approach. In scripts like javascripts and vbscripts, obfuscation is also frequently utilized. However, most of the time it’s not that difficult to go around or decipher these. More sophisticated techniques employ true encryption. Most crypters provide users a variety of other options in addition to file encryption, making it as difficult for security companies to find the concealed executable as feasible. For certain packers, the same is true. For malware developers, being able to avoid detection by any security vendor is the main objective. However, if they can simply update their files after they are discovered and remain undetected for a time, they will be content with that.
Protectors
Software designed to stop program tampering and reverse engineering is referred to in this sense as a protector. Both packing and encrypting may be utilized, as is typically the case. What is commonly referred to as a protector is made up of that combination and a few extra functions. Because of the protective layers surrounding the payload, reverse engineering will be challenging.
Code virtualization is a totally distinct strategy that also falls under the category of protectors; it employs a unique and separate virtual instruction set each time you use it to protect your program. Professional versions of these protectors are employed in the gaming industry to combat piracy. The method, however, has also been incorporated into malware, more notably ransomware. This enables ransomware that can transfer the encryption key without a C&C server. The encryption key can be hardcoded into the ransomware because the security is so effective. A project that leverages open-source code virtualization is Locky Bart, as an example.
This article has been able to distinguish between each tool to avoid confusion regarding their capabilities and functions as well as to help researchers understand that although a piece of software may seem legitimate, it may actually be encrypted and call for a deeper investigation.