Don't use packers
Following its use in a successful XSS worm that infected 600,000 users of a social networking site, many other hacker groups have begun using it, too. They are taking advantage of the fact that it has been whitelisted as a "legitimate" (non-underground) tool and, until now, not blocked.
There is simply no good way to tell if the packed code is benign or malicious. Given recent events, there is a much larger chance today than in the past of it being malicious. There, more anti-virus, web filtering, IDS/IPS, and firewall vendors will begin blocking it.
Have the bad guys won, then? No!
The biggest drawback is execution time. By a wide margin, whatever gains are made in load time are lost in execution time. Some benchmarks I ran show these packers adding significant overhead to the code -- enough to impact the user experience negatively. On my test systems, four different publicly available packers added an average of 600 ms to execution time for each script. IE7 is by far the worst. The String maniplulation done by the unpacking code, fo some reason, executes very slowly in IE7, adding between 3 and 12 seconds!
This happens every time, because the packed version is what's stored in the cache.
While use of these packers is usually well-intentioned, it doesn't generally have the desired benefits for end users.
With no real-world advantages today, these scripts are primarily used to prevent casual ripping of copyrighted script, offers a layer of security through obscurity, and provide camouflage for hackers' exploits and malware.
I think we should urge developers way from the use of packers. I think more security companies should proactively protect their clients from packed scripts instead of waiting to write a signature based on every attack already underway.
Bravo, CA, for taking the initiative. Clients of companies that are too conservative in blocking packed scripts, just because some people use them with good intentions, are sitting ducks for the next XSS worm or 0-day exploit and whatever payload it delivers.
Oh, happy new year!