Ultimate Packer for Executables (UPX) is an open-source packer that can reduce the file size of an executable drastically (better than Zip files), and it is compatible with a large range of executable formats, like Windows DLLs, macOS apps, or Linux ELF.
Vendors sometimes use packing to prevent basic reverse engineering or illegal redistribution. Packers basically take the original executable and add a small piece of code called a “stub” to the newly created executable. The stub will then be used to unpack the file and “restore” the executable to its original state.
While some packers like UPX only compress the file, others can also encrypt it.
Attackers can use compression to hide malware inside seemingly harmless and legitimate files, which can fool signature-based detection and even advanced artificial intelligence (AI)-based antivirus solutions. Here’s how hackers can use UPX to render malware undetectable.
How UPX-Based Evasion Works
UPX can pack a malicious executable and modify its bytes to generate an undetectable version of malware.
The packed file behaves like a self-extracting archive: when it is executed, the stub unpacks the original program in memory.
The packed file is usually smaller on disk but bigger in memory. If you inspect a suspicious file, you might see typical sections like the following:
- UPX0: An empty section that holds no raw data on disk but has a large virtual size (it is where the stub decompresses the original code)
- UPX1: The stub and the compressed executable
There are other sections, but we’ll keep it simple here.
When the UPX-packed file is executed, all packed sections are unpacked in memory, including any malicious code a hacker might have stored in it, and the program jumps to the original entry point (OEP) to execute the executable.
Compression Is a Classic Evasion Technique
While UPX-based evasion might seem a bit hard to understand at first glance, compression is a classic approach to avoid antivirus detection.
A simple test consists of uploading both the original and the packed version of a malware sample to a scanning platform such as VirusTotal. The packed version is usually flagged by significantly fewer engines than the original, and many antivirus tools may simply miss it.
There aren’t many statistics about the frequency of UPX use in malware deployment, but MITRE enumerates various “packing-based” procedures adversaries can leverage to conceal their code. Many cases seem to involve UPX.
Detecting UPX-Packed Files
You can try a simple UPX command to spot UPX-packed files:
upx -l {suspicious_binary}
Of course, it’s limited and won’t work all the time. Another limited but still valid option is to dump hex code and search for specific strings like UPX:
hexdump -C {suspicious_binary} | grep "UPX"
You may also leverage portable executable (PE) analyzers to detect UPX-packed files.
Defeating UPX Mangling and Corrupted Files
Many samples observed in the wild do not rely on the UPX tool itself to unpack the malicious code, and their authors corrupt the packed file's UPX headers on purpose.
The basic example we looked at earlier had very recognizable sections, but it’s possible to alter bytes or insert strings with a hexadecimal editor or another tool to make the file significantly harder to detect.
While such an operation will likely break classic unpacking with the upx -d command and throw errors, the binary will still execute.
Tools like upxdump.py, recommended by Akamai, may be able to fix intentionally corrupted UPX-packed files: it repairs the corrupted headers that are frequently used to obfuscate UPX-packed malware.
Be careful, though, as the author warns that some variants simply strip UPX headers or inject null bytes, which would make the tool fail.
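The section layout described in the "How UPX-Based Evasion Works" section, the string search from "Detecting UPX-Packed Files", and the header mangling described just above can all be checked with one small triage script. The following is an added example, not code from the article, from Akamai or from the UPX project: it parses the PE section table by hand and reports indicators that survive renamed sections and stripped headers (an empty executable section with a large virtual size, an entry point inside a writable section), alongside the name-based and string-based checks. The three PE images are constructed in memory for the example; the `PAGE` threshold and the characteristic flags used to separate a UPX0-style section from an ordinary `.bss` are the example's own assumptions. The `UPX!` string is the magic of the UPX pack header, so its absence next to UPX-named sections is reported as a likely mangled file.

```python
"""Heuristic triage of a PE image for UPX-style packing (added example)."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PAGE = 0x1000  # assumption: an empty section of one page or more is "large"


def parse_pe(data):
    """Return (entry_rva, sections) from a PE32/PE32+ image; no pefile needed."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    entry_rva = struct.unpack_from("<I", data, coff + 20 + 16)[0]
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, raw_size, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vsize": vsize, "vaddr": vaddr,
                         "raw_size": raw_size, "chars": chars})
    return entry_rva, sections


def upx_indicators(data):
    """Return a sorted list of packing indicators found in the image."""
    entry_rva, sections = parse_pe(data)
    found = set()
    for s in sections:
        if s["name"].upper().startswith("UPX"):
            found.add("upx_section_name")
        # UPX0 pattern: nothing on disk, big in memory, executable and writable.
        # A plain .bss also has raw size 0 but is not marked executable.
        exec_rw = bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE) and bool(s["chars"] & IMAGE_SCN_MEM_WRITE)
        if s["raw_size"] == 0 and s["vsize"] >= PAGE and exec_rw:
            found.add("empty_exec_section")
        # The stub (entry point) commonly sits in a writable section; a
        # compiler-built .text is executable but not writable.
        in_section = s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["raw_size"])
        if in_section and s["chars"] & IMAGE_SCN_MEM_WRITE:
            found.add("entry_in_writable_section")
    if b"UPX!" in data:          # pack header magic
        found.add("upx_magic")
    if b"UPX" in data:           # same thing `hexdump -C file | grep UPX` shows
        found.add("upx_string")
    if "upx_section_name" in found and "upx_magic" not in found:
        found.add("names_without_magic")  # headers stripped or mangled?
    return sorted(found)


def _build_pe(sections, entry_rva, trailer=b""):
    """Construct a minimal PE32 image with the given section headers (sample data)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)
    opt += b"\0" * (opt_size - len(opt))
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, 0, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table + trailer


# Constructed samples: a textbook UPX layout, the same layout with section
# names and pack header removed, and an ordinary compiler-built image.
SAMPLES = {
    "packed": _build_pe([(b"UPX0", 0x20000, 0x1000, 0, 0xE0000080),
                         (b"UPX1", 0x6000, 0x21000, 0x5800, 0xE0000040),
                         (b".rsrc", 0x1000, 0x27000, 0x400, 0xC0000040)],
                        entry_rva=0x26400, trailer=b"\0" * 16 + b"UPX!" + b"\0" * 28),
    "mangled": _build_pe([(b".text", 0x20000, 0x1000, 0, 0xE0000080),
                          (b".data", 0x6000, 0x21000, 0x5800, 0xE0000040),
                          (b".rsrc", 0x1000, 0x27000, 0x400, 0xC0000040)],
                         entry_rva=0x26400),
    "clean": _build_pe([(b".text", 0x1000, 0x1000, 0x1000, 0x60000020),
                        (b".data", 0x200, 0x2000, 0x200, 0xC0000040),
                        (b".bss", 0x8000, 0x3000, 0, 0xC0000080)],
                       entry_rva=0x1100),
}

if __name__ == "__main__":
    for label, image in SAMPLES.items():
        print(f"{label:8} {upx_indicators(image)}")
```

The mangled sample still trips the two layout indicators even though every UPX name and the pack header are gone, which is the point of checking section characteristics rather than only grepping for strings; the clean sample with a large `.bss` stays quiet because that section is not executable. On a real file, read it with `open(path, "rb").read()` and pass the bytes to `upx_indicators`.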
Packer Analysis and Anti-UPX Unpacking Techniques
Reversers and malware analysts may use tools like OllyDbg, radare2, or even the popular Ghidra to analyze packed files. The critical step is to determine whether the binary uses anti-UPX unpacking techniques before proceeding.
While many malware types like Mirai use anti-UPX unpacking techniques such as zero-padded files to slow down security researchers, it does not mean you can’t unpack them. Tools like upx-mod can help you.
That said, the most sophisticated actors could make their files “unpackable” for standard UPX implementations, but that seems pretty rare.
Best Practices for Mitigating UPX-Packed Malware
The use of malicious UPX-packed files shows that you cannot rely solely on antivirus software and other signature-based solutions to catch malware, no matter how sophisticated these tools are marketed as being.
Without these tools you would be even more exposed, but attackers will always look for ways to repurpose legitimate utilities and bypass detection.
UPX is a universal format that can be used to target various platforms, and anti-UPX unpacking techniques can be used to hinder reverse engineering and malware analysis.
A good practice is to disable execution in directories where users do not need it, such as tmp and downloads folders, especially in corporate environments; this can be enforced with security policies.
Ensure the system does not hide file extensions; even then, nothing guarantees that no one will click unwisely, especially in targeted campaigns. You need to log suspicious activities and behaviors.
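One concrete form of the "disable execution in some directories" advice on Linux is mounting user-writable directories with the `noexec` option. The following is an added example, not from the article: it reads mount entries in `/proc/mounts` format, reports which watched directories are mounted without `noexec`, and shows how the weak `/etc/fstab` line is corrected. The mount lines are constructed sample data, and the list of watched directories is the example's own assumption.

```python
"""Report user-writable mount points lacking noexec (added example)."""

# Assumption: directories that users can write to and should not execute from.
WATCHED = ("/tmp", "/var/tmp", "/dev/shm", "/home")


def parse_mounts(text):
    """Map mount point -> set of options from /proc/mounts or fstab lines."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].startswith("#"):
            continue  # blank line or comment
        _device, mountpoint, _fstype, options = parts[:4]
        mounts[mountpoint] = set(options.split(","))
    return mounts


def mounts_missing_noexec(text, watched=WATCHED):
    """Watched directories that are their own mount but lack noexec.
    A watched directory that is not a separate mount inherits its parent's
    options and is not reported here; that case needs a separate mount."""
    mounts = parse_mounts(text)
    return sorted(mp for mp in watched if mp in mounts and "noexec" not in mounts[mp])


def add_noexec(fstab_line):
    """Return the fstab line with noexec appended to its options (idempotent)."""
    parts = fstab_line.split()
    opts = parts[3].split(",")
    if "noexec" not in opts:
        opts.append("noexec")
    parts[3] = ",".join(opts)
    return " ".join(parts)


# Constructed sample: /tmp and /home are separate mounts without noexec,
# /dev/shm already has it, /var/tmp is not a separate mount.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
"""

WEAK_FSTAB_LINE = "tmpfs /tmp tmpfs rw,nosuid,nodev 0 0"
HARDENED_FSTAB_LINE = "tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0"

if __name__ == "__main__":
    print("missing noexec:", mounts_missing_noexec(SAMPLE_MOUNTS))
    print("weak:    ", WEAK_FSTAB_LINE)
    print("hardened:", add_noexec(WEAK_FSTAB_LINE))
```

On a live system, pass the contents of `/proc/mounts` to `mounts_missing_noexec`; an empty list means every watched directory that is a separate mount already carries `noexec`, but directories that merely live on the root filesystem still need their own mount before the option can apply.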