Packers

Packers are tools that compress an executable and combine it with decompression code. When this new executable is run, the decompression code re-creates the original executable from the compressed code before executing it. This usually happens transparently so the compressed executable can be used in exactly the same way as the original. The result of the packing process is a smaller executable that retains all the functionality of the original.

As with msfencode, packers change the structure of an executable. However, unlike the msfencode encoding process, which often increases the size of an executable, a carefully chosen packer will use various algorithms to both compress and encrypt an executable. Next, we use the popular UPX packer with Back|Track to compress and encode our payload, payload3.exe, in an attempt to evade antivirus software detection.

root@bt:/# apt-get install upx 

. . . SNIP . . .

root@bt:/# upx 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2009
UPX 3.04         Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 27th 2009

Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..

. . . SNIP . . .

Type 'upx --help' for more detailed help.
UPX comes with ABSOLUTELY NO WARRANTY; for details visit http://upx.sf.net
root@bt:/# upx -5 /var/www/payload3.exe 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2009
UPX 3.04         Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 27th 2009

   File size              Ratio      Format        Name
   --------------------   ------     -----------   -----------
   37888 ->     22528     59.46%   win32/pe      payload3.exe

Packed 1 file.

First we install UPX, and then we run UPX with no arguments to view its command-line options. Then we use the -5 option to compress and pack our executable. You can see in the output that UPX compresses our payload to 59.46 percent of its original size (37888 bytes down to 22528).
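From the defender's side, a UPX-packed binary like the one produced above is easy to recognise: the stock packer leaves section headers named UPX0 and UPX1, the UPX0 section has no raw data on disk but a large virtual size (it is the buffer the stub unpacks into), and the UPX1 section holds the compressed body, whose byte entropy sits close to the 8-bit maximum. The following script is an added example, not code from the book or from the UPX project: it parses just enough of the PE/COFF section table to check those three indicators, and builds two small constructed PE-shaped buffers (one mimicking a UPX layout, one mimicking an ordinary build) to run against. The section names, the 7.0-bits-per-byte entropy threshold and the fixture layout are assumptions chosen for illustration.

```python
import hashlib
import math
import struct

# Section names the stock UPX build writes; trivially renamed, so used as one signal of three.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits near 8.0 (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.

    Returns a list of (name, virtual_size, raw_size, raw_bytes) tuples.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vsize, rsize, pe[rptr:rptr + rsize]))
    return sections


def packer_indicators(pe: bytes) -> dict:
    """Report the three UPX indicators and a combined verdict for one PE image."""
    report = {"upx_names": [], "high_entropy": [], "unpack_buffers": [], "entropy": {}}
    for name, vsize, rsize, raw in parse_sections(pe):
        label = name.decode("latin-1")
        ent = round(shannon_entropy(raw), 2)
        report["entropy"][label] = ent
        if name in UPX_SECTION_NAMES:
            report["upx_names"].append(label)
        if rsize and ent >= HIGH_ENTROPY:
            report["high_entropy"].append(label)
        if rsize == 0 and vsize >= 0x1000:  # reserved in memory, empty on disk
            report["unpack_buffers"].append(label)
    # Names alone are enough; otherwise require the structural pair (compressed blob + empty buffer).
    report["likely_packed"] = bool(report["upx_names"]) or (
        bool(report["high_entropy"]) and bool(report["unpack_buffers"]))
    return report


def pseudo_compressed(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for a compressed section (constructed)."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "little")).digest()
        i += 1
    return out[:n]


def build_sample_pe(sections) -> bytes:
    """Construct a minimal, non-executable PE-shaped buffer from (name, virtual_size, raw) triples.

    Constructed fixture: only the header fields parse_sections() reads are meaningful.
    """
    opt_size, e_lfanew = 224, 64  # PE32 optional header size; PE header right after DOS header
    header_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    data_off = (header_len + 511) // 512 * 512  # file-align raw data to 512 bytes
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table, raws = b"", b""
    for name, vsize, raw in sections:
        rptr = data_off + len(raws) if raw else 0
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000, len(raw), rptr, 0, 0, 0, 0, 0x60000020)
        raws += raw
    header = dos + b"PE\0\0" + coff + b"\0" * opt_size + table
    return header.ljust(data_off, b"\0") + raws


# Constructed samples: a UPX-style layout and a conventional compiler layout.
PACKED_SAMPLE = build_sample_pe([
    (b"UPX0", 0x8000, b""),                        # empty on disk, large in memory
    (b"UPX1", 0x4000, pseudo_compressed(4096)),    # compressed body plus stub
    (b".rsrc", 0x1000, b"\0" * 512),
])
PLAIN_SAMPLE = build_sample_pe([
    (b".text", 0x2000, b"ABCDEFGH" * 512),         # low-entropy stand-in for code
    (b".data", 0x1000, b"\0" * 512),
])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, packer_indicators(sample))
```

Point the script at a real file with `packer_indicators(open(path, "rb").read())`. When the stock packer was used, `upx -d` (the decompress option listed in the usage line above) restores the original executable for analysis; the entropy and empty-buffer checks are there for the case where the section names have been changed and the name match alone would miss the file.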

In our tests, only 9 of 42 antivirus vendors detected the UPX-packed binaries.

Note

The PolyPack project (http://jon.oberheide.org/files/woot09-polypack.pdf) shows the results of packing known malicious binaries with various packers and the effectiveness of antivirus detection before and after the packing process.