Malware Packers

What is a Packer?

A packer is a tool that compresses files using a specific algorithm or format, such as ZIP or RAR. Some packers, like UPX, are built specifically to compress executable files while at the same time obfuscating the code. Malware authors often use this technique to evade detection.

Packers come in various forms, including legitimate commercial utilities such as VMProtect, ASPack, and Enigma Protector, as well as custom-built packers written by attackers.

Types of Packers:

  • Group 1 – ZIP and SFX: These are archivers. They compress files into an archive that can be attached to an email. The difference between the two is that an SFX archive also contains a built-in installer that can extract and launch its contents without any external tool.
  • Group 2 – UPX: This is a full packer. It compresses the executable file itself, encrypting and obfuscating its contents. The resulting file can then be placed inside an archive from Group 1 before it is sent to the target.

ZIP Archives:

Unlike true packers, ZIP archives do not encrypt the code. They are used to distribute malware by hiding malicious files within seemingly legitimate content or by password-protecting archives. This helps bypass email security measures that would otherwise block executable attachments.

SFX Archives:

A Self-Extracting Archive (SFX) contains a compressed payload and a built-in extractor (often an installer) to decompress and install the contents. Unlike ZIP, which requires external decompression software, SFX files can extract and execute the malware automatically when opened.

  • Bundles both compressed malware and an extractor.
  • Initiates installation upon user interaction.
  • Operates without needing a separate decompression utility.

UPX (Ultimate Packer for Executables):

UPX is an open-source tool, available under the GNU GPL, that has been in use since 1998. It compresses executables and encrypts their contents. When run, a UPX-packed file decompresses itself in memory and then executes as a normal program.

A challenge with UPX is that attackers often tamper with the packed file to hinder analysis. For example, a UPX file whose header has been deliberately corrupted can no longer be read by the standard UPX tool, so researchers cannot simply run it through UPX to unpack and inspect the contents, even though the malicious payload itself remains fully functional.

Attackers can make a file difficult to unpack by:

  • Using an unreleased or modified build of UPX to pack the file.
  • Modifying the l_info and p_info structures in the packed file.

These actions prevent standard UPX tools from unpacking the file, complicating both analysis by security professionals and detection by security systems.

Solutions for UPX Files:

To recover and unpack corrupted UPX files, tools such as UPX Recovery Tool can be used.

For analyzing SFX and UPX files, several tools can help determine the type of the archive based on its header:

  • "file" command (Linux): Run the command with the file path to determine the file type.
  • TrID: Available for both Windows and Linux, TrID provides detailed file information. After installing, it can be run from the terminal using the trid command followed by the file path.
  • Hex editors: Tools like xxd and hexdump allow you to inspect the magic bytes of a file manually.
