Chapter 7

root@bt:/# upx -5 /var/www/payload3.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2009
UPX 3.04        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 27th 2009

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     37888 ->     22528   59.46%    win32/pe      payload3.exe

Packed 1 file.

First we install UPX, and then we run UPX with no arguments to view its command-line options. Then we use the -5 option to compress and pack our executable. You can see in the output that UPX compresses our payload to 59.46 percent of its original size.

In our tests, only 9 of 42 antivirus vendors detected the UPX-packed binaries.

NOTE

The PolyPack project (http://jon.oberheide.org/files/woot09-polypack.pdf) shows the results of packing known malicious binaries with various packers and the effectiveness of antivirus detection before and after the packing process.
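The low detection rate above comes from signature-based scanners looking at the packed bytes rather than the original payload. Seen from the defender's side, a UPX-packed PE still carries structural tells that do not depend on the payload's content: the default section names UPX0 and UPX1, a UPX0 section that has a large virtual size but no raw data (it is the area the stub decompresses into), a "UPX!" marker string, and a section whose raw data has near-maximal entropy. The following Python script is an added example written for this edit, not code from the book or from the UPX or Metasploit projects. The function names (shannon_entropy, parse_sections, packer_indicators, build_sample_pe) are hypothetical, and the two PE images it inspects are constructed in the script itself so it runs offline with no sample files.

```python
import math
import struct
from typing import Dict, List

# Hypothetical helper names (not from the book). The PE images at the bottom are
# constructed inline so the script runs without any real binaries.


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Dict]:
    """Walk the PE section table and return name, sizes and raw-data entropy per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_hdr_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_hdr_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "virtual_size": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return sections


def packer_indicators(pe: bytes, entropy_threshold: float = 7.0) -> List[str]:
    """Return human-readable findings that suggest the file was packed with UPX."""
    findings = []
    for s in parse_sections(pe):
        if s["name"].upper().startswith("UPX"):
            findings.append(f"section {s['name']!r} uses a UPX default name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"section {s['name']!r} has no raw data but "
                            f"{s['virtual_size']:#x} bytes of virtual size (unpack area)")
        if s["entropy"] >= entropy_threshold:
            findings.append(f"section {s['name']!r} entropy {s['entropy']:.2f} "
                            f"(compressed or encrypted data)")
    if b"UPX!" in pe:
        findings.append("'UPX!' marker string present")
    return findings


def build_sample_pe(sections, trailer: bytes = b"") -> bytes:
    """Constructed minimal PE image: DOS header, COFF header with no optional header,
    one section header per (name, raw_bytes, virtual_size) tuple, then the raw data."""
    num = len(sections)
    data_start = (0x40 + 4 + 20 + num * 40 + 0x1FF) & ~0x1FF   # 512-byte file alignment
    img = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, 0, 0x0102)
    raw_blob, ptr, vaddr = b"", data_start, 0x1000
    for name, raw, vsize in sections:
        img += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, vaddr,
                           len(raw), ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        raw_blob += raw
        ptr += len(raw)
        vaddr += max(vsize, 0x1000)
    img += b"\0" * (data_start - len(img))
    return img + raw_blob + trailer


# Constructed samples: a plain binary with a code and a data section, and a
# UPX-style layout (empty UPX0 unpack area, high-entropy UPX1, 'UPX!' marker).
UNPACKED_SAMPLE = build_sample_pe([(".text", b"\x55\x8b\xec\x90" * 256, 0x400),
                                   (".data", b"\0" * 512, 0x200)])
PACKED_SAMPLE = build_sample_pe([("UPX0", b"", 0x5000),
                                 ("UPX1", bytes(range(256)) * 8, 0x800)], trailer=b"UPX!")

if __name__ == "__main__":
    for label, sample in (("unpacked", UNPACKED_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, packer_indicators(sample) or ["no packer indicators"])
```

Run the script as-is, or call packer_indicators() on the bytes of any real PE file. The entropy check is the one that survives a renamed section table (UPX supports custom names and the marker can be stripped), which is why a scanner should weigh all four signals rather than rely on the section names alone; the 7.0 threshold is a common heuristic cut-off and will also fire on legitimately compressed resources, so treat a hit as a triage signal rather than a verdict.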

A Final Note on Antivirus Software Evasion

The world of antivirus software moves very quickly, even by Internet standards. As of this writing, the methods and processes documented in this chapter work successfully; however, experience has shown that even a few months can bring major changes in how antivirus evasion is accomplished. Although the Metasploit team is constantly tweaking its payloads and attempts to stay one step ahead of detection algorithms, don't be surprised if by the time you work through these examples, some work and some do not. When you're attempting antivirus evasion, consider using multiple packers or encoders, as mentioned, or write your own. Antivirus evasion, like all penetration testing skills, needs to be practiced and requires dedicated research to help you ensure success in your engagements.

MSFVENOM

In this chapter we cover only the msfpayload and msfencode utilities, but there is an additional tool called msfvenom that combines the functionalities of msfpayload and msfencode in a simpler-to-use interface. Msfvenom is not covered in detail in this book (see Appendix B), but it should be very easy to use after you become familiar with msfpayload and msfencode.