Identifying UPX packed ELF, decompressing, fixing, and analysing Linux malware
Last updated
Was this helpful?
Last updated
Was this helpful?
We'll take a look at analysing a piece of Linux malware. This sample is an ELF file, containing a UPX packed binary, capable of port scanning, SSH bruteforcing, deploying XMRig, and self replicating.
Download the sample here;
We'll first look at the header of the file to see what it's identified as;
Using a hex editor, we can have a quick look at the header.
This indicates that this ELF binary contains UPX packed binary data. What is UPX?
UPX is a free, secure, portable, extendable, high-performance executable packer for several executable formats.
Ok, so we're going to have to unpack the file. We can use upx, which is already installed in Kali.
Ok, seems simple enough, let's unpack this UPX file.
Before we continue, let's have a look at this file (in its compressed form) using strings and IDA.
strings
Fairly useless, other than giving us an indication that the file is packed with UPX (confirming what we already identified above)
Loading the binary into IDA provides more of an indication that something isn't right. sp-analysis, red markers, lack of sub-routines, sometimes indicates that there's either not a whole lot happening (which we know isn't the case, given the nature of the sample) or that IDA can't decompile/reassemble these routines.
In summary; there are two sections in the original binary which we can use to repair the p_info header so that it isn't corrupt. We'll start with the footer, which we know is 8 bytes prior to the end of the file.
Then we go back to the top of the file, find the UPX! header. We notice that the section after the UPX! marker is empty.
8 bytes after the end of the UPX! header, we need to insert our file size value (F8 BF 7B 00) which we recovered above. We take that value, insert it twice, 8 bytes after the end of the UPX! marker.
Save this file and then use UPX to unpack it
Now we can open it in IDA (or ghidra). We can see there are a lot more unpacked functions, some with some interesting names, and there's obviously a lot of data here to analyse.
.. then you can go from there, analyse the file, understand what the file does, and maybe even write detection rules..
Of course it wouldn't be that easy
Back to our corrupt UPX archive. I came across this article which was helpful