T1027.002: Software Packing

Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.

Positive Technologies products that cover the technique

Detection

PT NAD can detect popular executable packers, like UPX, using special rules. Packers can also be used for legitimate purposes, like compressing an executable to reduce its size. That is why the corresponding detection rules are usually disabled by default.

Example of a PT NAD detection rule

  • ET MALWARE UPX compressed file download possible malware (sid 2001046)

Detection

ID: DS0022
Data source and component: File: File Metadata
Description:

Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.
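The two detection approaches above (a signature for a known packer such as UPX, and generic file-metadata scanning for packing artifacts) can be combined in a small PE section scanner. The following is an added example written for this page; it is not PT NAD's rule logic or code from MITRE. It walks the DOS header, PE signature, COFF header and section table, then flags a section either because its name is a known packer artifact (UPX0/UPX1 for UPX, .MPRESS1/.MPRESS2 for MPRESS) or because its raw bytes have the high Shannon entropy typical of compressed or encrypted code. The 7.2-bit entropy threshold is an assumption to be tuned against your own sample set, and the PE images built by build_test_pe are constructed, header-only layouts for exercising the parser, not real binaries.

```python
import hashlib
import math
import struct
from collections import Counter

# Section names left behind by the well-known packers named on the page.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".MPRESS1", b".MPRESS2"}
# Assumption: threshold in bits per byte; compressed/encrypted data approaches 8.0,
# ordinary x86 code usually sits well below this. Tune against known-good software.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Return [(section_name, raw_bytes)] by walking the PE headers by hand."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]          # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                         # 20-byte COFF header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]       # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                # section table follows
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                                    # 40-byte section header
        name = pe[off:off + 8].rstrip(b"\0")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def packing_indicators(pe: bytes) -> dict:
    """Flag sections by known packer name and/or high entropy.

    Packing alone is not proof of malice (legitimate software packs too), so the
    result is a list of reasons for an analyst or a downstream rule, not a verdict.
    """
    findings = []
    for name, raw in parse_sections(pe):
        reasons = []
        if name in PACKER_SECTION_NAMES:
            reasons.append("known packer section name")
        ent = shannon_entropy(raw)
        if ent >= ENTROPY_THRESHOLD:
            reasons.append(f"high entropy {ent:.2f}")
        if reasons:
            findings.append((name.decode(errors="replace"), reasons))
    return {"packed_suspected": bool(findings), "findings": findings}


# --- Constructed test images (header + section table + raw data only) ---------
def build_test_pe(sections) -> bytes:
    """Build a minimal PE layout from [(name, raw_bytes)]; constructed, not runnable."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    headers, body = b"", b""
    for name, raw in sections:
        hdr = name.ljust(8, b"\0") + struct.pack("<IIII", len(raw), 0x1000, len(raw), raw_ptr)
        headers += hdr + b"\0" * (40 - len(hdr))
        body += raw
        raw_ptr += len(raw)
    return bytes(dos) + b"PE\0\0" + coff + headers + body


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for compressed code."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


UNPACKED = build_test_pe([(b".text", b"Hello, benign program!\0" * 100)])
UPX_LIKE = build_test_pe([(b"UPX0", b""), (b"UPX1", pseudo_random(4096))])
# A custom packer that avoids known names still shows up on entropy alone.
CUSTOM_PACKED = build_test_pe([(b".data", pseudo_random(4096))])

if __name__ == "__main__":
    for label, img in (("unpacked", UNPACKED), ("upx-like", UPX_LIKE), ("custom", CUSTOM_PACKED)):
        print(label, packing_indicators(img))
```

The entropy check is what catches the custom packers the page warns about: a section renamed to look ordinary still carries compressed or encrypted bytes, so the name-based rule and the metadata heuristic complement each other rather than replace each other.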

Mitigation

ID: M1049
Name: Antivirus/Antimalware
Description:

Employ heuristic-based malware detection. Ensure updated virus definitions and create custom signatures for observed malware.