Author Topic: Urban Myths: UPX is flagged by Anti-Virus  (Read 693 times)

AW

  • Member
  • *****
  • Posts: 2508
  • Let's Make ASM Great Again!
Urban Myths: UPX is flagged by Anti-Virus
« on: May 02, 2019, 08:19:40 PM »
It is not anymore, and it was stupid because every antivirus knows how to decompress UPX-compressed files.
I made a few tests with a 64-bit file (yes, UPX is one of a small number of 64-bit executable compressors, and the only one able to compress this file) and tested it in VirusTotal.

Uncompressed:
https://www.virustotal.com/#/file/4512c69de93f5958d828828bad79b9b77a457f40250b3118d539e66ee93f43cf/detection
UPX compressed:
https://www.virustotal.com/#/file/0e4a43f2679f2f2de12a10b04a7a970f82d8899e303818e7c3f674e519be0398/detection

jj2007

  • Member
  • *****
  • Posts: 9912
  • Assembler is fun ;-)
    • MasmBasic
Re: Urban Myths: UPX is flagged by Anti-Virus
« Reply #1 on: May 02, 2019, 08:40:52 PM »
Interesting. In fact, the UPXed versions of RichMasm usually had many more positives than the uncompressed ones. Now it's equal, both score 8/69: RM Upx vs RM full.

It took them an awfully long time, though, to come to this brilliant conclusion :bgrin:

hutch--

  • Administrator
  • Member
  • ******
  • Posts: 6857
  • Mnemonic Driven API Grinder
    • The MASM32 SDK
Re: Urban Myths: UPX is flagged by Anti-Virus
« Reply #2 on: May 04, 2019, 02:14:55 PM »
The problem with UPX was its capacity to decompress a file and then recompress it, which is exactly what the virus idiot fringe needed, and they did use it. Last I looked, they still have the GPL (we own your code) licence where, if you use it, they claim control of what licence you can use with it. Markus and László were flogging GPL back in the late 1990s and for that reason I have never used it since.
hutch at movsd dot com
http://www.masm32.com    :biggrin:  :skrewy:

AW

  • Member
  • *****
  • Posts: 2508
  • Let's Make ASM Great Again!
Re: Urban Myths: UPX is flagged by Anti-Virus
« Reply #3 on: May 04, 2019, 04:01:44 PM »
I just read the agreement, and they allow use of the unmodified UPX in commercial software. However, I have never used it either. I tried it now because I could not find a 64-bit compressor for the 64-bit code produced by Free Pascal. UPX worked very well without a hitch, reducing the size to around 1/3 - it also compresses executables for other OSes without needing us to specify which they are. Pretty intelligent.

jj2007

  • Member
  • *****
  • Posts: 9912
  • Assembler is fun ;-)
    • MasmBasic
Re: Urban Myths: UPX is flagged by Anti-Virus
« Reply #4 on: May 04, 2019, 06:39:32 PM »
The problem with UPX was its capacity to decompress a file and then recompress it, which is exactly what the virus idiot fringe needed, and they did use it.

That ceased to be a problem the very moment AV software learned how to use UPX to decompress UPX'ed files. Which took the AV idiot fringe an awfully long time to learn :P

Vortex

  • Member
  • *****
  • Posts: 2056
Re: Urban Myths: UPX is flagged by Anti-Virus
« Reply #5 on: May 04, 2019, 06:50:28 PM »
An old but good compressor, Anakin's PEPack, pepack10.zip

hutch--

  • Administrator
  • Member
  • ******
  • Posts: 6857
  • Mnemonic Driven API Grinder
    • The MASM32 SDK
Re: Urban Myths: UPX is flagged by Anti-Virus
« Reply #6 on: May 04, 2019, 11:05:21 PM »
It was very easy to bypass the unpack option after an executable was compressed with UPX, but as it was so well known by the AV companies, they could also identify a UPX-compressed executable that had been modified. I remember reading an article from a Microsoft AV researcher on methods of identifying a hidden UPX-compressed exe with a trojan built into it.

This leaves you with two choices: either the trojan writer can compress a trojan into an uncompressed exe and re-compress it, or the exe gets flagged by an AV company.

Don't touch UPX with a barge pole.
hutch at movsd dot com
http://www.masm32.com    :biggrin:  :skrewy:
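The thread turns on two UPX indicators an AV engine can look for: the section names UPX writes into a PE (UPX0, UPX1) and the "UPX!" magic at the start of its pack header. The Python below is an added example, not code posted by anyone in this thread; it parses the PE section table directly (no third-party library) and classifies an image as intact UPX, modified UPX (one indicator present but not the other, e.g. the renamed-section trick that also breaks `upx -d`), or not UPX. The PE images it inspects are constructed inline with a helper of mine and are not real binaries; the constants for the PE32 optional header size and machine type are the standard ones.

```python
import struct
from typing import List

# Section names written by UPX into a packed PE image.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
# ASCII magic that opens UPX's pack header inside the packed file.
# Its offset depends on the executable format, so the whole image is searched.
UPX_MAGIC = b"UPX!"


def pe_section_names(data: bytes) -> List[str]:
    """Return the section names of a PE image, parsed from the COFF section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + size_of_optional  # COFF header is 20 bytes
    names = []
    for i in range(num_sections):
        off = section_table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        raw = data[off:off + 8]       # first 8 bytes are the NUL-padded name
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def classify_upx(data: bytes) -> str:
    """Classify an image by the two cheap UPX indicators discussed in the thread."""
    has_upx_sections = any(n in UPX_SECTION_NAMES for n in pe_section_names(data))
    has_magic = UPX_MAGIC in data
    if has_upx_sections and has_magic:
        return "upx-intact"
    if has_upx_sections or has_magic:
        # Section names renamed or the header patched: upx -d will refuse it,
        # but one indicator survives. A real engine would match the stub too.
        return "upx-modified"
    return "not-upx"


def build_pe(section_names: List[bytes], trailer: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (headers only) for testing the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_optional = 0xE0  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                       size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (size_of_optional - 2)
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos + b"PE\0\0" + coff + optional + sections + trailer


if __name__ == "__main__":
    # Constructed samples: untouched UPX layout, renamed sections, plain PE.
    intact = build_pe([b"UPX0", b"UPX1", b".rsrc"], trailer=UPX_MAGIC + b"\0" * 28)
    renamed = build_pe([b".text", b".data", b".rsrc"], trailer=UPX_MAGIC + b"\0" * 28)
    plain = build_pe([b".text", b".data"])
    for label, image in (("intact", intact), ("renamed", renamed), ("plain", plain)):
        print(label, pe_section_names(image), classify_upx(image))
```

Renaming the sections is exactly the "bypass the unpack option" trick from the post above: `upx -d` stops working, yet the "UPX!" header and, more importantly, the unchanged decompression stub remain, which is why scanners stopped trusting section names and learned to recognise the stub itself. This example only covers the two header indicators; stub matching is outside what the thread describes.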