      0 ShellExecuteA
    USER32.DLL
      0 CharUpperBuffA
    WININET.DLL
      0 InternetOpenA
    WS2_32.DLL
      0 bind

  Summary

        3000 .rsrc
        9000 UPX0
        2000 UPX1

Listing 8.1 (continued)
This output exhibits several unusual properties regarding the executable. First of all, there are quite a few DLLs that only have a single import entry—that is highly irregular and really makes no sense. What would the program be able to do with the Winsock 2 binary WS2_32.DLL if it only called the bind API? Not much. The same goes for CRTDLL.DLL, ADVAPI32.DLL, and the rest of the DLLs listed in the import table. The revealing detail here is the Summary section near the end of the listing. One would expect a section called .text that would contain the program code, but there is no such section. Instead there is the traditional .rsrc resource section, and two unrecognized sections called UPX0 and UPX1.
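The following script is an added example, not code from the book: it reads a PE file's section table with Python's struct module and flags the two tells described above (no .text section, sections named UPX0/UPX1), plus one further UPX hallmark, a section with zero raw size but a nonzero virtual size, which is the empty region the unpacked code is restored into. The two PE blobs it inspects are constructed in the script itself; the packed one borrows the section sizes from the listing's Summary.

```python
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # names the UPX packer writes

def parse_sections(pe):
    """Return [(name, virtual_size, raw_size)] from a PE file's section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                 # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _va, rsize = struct.unpack_from("<8sIII", pe, table + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize))
    return sections

def packer_indicators(pe):
    """Apply the tells from the text (no .text, UPX0/UPX1) plus the empty-section check."""
    sections = parse_sections(pe)
    names = [s[0] for s in sections]
    findings = []
    if ".text" not in names:
        findings.append("no .text section")
    upx = [n for n in names if n in UPX_SECTION_NAMES]
    if upx:
        findings.append("UPX sections: " + ", ".join(upx))
    # A section with no bytes on disk but a large virtual size is where UPX unpacks into.
    hollow = [n for n, vsize, rsize in sections if rsize == 0 and vsize > 0]
    if hollow:
        findings.append("no raw data, nonzero virtual size: " + ", ".join(hollow))
    return findings

def build_sample_pe(specs):
    """Constructed header-only PE32 whose sections are given as (name, vsize, va, rsize)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)             # PE32 magic, rest zeroed
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), v, va, r, 0, 0, 0, 0, 0, 0x60000020)
                     for n, v, va, r in specs)
    return dos + b"PE\0\0" + coff + opt + table

# Constructed samples: sizes of PACKED follow the listing's Summary; PLAIN is an ordinary layout.
PACKED = build_sample_pe([("UPX0", 0x9000, 0x1000, 0), ("UPX1", 0x2000, 0xA000, 0x2000), (".rsrc", 0x3000, 0xC000, 0x3000)])
PLAIN = build_sample_pe([(".text", 0x4000, 0x1000, 0x4000), (".rsrc", 0x3000, 0x5000, 0x3000)])
```

Running packer_indicators on a real file only needs the bytes read from disk; the constructed blobs exist so the script can be tried offline.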
A quick online search reveals that UPX is an open-source executable packer. An executable packer is a program that compresses or encrypts an executable program in place, meaning that the transformation is transparent to the end user—the program is automatically restored to its original state in memory as soon as it is launched. Some packers are designed as antireversing tools that encrypt the program and try to fend off debuggers and disassemblers. Others simply compress the program for the purpose of decreasing the binary file size. UPX belongs to the second group, and is not designed as an antireversing tool, but simply as a compression tool. It makes sense for this type of Trojan/Backdoor to employ UPX in order to keep its file size as small as possible.
You can verify this assumption by downloading the latest beta version of UPX for Windows (note that the Backdoor uses the latest UPX beta, and that the most recent public release at the time of writing, version 1.25, could not identify the file). You can run UPX on the Backdoor executable with the -l switch so that UPX displays compression information for the Backdoor file.
Reversing Malware 287