Handling Malware Samples
I often have to analyze malware samples on Windows machines.That is not always by choice. Sometimes I have no other option.
But this can cause problems. First of all: most malware targets Windows. If I make a mistake handling samples on a Windows machine, I infect the machine by accident. Not good, even in a VM.
Second: many Windows machines have anti-virus, and it can interfere with the analysis.
Here are some of the precautions I take with malware samples (not only on Windows, also on Linux and OSX):
I set the extension of the sample to .vir. So sample.exe becomes sample.exe.vir (I don't replace the original extension, I just append a new extension). Since .vir is not associated with any application on Windows, I can not launch it. If I double-click or press return by mistake, it will not execute the sample. If I type the name by mistake (because of tab-completion) in the command-line, it will not execute.
If I have control over the AV settings on the Windows machine, I will add an exclusion rule for the extension .vir. This will prevent the AV from scanning the sample.
I contain the sample in a password-protected ZIP file. I use the "old" ZIP format (not ZIPX). The password I use is infected (BTW, if you know where this tradition comes from, post a comment), and I use the ZipCrypto encryption (not the newer AES). Putting the sample in a password-protected ZIP file helps me preventing interference from the anti-virus, especially when I have no control over the anti-virus settings.
Each samples gets its own ZIP file. I don't put 2 samples in the same ZIP file.
The reason why I use the "old" ZIP format and the "old" ZipCrypto encryption, is that this format (and encryption method) is supported natively by Python. Many of my (malware) analysis tools written in Python support the analysis of samples stored in password-protected ZIP files. Like a tool I mentioned here several times: oledump.py. To start analyzing a malicious document file you can type "oledump.py trojan.doc". But you can also store the sample trojan.doc in a password-protected ZIP file and analyze it with oledump directly: "oledump.py trojan.doc.zip". This saves you from the hassle of extracting the sample first.
My tools also support piping: taking the output of one tool and feed it as input to the next tool. This preserves you from having to write malware to disk. Like I showed in my previous diary entry: extracting a VBE script from a document and decode it "oledump.py -s 15 -d trojan.doc.zip | vbe-decode.py".
Of course most tools (excluding mine) do not support password-protected ZIP files as input. That's one of the reasons I developed yet another tool :-) . zipdump.py. Take for example the strings command. If I want to look at the strings found in a sample contained in a password-protect ZIP file, I use zipdump to dump the content of the sample and pipe it into strings, like this: "zipdump.py -s 1 -d sample.exe.zip | strings".
This can also work with some GUI applications, not only command-line tools. For example I can copy the hexdump of a trojan to the clipboard and then paste this in my favorite hex editor: "zipdump.py -s 1 -x sample.exe.zip | clip". And then I use paste-from-hex in my hex editor. And now I can look at the EXE in my hex editor without having to extract it to disk.
You can find my tools here.
Please post comments with your tips on how to handle malware samples on Windows machines.
Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.
Comments
Anonymous
Dec 3rd 2022
9 months ago
Anonymous
Dec 3rd 2022
9 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
https://defineprogramming.com/
Dec 26th 2022
9 months ago
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
https://defineprogramming.com/
Dec 26th 2022
9 months ago
rthrth
Jan 2nd 2023
8 months ago