Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!


Published: 2020-05-03
Last Updated: 2020-05-03 11:10:41 UTC
by Didier Stevens (Version: 1)
3 comment(s)

A comment on my diary entry "MALWARE Bazaar" mentioned problems with the ZIP password of downloaded samples (MALWARE Bazaar is a free service were you can download malware samples).

When you download a sample from MALWARE Bazaar, it is stored in a password protected ZIP file. As mentioned on the download page, the password is infected.

But you can still have issues when extracting the sample, because AES is used as encryption method. Not all ZIP utilities support AES as encryption method, and so you'll have to use a utility that not only supports ZipCrypto, but also AES.

Python's module zipfile does not support AES, only ZipCrypto. So many of my analysis tools (oledump, pdf tools, ...) that can analyse samples inside a password protected ZIP file, will not work directly with MALWARE Bazaar samples.

But I found a solution, and implemented it first in my utility: there is an open-source drop-in replacement for the zipfile module, that supports AES encrytpion. This module is pyzipper.

When pyzipper is installed, my tool will use it in stead of zipfile, and thus provide AES encryption support. If it is not installed, it will use built-in module zipfile.

I will gradually update my other tools using zipfile, to include support for pyzipper.



Didier Stevens
Senior handler
Microsoft MVP

Keywords: aes zip
3 comment(s)
Diary Archives