Update of "Email EXEs and free tools"

Overview

Artifact ID: 41465541f474215b4a122383d37d04e88c6bfd13
Page Name:Email EXEs and free tools
Date: 2012-03-18 01:41:50
Original User: adric
Parent: c2d63c800211284e8d4c45056f8886a5ad66316c
Content

Since I don't really want someone else's pictures and didn't order anything from FedEx this week, I could safely ignore the odd emails coming in with subjects like "Re:" and "Your package is available for pickup" and zip file attachments. But I'm a curious sort ...

These mail campaigns have been running for a while and I actually looked at them a little bit earlier this year. As you can quickly see, the zip files in these campaigns contain only one file, an executable named the same as the zip: FedEx_Invoice.zip contains FedEx_Invoice.exe and My_summer_photos_in_Egypt_2011.zip contains My_summer_photos_in_Egypt_2011.exe, but before we go any further...

Warning!

These files are dangerous and should be handled with due care by trained professionals or the local equivalent in a safe lab environment. Don't run suspicious files or documents normally! Don't get infected!

There, now that that's out of the way, I can explain how I poked at these things on my Mac and Linux machines, with some regard for my safety and using only free tools, and what I found out about them.

is it bad? clam AV, virustotal

Since we have a suspicious file, the first thing to check is "is it a virus?" Unfortunately that's a notoriously difficult question to answer, so we'll start with an easier one: "What do anti-virus programs think of this file?" We can start with Clam AV, a freely available, cross-platform virus scanner:

bsk@bebo-bt5:~/mar2012$ sudo freshclam
bsk@bebo-bt5:~/mar2012$ clamscan My_summer_photos_in_Egypt_2011.zip 
LibClamAV Warning: ***********************************************************
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.     ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
My_summer_photos_in_Egypt_2011.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 1168645
Engine version: 0.96.5
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.67 MB
Data read: 0.32 MB (ratio 2.06:1)
Time: 4.956 sec (0 m 4 s)

Clam AV doesn't find anything bad about this file... By the way, these days clamscan looks inside zip files without you needing to tell it to, and you can configure that and many other options for file types and scan settings on the command line. Run clamscan --help to see them.

Clam AV is one of dozens of scanners available, some free and some expensive. Maybe we should try a couple more? How many do you already have installed? Thankfully, there's VirusTotal, a very cool site that runs samples against a large set of anti-virus engines. Let's give that a try instead of downloading and installing another AV:

File already analysed

This file was already analysed by VirusTotal on 2012-03-15 18:19:23.

Detection ratio: 21/43

You can take a look at the last analysis or analyse it again now.

21/43 may sound like a lot, but it's only half. ClamAV (still) doesn't detect this one (or the other). More interesting is that when I first submitted that file to VT yesterday, only 6 or so engines flagged it. Virus scanner makers have agreements with VT (and others) to feed them new samples so they can keep improving their engines and signatures. Just remember that scan results like this are time specific and will change. So it's definitely a malicious file, very interesting. What else can we find out with the tools we have?

static basics: file, unzip, strings

On Unixy systems the built-in command for "what is this thing?" is file. file(1) compares the first few bytes of the file against its list of known file signatures (the "magic" database). It's easily fooled, since anything can be made to start with those bytes, but it's still very handy for getting some idea of what you might be dealing with:

bsk@bebo-bt5:~/mar2012$ file My_summer_photos_in_Egypt_2011.zip
My_summer_photos_in_Egypt_2011.zip: Zip archive data, at least v2.0 to extract

Since it's a zip archive we can take a peek with another standard utility, unzip from the Infozip project:

bsk@bebo-bt5:~/mar2012$ unzip -l My_summer_photos_in_Egypt_2011.zip 
Archive: My_summer_photos_in_Egypt_2011.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
   360448  2012-03-14 11:18   My_summer_photos_in_Egypt_2011.exe
---------                     -------
   360448                     1 file

As noted above, each zip has an exe in it; .exe is the extension used for Windows programs. We can look at the files with a couple more tools before getting help with the analysis. Open 'er up with unzip and run file on what we get out:

bsk@bebo-bt5:~/mar2012$ unzip My_summer_photos_in_Egypt_2011.zip
bsk@bebo-bt5:~/mar2012$ file My_summer_photos_in_Egypt_2011.exe 
My_summer_photos_in_Egypt_2011.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Yep, file says it is a Windows program. That matches up with the exe name, and evidence is mounting that this is a Windows program they mailed me. Let's look at the strings in the executable for hints:

bsk@bebo-bt5:~/mar2012$ strings -n8 My_summer_photos_in_Egypt_2011.exe | grep http
bsk@bebo-bt5:~/mar2012$ strings -n8 My_summer_photos_in_Egypt_2011.exe | head -5 
xhP*yhQ>
o_a	rKY=2O
GetStdHandle
CreateEventA
LoadLibraryExA
bsk@bebo-bt5:~/mar2012$ strings -n8 My_summer_photos_in_Egypt_2011.exe | tail -5 
MSASN1.dll
MessageBoxA
USER32.dll
jhertauiklservnmiasads.dll
lxndertlopuytxca

strings looks for runs of printable characters in the file that are at least the specified length (8 here, from -n8). Although we didn't get any URLs (drat!), we definitely see some Windows API and DLL names, which supports file's finding that this is a Windows program.
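The file, unzip and strings steps above can be scripted so the same triage runs the same way on every attachment. This is an added example, not code from the original page: it re-implements the two checks with POSIX tools only (od, tr, grep, dd), so it also works on a box without binutils, and the sample file it builds is constructed test data shaped like a PE, not the mailed executable.

```shell
#!/bin/sh
# Added example, not from the original page: static triage of a mailed
# attachment with POSIX tools only (od, tr, grep, dd), mirroring the
# file(1) and strings(1) steps above so it also works without binutils.

# is_pe FILE -> 0 if FILE starts with the DOS "MZ" stub and has a "PE\0\0"
# signature at the little-endian offset stored at 0x3c (e_lfanew), which
# is essentially the check file(1) makes before reporting "PE32 executable".
is_pe() {
    f=$1
    magic=$(od -An -c -N 2 "$f" 2>/dev/null | tr -d ' ')
    [ "$magic" = "MZ" ] || return 1
    off=$(od -An -t u4 -j 60 -N 4 "$f" 2>/dev/null | tr -d ' ')
    [ -n "$off" ] || return 1
    sig=$(od -An -c -j "$off" -N 4 "$f" 2>/dev/null | tr -d ' ')
    [ "$sig" = 'PE\0\0' ]
}

# pe_strings FILE MINLEN -> printable runs of at least MINLEN characters,
# the same idea as strings -n MINLEN.
pe_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E "^.{$2,}$"
}

# url_count FILE -> how many of those strings mention http (0 is normal for
# a packed sample, as the page's grep showed; it is not proof of no network use)
url_count() {
    pe_strings "$1" 8 | grep -ci 'http' || true
}

# dll_names FILE -> DLL names visible in the strings, e.g. USER32.dll
dll_names() {
    pe_strings "$1" 8 | grep -i '\.dll$' || true
}

# make_sample OUT -> writes a constructed, non-runnable PE-shaped file: "MZ",
# e_lfanew = 0x40 at offset 0x3c, "PE\0\0" at 0x40, then a few strings like
# the ones the page found. Test data only, not the mailed sample.
make_sample() {
    {
        printf 'MZ'
        dd if=/dev/zero bs=1 count=58 2>/dev/null   # pad to offset 0x3c
        printf '\100\000\000\000'                     # e_lfanew = 0x40
        printf 'PE\000\000'
        printf 'junk\000GetStdHandle\000CreateEventA\000'
        printf 'USER32.dll\000MessageBoxA\000lxndertlopuytxca\000'
    } > "$1"
}
```

Source the file and call is_pe, url_count and dll_names on the extracted exe; a file whose name ends in .exe but fails is_pe is exactly the "easily fooled by extension" case file(1) is there to catch.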

... which is about all I can get out of this file without a lot more software and skills (debuggers, dynamic malware analysis) than I have handy. Enter Anubis...

Anubis: Analyzing Unknown Binaries

Anubis is "a service for analyzing malware. Submit your Windows executable and receive an analysis report telling you what it does. Alternatively, submit a suspicious URL and receive a report that shows you all the activities of the Internet Explorer process when visiting this URL."

I loaded one of the suspicious Windows executables we found into Anubis and went back to my homework for a bit. Anubis shows the following status and a nice animated progress bar (better if you let them run JavaScript):

Task Overview

Task ID: 195dcac886fea4bd4393f7775147c7179
File Name: My_summer_photos_in_Egypt_2011.exe
MD5: e196d5ad2f241998dfb1dafad6a4ebc6
Analysis Submitted: 2012-03-15 19:34:13
Analysis Started: 2012-03-15 19:34:13
Time Remaining: 7 minutes and 39 seconds (0 jobs in queue)

They auto-refresh you to the status page after your submission is processed, and the URL includes a cookie so that you can get back to it if you need to. After a few minutes the report is ready and we auto-refresh to the report summary, which offers the report in several friendly formats plus a packet capture. Very cool! The reports are an interesting read to be sure, detailing all of the activity the program attempted when executed, including its network communication (the packet capture).

Pcap in Wireshark

Another exe file?

Wrap-up