Handling Malware Samples

Published: 2016-04-10. Last Updated: 2016-04-10 21:11:48 UTC
by Didier Stevens (Version: 1)
2 comment(s)

I often have to analyze malware samples on Windows machines. That is not always by choice. Sometimes I have no other option.

But this can cause problems. First of all: most malware targets Windows. If I make a mistake handling samples on a Windows machine, I infect the machine by accident. Not good, even in a VM.

Second: many Windows machines have anti-virus, and it can interfere with the analysis.

Here are some of the precautions I take with malware samples (not only on Windows, also on Linux and OSX):

I set the extension of the sample to .vir. So sample.exe becomes sample.exe.vir (I don't replace the original extension, I just append a new extension). Since .vir is not associated with any application on Windows, I cannot launch it. If I double-click or press return by mistake, it will not execute the sample. If I type the name by mistake (because of tab-completion) on the command line, it will not execute.

If I have control over the AV settings on the Windows machine, I will add an exclusion rule for the extension .vir. This will prevent the AV from scanning the sample.

I contain the sample in a password-protected ZIP file. I use the "old" ZIP format (not ZIPX). The password I use is infected (BTW, if you know where this tradition comes from, post a comment), and I use the ZipCrypto encryption (not the newer AES). Putting the sample in a password-protected ZIP file helps me prevent interference from the anti-virus, especially when I have no control over the anti-virus settings.

Each sample gets its own ZIP file. I don't put 2 samples in the same ZIP file.

The reason why I use the "old" ZIP format and the "old" ZipCrypto encryption is that this format (and encryption method) is supported natively by Python. Many of my (malware) analysis tools written in Python support the analysis of samples stored in password-protected ZIP files. Like a tool I mentioned here several times: oledump.py. To start analyzing a malicious document file you can type "oledump.py trojan.doc". But you can also store the sample trojan.doc in a password-protected ZIP file and analyze it with oledump directly: "oledump.py trojan.doc.zip". This saves you from the hassle of extracting the sample first.

My tools also support piping: taking the output of one tool and feeding it as input to the next tool. This saves you from having to write malware to disk. Like I showed in my previous diary entry: extracting a VBE script from a document and decoding it with "oledump.py -s 15 -d trojan.doc.zip | vbe-decode.py".

Of course most tools (excluding mine) do not support password-protected ZIP files as input. That's one of the reasons I developed yet another tool :-) zipdump.py. Take for example the strings command. If I want to look at the strings found in a sample contained in a password-protected ZIP file, I use zipdump to dump the content of the sample and pipe it into strings, like this: "zipdump.py -s 1 -d sample.exe.zip | strings".

This can also work with some GUI applications, not only command-line tools. For example, I can copy the hexdump of a trojan to the clipboard and then paste it in my favorite hex editor: "zipdump.py -s 1 -x sample.exe.zip | clip". Then I use paste-from-hex in my hex editor. Now I can look at the EXE in my hex editor without having to extract it to disk.
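The pattern the tools above rely on (reading one sample straight out of a ZipCrypto container protected with the password infected, with no write to disk) looks like this in plain Python. This is an added example, not code from oledump.py or zipdump.py; the function names, the single-member check and the AES rejection are my own, and the demo container is constructed in memory and left unencrypted because the standard library can read ZipCrypto but cannot write it.

```python
import io
import zipfile

DEFAULT_PASSWORD = b"infected"   # the password convention from the diary
WINZIP_AES_METHOD = 99           # compression id of WinZip AES (ZIPX) entries


def container_info(path_or_file):
    """Return (first member name, member count, ZipCrypto-encrypted?, AES?).
    Checks a container really is password-protected before it reaches a machine
    whose AV you do not control: an unencrypted ZIP gets scanned like any file."""
    with zipfile.ZipFile(path_or_file) as zf:
        members = zf.infolist()
        if not members:
            return None, 0, False, False
        info = members[0]
        encrypted = bool(info.flag_bits & 0x1)        # general-purpose bit 0
        return info.filename, len(members), encrypted, info.compress_type == WINZIP_AES_METHOD


def read_sample(path_or_file, pwd=DEFAULT_PASSWORD):
    """Return a sample's raw bytes, unpacking it from its ZIP container if needed.
    One sample per ZIP and ZipCrypto only: the stdlib cannot read AES, so that case
    fails with a clear message instead of "Bad password"/NotImplementedError."""
    if not zipfile.is_zipfile(path_or_file):
        # Not a container: read the file as-is (e.g. sample.exe.vir).
        if hasattr(path_or_file, "read"):
            path_or_file.seek(0)
            return path_or_file.read()
        with open(path_or_file, "rb") as f:
            return f.read()
    name, count, _, aes = container_info(path_or_file)
    if count != 1:
        raise ValueError(f"expected exactly one sample in the ZIP, found {count}")
    if aes:
        raise ValueError(f"{name}: AES-encrypted (ZIPX) container; repack with ZipCrypto")
    with zipfile.ZipFile(path_or_file) as zf:
        with zf.open(name, pwd=pwd) as member:   # pwd is ignored for unencrypted entries
            return member.read()


def build_demo_container(members=1):
    """Constructed demo input: a ZIP with one fake, harmless 'sample' per member.
    zipfile reads ZipCrypto but cannot write it, so this demo ZIP is unencrypted;
    a real "infected"-protected ZIP is read the same way through pwd."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(members):
            zf.writestr(f"sample{i}.exe.vir", b"MZ\x90\x00constructed, not a real PE")
    buf.seek(0)
    return buf
```

The bytes returned by read_sample can be handed to any in-process parser or piped onward, which is exactly what keeps the unpacked sample off the disk and out of the AV's path.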

You can find my tools here.

Please post comments with your tips on how to handle malware samples on Windows machines.

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.

Keywords: malware samples

Comments

"Not good, even in a VM".

I would like to know: what are your concerns for running a dynamic analysis of a sample in a VM?
If static analysis only gets me so far and I wish to "see the malware in action" - what precautions should I take before running it in a VM?
I was thinking of the following example: the sample connects to a C&C server but you don't want the criminals to know you're looking at the sample.
In that case you can block your VM from accessing the Internet, as a precaution.
