Didier Stevens

There was another virus run today, it inspired me to make a Season’s Greetings video.

The movie is hosted here on YouTube, and you can find a hires version (XviD) here.

XORSearch is a new tool.

Happy New Year!

While downloading a malware this evening, I realized I never blogged about my Virus lab.

How do I download a malicious file from an (infected) website without infecting my Windows box?

I use a hosted shell account on a FreeBSD system to download the file. There are not many viruses that will infect a FreeBSD system. Connecting to my shell account requires SSH, so how do I browse the Internet in a text-only shell? With Links! Links is like Lynx, a text-only browser I used in the early 1990s (I started on the Internet with Gopher, mailx and tin on a Unix box 😉 )

But when I have the exact URL of the file I want to download, I can use wget instead of Links.

Once I have the file on my shell account, I want to transfer it to my virus lab for analysis. To avoid infecting my Windows box or deletion of the file by my AV software when I transfer the file, I encrypt it first with Ncrypt (I chose Ncrypt because it ‘s one small executable that doesn’t require installation, it encrypts and decrypts and it compiles for Windows, Linux and FreeBSD).

BTW, I had a problem compiling Ncrypt on my FreeBSD account (error: elements of array `long_options’ have incomplete type). I solved this by including the line #include “getopt.h” in file ncrypt.c.

Some anti-virus software has a feature to customize the alert message when a virus is detected. The administrator can use this feature to instruct the user to contact the help-desk.

But most of the time, you cannot customize the message to the extend that it changes according to the type of alert. For example, an alert in the Temporary Internet Files folder is generated when a user browses a malicious website with IE. You want the custom message to tell him to “get the hell out of there”, in a politically correct way.

I wrote a quick C# PoC program that monitors the event log for virus alerts and displays customized messages for the user. Monitoring the event log is really easy with .NET:

   EventLog myLog = new EventLog("Application");
   myLog.EntryWritten += new EntryWrittenEventHandler(OnEventAdded);
   myLog.EnableRaisingEvents = true;

The OnEventAdded function will be called each time an event is added to the Application event log.

   private void OnEventAdded(object source, EntryWrittenEventArgs e)
   {
      if (e.Entry.Source == "Alert Manager Event Interface")
      {
         Regex regexVirus = new Regex(@"VirusScan Enterprise\: The file (.+) is infected with the (.+)\. ");
         Match matchVirus = regexVirus.Match(e.Entry.Message);

         if (matchVirus.Success)
         {
            String fileName = matchVirus.Groups[1].Value;
            String virusName = matchVirus.Groups[2].Value.Substring(0, matchVirus.Groups[2].Value.IndexOf(". "));
            // the rest of the code comes here
         }
      }
   }

I test if the source is “Alert Manager Event Interface” (this is the case when you use McAfee VirusScan Enterprise), and then I parse the event message with regular expression to extract relevant data.

Example of a customized alert:

Example of a customized alert for IE:

PoC source code available here.