Didier Stevens

Friday 15 December 2006

My Virus lab part 1: downloading a malicious file

Filed under: Malware — Didier Stevens @ 7:55

While downloading a malware this evening, I realized I never blogged about my Virus lab.

How do I download a malicious file from an (infected) website without infecting my Windows box?

I use a hosted shell account on a FreeBSD system to download the file. There are not many viruses that will infect a FreeBSD system. Connecting to my shell account requires SSH, so how do I browse the Internet in a text-only shell? With Links! Links is like Lynx, a text-only browser I used in the early 1990s (I started on the Internet with Gopher, mailx and tin on a Unix box 😉 )

But when I have the exact URL of the file I want to download, I can use wget instead of Links.

Once I have the file on my shell account, I want to transfer it to my virus lab for analysis. To avoid infecting my Windows box or deletion of the file by my AV software when I transfer the file, I encrypt it first with Ncrypt (I chose Ncrypt because it ‘s one small executable that doesn’t require installation, it encrypts and decrypts and it compiles for Windows, Linux and FreeBSD).

BTW, I had a problem compiling Ncrypt on my FreeBSD account (error: elements of array `long_options’ have incomplete type). I solved this by including the line #include “getopt.h” in file ncrypt.c.


  1. hi didier,
    i’ve been curious about how some of the malware works (and it was going to do to my system) that was sent to me by means of spam so i’ve created a testing lab as well. i’m interested so read how you set up your testing environment; here’s what i’ve been using:
    i’m running vmware on my linux box and have multiple instances of windoze set up so that they can communicate & wreck havok on each other, but not reach the outside network nor the parent OS. then i can simply copy & paste a new instance of the OS when it’s been wrecked.
    what i haven’t found is a program that can monitor for all changes on the win OS and report what registry changes have been made, root kit installed, etc.. have you found anything of this sort?

    Comment by jim — Wednesday 27 December 2006 @ 15:15

  2. I will blog about this, but in a nutshell:
    – use Rootkitrevealer by Sysinternals (now MS) to detect rootkits
    – you can export the registry before installation and after, and then check for differences
    – a tool to automate this is regshot
    – afick allows you to detect changes to the filesystem
    – and then you have process monitor (also by Sysinternals)

    Comment by Didier Stevens — Thursday 28 December 2006 @ 13:41

  3. regshot & afick huh? cool i’ll have to check that out! thanks for the info! i’ll be checking back for your blog
    jim b

    Comment by jim — Thursday 4 January 2007 @ 21:36

  4. Thanks for the tip – afik and regshot sound extremely useful.

    Comment by Luke — Tuesday 23 January 2007 @ 16:02

  5. sysinternals’ procmon also monitors windoze activity very well

    yet another honeypot tool is honeynet

    hope this helps

    Comment by insecure — Tuesday 30 January 2007 @ 14:57

  6. Why exactly would you wan’t to install malware on your computer ?

    Comment by freebsd — Monday 26 November 2007 @ 20:44

  7. I don’t want to install malware on my computer.

    Comment by Didier Stevens — Wednesday 28 November 2007 @ 22:44

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.