Fake CNN alerts galore!
I seize the opportunity to publish a new video (warning: 8 minutes of command-line staring) (hires XviD version here) showing you how to use my tools to retrieve malware samples hosted on a website. If you just visit an infected website with Internet Explorer, you run the risk of infecting your machine. The safe way to retrieve samples is to work in a low-risk environment (e.g. non-root account on a Linux VM) and use tools that are unlikely to be the target of exploits hosted on said website.
The following tools are featured in the video:
- wget -U ‘Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)’
- extractscripts.py
- a modified SpiderMonkey
- pecheck.py (just some glue for pefile)
- Virustotal
The file numbering trick (01., 02., 03., …) allows me to document exactly how I obtained the sample.
Since I recorded the video, the malware seems to have been removed from the site. But be careful, it’s not uncommon that compromised websites get reinfected.
Didier Stevens 
Thank you for such a fascinating tour of what you do, and how to do it safely. I must admit that I don’t use Linux much but you’ve certainly stimulated me into investigating.
I have used wget.exe to download .html files then I’ve opened them into Notepad (or Notepad++). I’ve resorted to putting in the line breaks etc. manually and eventually come across the file name of the malicious executable(s) within the JavaScript. Your way is much more elegant!
I’ll be on the lookout for malicious sites and investigate further. I get a number of spam e-mails from banking sites (which I see via my webmail) so I think that one of these will be the topic for my investigation.
Comment by Dave — Monday 11 August 2008 @ 16:42
Thanks for the video! It’s always nice to see how other professionals conduct their work for a self check.
I’ve been conducting analysis with basically the same methodology as you show here and it works great. What I wasn’t doing was automating stuff with the use of extractscripts and your modified spidermonkey. You can bet that I will be now though! Much nicer than writing a Perl or ruby script to deobfuscate the JavaScript. 😉
One added step I like to do is use the sandbox at Sunbelt Software to see what file/registry/network activity an executable causes. Helps when manually verifying if a system is truly infected or not. [http://research.sunbelt-software.com/Submit.aspx]
Keep up the great posts!
Comment by randy — Tuesday 12 August 2008 @ 13:38
[…] Pocket Virus Lab Filed under: Hardware, Malware, nslu2 — Didier Stevens @ 18:57 Slugs are versatile little machines. I installed Slugos on my NSLU2, followed by the tools I used in my sampling video. […]
Pingback by Pocket Virus Lab « Didier Stevens — Thursday 4 September 2008 @ 18:57
[…] Sampling a Malicious Site « Didi&…a nice little video showing the extraction of malware from a malicious site… […]
Pingback by suggested reading | VistaSpyware.com — Saturday 20 September 2008 @ 1:44