With most of my tools, I try to support input via STDIN.
It’s also possible to provide JavaScript scripts for parsing to SpiderMonkey via STDIN. You can pass filename – to js for processing STDIN input:
I often store malware in password protected ZIP files, these files can be analyzed too provided you use zipdump.py:
And with option -e, it’s also possible to change output type via the command line:
I sometimes retrieve malware over Tor, just as a simple trick to use another IP address than my own. I don’t do anything particular to be anonymous, just use Tor in its default configuration.
On Linux, its easy: I install tor and torsocks packages, then start tor, and use wget or curl with torsocks, like this:
torsocks wget URL torsocks curl URL
On Windows, its a bit more difficult, because the torsocks trick doesn’t work.
I run Tor (Windows Expert Bundle) without any configuration:
This will give me a Socks listener, that curl can use:
curl --socks5-hostname 127.0.0.1:9050 http://www.didierstevens.com
option –socks5-hostname makes curl use the Socks listener provided by Tor to make connections and perform DNS requests (option –socks5 does not use the Socks listener for DNS request, just for connections).
wget has no option to use a Socks listener, but it can use an HTTP(S) proxy.
Privoxy is a filtering proxy that I can use to help wget to talk to Tor like this.
I make 2 changes to Privoxy’s configuration config.txt:
1) I change line 811 from “toggle 1” to “toggle 0” to configure Privoxy as a normal proxy, without filtering.
2) I add this line 1363: “forward-socks5t / 127.0.0.1:9050 .”, this makes Privoxy use Tor.
Then I launch Privoxy:
And then I can use wget like this:
wget -e use_proxy=yes -e http_proxy=127.0.0.1:8118 -e https_proxy=127.0.0.1:8118 URL
Port 8118 is Privoxy’s port. If you want, you can also put these options in a configuration file.
Often, my wget command will be a bit more complex (I’ll explain this in another blog post, but it’s based on this ISC diary entry):
wget -d -o 01.log -U "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" -e use_proxy=yes -e http_proxy=127.0.0.1:8118 -e https_proxy=127.0.0.1:8118 --no-check-certificate URL
I can also use Tor browser in stead of Tor, but then I need to connect to port 9150.
@futex90 shared a sample with me detected by many anti-virus programs on VirusTotal but, according to oledump.py, without VBA macros:
I’ve seen this once before: this is a malicious document that has been cleaned by an anti-virus program. The macros have been disabled by orphaning the streams containing macros, just like when a file is deleted from a filesystem, it’s the index that is deleted but not the content. FYI: olevba will find macros.
Using the raw option, it’s possible to extract the macros:
I was able to find back the original malicious document: f52ea8f238e57e49bfae304bd656ad98 (this sample was analyzed by Talos).
The anti-virus that cleaned this file, just changed 13 bytes in total to orphan the macro streams and change the storage names:
This can be clearly seen using oledir:
This is how I deploy and configure ClamAV on Windows:
I download the portable Windows x64 version in a ZIP file (clamav-0.99.2-x64.zip).
I extract the content of this ZIP file to folder c:\portable\, this will create a subfolder ClamAV-x64 containing ClamAV.
Then I copy the 2 samples for the config files:
copy c:\portable\ClamAV-x64\conf_examples\clamd.conf.sample c:\portable\ClamAV-x64\clamd.conf
copy c:\portable\ClamAV-x64\conf_examples\freshclam.conf.sample c:\portable\ClamAV-x64\freshclam.conf
I create a database folder (to contain the signature files):
mkdir c:\portable\ClamAV-x64\database
I edit file c:\portable\ClamAV-x64\freshclam.conf:
Line 8: #example
Line 13: DatabaseDirectory c:\portable\ClamAV-x64\database
Now I can run freshclam.exe to download the latest signatures:
Then I edit file c:\portable\ClamAV-x64\clamd.conf:
Line 8: #example
Line 74: DatabaseDirectory c:\portable\ClamAV-x64\database
And now I can run clamscan.exe to scan a sample:
I was asked if malware authors can abuse autorun.inf files in .ISO files: no, nothing will execute automatically when you open an .ISO file with autorun.inf file in Windows 8 or 10.
I have videos to illustrate this:
You probably know that I like to pipe commands together when I analyze malware …
Are you familiar with Windows’ clip command? It’s a very simple command that I use often: it reads input from stdin and copies it to the Windows clipboard.
Here is an example where I use it to copy all the VBA code of a malicious Word document to the clipboard, so that I can paste it into a text editor without having to write it to disk.
An .iso file downloaded from the Internet (thus with a Zone.Identifier ADS) opened in Windows 10 will not propagate this “mark-of-the-web” to the contained files.
Here is an example with file demo.iso, marked as downloaded from the Internet:
When this file is opened (double-clicked), it is mounted as a drive (E: in this example), and we see the content (a Word document: demo.docx):
This file is not marked as downloaded from the Internet:
Word does not open it in Protected View:
Searching through VirusTotal Intelligence, I found a couple of .iso files (CD & DVD images) containing a malicious EXE spammed via email like this one. Here is the attached .iso file (from May 25th 2017) on VirusTotal, with name “REQUEST FOR QUOTATION,DOC.iso”.
Recent versions of Windows will open ISO files like a folder, and give you access to the contained files.
I found Python library isoparser to help me analyze .iso files.
Here is how I use it interactively to look into the ISO file. I create an iso object from an .iso file, and then I list the children of the root object:
The root folder contains one file: DIALOG42.EXE.
Looking into the content of file DIALOG42.EXE, I see the header is MZ (very likely a PE file):
And I can also retrieve all the content to calculate the MD5 hash:
This is a quick & dirty Python script to dump the first file in an ISO image to stdout:
import isoparser
import sys
import os
oIsoparser = isoparser.parse(sys.argv[1])
if sys.platform == 'win32':
import msvcrt
msvcrt.setmode(sys.stdout.fileno(), os.O_BINARY)
sys.stdout.write(oIsoparser.root.children[0].content)
This allows me to pipe the content into other programs, like pecheck.py:
Here is a great tip from @PintAndClick: you can pipe the output of sigtool –find-sigs into sigtool –decode-sigs to get a nice breakdown of the signatures:
My previous blog post “Analyzing ClamAV Signatures” is incorrect. Here is a better explanation.
I wrongly assumed that the signature printed in the debug statement would be the actual signature in the ClamAV database. That is not always the case.
So here is a better method.
First I update the signatures (yup, that’s ClamAV on Windows):
This is a standard scan:
The signature is Win.Trojan.Mimikatz-6331391-0.
Then I do a search with sigtool in the database, providing a regular expression (Mimikatz-6331391) to match signature names (this matching process is case sensitive):
And this signature is more interesting. This is an extended signature. It is composed of several fields (: is the separator). Here I have each field on a separate line:
Field 1 is the name of the signature.
Field 2 is the type of file to scan: 1 is for PE files
Field 3 is the part of the file to scan: SE1 is the second section of the PE file.
Field 4 is the hex signature: the sequence of bytes to search for in the section, expressed as hexadecimal data. {-10} is a wildcard for 0 to 10 arbitrary bytes.
Field 5 is the minimum version of the ClamAV engine that supports this type of signature.
The bytes represent strings (UNICODE and ASCII):
This signature does not trigger on the genuine mimikatz binaries:
