Handling Malware Samples (Sun, Apr 10th), SANS Internet Storm Center, InfoCON: green (cached at April 10, 2016, 11:30 pm)

I often have to analyze malware samples on Windows machines. That is not always by choice; sometimes I have no other option.

But this can cause problems. First of all: most malware targets Windows. If I make a mistake handling samples on a Windows machine, I infect the machine by accident. Not good, even in a VM.

Second: many Windows machines have anti-virus, and it can interfere with the analysis.

Here are some of the precautions I take with malware samples (not only on Windows, but also on Linux and OS X):

I set the extension of the sample to .vir. So sample.exe becomes sample.exe.vir (I don't replace the original extension, I just append a new one). Since .vir is not associated with any application on Windows, I cannot launch it: if I double-click it or press return by mistake, the sample will not execute, and if I type its name by mistake on the command line (because of tab-completion), it will not execute either. Note that this only guards against accidental execution; a sample that is explicitly handed to a loader or script interpreter still runs, whatever its extension.

If I have control over the AV settings on the Windows machine, I add an exclusion rule for the extension .vir. This prevents the AV from scanning the sample, and thus from quarantining or deleting it in the middle of an analysis.

I contain the sample in a password-protected ZIP file. I use the old ZIP format (not ZIPX). The password I use is infected (BTW, if you know where this tradition comes from, post a comment), and I use the ZipCrypto encryption (not the newer AES). Putting the sample in a password-protected ZIP file helps me prevent interference from the anti-virus, especially when I have no control over the anti-virus settings. Confidentiality is not the goal here: the password is public and ZipCrypto is a weak cipher with known-plaintext attacks against it. The ZIP is a container that keeps the AV from seeing the sample and keeps the sample from being launched by accident.

Each sample gets its own ZIP file. I don't put 2 samples in the same ZIP file.

The reason I use the old ZIP format and the old ZipCrypto encryption is that this format (and this encryption method) is supported natively by Python: the standard zipfile module can read ZipCrypto-protected entries when given the password (it cannot read AES-encrypted entries, and it cannot write encrypted ZIPs at all). Many of my (malware) analysis tools written in Python support the analysis of samples stored in password-protected ZIP files, like a tool I have mentioned here several times: oledump.py. To start analyzing a malicious document file you can type oledump.py trojan.doc. But you can also store the sample trojan.doc in a password-protected ZIP file and analyze it with oledump directly: oledump.py trojan.doc.zip. This saves you the hassle of extracting the sample first.

My tools also support piping: taking the output of one tool and feeding it as input to the next tool. This saves you from having to write malware to disk. Like I showed in my previous diary entry, extracting a VBE script from a document and decoding it: oledump.py -s 15 -d trojan.doc.zip | vbe-decode.py.

Of course most tools (excluding mine) do not support password-protected ZIP files as input. That's one of the reasons I developed yet another tool :-) : zipdump.py. Take for example the strings command. If I want to look at the strings found in a sample contained in a password-protected ZIP file, I use zipdump to dump the content of the sample and pipe it into strings, like this: zipdump.py -s 1 -d sample.exe.zip | strings.

This can also work with some GUI applications, not only command-line tools. For example I can copy the hexdump of a trojan to the clipboard and then paste this in my favorite hex editor: zipdump.py -s 1 -x sample.exe.zip | clip. And then I use paste-from-hex in my hex editor. And now I can look at the EXE in my hex editor without having to extract it to disk.
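The following script is an added example, not part of the diary and not Didier Stevens' code. It ties together the ZIP handling described above (password infected, ZipCrypto, one sample per archive, .vir appended to the name) with the in-memory analysis the later paragraphs rely on: Python's zipfile reads ZipCrypto natively but cannot write it, so the script implements the ZipCrypto stream cipher itself to build the archive, then reads the sample back with nothing but the standard library and never writes it to disk. The entry name sample.exe.vir, the fake MZ stub used as a stand-in for a sample, the DOS date and the helper names are all constructed for the example.

```python
"""Wrap a sample in a ZipCrypto-protected ZIP and read it back in memory.

Added example (not Didier Stevens' code). zipfile can READ traditional
PKWARE (ZipCrypto) encryption but cannot WRITE it and rejects WinZip AES,
so the writer implements the cipher; the reader is plain zipfile, which
is what lets Python analysis tools open a protected ZIP directly.
"""
import io
import os
import struct
import zipfile
import zlib

PASSWORD = b"infected"   # conventional password for malware archives

# Constructed stand-in for a sample: an MZ header, the familiar DOS stub
# message and padding. It is not executable and not real malware.
FAKE_SAMPLE = (b"MZ" + bytes(62)
               + b"This program cannot be run in DOS mode.\r\n" + bytes(256))


def _crc32_byte(crc, byte):
    """One-byte CRC-32 step (reflected polynomial), as in the PKWARE appnote."""
    crc ^= byte
    for _ in range(8):
        crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
    return crc


class ZipCrypto:
    """Traditional PKWARE stream cipher: three 32-bit keys seeded from the
    password, advanced by every plaintext byte. Weak by design (known-
    plaintext attacks exist); used here for containment, not secrecy."""

    def __init__(self, pwd):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in pwd:
            self._update(b)

    def _update(self, b):
        k = self.k
        k[0] = _crc32_byte(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc32_byte(k[2], k[1] >> 24)

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)          # keys advance on the plaintext byte
        return bytes(out)


def wrap_sample(name, data, pwd=PASSWORD, dos_date=0x488A, dos_time=0):
    """Return a ZIP (bytes) holding exactly one deflated, ZipCrypto-protected
    entry. dos_date 0x488A is 2016-04-10; the timestamp is cosmetic."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw deflate, as ZIP stores it
    body = deflater.compress(data) + deflater.flush()
    # 12-byte encryption header: 11 random bytes, then the CRC's high byte,
    # which is the password check zipfile verifies before inflating anything.
    header = os.urandom(11) + bytes([crc >> 24])
    enc = ZipCrypto(pwd).encrypt(header + body)
    fname = name.encode("ascii")
    flags, method = 0x0001, zipfile.ZIP_DEFLATED            # bit 0 = encrypted
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dos_time,
                        dos_date, crc, len(enc), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          dos_time, dos_date, crc, len(enc), len(data),
                          len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(enc), 0)
    return local + enc + central + eocd


def entry_info(zip_bytes):
    """What the archive claims about its entry, read without any password:
    a quick check that a sample really is protected before it is shared."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        zi = infos[0]
        return {"entries": len(infos), "name": zi.filename,
                "encrypted": bool(zi.flag_bits & 0x1),
                "method": zi.compress_type, "size": zi.file_size}


def read_sample(zip_bytes, pwd=PASSWORD):
    """Decrypt and inflate the single entry using only the standard library.
    The sample exists only as a bytes object; nothing is written to disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        if len(names) != 1:
            raise ValueError("one sample per ZIP expected, found %d" % len(names))
        return names[0], zf.read(names[0], pwd=pwd)   # RuntimeError on a bad password


if __name__ == "__main__":
    import hashlib
    blob = wrap_sample("sample.exe.vir", FAKE_SAMPLE)
    print(entry_info(blob))
    name, data = read_sample(blob)
    print(name, len(data), hashlib.sha256(data).hexdigest())
    print(data[:2], data[64:105])
```

Two caveats worth knowing when relying on this in tooling: the single check byte in the encryption header means zipfile accepts a wrong password about once in 256 tries and only then fails on the CRC mismatch after inflating, and an AES-encrypted entry (WinZip method 99) is rejected outright by zipfile, which is exactly why the diary sticks to ZipCrypto.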

You can find my tools here.

Please post comments with your tips on how to handle malware samples on Windows machines.

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
3D Printers Create Sound-Wave Rings And A Wedding Dress, Slashdot, by EditorDavid (cached at April 10, 2016, 11:04 pm)

An anonymous reader writes: A Japanese company is using a 3D printer to generate unique rings shaped like the sound wave of each customer's voice. They generate the digital designs from three-second recordings that customers upload to their web site, and can print out the $300 rings in different colors and sizes, using either silver, gold, or 14K rose paint. 3Ders.org points out that another jeweler can now actually print a ring shaped like a customer's face, while a fashion designer in Sri Lanka teamed up with a 3D printing company for an even more romantic product: a wedding dress. "The ultimate result of this was a super excited bride that not only had an especially memorable day but walked down the aisle with the only dress of its kind in the country."

Read more of this story at Slashdot.

Microsoft and HackerRank Add a Live Code Editor Into Bing, Slashdot, by EditorDavid (cached at April 10, 2016, 10:05 pm)

An anonymous reader writes: Microsoft's Bing search engine now includes a live code editor, allowing programmers to edit and execute snippets of example code and see the results in real-time. HackerRank announced the new educational tool on their blog, calling it "a streamlined alternative" to Stack Overflow's sites and programming sites, and sharing a video of the new feature providing results for the search "quick sort Java". "In addition to learning how a certain algorithm/code is written in a given language, users will also be able to check how the same solution is constructed in a range of other programming languages too," says Bing's Group Engineering Manager for UX Features, "providing a Rosetta-stone model for programming languages."

Read more of this story at Slashdot.

Test-TempDir-Tiny-0.016, search.cpan.org, by David Golden (cached at April 10, 2016, 10:04 pm)

Temporary directories that stick around when tests fail
Path-Iterator-Rule-1.012, search.cpan.org, by David Golden (cached at April 10, 2016, 10:04 pm)

Iterative, recursive file finder
CPAN-Perl-Releases-2.62, search.cpan.org, by Chris Williams (cached at April 10, 2016, 10:04 pm)

Mapping Perl releases on CPAN to the location of the tarballs
App-RL-0.2.9, search.cpan.org, by Qiang Wang (cached at April 10, 2016, 10:04 pm)

operating chromosome runlist files
Mail-GnuPG-0.22, search.cpan.org, by David Bremner (cached at April 10, 2016, 10:04 pm)

Process email with GPG.
Acme-Unicodify-0.004, search.cpan.org, by Joel C. Maslak (cached at April 10, 2016, 10:04 pm)

Convert ASCII text into look-somewhat-alike unicode
FBI Cyber Warning: Ignore Your CEO's E-Mail And Phone Them Back -- Or Your Company M, SANS ISC SecNewsFeed (cached at April 10, 2016, 10:00 pm)

Reactive Followup, inessential.com (cached at April 10, 2016, 9:31 pm)

Junior B. posted a good follow-up to his post that I had replied to previously. See To React, Or Not To React.

Other followup…

On using other people’s code

Brian Gerstle asks:

@brentsimmons is it fair to say your only criticism of Reactive is that—in this case—its 3rd party code? If it was Apple, you'd use it?

I’m cautious with third-party code. I do use some: FMDB, for example, appears in every app I’ve started from scratch in the last decade or so.

I like FMDB because the code is available (which is an obvious must-have); it’s relatively small; it does one job — providing an Objective-C wrapper for SQLite — and does it well; and it’s used in just one small section of my apps and has no impact otherwise.

Another example: recently I looked at Fletcher Penney's MultiMarkdown parser, which I might use in an app I'm working on, and I like it for the same reasons I like FMDB.

I don’t have hard-and-fast rules about when to use other people’s code and when not to. But I’m most likely to say yes when the code is essentially a library that performs one conceptual function (database access, Markdown parsing, etc.).

I ask myself: what if something goes wrong and I can’t use Framework X anymore? Can I replace it somehow? Some amount of effort is fine, but rewriting and re-testing vast portions of the app is not acceptable.

I could write my own SQLite wrapper if I had to, and I could write my own Markdown parser. (Or find replacements written by other people.)

What if Apple made RxSwift?

Were Apple to provide reactive UIKit and AppKit and say, “Here’s how you make apps in the future,” I would expect that the tools would support this new style, and I’d expect it to play well with accessibility and AppleScript support and everything else. It would be well-integrated.

I’ve spent decades following Apple’s lead. People who don’t follow along end up in tight places — wishing for 64-bit Carbon, for instance.

That's not to say it always works out. Garbage collection, for example, was a dead-end (but with ARC it had a great replacement).

But, yes, I’d follow Apple’s lead into the reactive future in that case.

Not my only criticism

I wouldn’t be that happy about following Apple’s lead into the reactive future — if, that is, their implementation looked much like current versions.

So, no, not-being-Apple-code is not my only criticism. Another of my criticisms is that it’s difficult to read.

I’ve had a number of conversations with other developers on the subject, over many months, and almost every single developer that I talked to uses strong and inflammatory language about its unreadability.

If you’re a fan of this style, you might think that developers shouldn’t feel this way. My point is that, like it or not, they do.

You might not remember what it was like to look at this code before you understood it. Or you might be the kind of person who naturally takes to this particular style, and maybe it never seemed alien to you at all. Totally fine, of course, but remember that you’re not typical.

The revolution

I agree strongly with reactive proponents who say that the current standard ways of writing apps are broken. Too much state, for sure, and not enough ways to specify flow.

The less state we have to manage, and the more declarative code we can write, the better. I’m totally on board.

But if the revolution is about using this specific set of APIs, then I’m not on board.

My hope is that we’re using this specific set of APIs as a stepping-stone on the path to something better, something that appeals to a broader set of developers.

In the meantime, you could insist that there’s no readability issue, but I think that if you do then you’re potentially holding back the larger goal.

You could say, instead, “Yes, I know it sometimes looks like Perl in a blender. But we’re making the future here, and it doesn’t always start out pretty and it certainly doesn’t start out universally liked. This is step one. This is how we get from here to there.”

If so, then you’re taking one for the team, and I’m not — and I thank you.

PS Attribution note: the Perl-in-a-blender bit comes from Martin Pilkington:

I’ve yet to see reactive code that didn’t look like Perl shoved in a blender, even though I like the idea in theory

PPS I may not have this story entirely right, but it went something like this: Picasso invents Cubism, and people think it’s ugly. Because it is. Then Braque, or Derain, or both (I forget) come along and do a prettier version. Picasso remarks that it takes a genius to do the first ugly version, and the people who make it nice don’t have to be geniuses.

(Or maybe it was Stravinsky, and it was some musical thing. Whatever. I like the honesty about the first genius version being ugly.)