How to find malware in installation files?

Discussion in 'other anti-malware software' started by MrKingston, Sep 18, 2010.

Thread Status:
Not open for further replies.
  1. MrKingston

    MrKingston Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    11
    How do I find malware in large installation files?

    Lets say I have a 300MB installation file which I know has a rootkit hidden in the installation somewhere. Lets also assume the rootkit is obfuscated and no anti-malware scanner is detecting it.

    Would I have to install the application in vmware and use some kind of cloud scanner to find it?
     
    MrKingston, Sep 18, 2010
    #1
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I use Prevx in my virtual machines for this purpose.
     
    MrBrian, Sep 18, 2010
    #2
  3. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Install into a VM then use the below search utility to find all created files in last 5, 10 or 20 minutes.

    *.* will find all files or if you want specific files then just use .exe, .sys or .dll etc.

    Nirsoft Search My Files

    If you find a suspected undetected rootkit you could grab and upload the sample to kernelmode and ask if one of the experts over there can take a look at it.
     
    Franklin, Sep 18, 2010
    #3
  4. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    would some rootkits be able to recognize the virtualized environment and remain stealth?
     
    acr1965, Sep 19, 2010
    #4
  5. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    There are a lot of installers that you can use something like 7-Zip and open as archive.
     
    stackz, Sep 19, 2010
    #5
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Yes, they could. But if you already have doubts of this kind on a installer then I would stay miles away from it anyway. :)
     
    fax, Sep 19, 2010
    #6
  7. pajenn

    pajenn Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    930
    You could try to install the program into an empty Sandbox by running the installer using Sanboxie (it's a tiny program with a very free version available). If the installation is successful, scan the Sandbox with your preferred AV. Even if the installation fails partially, in the sense that the program won't run inside the Sandbox, it may still be possible to scan the files for viruses. I think there are specialized add-on programs available for Sandboxie to analyze installations, but they take some effort to learn.

    You can also try Universal Extractor (free program) to try to extract the installer and then scan the files.

    Installing the program inside a virtual machine is the best way, but VMs take a lot of space.
     
    pajenn, Sep 19, 2010
    #7
  8. guest

    guest Guest

    300MB is to much but with little installers you can try this:
    http://camas.comodo.com/
    http://www.sunbeltsecurity.com/sandbox/
    http://www.joebox.org/ (very detailed)
    http://anubis.iseclab.org/index.php (very detailed)
     
    guest, Sep 19, 2010
    #8
  9. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    I usually extract installers with Universal Extractor or run them in a sandbox and grab/check the contents from there.
     
    Espresso, Sep 19, 2010
    #9
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...