How to find malware in installation files?

Discussion in 'other anti-malware software' started by MrKingston, Sep 18, 2010.

Thread Status:
Not open for further replies.
  1. MrKingston

    MrKingston Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    11
    How do I find malware in large installation files?

    Let's say I have a 300MB installation file which I know has a rootkit hidden in the installation somewhere. Let's also assume the rootkit is obfuscated and no anti-malware scanner is detecting it.

    Would I have to install the application in vmware and use some kind of cloud scanner to find it?
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I use Prevx in my virtual machines for this purpose.
     
  3. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Install into a VM, then use the below search utility to find all created files in the last 5, 10 or 20 minutes.

    *.* will find all files, or if you want specific files then just use .exe, .sys or .dll etc.

    Nirsoft Search My Files

    If you find a suspected undetected rootkit you could grab and upload the sample to kernelmode and ask if one of the experts over there can take a look at it.
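The post above relies on a GUI search tool to list files created in the last few minutes. As an added example (not Franklin's code and not the Nirsoft utility), the script below does the same job from inside the VM: it walks a directory tree, keeps files whose timestamp falls inside the window, optionally restricts them to the extensions named in the post, and records a SHA-256 for each so the suspects can be submitted for analysis. The `INTERESTING` extension set and the `timestamp` selector are assumptions chosen for this example.

```python
"""Added example: list files created or modified in the last N minutes,
hash them, and filter to the extensions that matter for a rootkit hunt.
Stand-in for the search utility mentioned in the post; not that tool's code."""
import hashlib
import os
import time

# Starting list of extensions worth a second look after an install (assumption).
INTERESTING = {".exe", ".dll", ".sys", ".drv", ".ocx", ".scr"}


def sha256_of(path, chunk=1 << 20):
    """Streaming SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def file_timestamp(st):
    """Best available 'creation' time for a stat result.

    Windows exposes creation time as st_ctime and macOS/BSD as st_birthtime;
    on Linux st_ctime is the inode change time, so fall back to mtime there.
    """
    if hasattr(st, "st_birthtime"):
        return st.st_birthtime
    if os.name == "nt":
        return st.st_ctime
    return st.st_mtime


def recent_files(root, minutes, exts=None, now=None, timestamp=file_timestamp):
    """Return [(path, age_seconds, sha256)] for files whose timestamp falls
    within the last `minutes`, optionally restricted to the `exts` set.
    `timestamp` lets the caller pick which stat field counts as 'created'."""
    now = time.time() if now is None else now
    cutoff = now - minutes * 60
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished or access denied; keep walking
            ts = timestamp(st)
            if ts < cutoff:
                continue
            ext = os.path.splitext(name)[1].lower()
            if exts is not None and ext not in exts:
                continue
            hits.append((path, now - ts, sha256_of(path)))
    hits.sort(key=lambda h: h[1])  # newest first
    return hits


if __name__ == "__main__":
    # Typical use right after the installer finishes inside the VM.
    for path, age, digest in recent_files(r"C:\\" if os.name == "nt" else "/", 20, INTERESTING):
        print(f"{int(age):>6}s  {digest}  {path}")
```

Run it as Administrator inside the VM so that driver directories are readable; the timestamps it trusts are the guest's, so a rootkit that tampers with file times after install will not show up here, which is why the hashes are worth keeping for comparison against a clean baseline.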
     
  4. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Would some rootkits be able to recognize the virtualized environment and remain stealthy?
     
  5. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    There are a lot of installers that you can open as an archive with something like 7-Zip.
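Opening an installer as an archive lets you look at its contents before anything runs. As an added example (not stackz's code and not part of 7-Zip), the script below does that for zip-based installers using only the standard library: it lists every member, hashes it without extracting to disk, and flags the ones to scan first: kernel drivers, anything carrying a PE `MZ` header regardless of its name, and nested archives that need the same treatment. The extension sets and flag names are assumptions chosen for this example; for formats zipfile cannot read, the same classification applies to the member list 7-Zip produces.

```python
"""Added example: inspect an installer that is really a zip archive, list its
members without extracting, and rank the ones worth scanning first.
Not the poster's code and not 7-Zip; standard-library zipfile only."""
import hashlib
import os
import zipfile

# Assumed starting lists; extend for the installer family you are looking at.
SUSPECT_EXTS = {".exe", ".dll", ".sys", ".drv", ".ocx", ".scr", ".cpl"}
NESTED_EXTS = {".zip", ".cab", ".7z", ".msi", ".rar"}


def classify_member(name, head):
    """Reasons a member deserves attention; empty list means nothing obvious."""
    reasons = []
    ext = os.path.splitext(name)[1].lower()
    if head[:2] == b"MZ":
        # PE header: a Windows executable or driver whatever the file is called
        reasons.append("pe-image")
        if ext not in SUSPECT_EXTS:
            reasons.append("pe-with-misleading-extension")
    elif ext in SUSPECT_EXTS:
        reasons.append("executable-extension")
    if ext in NESTED_EXTS:
        reasons.append("nested-archive")  # extract and inspect this one too
    if ext == ".sys":
        reasons.append("kernel-driver")
    return reasons


def inspect_archive(path):
    """Return {member: {"size", "sha256", "flags"}} for every regular file in
    the archive. Members are streamed, so a 300MB installer is fine."""
    report = {}
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            h = hashlib.sha256()
            head = b""
            with zf.open(info) as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    if not head:
                        head = chunk[:2]  # only the first bytes decide the magic
                    h.update(chunk)
            report[info.filename] = {
                "size": info.file_size,
                "sha256": h.hexdigest(),
                "flags": classify_member(info.filename, head),
            }
    return report


def priority_list(report):
    """Flagged members, kernel drivers first, then disguised PE images."""
    def rank(item):
        flags = item[1]["flags"]
        return (0 if "kernel-driver" in flags else 1,
                0 if "pe-with-misleading-extension" in flags else 1,
                item[0])
    return [name for name, meta in sorted(report.items(), key=rank) if meta["flags"]]


if __name__ == "__main__":
    import sys
    rep = inspect_archive(sys.argv[1])
    for name in priority_list(rep):
        print(f"{rep[name]['sha256']}  {name}  {','.join(rep[name]['flags'])}")
```

Nothing here executes the installer, so it is safe to run on the host, but the archive view only shows what the packer stored; a payload that is downloaded or generated at runtime will only appear in the post-install file listing from the VM.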
     
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,729
    Location:
    localhost
    Yes, they could. But if you already have doubts of this kind on an installer then I would stay miles away from it anyway. :)
     
  7. pajenn

    pajenn Registered Member

    Joined:
    Oct 26, 2009
    Posts:
    930
    You could try to install the program into an empty Sandbox by running the installer using Sandboxie (it's a tiny program with a very free version available). If the installation is successful, scan the Sandbox with your preferred AV. Even if the installation fails partially, in the sense that the program won't run inside the Sandbox, it may still be possible to scan the files for viruses. I think there are specialized add-on programs available for Sandboxie to analyze installations, but they take some effort to learn.

    You can also try Universal Extractor (free program) to try to extract the installer and then scan the files.

    Installing the program inside a virtual machine is the best way, but VMs take a lot of space.
     
  8. lordraiden

    lordraiden Registered Member

    Joined:
    Jan 30, 2006
    Posts:
    3,075
    300MB is too much, but with little installers you can try this:
    http://camas.comodo.com/
    http://www.sunbeltsecurity.com/sandbox/
    http://www.joebox.org/ (very detailed)
    http://anubis.iseclab.org/index.php (very detailed)
     
  9. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    I usually extract installers with Universal Extractor or run them in a sandbox and grab/check the contents from there.
     