mzreveal shows disguised executables

Discussion in 'other anti-malware software' started by flatfly, Nov 4, 2014.

  1. flatfly

    flatfly Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    66
    I thought this little tool was unique enough to share it here: MZreveal

    It will show any files that are x32/x64 executables but don't have the usual .exe or .dll extension. I bet you'll be surprised at what it turns up. This is why you should NEVER exclude any filetypes from your malware scans.

    Untitled.png
     
    Last edited: Nov 9, 2014
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Thanx, could be very useful! I'm wondering if malware might be able to make use of this type of disguising to evade normal .EXE etc. detection?
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,053
    I ran it and had no hidden executables.
     
  4. flatfly

    flatfly Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    66
    Actually, this would be very unusual. It should at least detect some TLB files in the system32 directory.

    I think the explanation for your results is that the search starts from the current working directory. If this happens to be your desktop folder, it probably won't find much. What you could try is to first open a CMD window, cd to c:\Windows or c:\ and then launch MZreveal. And it can even run as a limited user account!

    Note: I'm not the developer of this tool but one of the early testers.
     
    Last edited: Nov 5, 2014
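    The check MZreveal performs, as described in the first post (a file that carries a PE image but not a .exe or .dll extension), can be reproduced with a short script. The example below is added here and is not MZreveal's code or anything from the thread; it walks a directory tree, reads the DOS header, follows e_lfanew to the PE signature and reads the COFF machine field to tell x86 from x64. The allow-list of extensions and the constructed sample headers are assumptions for illustration; the sample bytes are not loadable executables, they only carry the header layout the scanner looks for.

```python
import os
import struct
import tempfile

# Extensions under which a PE image is expected (the thread's own criterion:
# anything else with an MZ header is reported). Assumption for this example.
EXPECTED_PE_EXTENSIONS = {".exe", ".dll"}

# COFF machine values for 32-bit and 64-bit x86 images.
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64"}

# How much of each file to read; e_lfanew is practically never beyond this.
HEADER_READ_SIZE = 64 * 1024


def pe_machine(data: bytes):
    """Return 'x86', 'x64' or 'machine=0x....' if data starts a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINE_NAMES.get(machine, f"machine=0x{machine:04x}")


def classify_file(name: str, data: bytes):
    """Return a list of findings for one file name plus its leading bytes."""
    ext = os.path.splitext(name)[1].lower()
    findings = []
    arch = pe_machine(data)
    if arch is not None and ext not in EXPECTED_PE_EXTENSIONS:
        findings.append(f"{arch} PE image with extension '{ext or '(none)'}'")
    return findings


def scan_directory(root: str):
    """Walk root and map each suspicious path to its findings."""
    results = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEADER_READ_SIZE)
            except OSError:
                continue  # unreadable (permissions, in use): skip, do not crash
            findings = classify_file(fn, head)
            if findings:
                results[path] = findings
    return results


def make_fake_pe(machine: int) -> bytes:
    """Constructed sample bytes with a valid MZ/PE header layout; not a real program."""
    e_lfanew = 0x80
    header = bytearray(e_lfanew + 24)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    header[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", header, e_lfanew + 4, machine)
    return bytes(header)


def main():
    # Build a throwaway directory with constructed samples and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "normal.exe": make_fake_pe(0x14C),    # expected extension, not reported
            "disguised.tmp": make_fake_pe(0x8664),  # PE image hiding as .tmp
            "readme.txt": b"just text\n",           # not a PE image
        }
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        for path, findings in scan_directory(tmp).items():
            print(path, "->", "; ".join(findings))


if __name__ == "__main__":
    main()
```

    Run it from the directory you want to inspect, or pass a root such as C:\Windows to scan_directory; as flatfly notes, a scan rooted at the desktop will find little.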
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ flatfly

    Yeah, I discovered that once I ran it in my drive c:\ it found lots of files, some with extensions I had never heard of!

    It would be useful if a simple .TXT log file could be auto-saved after the scan. Could you pass this suggestion to the coder please?
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  7. flatfly

    flatfly Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    66
    @CloneRanger: I've passed on your suggestion :)

    @MrBrian: Didn't know about those tools, thanks. It would be interesting to see if they give the same results.

    EDIT: it seems OSForensics is $499.00 for a single-user license!? Wow.
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    OSForensics has a free edition too.
     
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Sure there may be executable code in other filetypes, but exploiting them is far from common these days. In fact, I need a recent example to remind myself of their existence.
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ flatfly

    Thanx !
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The Sality malware is still around as of last year. It uses a .dll file with the .tmp file extension:

    Virus Profile: W32/Sality.gen.z!9BF70049F128
    http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1892081#none
    One of the variants is described by Trend Micro:

    PE_PARITE.A-O
    http://about-threats.trendmicro.com/Malware.aspx?language=au&name=PE_PARITE.A-O
    The Stuxnet exploit also uses .dll files with the .tmp file extension:

    W32.Stuxnet Installation Details
    Created: 21 Jul 2010 02:39:04 GMT
    • Updated: 23 Jan 2014 18:26:20 GMT
    http://www.symantec.com/connect/blogs/w32stuxnet-installation-details
    Both of the above exploited CVE 2010-2658, which allowed "remote code execution if the icon of a specially crafted shortcut is displayed."

    EDIT: Stuxnet malware is still being used world-wide:

    Ancient Stuxnet flaw still being used to attack millions of Windows XP PCs
    XP popularity and poor patching revealed
    By John E. Dunn | Techworld | Published: 14:52, 14 August 2014
    http://news.techworld.com/security/...ng-used-to-attack-millions-of-windows-xp-pcs/
    Finally, the Right-to-Left method of disguising file extensions is still being used. Here is an article by Wilders own Spyware Veteran, Pieter Arntz, explaining the trick:

    The RTLO method
    January 9, 2014 | BY Pieter Arntz
    https://blog.malwarebytes.org/online-security/2014/01/the-rtlo-method/

    And a recent attack this year:

    PLEAD Targeted Attacks Against Taiwanese Government Agencies
    May 23, 2014
    http://blog.trendmicro.com/trendlab...acks-against-taiwanese-government-agencies-2/


    ----
    rich
     
    Last edited: Nov 8, 2014
  12. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Excuse my brief skimming, but do any of them execute just by opening that disguised executable? Other than RTLO of course, does that work when extensions aren't hidden?
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The Sality and Stuxnet exploits trigger by Remote Code Execution. The RTLO exploit depends on the user being tricked to opening the disguised executable file.
    In the past, when I tested exploits with other than .exe file extensions, they worked with extensions not hidden.

    ----
    rich
     
  14. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Oh yeah, the infamous .LNK vulnerability, how did I miss that? Still not quite sure how Sality works though, how would you execute those .tmp files?

    Well that is quite scary. Do you have an example you can PM?
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Sality and Stuxnet both exploited CVE-2010-2568, the Windows .LNK vulnerability. See:

    http://www.cvedetails.com/cve-details.php?t=1&cve_id=CVE-2010-2568

    Kaspersky has a brief timeline (PDF):

    https://securelist.com/files/2014/08/Kaspersky_Lab_KSN_report_windows_usage_eng.pdf
    Both exploits use .dll files with .tmp file extensions.

    In these exploits, the .tmp file is not meant to be clicked. It wouldn't open anyway, since the .tmp file extension is not registered with any Windows program, so would result in an error.

    Using Shellcode and a Script, however, doesn't depend on file extensions. If the file type is correct for the particular program, calling the program to open the file will work.

    As an example, you can use a Control Panel dll file (.cpl) which is opened by the Control Panel Program (control.exe)

    Here, I call control.exe to open main.cpl, which is Mouse Properties (.cpl files are in the /system32 directory):

    sality_main-cpl.jpg

    Now, I make a copy of main.cpl and rename to main.tmp:

    sality_main-tmp.jpg

    I could rename main.cpl to main.abc and control.exe would still recognize it as a .cpl file. This is what the Conficker worm did: the .dll file had the extension .vmx. The exploit was triggered via an Autorun.inf file with this code, which calls rundll32.exe, which executes .dll files:
    Code:
    autorun.inf
    
    shelLExECUte
    =RuNdLl32.EXE      .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
    The basics:
    Code:
    rundll32.exe jwgkvsq.vmx
    So, it is easy for malware exploits to trigger any type of file no matter the file extension.

    Some have asked about testing the .LNK exploit. Unless you can get the actual exploit on a USB stick, you can't really test how it works in-the-wild, because the .lnk (shortcut) files are coded specifically for the particular USB stick. The coding uses what is referred to as the "long path." Eset describes it in its analysis(PDF):

    http://www.eset.com/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
    There was a Proof of Concept that circulated a few years ago. Perhaps you can find that.

    Meanwhile, if your system is up to date, there should be no danger of either a .LNK exploit or Autorun.inf exploit doing any damage!

    regards,

    -rich
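    Rmus's point above (control.exe and rundll32.exe load a module by its contents, so "main.tmp" or "jwgkvsq.vmx" works as well as the proper extension) gives a detection opportunity on the defender's side: a process-creation event in which one of those loaders is handed a module whose extension is not one it normally loads. The example below is added here and is not from the thread; the pipe-separated event lines are constructed sample data in a made-up format (timestamp|image|command line), and the per-loader extension allow-list is an assumption to be tuned for your environment.

```python
import ntpath
import re

# Which module extensions each loader is normally handed. Assumption for this
# example; tune it to what is legitimately seen on your systems.
EXPECTED_MODULE_EXTENSIONS = {
    "rundll32.exe": {".dll", ".cpl", ".ocx", ".ax"},
    "control.exe": {".cpl"},
}

# Constructed process-creation events: timestamp|image path|command line.
SAMPLE_EVENTS = [
    r"2014-11-08T10:00:01|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL",
    r"2014-11-08T10:00:02|C:\Windows\System32\control.exe|control.exe main.cpl",
    r"2014-11-08T10:00:03|C:\Windows\System32\control.exe|control.exe main.tmp",
    r"2014-11-08T10:00:04|C:\Windows\System32\rundll32.exe|rundll32.exe E:\RECYCLER\jwgkvsq.vmx,ahaezedrn",
    r'2014-11-08T10:00:05|C:\Windows\System32\rundll32.exe|"C:\Windows\System32\rundll32.exe" "C:\Program Files\Vendor\helper.dll",Init',
    r"2014-11-08T10:00:06|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\u\AppData\Local\Temp\upd.tmp,Start",
    r"2014-11-08T10:00:07|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\u\notes.tmp",
]


def parse_event(line: str):
    """Split one constructed event line into (timestamp, image, command line)."""
    ts, image, cmdline = line.split("|", 2)
    return ts, image, cmdline


def tokens(cmdline: str):
    """Tokenize a Windows command line, keeping quoted paths with spaces whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def loaded_module(cmdline: str):
    """Return the module path the loader was given, without the ',EntryPoint' suffix."""
    toks = tokens(cmdline)
    if len(toks) < 2:
        return None
    return toks[1].split(",", 1)[0]


def check_event(line: str):
    """Return a finding string for a suspicious loader invocation, else None."""
    ts, image, cmdline = parse_event(line)
    loader = ntpath.basename(image).lower()
    allowed = EXPECTED_MODULE_EXTENSIONS.get(loader)
    if allowed is None:
        return None  # not a loader we care about
    module = loaded_module(cmdline)
    if module is None:
        return None  # loader started with no module argument
    ext = ntpath.splitext(module)[1].lower()
    if ext in allowed:
        return None
    return f"{ts}: {loader} loading '{module}' with unexpected extension '{ext or '(none)'}'"


def scan_log(lines):
    """Run check_event over every line and collect the findings."""
    return [finding for finding in map(check_event, lines) if finding]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_EVENTS):
        print(finding)
```

    The extension check is deliberately cheap; the same loop is where you would add the MZ-header check on the module file itself, since the extension is exactly what the attacker controls.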
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,085
  18. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    So do the not-normally-executable file types still need to be called by an executable file type?
     
  19. flatfly

    flatfly Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    66
    Actually, no. Try this:
    cd windows
    cd system32
    copy calc.exe calc.htm
    calc.htm

    Result: execution!
    Which is surprising and scary, IMHO.
     
  20. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    I copied calc.exe to the desktop and it never ran untainted, suggesting that calc.exe is not a self-sufficient program and only a shortcut in the exe format? Is that correct?

    Is there an exploit link or malware I can download and run which will bypass my executable filter?
     
  21. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    How does the malware exploit run in the first place? If someone has a download or exploit link where me visiting or running the link/file results in the malware using a non-standard executable which bypasses an executable filter, then please PM me.
     
  22. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    @Rmus: So basically on an up-to-date system, you still have to be socially engineered into executing something that will execute a non-executable filetype.

    Then my only concern would be RTLO, which seems the easiest to fall for. Do you have an example of that I can study? Please PM me if you do.
     
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    On Win 7 x64, I did two tests of an .exe renamed to .jpg, in a folder where my AppLocker configuration shouldn't allow execution:
    Test 1: Double-clicked the .jpg in Windows Explorer. Result: My picture viewer program opened and tried to open the .jpg as a picture, and failed.
    Test 2: Typed the name of the .jpg in a command prompt: Result: "This program is blocked by group policy."
     
  24. flatfly

    flatfly Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    66
    I was able to replicate these results here (Win 7, x64 as well). So thankfully, AppLocker is not fooled by this technique. The real issue, though, is with folders that are not protected by AppLocker.

    It would take a bit of social engineering to succeed, but I can think of a couple of ways to easily persuade a typical (non-savvy) user into executing malicious code.
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    As I mentioned earlier, these .LNK exploits come on USB drives. So there aren't exploit links in the traditional sense. At least that is my understanding. See this article:

    LNK Exploits
    http://www.lavasoft.com/mylavasoft/securitycenter/whitepapers/lnk-exploits
    I can't imagine this exploit getting past an executable filter. To test, I renamed a trojan.exe file to .tmp and placed it on my USB drive and attempted to copy it to my C:\ hard drive:

    lnk_tmp.jpg

    It is still an executable file, even though it looks like a .tmp file.

    ----
    rich
     