When we download and run programs from trusted sources, such as a product's official site or download portals like softpedia.com or download.com, there is little danger of infection (with occasional exceptions, like the famous Sony rootkit). But when we download software from blogs or forums, the so-called warez scene, the chances of getting infected with trojans or backdoors are enormous. In our example we have an installer (setup) and a keygen (serial code generator), or a so-called crack.
- It's always a good idea to submit suspect programs to Anubis (up to its 8 MB size limit). Anubis is a malware-analysis service: you receive a report of what your application does on your computer. You can also submit a URL and receive a report showing all the activity of the Internet Explorer process while it visits that URL. Anubis is a virtual environment, and it must be said that some malware checks whether it is running in a virtual environment; if it detects a sandbox, it kills its own process (a kind of suicide). But Anubis also includes a virus scanner, so it can still give us a good idea about the submitted executable.
- We have an installer from an untrusted source. Always check the File Properties: check whether there are Digital Signatures and, if so, whether they are signed by a Certificate Authority (CA). A CA is a trusted third party that issues and signs the certificate and vouches for the authenticity of the file. Symantec warned recently about fake digital signatures that malware writers add to their malware to give it an air of legitimacy and increase the probability that it gets executed. Using this technique the malware authors could, for example, penetrate an environment where only signed files are allowed to run but the authenticity of the signature is not checked.
Although such files are signed, they are signed by an unauthenticated CA (Certificate Authority) that is masquerading as, for example, VeriSign.
Here is an example:
Not all legitimate programs have a digital signature anyway. If that is the case, check closely in File Properties (right-click menu) whether the Author, Company, File Version and so on match what we know about the program. Very often the hackers bind trojans or other malware to the original, legitimate installers.
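One way to run these two checks (signature chain and File Properties details) from PowerShell, as an added example that is not part of the original post; the file path is supplied as a parameter and the field names follow what the Digital Signatures and Details tabs show:

```powershell
# Added example (not from the original post). Inspect a downloaded installer's
# Authenticode signature, the root it chains to, and its File Properties fields.
param([Parameter(Mandatory)][string]$Path)   # assumed placeholder: path to the downloaded file

$chainOk = $false
$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : $($sig.Status)"   # Valid, NotSigned, NotTrusted, HashMismatch, UnknownError ...

if ($sig.SignerCertificate) {
    $cert = $sig.SignerCertificate
    "Signer subject   : $($cert.Subject)"
    "Signer issuer    : $($cert.Issuer)"
    "Thumbprint       : $($cert.Thumbprint)"

    # Build the chain ourselves so we can see which root it actually ends in.
    # A signer whose issuer *looks* like VeriSign but does not chain to a root in the
    # machine's trusted root store is exactly the fake-CA case described in the post.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # works offline; use 'Online' when connected
    $chainOk = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain builds     : $chainOk"
    "Chain root       : $($root.Subject)"
    if (-not $chainOk) {
        $chain.ChainStatus | ForEach-Object { "  chain problem  : $($_.Status) - $($_.StatusInformation.Trim())" }
    }
}

# File Properties > Details: the fields the post says to compare with what you know.
$vi = (Get-Item -LiteralPath $Path).VersionInfo
"CompanyName      : $($vi.CompanyName)"
"ProductName      : $($vi.ProductName)"
"FileDescription  : $($vi.FileDescription)"
"FileVersion      : $($vi.FileVersion)"
"OriginalFilename : $($vi.OriginalFilename)"

# Treat the file as CA-signed only when the signature is valid AND the chain reaches a trusted root.
if ($sig.Status -eq 'Valid' -and $chainOk) { "RESULT: signed and chains to a trusted root" }
elseif ($sig.Status -eq 'NotSigned')        { "RESULT: unsigned - fall back to comparing the Details fields above" }
else                                        { "RESULT: signature present but NOT trustworthy ($($sig.Status))" }
```

A status of NotTrusted with a chain that ends in an unfamiliar root is the case to be suspicious of, even when the signer name reads like a well-known CA.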
Now I will tell you a secret: there is a free little application that can help us a lot, Universal Extractor (available here). It supports extraction of many file types, including archives and installers; what it mainly does is unpack and extract all the files from an archive or installer. When a file is passed to UniExtract, it begins by scanning the file with TrID. If the file format matches one of the supported non-executable formats, it immediately begins extracting the archive. If it is an executable file, it calls PEiD to analyze the file signature. If the signature indicates a supported format, it attempts extraction. If the signature is not recognized, it tries running the file through 7-Zip and UnZip as default cases. If 7-Zip or UnZip recognizes it, it is extracted; otherwise UniExtract displays an error message and exits. Enough of this; you can read more on their site.
So a hacker can use an installer-building program to create a new installer in which both the trojan and the legitimate original program run at the same time. The hacker-built installer tries to drop the trojan into the Temporary directory or the System32 directory and run it from there, and it runs the legitimate setup as well, giving the normal user no clue about what is happening. To the user the installer seems to work normally, and even if the antivirus triggers an alarm, the user will approve the execution of the program. I assume of course that we are dealing with a NEW trojan whose signature is unknown to antivirus products, as many in fact are.
Here UniExtract comes to our help. We can right-click > UniExtract here, and if the installer is infected we will see two directories, an -app- directory and a -temp- directory, where you will see the trojan. It is not executed, because UniExtract only extracts the components without running them.
If UniExtract cannot extract the files but we see in PEiD (launched by UniExtract) a Visual Basic 5/6 signature, we know the installer is infected too: the files were bound by another method, using a file binder written in Visual Basic 6. Legitimate programs have not been written in Visual Basic 6 for a long time.
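A PowerShell triage of the directory UniExtract produced, as an added example that is not part of the original post or of UniExtract itself. It lists every executable, flags the ones that landed in the -temp- directory the post mentions, reports signature status, looks for the VB5/VB6 runtime import (MSVBVM50.DLL / MSVBVM60.DLL, the DLLs a Visual Basic executable links against) as a cheap stand-in for the PEiD check, and computes SHA256 for submission to a multi-engine scanner; the extraction directory is an assumed placeholder parameter:

```powershell
# Added example (not from the original post or from UniExtract). Triage the files
# that UniExtract dropped without running any of them.
param([Parameter(Mandatory)][string]$ExtractedDir)   # assumed placeholder: UniExtract output dir

# Runtime DLLs imported by Visual Basic 5/6 executables. Their names sit in the
# import table as ASCII, so a plain byte search finds them (no PE parser needed).
$vbRuntimes = 'MSVBVM50.DLL', 'MSVBVM60.DLL'
$peExts     = '.exe', '.dll', '.scr', '.com'

Get-ChildItem -LiteralPath $ExtractedDir -Recurse -File |
Where-Object { $peExts -contains $_.Extension.ToLower() } |
ForEach-Object {
    $f   = $_
    $rel = $f.FullName.Substring($ExtractedDir.Length).TrimStart('\')

    # Skip the byte search on very large payloads; everything else is still reported.
    $ascii = ''
    if ($f.Length -le 50MB) {
        $ascii = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($f.FullName))
    }
    $usesVb  = $vbRuntimes | Where-Object { $ascii.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
    $vbLabel = if ($usesVb) { $usesVb -join ',' } else { '-' }

    [pscustomobject]@{
        File      = $rel
        # Per the post, the infected installer yields an -app- and a -temp- directory;
        # executables under -temp- are the ones to look at first.
        InTemp    = ($rel -like '*-temp-*')
        SizeKB    = [math]::Round($f.Length / 1KB, 1)
        Signed    = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
        VBRuntime = $vbLabel
        SHA256    = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    }
} | Sort-Object InTemp -Descending | Format-Table -AutoSize
```

An unsigned executable in -temp- that imports MSVBVM60.DLL is the combination the post describes for a VB6 file binder; the SHA256 column can be pasted into a multi-engine scanner before the file itself is uploaded anywhere.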
These simple procedures can save us the headache of getting infected.
Here is a video describing the procedure:
It is always recommended to scan suspect files with a multi-engine online virus scanner; this scans the files with multiple antivirus engines and provides more accurate results.
Often, running the files in an online sandbox can reveal all the actions performed by the executable on the computer: every change to the file system or registry, every file accessed, created or saved, and all network activity or processes started by the scanned executable. It is one more preventive measure we can take to protect our computer; however, it is not infallible, because some viruses have a "sandbox environment check": they use various methods to detect whether they are running in a sandbox and, if they detect one, immediately kill their own process.
The links for the Multi-Engine Online Virus Scanners or Online Sandboxes are shown on the Home page of this site.