Handling Unknown Binaries: A Quick How-To

You check your email and receive a suspicious file and your antiviral scanner didn’t throw any flags so you wonder, is it safe to open? There are some things you can do when you get a possible virus that not only helps you, but the entire security community as well.

1. Surf to http://www.virustotal.com and upload the possible virus. VirusTotal then scans the file using numerous antivirus programs to determine which ones detect the file as a virus and which do not.

Now if none of them detect it as a virus, this doesn’t necessarily mean its safe to open, but at least you’ll know for sure if VirusTotal does detect it. Another site that offers a similar service is http://virusscan.jotti.org

2. Review the binary with your favorite “strings” type program, which grabs any text out of a binary for you to view. You might use strings from Unix/Linux or BinText for Windows, or even some editors. Be very careful not to execute the file, but examine it for strings. Keep on the look out for things like registry keys that execute commands, networking calls, URLS, etc. This isn’t 100% effective, since some information could be encoded or encrypted inside the binary code. Note that you might also need to use an unpacker on the binary to do this. Try this before hand with known good tools and get some practice with both unpackers and strings-type utilities.

3. Lastly, if both of the previous steps show nothing, you might also consider setting up a test machine or a virtual VM image and run the possible virus in that test environment, but this is not recommended for the faint of heart or techinically unsavvy. For the average user, uploading it to VirusTotal and then deleting it would be enough. Tools like wireshark that capture incoming and outgoing packets would provide valuable insight in an investigation of this sort. Some malware is smart and won’t immediately begin sending data as soon as it starts, but will delay its actions to fool investigators into thinking it is benign, so be aware.

4. For those of you who are more advanced with code and development, or those looking to become more advanced, you could also investigate the use of a debugger or other reverse engineering tools. If so, it is beyond the scope of this article, but check around the Net – there are many articles dedicated to these tools and techniques.

These are merely basic steps and ideas. Each step requires skills and additional practice that new users or less advanced users may not have. When in doubt, simply delete. If the file was sent to you by someone you know personally, play it safe and call them.

So, try these at your own risk. Your mileage and paranoia may vary…

This entry was posted in General InfoSec by Troy Vennon. Bookmark the permalink.

About Troy Vennon

I recently separated from the U.S. Marine Corps after 8 years. I spent the first 3 1/2 years building classified and unclassified networks all over the world. There was a natural progression from building those networks to securing those networks. My last 4 1/2 years in the Marine Corps took me to Quantico, Va where I was stationed with the Marine Corps Network Operations and Security Command (MCNOSC). While with the MCNOSC, I was a member of the Security section, which was responsible for the installation and daily maintainance of the 34 Points-of-Presence that made up the Marine Corps 270,000+ user network. After a period of time with Security, I moved over to the Marine Corps Computer Emergency Response Team (MARCERT). There I was the Staff Non-Commissioned Officer of the MARCERT, which was responsible for the 24x7 monitoring of network traffic across the Marine Corps. Specifically, we monitored network traffic for malicious intent and investigated any network incidents as they occurred. While with the MCNOSC, I attained my CISSP, CCNA, and OPST (OSSTMM Professional Security Tester). I have been with MicroSolved for the past 4 months as the Senior Security Engineer, Technical Lead, and Project Manager.

Leave a Reply