How to discover a new virus or malware


What do you do when you receive an email that looks like this?

Warning: what follows is pretty technical. Click “Read more” only if you are a computer geek or want to become one! 😉

Here is what to do with it.

1) Does booking.com even exist, and have I ever booked anything with them? Booking.com does indeed exist, but I don’t recall having booked anything recently from them. This is the first red flag.

2) The email comes with an attachment. It is a ZIP file. Strange, I would expect a booking confirmation to be a PDF or some sort of document, but not a ZIP file. This is the second red flag.

3) By looking inside the ZIP file (with a utility that lists its contents without launching them), I see an EXE file. This is the third red flag and all alarms should go on. This is almost certainly malware, most likely a trojan horse. There is no danger, however, as long as you do not execute the content of the ZIP file. More than that, I am on a Mac and an EXE only runs natively on Windows, so no immediate danger for me at least. My provider runs an antivirus service on every email. If this one is indeed malware and has not been detected, it might be something new. How exciting! Let’s move on.

4) Is the email indeed coming from the supposed sender? The way to find out is to investigate the header. On Mac Mail, with the message open in its own window, select View –> Message –> All Headers. Here is what it looks like:

By looking at the part within the red box, it is clear that this email came from an address in the .ba domain directly to my mail server. That topmost Received header was written by my own server, so it is the only one I can trust. The part below it seems to refer indeed to booking.com, but it was supplied by the sender, and it does not show any public internet address, only private ones (10.x.x.x). It is probably fake, but to confirm it we need to track down the sender further.

This is the interesting part of the header that requires some more investigation:

Received: from 3.dslam.mlt.bih.net.ba (unknown [80.65.91.194])

5) Where does this email actually come from? Who is 3.dslam.mlt.bih.net.ba and who owns the IP address 80.65.91.194? It is time for a WHOIS / reverse IP lookup. Let’s open a web browser window and ask ip-lookup.net. Here is the result:

Did not know that booking.com has operations in Bosnia and Herzegovina… sounds really strange. The hypothesis of a virus/malware seems more and more realistic.

6) Let’s see if the content of the EXE is somehow already known. Let’s calculate its MD5 and look it up on Google. Open a Terminal window, extract the content of the ZIP file and run the following command on the EXE (remember I am on a Mac, so there is no way I can execute the EXE, even accidentally. If you are on a Windows machine, pay particular attention not to run the EXE while analyzing it; ideally do this on an isolated machine or virtual machine):

md5 filename.exe

(On Linux the equivalent command is md5sum; shasum -a 256 gives a SHA-256, which labs increasingly prefer over MD5.)

The result in my case is: f5d7f624ddeba66db6cdc89db615f049

Yours could be different: malware of this kind is repacked or rebuilt frequently, so every campaign (or even every download) may carry a different hash even though the underlying family is the same.

7) Let’s look up the MD5 on Google… no hit! Is it something new? Probably it is. At this point it is better to submit it to an antivirus/malware lab (or to many of them). This is done by ZIPping the EXE into a password-protected ZIP file with the password “infected”; this is the convention the labs expect. The ZIP file and the password prevent others (and mail gateways along the way) from accidentally running or stripping the infected content.
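Putting steps 3 to 7 together as a script is an added example; it is not code from the original post. It builds a constructed message whose Received chain has the same shape as the one shown above (our own server on top, a .ba host connecting to it, and a forged “booking.com” hop underneath that shows only 10.x.x.x addresses), walks the chain from the top to find the first public address, opens the ZIP attachment in memory without ever writing the EXE to disk, flags executable members, and hashes them. The server name mail.example.net, the 10.x addresses, the attachment bytes and the timestamps are all made up; the only values reused from the post are the .ba hostname and the address 80.65.91.194.

```python
import email
import hashlib
import io
import ipaddress
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed stand-in for the EXE: harmless bytes, so the script is safe to run.
SAMPLE_PAYLOAD = b"MZ this is not a real program, just constructed test bytes\n"
SAMPLE_INNER_NAME = "Booking_Confirmation_07312012.exe"

# Extensions Windows will run on double-click; a starting list, extend as needed.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

# Received headers record the connecting address as "[a.b.c.d]".
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def build_sample_message() -> bytes:
    """Constructed message mirroring the header shape described in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SAMPLE_INNER_NAME, SAMPLE_PAYLOAD)

    msg = EmailMessage()
    # Topmost Received header is the one our own MTA (hypothetical mail.example.net)
    # added when the .ba host connected: the only hop we can trust.
    msg["Received"] = ("from 3.dslam.mlt.bih.net.ba (unknown [80.65.91.194]) "
                       "by mail.example.net (Postfix) with ESMTP id 4AB12; "
                       "Tue, 31 Jul 2012 09:12:33 +0000")
    # Everything below it arrived inside the message and can be forged freely.
    msg["Received"] = ("from mail.booking.com ([10.1.2.3]) by 10.1.2.4 "
                       "with SMTP; Tue, 31 Jul 2012 09:12:30 +0000")
    msg["From"] = "Booking.com <customer.service@booking.com>"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Booking Confirmation"
    msg.set_content("Please find your booking confirmation attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Booking_Confirmation_07312012.zip")
    return msg.as_bytes()


def received_ips(msg) -> list:
    """Bracketed IPs from every Received header, top (last hop) to bottom (claimed origin)."""
    ips = []
    for header in msg.get_all("Received", []):
        ips.extend(IP_IN_BRACKETS.findall(str(header)))
    return ips


def is_routable(ip: str) -> bool:
    """True for a public address; False for private/reserved ranges or garbage like 999.1.1.1."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def first_public_ip(ips):
    """Walk the chain from the top and return the first routable address.
    Because the top hop was written by our own server, this is the real
    connecting host; anything further down is sender-supplied."""
    for ip in ips:
        if is_routable(ip):
            return ip
    return None


def hash_bytes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def triage(raw: bytes) -> dict:
    """Header origin plus an in-memory inventory and hashes of ZIP attachment members."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ips = received_ips(msg)
    report = {"origin_ip": first_public_ip(ips),
              "private_hops": [ip for ip in ips if not is_routable(ip)],
              "attachments": []}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        entry = {"name": part.get_filename(), "members": [], "suspicious": False}
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    inner = zf.read(name)  # stays in memory; never extracted to disk
                    exe = name.lower().endswith(EXECUTABLE_EXTENSIONS)
                    entry["members"].append({"name": name, "executable": exe, **hash_bytes(inner)})
                    entry["suspicious"] = entry["suspicious"] or exe
        report["attachments"].append(entry)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_message()), indent=2))
```

To use it on a real message, save the email as raw .eml and pass its bytes to triage() instead of build_sample_message(); the md5 value in the report is what you would search for in step 7, and the origin_ip is what you would look up in step 5.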

8) Wait for the results. Bingo! This is indeed a new variant of a known backdoor/malware.

Here are the replies I got back from the labs.

KASPERSKY
Hello,
This notification is generated by automatic letter processing system.
Booking_Confirmation_07312012.exe – Backdoor.Win32.Androm.dw
New malicious software was found in this file. Its detection will be included in the next update. Thank you for your help.
Best Regards, Kaspersky Lab

ESET
Dear Marco Ghislanzoni,
Thank you for your submission.
The detection for this threat will be included in our next signature update.
Booking_Confirmation_07312012.exe – Win32/Kryptik.AJEH trojan
Regards,
ESET Malware Response Team

DR.WEB (well, they knew it already!)
Dear Marco Ghislanzoni,
Your submission has been processed by Automatic System. This threat is already familiar to us. A corresponding record exists in the Dr.Web virus database.
Threat: BackDoor.Andromeda.22
Thank you for the cooperation.
Yours sincerely,
Virus Monitoring Service
Doctor Web Ltd.

9) Pat yourself on the back and get a beer. We saved the (IT) world today! 😉
