I love working with information security. That's a fact. :) I also really like playing with malware analysis, and for some time now that's what I do for a living :). And guess what I do in my free time? :) Yes, play with malware analysis too :).
I would like to share with you a situation that may occur when you are doing malware analysis. I use pine to read some of my personal email, and last week I saved one spam message that had something attached to it. While analyzing the saved email, I saw that there was a file attached to it, base64 encoded. The first sign of it is in the body:

------=_Part_75367_15338122.1181350292468
Content-Type: application/octet-stream; name="badfile.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="badfile.exe"
X-Attachment-Id: f_f2pdfmt5
...

Can you notice the:

Content-Transfer-Encoding: base64

Yes, that means that it is base64 encoded! :) Now, how to handle it? That's what I want to share with you malware analysis enthusiasts today :)

As we can see with the GNU file utility, saved-email.txt is a text file:

[lab3:~/mail# file saved-email.txt
saved-email.txt: ASCII text

I like Perl, and it offers a really simple way to decode that file:

[lab3:~/mail# perl -MMIME::Base64 -e 'print decode_base64(join("", <>))' <saved-email.txt >badfile.exe.file

Done! Now, did it work? Easy, let's use the file utility again:

[lab3:~/mail# file badfile.exe.file
badfile.exe.file: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

Done! :) Now it is just a matter of going ahead and analyzing the file, but that's another story... ;)

-------------------------------------------------------------------------------------------
Handlers on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)
Pedro Bueno, ISC Handler, Jun 10th 2007
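An added example, not the diary's own Perl one-liner: the same extraction done by parsing the MIME structure, so that only the attachment part is decoded, followed by the check file makes for a Windows executable ("MZ" at offset 0 and "PE\0\0" at the offset stored in e_lfanew) and a SHA-256 of the result. The reason to parse first: MIME::Base64's decode_base64 silently ignores any character outside the base64 alphabet, so feeding it the whole saved file also decodes the letters and digits of the mail headers and puts those bytes in front of the attachment; whether file still finds MZ at offset 0 then depends on what else is in the saved file. The sample message, its sender and recipient addresses, and the tiny MZ/PE byte string standing in for badfile.exe are all constructed here; the attachment headers are the ones shown in the diary.

```python
"""Pull a base64-encoded attachment out of a saved e-mail and check its magic bytes.

Added example (not the diary's Perl one-liner). The MIME structure is parsed with the
standard email module so that only the attachment part is decoded, and the decoded bytes
get the same test `file` applies to a Windows executable.
"""
import base64
import email
import hashlib
from email import policy

B64_ALPHABET = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")


def build_fake_pe() -> bytes:
    """Constructed stand-in for badfile.exe: a bare DOS header pointing at a PE signature.

    Nothing in it executes; it only carries the magic values the check below looks for.
    """
    hdr = bytearray(b"MZ" + b"\x00" * 62)             # 64-byte IMAGE_DOS_HEADER
    e_lfanew = 0x80
    hdr[0x3C:0x40] = e_lfanew.to_bytes(4, "little")   # e_lfanew: offset of the PE header
    hdr += b"\x00" * (e_lfanew - len(hdr))            # DOS stub area, zero-filled
    hdr += b"PE\x00\x00" + b"\x4c\x01"                # PE signature + Machine = i386
    return bytes(hdr)


def build_sample_email(payload: bytes) -> bytes:
    """Constructed message: made-up addresses, the diary's attachment headers, a constructed boundary."""
    boundary = "----=_Part_75367_15338122.1181350292468"
    b64 = base64.encodebytes(payload).decode("ascii")  # 76-char lines, newline-terminated
    text = (
        "From: sender@example.invalid\n"
        "To: analyst@example.invalid\n"
        "Subject: spam\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\n'
        "\n"
        f"--{boundary}\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "\n"
        "Please see the attached file.\n"
        f"--{boundary}\n"
        'Content-Type: application/octet-stream; name="badfile.exe"\n'
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="badfile.exe"\n'
        "\n"
        f"{b64}"
        f"--{boundary}--\n"
    )
    return text.encode("ascii")


def extract_attachments(raw: bytes) -> list[tuple[str, bytes]]:
    """Return (filename, decoded bytes) for every MIME part that carries a filename.

    get_payload(decode=True) undoes whatever Content-Transfer-Encoding the part declares,
    so base64 and quoted-printable attachments come out the same way.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not a leaf part
        name = part.get_filename()
        if name:
            found.append((name, part.get_payload(decode=True)))
    return found


def classify(data: bytes) -> str:
    """The test `file` makes for a Windows executable: MZ at 0, PE\\0\\0 at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not an MZ executable"
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return "PE executable for MS Windows"
    return "MS-DOS executable (no PE header)"


def naive_decode(raw: bytes) -> bytes:
    """Model of decode_base64(join("", <>)) run over the whole saved file.

    MIME::Base64 ignores characters outside the base64 alphabet, so the letters and
    digits of the headers are decoded as well and end up in front of the attachment.
    """
    kept = bytes(c for c in raw if c in B64_ALPHABET)
    kept = kept[: len(kept) - len(kept) % 4]  # drop a trailing partial group
    return base64.b64decode(kept)


def analyze(raw: bytes) -> list[dict]:
    """Decode each attachment via the MIME structure and report size, hash and type."""
    return [
        {
            "name": name,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "type": classify(data),
        }
        for name, data in extract_attachments(raw)
    ]


if __name__ == "__main__":
    sample = build_sample_email(build_fake_pe())
    for entry in analyze(sample):
        print(entry)
    print("whole-file decode:", classify(naive_decode(sample)))
```

On a real saved message, replace the constructed sample with open("saved-email.txt", "rb").read(); the hash goes into your notes before the file is handed to anything that might execute it.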