Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Malware Delivered via Windows Installer Files

Published: 2018-02-17
Last Updated: 2018-02-17 09:06:35 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

For some days, I collected a few samples of malicious MSI files. MSI files are Windows installer files that users can execute to install software on a Microsoft Windows system. Of course, you can replace “software” with “malware”. MSI files look less suspicious and they could bypass simple filters based on file extensions like “(com|exe|dll|js|vbs|…)”. They also look less dangerous because they are Composite Document Files:

$ file sample.msi
sample.msi: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, \
Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, \
Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: \
{C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0

Just based on the information returned by the 'file' command, we can expect a suspicious file: The tool used to create the MSI file is MSI Wrapper[1]. This tool is not malicious but it looks like being used by bad guys. In fact, MSI files are little databases laid out in a structured storage file. The content of an MSI file can be extracted using tools like 7z. The structure is always the same and contains the following files:

!AdminExecuteSequence:                    data
!AdvtExecuteSequence:                     data
!Binary:                                  data
!Component:                               data
!CustomAction:                            data
!Directory:                               data
!Feature:                                 data
!FeatureComponents:                       data
!InstallExecuteSequence:                  data
!Property:                                data
!_Columns:                                data
!_StringData:                             ASCII text, with very long lines, with no line terminators
!_StringPool:                             data
!_Tables:                                 data
Binary._D7D112F049BA1A655B5D9A1D0702DEE5: PE32 executable (GUI) Intel 80386, for MS Windows
[5]SummaryInformation:                    data

Files with their name starting with an exclamation point are the database tables. It is possible to read them with the COM-based API for working with MSI[2]:

Function GetMSIGenerator(ByVal file)
  Const msiOpenDatabaseModeReadOnly = 0
  Dim msi, db, view
  Set msi = CreateObject("WindowsInstaller.Installer")
  Set db = msi.OpenDataBase(file, msiOpenDatabaseModeReadOnly)
  Set view = db.OpenView("SELECT `Value` FROM `Property` WHERE `Property` = 'ProductName'")
  Call view.Execute()
  GetMSIGenerator = view.Fetch().StringData(1)
End Function
WScript.Echo(GetMSIGenerator("sample.msi")

The script returns:

PS C:\Users\REM\Malicious> cscript.exe msi.vbs
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

Exe to msi converter free

But this technique is not easy to process the complete set of database fields. Let’s search for another tool. The Wix[3] toolset is perfect to achieve this. It contains a tool to easily convert an MSI file into an XML file:

C:\Users\REM\Malicious> dark.exe -swall -x . sample.msi
dark.exe : warning DARK1108 : The command line switch 'swall' is deprecated. Please use 'sw' instead.
Windows Installer XML Toolset Decompiler version 3.11.1.2318
Copyright (c) .NET Foundation and contributors. All rights reserved.

sample.msi

The ‘-x .’ parameter specifies that the tools must dump binaries from cabinets and embedded binaries to the specified directory (the current one in the example above).
A WXS file is created. It is a regular XML file that you can open with your favourite tool:

Here is a sample of the converted file:

<?xml version="1.0" encoding="utf-8"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
    <Product Id="{29EF7317-DCA1-4159-97B2-C883AD400AC6}" Language="1033" Manufacturer="www.exetomsi.com" Name="Exe to msi converter free" UpgradeCode="{1630D902-D790-41C1-AE26-9D5E5D17566F}" Version="2.0.0">
        <Package InstallerVersion="100" Languages="0" Manufacturer="www.exetomsi.com" ReadOnly="no" />
        <Binary Id="_D7D112F049BA1A655B5D9A1D0702DEE5" SourceFile=".\Binary\_D7D112F049BA1A655B5D9A1D0702DEE5" />
        <CustomAction Id="DIRCA_TARGETDIR" Property="TARGETDIR" Value="[WindowsFolder]\Temp" Execute="firstSequence" />
        <CustomAction Id="_B3D13F97_1369_417D_A477_B4C42B829328" BinaryKey="_D7D112F049BA1A655B5D9A1D0702DEE5" ExeCommand="" Execute="deferred" Impersonate="no" />
        <Directory Id="TARGETDIR" Name="SourceDir">
            <Component Id="C_DefaultComponent" Guid="{4C231858-2B39-11D3-8E0D-00C04F6837D0}" KeyPath="yes">
                <Condition>0</Condition>
            </Component>
        </Directory>
        <Feature Id="DefaultFeature" ConfigurableDirectory="TARGETDIR" Level="1">
            <ComponentRef Id="C_DefaultComponent" />
        </Feature>
        <Property Id="ARPCONTACT" Value="www.exetomsi.com" />
        <Property Id="ARPNOMODIFY" Value="1" />
        <Property Id="LIMITUI" Value="1" />
        <InstallExecuteSequence>

You can see that the malicious binary file will be installed in [WindowsFolder]\Temp. This is another sign of a malicious file!

Basically, we can extract interesting information from an MSI file without executing it. Here is a simple YARA rule to catch this kind of file:

rule SuspiciousMSIFile
{
  meta:
    author = "Xavier Mertens <xmertens@isc.sans.edu>"
    info = "Search for malicious MSI installing  containing malware"

  strings:
    $s1 = "Exe to msi converter free"
    $s2 = { 54 41 52 47 45 54 44 49 52 30 43 75 73 74 6f 6d 41 63 74 69 6f 6e 53 6f 75 72 63 65 54 61 72 67 65 74 5b 57 69 6e 64 6f 77 73 46 6f 6c 64 65 72 5d 5c 54 65 6d 70 }

  condition:
    all of them
}

[1] http://www.exemsi.com/download
[2] https://msdn.microsoft.com/en-us/library/aa367810(VS.85).aspx
[3] https://github.com/wixtoolset/wix3/releases/tag/wix3111rtm

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

February 2018 Microsoft (and Adobe) Patch Tuesday
Feb 13th 2018
4 days ago by Johannes (8 comments)

Analyzing compressed shellcode
Feb 12th 2018
5 days ago by DidierStevens (2 comments)

Finding VBA signatures in Word documents
Feb 11th 2018
6 days ago by DidierStevens (0 comments)

View All Diaries →

Latest Discussions

Work logs for hunting
created Jan 18th 2018
1 month ago by Anonymous (0 replies)

What is airbnb doing?
created Jan 9th 2018
1 month ago by Mike (0 replies)

Convert OST Emails to PST Files
created Jan 4th 2018
1 month ago by Anonymous (0 replies)

Windows Client what the hell is this?
created Jan 2nd 2018
1 month ago by Anonymous (0 replies)

My log Reports not displaying reported entries
created Dec 22nd 2017
1 month ago by Tony (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
7 months ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
6 months ago by Johannes (13 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
2 months ago by Russ McRee (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
5 months ago by Renato (0 comments)

Maldoc with auto-updated link
Aug 17th 2017
6 months ago by Xme (2 comments)