Malware Delivered via Windows Installer Files
For some days, I collected a few samples of malicious MSI files. MSI files are Windows installer files that users can execute to install software on a Microsoft Windows system. Of course, you can replace “software” with “malware”. MSI files look less suspicious and they could bypass simple filters based on file extensions like “(com|exe|dll|js|vbs|…)”. They also look less dangerous because they are Composite Document Files:
$ file sample.msi sample.msi: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, \ Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, \ Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: \ {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
Just based on the information returned by the 'file' command, we can expect a suspicious file: The tool used to create the MSI file is MSI Wrapper[1]. This tool is not malicious but it looks like being used by bad guys. In fact, MSI files are little databases laid out in a structured storage file. The content of an MSI file can be extracted using tools like 7z. The structure is always the same and contains the following files:
!AdminExecuteSequence: data !AdvtExecuteSequence: data !Binary: data !Component: data !CustomAction: data !Directory: data !Feature: data !FeatureComponents: data !InstallExecuteSequence: data !Property: data !_Columns: data !_StringData: ASCII text, with very long lines, with no line terminators !_StringPool: data !_Tables: data Binary._D7D112F049BA1A655B5D9A1D0702DEE5: PE32 executable (GUI) Intel 80386, for MS Windows [5]SummaryInformation: data
Files with their name starting with an exclamation point are the database tables. It is possible to read them with the COM-based API for working with MSI[2]:
Function GetMSIGenerator(ByVal file) Const msiOpenDatabaseModeReadOnly = 0 Dim msi, db, view Set msi = CreateObject("WindowsInstaller.Installer") Set db = msi.OpenDataBase(file, msiOpenDatabaseModeReadOnly) Set view = db.OpenView("SELECT `Value` FROM `Property` WHERE `Property` = 'ProductName'") Call view.Execute() GetMSIGenerator = view.Fetch().StringData(1) End Function WScript.Echo(GetMSIGenerator("sample.msi")
The script returns:
PS C:\Users\REM\Malicious> cscript.exe msi.vbs Microsoft (R) Windows Script Host Version 5.812 Copyright (C) Microsoft Corporation. All rights reserved. Exe to msi converter free
But this technique is not easy to process the complete set of database fields. Let’s search for another tool. The Wix[3] toolset is perfect to achieve this. It contains a tool to easily convert an MSI file into an XML file:
C:\Users\REM\Malicious> dark.exe -swall -x . sample.msi dark.exe : warning DARK1108 : The command line switch 'swall' is deprecated. Please use 'sw' instead. Windows Installer XML Toolset Decompiler version 3.11.1.2318 Copyright (c) .NET Foundation and contributors. All rights reserved. sample.msi
The ‘-x .’ parameter specifies that the tools must dump binaries from cabinets and embedded binaries to the specified directory (the current one in the example above).
A WXS file is created. It is a regular XML file that you can open with your favourite tool:
Here is a sample of the converted file:
<?xml version="1.0" encoding="utf-8"?> <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi"> <Product Id="{29EF7317-DCA1-4159-97B2-C883AD400AC6}" Language="1033" Manufacturer="www.exetomsi.com" Name="Exe to msi converter free" UpgradeCode="{1630D902-D790-41C1-AE26-9D5E5D17566F}" Version="2.0.0"> <Package InstallerVersion="100" Languages="0" Manufacturer="www.exetomsi.com" ReadOnly="no" /> <Binary Id="_D7D112F049BA1A655B5D9A1D0702DEE5" SourceFile=".\Binary\_D7D112F049BA1A655B5D9A1D0702DEE5" /> <CustomAction Id="DIRCA_TARGETDIR" Property="TARGETDIR" Value="[WindowsFolder]\Temp" Execute="firstSequence" /> <CustomAction Id="_B3D13F97_1369_417D_A477_B4C42B829328" BinaryKey="_D7D112F049BA1A655B5D9A1D0702DEE5" ExeCommand="" Execute="deferred" Impersonate="no" /> <Directory Id="TARGETDIR" Name="SourceDir"> <Component Id="C_DefaultComponent" Guid="{4C231858-2B39-11D3-8E0D-00C04F6837D0}" KeyPath="yes"> <Condition>0</Condition> </Component> </Directory> <Feature Id="DefaultFeature" ConfigurableDirectory="TARGETDIR" Level="1"> <ComponentRef Id="C_DefaultComponent" /> </Feature> <Property Id="ARPCONTACT" Value="www.exetomsi.com" /> <Property Id="ARPNOMODIFY" Value="1" /> <Property Id="LIMITUI" Value="1" /> <InstallExecuteSequence>
You can see that the malicious binary file will be installed in [WindowsFolder]\Temp. This is another sign of a malicious file!
Basically, we can extract interesting information from an MSI file without executing it. Here is a simple YARA rule to catch this kind of file:
rule SuspiciousMSIFile { meta: author = "Xavier Mertens <xmertens@isc.sans.edu>" info = "Search for malicious MSI installing containing malware" strings: $s1 = "Exe to msi converter free" $s2 = { 54 41 52 47 45 54 44 49 52 30 43 75 73 74 6f 6d 41 63 74 69 6f 6e 53 6f 75 72 63 65 54 61 72 67 65 74 5b 57 69 6e 64 6f 77 73 46 6f 6c 64 65 72 5d 5c 54 65 6d 70 } condition: all of them }
[1] http://www.exemsi.com/download
[2] https://msdn.microsoft.com/en-us/library/aa367810(VS.85).aspx
[3] https://github.com/wixtoolset/wix3/releases/tag/wix3111rtm
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
Comments