Malware Delivered via Windows Installer Files

Published: 2018-02-17
Last Updated: 2018-02-17 09:06:35 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

For some days, I collected a few samples of malicious MSI files. MSI files are Windows installer files that users can execute to install software on a Microsoft Windows system. Of course, you can replace “software” with “malware”. MSI files look less suspicious and they could bypass simple filters based on file extensions like “(com|exe|dll|js|vbs|…)”. They also look less dangerous because they are Composite Document Files:

$ file sample.msi
sample.msi: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, \
Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, \
Title: Exe to msi converter free, Author:, Template: ;0, Last Saved By: devuser, Revision Number: \
{C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0

Just based on the information returned by the 'file' command, we can expect a suspicious file: The tool used to create the MSI file is MSI Wrapper[1]. This tool is not malicious but it looks like being used by bad guys. In fact, MSI files are little databases laid out in a structured storage file. The content of an MSI file can be extracted using tools like 7z. The structure is always the same and contains the following files:

!AdminExecuteSequence:                    data
!AdvtExecuteSequence:                     data
!Binary:                                  data
!Component:                               data
!CustomAction:                            data
!Directory:                               data
!Feature:                                 data
!FeatureComponents:                       data
!InstallExecuteSequence:                  data
!Property:                                data
!_Columns:                                data
!_StringData:                             ASCII text, with very long lines, with no line terminators
!_StringPool:                             data
!_Tables:                                 data
Binary._D7D112F049BA1A655B5D9A1D0702DEE5: PE32 executable (GUI) Intel 80386, for MS Windows
[5]SummaryInformation:                    data

Files with their name starting with an exclamation point are the database tables. It is possible to read them with the COM-based API for working with MSI[2]:

Function GetMSIGenerator(ByVal file)
  Const msiOpenDatabaseModeReadOnly = 0
  Dim msi, db, view
  Set msi = CreateObject("WindowsInstaller.Installer")
  Set db = msi.OpenDataBase(file, msiOpenDatabaseModeReadOnly)
  Set view = db.OpenView("SELECT `Value` FROM `Property` WHERE `Property` = 'ProductName'")
  Call view.Execute()
  GetMSIGenerator = view.Fetch().StringData(1)
End Function

The script returns:

PS C:\Users\REM\Malicious> cscript.exe msi.vbs
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

Exe to msi converter free

But this technique is not easy to process the complete set of database fields. Let’s search for another tool. The Wix[3] toolset is perfect to achieve this. It contains a tool to easily convert an MSI file into an XML file:

C:\Users\REM\Malicious> dark.exe -swall -x . sample.msi
dark.exe : warning DARK1108 : The command line switch 'swall' is deprecated. Please use 'sw' instead.
Windows Installer XML Toolset Decompiler version
Copyright (c) .NET Foundation and contributors. All rights reserved.


The ‘-x .’ parameter specifies that the tools must dump binaries from cabinets and embedded binaries to the specified directory (the current one in the example above).
A WXS file is created. It is a regular XML file that you can open with your favourite tool:

Here is a sample of the converted file:

<?xml version="1.0" encoding="utf-8"?>
<Wix xmlns="">
    <Product Id="{29EF7317-DCA1-4159-97B2-C883AD400AC6}" Language="1033" Manufacturer="" Name="Exe to msi converter free" UpgradeCode="{1630D902-D790-41C1-AE26-9D5E5D17566F}" Version="2.0.0">
        <Package InstallerVersion="100" Languages="0" Manufacturer="" ReadOnly="no" />
        <Binary Id="_D7D112F049BA1A655B5D9A1D0702DEE5" SourceFile=".\Binary\_D7D112F049BA1A655B5D9A1D0702DEE5" />
        <CustomAction Id="DIRCA_TARGETDIR" Property="TARGETDIR" Value="[WindowsFolder]\Temp" Execute="firstSequence" />
        <CustomAction Id="_B3D13F97_1369_417D_A477_B4C42B829328" BinaryKey="_D7D112F049BA1A655B5D9A1D0702DEE5" ExeCommand="" Execute="deferred" Impersonate="no" />
        <Directory Id="TARGETDIR" Name="SourceDir">
            <Component Id="C_DefaultComponent" Guid="{4C231858-2B39-11D3-8E0D-00C04F6837D0}" KeyPath="yes">
        <Feature Id="DefaultFeature" ConfigurableDirectory="TARGETDIR" Level="1">
            <ComponentRef Id="C_DefaultComponent" />
        <Property Id="ARPCONTACT" Value="" />
        <Property Id="ARPNOMODIFY" Value="1" />
        <Property Id="LIMITUI" Value="1" />

You can see that the malicious binary file will be installed in [WindowsFolder]\Temp. This is another sign of a malicious file!

Basically, we can extract interesting information from an MSI file without executing it. Here is a simple YARA rule to catch this kind of file:

rule SuspiciousMSIFile
    author = "Xavier Mertens <>"
    info = "Search for malicious MSI installing  containing malware"

    $s1 = "Exe to msi converter free"
    $s2 = { 54 41 52 47 45 54 44 49 52 30 43 75 73 74 6f 6d 41 63 74 69 6f 6e 53 6f 75 72 63 65 54 61 72 67 65 74 5b 57 69 6e 64 6f 77 73 46 6f 6c 64 65 72 5d 5c 54 65 6d 70 }

    all of them


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

0 comment(s)


Diary Archives