Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Malicious Or Not? You decide... - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Malicious Or Not? You decide...

On of the hardest tasks in security, and probably fundamentally an impossible task is to figure out if something is not malicious. Even the code you wrote yourself, once it exceeds a certain complexity, could include backdoors that you as the author missed. They may come in the form of vulnerabilities, or maybe it was bad advice that you followed (ever copied code from Stackoverflow?). Never mind malicious libraries or compilers.

Earlier today, a reader sent me a file asking just that question. Carlos received an anti-malware warning flagging a file as malicious. According to Virustotal, ESET-NOD32 flags it as "a variant of Win32/KingSoft.D potentially unwanted". This is a pretty weak signature. Virustotal also stated that the file is "Probably harmless" and that "There are strong indicators suggesting that this file is safe to use."

Next, I uploaded it to hybrid-analysis. Hybrid-Analysis returned the following risk assessment:

This looks quite a bit more malicious.

Some additional Google searches revealed that the file is likely part of "WPS Office," a free Chinese office suite that appears to be included for free with some HP Laptops.

My advice to Carlos was that the file is likely not malicious, but as long as he doesn't need WPS Office, he is probably better off deleting it to save some disk space. In short: bloatware. 

What would your advice be? Here are the links to the results from Hybrid Analysis and Virustotal:

https://www.hybrid-analysis.com/sample/e3d74b6eb7f941125c35ae0ab2c5bd8d7116e6794f38b3879bddeb4b1570a433?environmentId=100

https://virustotal.com/en/file/e3d74b6eb7f941125c35ae0ab2c5bd8d7116e6794f38b3879bddeb4b1570a433/analysis/

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Defending Web Applications Security Essentials - SANS Munich July 2019

Johannes

3537 Posts
ISC Handler
I'm looking through the suspicious network communication and I see curl in there... but do we know what this file was originally supposed to do? I think that would go a long way to helping the determination.
Frank

1 Posts
The fact the file is at least a year old according to virustotal (First submission 2016-01-22 09:32:50 UTC ( 1 year ago )) and still has only 1 detection would be good evidence it is NOT malicious. Fresh malicious samples, less than a day old, I can see having low detection scores, but a year old and only 1 vendor detects it, no.

A valid signature isn't proof it is non-malicious, but valid signed executables that are malicious are uncommon. And if a stolen cert is caught being used to sign malicious, it gets revoked rather quickly. This is a year old again and the signature is still valid.

Those two facts alone would have me say non-malicious.
R

34 Posts
thank you :)
you are the best :)
great work
Netmanzim

35 Posts
i removed all strange software from the assus a540L endpoint, and now it is great, no strange chinese software running in the background
Netmanzim

35 Posts
If it is something you use, or, if something you use depends on it, you have to access the need of that piece of code.
If it is NOT something you need/use is inherently a security risk (one more attack vector).
TMF

2 Posts
While the executable may not be particularly dangerous; its operations are more complex than I would expect for this kind of software. In a nation whose people are highly surveilled this rather innocuous software would be a great way to ensure you have a backdoor that checks in with the mother ship, and provides a delivery system for other goodies.
Anonymous

Sign Up for Free or Log In to start participating in the conversation!