SANS ISC: Malware Delivered via Windows Installer Files - SANS Internet Storm Center

Malware Delivered via Windows Installer Files

For a few days, I collected some samples of malicious MSI files. MSI files are Windows Installer packages that users run to install software on a Windows system. Of course, you can replace “software” with “malware”. MSI files look less suspicious and can bypass simple filters based on file extensions like “(com|exe|dll|js|vbs|…)”. They also look less dangerous because they are Composite Document Files:

$ file sample.msi
sample.msi: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0

Just based on the information returned by the UNIX file command, you can already suspect the file: the tool used to create the MSI file is MSI Wrapper[1]. This tool is not malicious and can be very useful, but it looks like it is also being used by bad guys...
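Because the extension is the weakest signal here, a filter should key on the container itself. The following is an added example (my code, not part of the diary): it reads the Composite Document File header and the root directory entry and classifies the blob by the root-entry CLSID, which is the field that distinguishes a Windows Installer storage from any other OLE compound file. The CLSID values are the ones Windows Installer assigns to packages, transforms and patches; the function names and the constructed 1024-byte sample container are mine, built only so the check can run offline.

```python
import struct
import uuid

# Signature every OLE2 / Composite Document File starts with
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# CLSIDs Windows Installer writes into the root directory entry of its storages
MSI_CLSIDS = {
    "000c1084-0000-0000-c000-000000000046": "MSI package (.msi)",
    "000c1082-0000-0000-c000-000000000046": "MSI transform (.mst)",
    "000c1086-0000-0000-c000-000000000046": "MSI patch (.msp)",
}


def identify_cfb(data: bytes) -> dict:
    """Classify a blob from its compound-file header and root entry only.

    Returns a dict with 'cfb' (bool) and, for compound files, the root CLSID
    and a human-readable 'kind'. The file extension is never consulted.
    """
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        return {"cfb": False, "kind": None, "clsid": None}
    major_version = struct.unpack_from("<H", data, 26)[0]
    sector_shift = struct.unpack_from("<H", data, 30)[0]   # 9 -> 512-byte sectors, 12 -> 4096
    first_dir_sector = struct.unpack_from("<I", data, 48)[0]
    sector_size = 1 << sector_shift
    # Sector numbering starts after the header: sector n lives at (n + 1) * sector_size
    root_offset = (first_dir_sector + 1) * sector_size
    entry = data[root_offset:root_offset + 128]
    result = {"cfb": True, "version": major_version, "sector_size": sector_size, "clsid": None}
    if len(entry) < 128 or entry[66] != 5:                 # object type 5 = root storage
        result["kind"] = "compound file (root entry missing or truncated)"
        return result
    clsid = str(uuid.UUID(bytes_le=bytes(entry[80:96])))   # GUID is stored little-endian
    result["clsid"] = clsid
    result["kind"] = MSI_CLSIDS.get(clsid, "compound file, not a Windows Installer storage")
    return result


def build_sample_container(clsid: str = "000c1084-0000-0000-c000-000000000046") -> bytes:
    """Constructed test input: a 1024-byte CFB made of a header and one
    directory sector holding only a root entry. Enough structure for
    identify_cfb(), but not an installable MSI."""
    header = bytearray(512)
    header[0:8] = CFB_MAGIC
    struct.pack_into("<H", header, 26, 3)        # major version 3
    struct.pack_into("<H", header, 28, 0xFFFE)   # byte-order mark
    struct.pack_into("<H", header, 30, 9)        # sector shift -> 512-byte sectors
    struct.pack_into("<H", header, 32, 6)        # mini sector shift -> 64 bytes
    struct.pack_into("<I", header, 48, 0)        # directory starts in sector 0
    entry = bytearray(128)
    name = "Root Entry".encode("utf-16-le") + b"\x00\x00"
    entry[0:len(name)] = name
    struct.pack_into("<H", entry, 64, len(name))  # name length including terminator
    entry[66] = 5                                 # root storage
    entry[80:96] = uuid.UUID(clsid).bytes_le
    return bytes(header) + bytes(entry) + bytes(512 - 128)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(identify_cfb(fh.read()))
    else:
        print(identify_cfb(build_sample_container()))
        print(identify_cfb(b"MZ" + bytes(600)))   # a PE stub is not a compound file
```

Run it with a path to classify a real file, or without arguments to see the constructed sample classified as an MSI package and a fake PE rejected. A version 4 container with 4096-byte sectors is handled by the same offset arithmetic, since the header is padded to one full sector.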

In fact, MSI files are little databases laid out in a structured storage file. The content of an MSI file can be extracted using tools like 7z. The structure is always the same:

!AdminExecuteSequence:                    data
!AdvtExecuteSequence:                     data
!Binary:                                  data
!Component:                               data
!CustomAction:                            data
!Directory:                               data
!Feature:                                 data
!FeatureComponents:                       data
!InstallExecuteSequence:                  data
!Property:                                data
!_Columns:                                data
!_StringData:                             ASCII text, with very long lines, with no line terminators
!_StringPool:                             data
!_Tables:                                 data
Binary._D7D112F049BA1A655B5D9A1D0702DEE5: PE32 executable (GUI) Intel 80386, for MS Windows
[5]SummaryInformation:                    data
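The exclamation points and the "[5]" prefix in that listing are not the names stored in the compound file; they are how 7-Zip renders them. Inside the container Windows Installer packs pairs of characters from a 64-symbol alphabet into the code-point range 0x3800-0x483F and prefixes table streams with U+4840, while characters outside the alphabet (such as the \x05 of \x05SummaryInformation) are stored verbatim. The following is an added example (my code, not from the diary, 7-Zip or WiX) that decodes and re-encodes such names and groups them the way an analyst wants to see them; the alphabet and ranges are the ones Windows Installer uses, the function names and the SAMPLE_NAMES list built from the listing above are mine.

```python
# Alphabet Windows Installer packs into its stream names: 64 symbols, 6 bits each
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._"
_INDEX = {ch: i for i, ch in enumerate(ALPHABET)}

BASE = 0x3800        # two packed symbols: BASE + first + (second << 6)
SINGLE = 0x4800      # one packed symbol:  SINGLE + symbol (when no pair is possible)
TABLE_MARK = 0x4840  # leading code point that flags a database table stream


def decode_stream_name(raw: str) -> str:
    """Turn a raw CFB stream name into the readable form 7-Zip shows."""
    out = []
    for ch in raw:
        cp = ord(ch)
        if cp == TABLE_MARK:
            out.append("!")
        elif SINGLE <= cp < TABLE_MARK:
            out.append(ALPHABET[cp - SINGLE])
        elif BASE <= cp < SINGLE:
            v = cp - BASE
            out.append(ALPHABET[v & 0x3F])
            out.append(ALPHABET[v >> 6])
        else:
            out.append(ch)  # outside the packed range: stored as-is (e.g. \x05)
    return "".join(out)


def encode_stream_name(name: str) -> str:
    """Inverse of decode_stream_name(); a leading '!' becomes the table marker."""
    out = []
    if name.startswith("!"):
        out.append(chr(TABLE_MARK))
        name = name[1:]
    i = 0
    while i < len(name):
        a = name[i]
        b = name[i + 1] if i + 1 < len(name) else None
        if a in _INDEX and b in _INDEX:
            out.append(chr(BASE + _INDEX[a] + (_INDEX[b] << 6)))
            i += 2
        elif a in _INDEX:
            out.append(chr(SINGLE + _INDEX[a]))
            i += 1
        else:
            out.append(a)   # not encodable: passed through unchanged
            i += 1
    return "".join(out)


def classify_streams(raw_names) -> dict:
    """Split decoded stream names into tables, Binary-table payloads and the rest."""
    tables, binaries, other = [], [], []
    for raw in raw_names:
        name = decode_stream_name(raw)
        if name.startswith("!"):
            tables.append(name[1:])
        elif name.startswith("Binary."):
            binaries.append(name)   # embedded files, e.g. the PE32 seen in the listing
        else:
            other.append(name)
    return {"tables": sorted(tables), "binaries": sorted(binaries), "other": other}


# Constructed sample: names from the listing above, re-encoded the way they sit
# inside the compound file (7-Zip shows the \x05 prefix as "[5]").
SAMPLE_NAMES = [
    "!_Tables", "!_Columns", "!_StringPool", "!_StringData", "!Property",
    "!CustomAction", "!Binary", "!InstallExecuteSequence",
    "Binary._D7D112F049BA1A655B5D9A1D0702DEE5", "\x05SummaryInformation",
]
RAW_SAMPLE = [encode_stream_name(n) for n in SAMPLE_NAMES]

if __name__ == "__main__":
    for raw in RAW_SAMPLE:
        print(f"{raw!r:48} -> {decode_stream_name(raw)}")
    print(classify_streams(RAW_SAMPLE))
```

Feeding the raw stream names of a real package (as returned by any OLE parser) to classify_streams() gives the same table list as the listing above; a non-empty "binaries" list is what to inspect next, since that is where an embedded executable lives.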

The files whose names start with an exclamation point are the database tables. It is possible to read them with the COM-based API for working with MSI[1]:

' Open the MSI database read-only and query one row of the Property table
Const msiOpenDatabaseModeReadOnly = 0
Dim msi, db, view
Set msi = CreateObject("WindowsInstaller.Installer")
Set db = msi.OpenDatabase("sample.msi", msiOpenDatabaseModeReadOnly)
Set view = db.OpenView("SELECT `Value` FROM `Property` WHERE `Property` = 'ProductName'")
Call view.Execute()
WScript.Echo(view.Fetch().StringData(1))

Returns:

Exe to msi converter free

But this technique is not convenient for processing the whole database. Let’s look for other tools. The WiX[2] toolset can easily convert an MSI file into an XML file:

C:\Users\REM>dark.exe -swall -x . sample.msi
dark.exe : warning DARK1108 : The command line switch 'swall' is deprecated. Please use 'sw' instead.
Windows Installer XML Toolset Decompiler version 3.11.1.2318
Copyright (c) .NET Foundation and contributors. All rights reserved.

sample.msi

The ‘-x .’ parameter asks the tool to dump binaries from cabinets and embedded binaries into the specified directory.
A WXS file is created. It is a regular XML file that you can open with your favorite tool:

[1] http://www.exemsi.com/download
[1] https://msdn.microsoft.com/en-us/library/aa367810(VS.85).aspx
[2] https://github.com/wixtoolset/wix3/releases/tag/wix3111rtm

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant