Pinging All The Way

A week or two ago reader Norris Carden submitted a malicious document. This document is another "sleeper": it waits a couple of minutes before downloading and executing a malicious payload.

The trick used here is to start a ping command (from VBA macros) that will take several minutes to execute: cmd.exe /C ping -n 250 > nul

This command does 250 pings to Google DNS. It will take around 4 minutes and 10 seconds to execute. After that, the VBA code downloads and executes malware.

Didier Stevens
Microsoft MVP Consumer Security


677 Posts
ISC Handler
Dec 24th 2016
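
One way to hunt for this sleeper pattern in process-creation logs is sketched below. It is an added example, not code from the diary or from the sample. The event field names (parent, cmdline), the list of Office parents, the 60-second threshold and the sample events are assumptions made for illustration.

```python
import ntpath
import re

# Assumption: Office applications whose child processes are worth inspecting.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
PING = re.compile(r"\bping(?:\.exe)?\b(?P<args>[^&|]*)", re.IGNORECASE)
COUNT = re.compile(r"(?:^|\s)[-/]n\s+(\d+)", re.IGNORECASE)


def ping_delay_seconds(command_line):
    """Estimate how long a ping in command_line blocks, or None if no ping."""
    match = PING.search(command_line)
    if match is None:
        return None
    count = COUNT.search(match.group("args"))
    # Windows ping sends 4 echo requests by default, roughly one per second,
    # which is how 250 pings come to about 4 minutes 10 seconds.
    return int(count.group(1)) if count else 4


def find_sleepers(events, min_delay=60):
    """Return (event, delay) for Office-spawned pings of at least min_delay s."""
    findings = []
    for event in events:
        parent = ntpath.basename(event["parent"]).lower()
        delay = ping_delay_seconds(event["cmdline"])
        if parent in OFFICE_PARENTS and delay is not None and delay >= min_delay:
            findings.append((event, delay))
    return findings


# Constructed process-creation events; 192.0.2.1 is a documentation address.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": "cmd.exe /C ping 192.0.2.1 -n 250 > nul"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": "ping -n 250 192.0.2.1"},
    {"parent": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "cmdline": "cmd.exe /c ping 192.0.2.1"},
    {"parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": "cmd.exe /c ping /N 300 192.0.2.1 >nul"},
]

if __name__ == "__main__":
    for event, delay in find_sleepers(SAMPLE_EVENTS):
        print(f"{delay:>4}s delay  {event['cmdline']}")
```
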
You can explain what's your command. How I can do that. It is DDoS to Google. Thanks, nice post.

1 Posts
What does the time delay buy the actor?

37 Posts
Same as the other sleeper I wrote a diary entry for.

Evade detection by time-limited, automatic dynamic analysis.

Which can in turn be defeated by killing the ping process.

677 Posts
ISC Handler
Just being able to ping or use might be a way for bad guys to determine whether an endpoint is outside of a protected network (no IPS, NGFW, etc).

135 Posts
The VBA code does not check the result of the ping command. It just launches the command with a synchronous call: when the command terminates, the VBA code continues to run, regardless of what the result of the ping command is.

677 Posts
ISC Handler
