SANS ISC: Pinging All The Way - SANS Internet Storm Center
Pinging All The Way

A week or two ago reader Norris Carden submitted a malicious document. This document is another "sleeper": it waits a couple of minutes before downloading and executing a malicious payload.

The trick used here is to start a ping command (from VBA macros) that will take several minutes to execute: cmd.exe /C ping 8.8.8.8 -n 250 > nul

This command sends 250 pings to Google's DNS server 8.8.8.8, which takes around 4 minutes and 10 seconds. Only after it finishes does the VBA code download and execute the malware.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
NVISO

DidierStevens

133 Posts
ISC Handler
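As an added example (not code from the diary or from Didier), here is a small detector for the pattern described above: an Office process spawning a ping loop long enough to outlast a short automated analysis run. The process-creation events are constructed, and the field names, the set of Office parents and the 60-second threshold are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /C ping 8.8.8.8 -n 250 > nul"},       # the diary's sleeper
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /C ping 8.8.8.8 -n 4"},               # ordinary user ping
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping -n 120 127.0.0.1 >nul"},      # same trick, loopback
]

# Assumed list of Office parents worth alerting on.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Matches "ping ... -n <count>" anywhere in a command line, case-insensitively.
PING_N = re.compile(r"\bping(?:\.exe)?\b.*?\s-n\s+(\d+)", re.IGNORECASE)

# Windows ping waits roughly one second per echo request, so -n 250 is about 250 s
# (the diary observed 4 min 10 s).
SECONDS_PER_PING = 1


def ping_sleep_seconds(cmdline):
    """Return the approximate delay (seconds) a 'ping -n N' command introduces, or 0."""
    m = PING_N.search(cmdline)
    return int(m.group(1)) * SECONDS_PER_PING if m else 0


def is_office_parent(parent_path):
    """True when the parent image file name is one of the Office executables."""
    return parent_path.replace("/", "\\").rsplit("\\", 1)[-1].lower() in OFFICE_PARENTS


def find_ping_sleepers(events, min_seconds=60):
    """Return (cmdline, delay) for Office-spawned pings sleeping at least min_seconds."""
    hits = []
    for ev in events:
        delay = ping_sleep_seconds(ev["cmdline"])
        if delay >= min_seconds and is_office_parent(ev["parent"]):
            hits.append((ev["cmdline"], delay))
    return hits


if __name__ == "__main__":
    for cmdline, delay in find_ping_sleepers(SAMPLE_EVENTS):
        print(f"{delay // 60}m{delay % 60:02d}s sleep via: {cmdline}")
```

Because the macro launches the command synchronously, killing the flagged ping process (as noted in the comments) makes the VBA continue immediately, so a sandbox can also use this signal to shortcut the wait.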
Can you explain your command? How can I do that? Is it a DDoS to Google? Thanks, nice post.
DaoTrong

1 Post
What does the time delay buy the actor?
TuggDougins

29 Posts
Same as the other sleeper I wrote a diary entry for.

Evade detection by time-limited, automatic dynamic analysis.

Which can in turn be defeated by killing the ping process.
DidierStevens

133 Posts
ISC Handler
Just being able to ping or use 8.8.8.8 might be a way for bad guys to determine whether an endpoint is outside of a protected network (no IPS, NGFW, etc.).
Anonymous

The VBA code does not check the result of the ping command. It just launches the command with a synchronous call: when the command terminates, the VBA code continues to run, regardless of what the result of the ping command is.
DidierStevens

133 Posts
ISC Handler