This article is the first entry in a series on dissecting malware at a forensic level. Recently, on one of the freelance sites, I was paid to download a file from an HTML page. The freelance company seemed reputable enough to make sure malware doesn't get through, but where there is a will, there is a way.
I'd recommend that the company hash each file and check it against common virus signatures, as Gmail does. But that may not be feasible for the company's bottom line, so opening any file you receive from a stranger on the internet should be treated like handling a patient with Ebola.
So that's what I did. I downloaded the zip and moved it into a Docker container. What I did find was pretty worrisome, since it attempted to insert bytecode into PowerShell, but this article isn't about that.
What this article is about is, first, inspecting the website where the file is hosted. Just landing on certain web pages can exploit your machine and send your data all over the place. And the easiest way to really drill down is with the Linux program ss.
ss is a command line program that lets you monitor the status of your network sockets. That matters because the first thing any virus will do is attempt to phone home.
And for the virus to phone home it will have to open a TCP or UDP socket in order to transmit data back to the creepy hacker. But I noticed that ss doesn't have a lot of helpful, human-friendly features that make it easy to understand what's going on.
OpenSocks is a piece of software I created that takes ss output and uses Python in an effort to locate exactly which sites are communicating with your computer at the socket level.
OpenSocks uses Python's socket module on the addresses it parses from the output of the Linux commands
ss -a -t
ss -a -u
-a lists all sockets (including listening ones), -t means find TCP sockets, and -u finds all the UDP sockets.
Simply run OpenSocks in your terminal, and it will give you output that is human readable and also makes tracking down malicious sockets a breeze.
So for example, the domain which hosted the malware was volafile.org. After a quick ping to volafile.org I found the IP address of the domain was 18.104.22.168. Now I can use that address to filter IP addresses with the Python script like so.
python resolve_host_names.py | grep 22.214.171.124
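To make the two steps above concrete (parsing ss output, then reverse-resolving each peer and optionally filtering on one address), here is an added example in the same spirit; it is not the OpenSocks source and does not claim to match it. The sample ss output and the host name used in the test are constructed, and the resolver is injectable so the parsing can be checked without network access.

```python
import re
import socket
import subprocess
from typing import Callable, Dict, List, Optional

# Constructed sample in the layout of `ss -a -t` (not a real capture).
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN    0      128    0.0.0.0:22           0.0.0.0:*
ESTAB     0      0      192.168.1.10:54321   203.0.113.7:443
ESTAB     0      0      192.168.1.10:54322   198.51.100.5:80
TIME-WAIT 0      0      192.168.1.10:54323   203.0.113.7:443
"""

Resolver = Callable[[str], Optional[str]]


def dns_resolver(ip: str) -> Optional[str]:
    """Reverse-resolve an IP with the socket module; None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def parse_ss(output: str) -> List[Dict[str, str]]:
    """Split the whitespace-separated columns of `ss -a -t` / `ss -a -u` output."""
    rows = []
    for line in output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] in ("State", "Netid"):   # skip header rows
            continue
        local_addr, local_port = cols[3].rsplit(":", 1)     # rsplit keeps [::] intact
        peer_addr, peer_port = cols[4].rsplit(":", 1)
        rows.append({"state": cols[0], "local": local_addr, "local_port": local_port,
                     "peer": peer_addr, "peer_port": peer_port})
    return rows


def resolve_peers(output: str, resolver: Resolver = dns_resolver,
                  peer_filter: Optional[str] = None) -> List[Dict[str, str]]:
    """Attach a host name to every connected peer; keep only `peer_filter` if given."""
    result = []
    for s in parse_ss(output):
        if s["peer"] in ("0.0.0.0", "[::]", "*"):   # listening/unconnected: no remote peer
            continue
        if peer_filter and s["peer"] != peer_filter:
            continue
        s["peer_host"] = resolver(s["peer"]) or "unresolved"
        result.append(s)
    return result


if __name__ == "__main__":   # live run: same columns, real ss output, real reverse DNS
    live = subprocess.run(["ss", "-a", "-t"], capture_output=True, text=True).stdout
    for s in resolve_peers(live):
        print(f'{s["state"]:10} {s["peer"]}:{s["peer_port"]:<6} {s["peer_host"]}')
```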
Here's the output of running OpenSocks without any grep or filter commands.