40

I received a pretty blatantly spammy email to my Gmail account. Attached to the email is a supposed HTML file. My first hunch was that it was probably one of the following:

  1. A nasty executable file masquerading as a simple HTML file, or
  2. An actual HTML file meant to be opened in a browser in a phishing attack

My guess is that it really is an HTML file, since Gmail claims the attachment is only 1K in size.

I know I should probably just mark this as spam and get on with my life, but my curiosity is getting the best of me... I really want to know what's in that attachment. Is there a safe way to go about downloading it to a sandboxed location and inspecting the contents? I'm at the beginning of a career shift into the security field, and I would love to pick apart this real world example of something potentially nasty and see how it ticks.

I'm thinking a LiveCD or a VM would be a safe environment... I would prefer to do it in a clean, un-networked environment, but in any case, I'll still be logging into my Gmail account to download the thing.

Any suggestions?

schroeder
  • 123,438
  • 55
  • 284
  • 319
lsdfapoinsafpr
  • 503
  • 1
  • 4
  • 6

6 Answers6

29

It could also be:

3. HTML page with JavaScript code attempting exploit a vulnerability in your browser.

4. HTML page with an embedded Java applet attempting to exploit a vulnerability in the JVM

5. HTML page with an embedded Flash file attempting to exploit a vulnerability in Flash Player

6. The email itself, before you open the attachment could try to exploit a vulnerability in your email client

There might be other possibilities.

For this purpose, I have the following setup:

  • Virtual Machine using VirtualBox. No network access.

  • I have a snapshot saved for the VM after a fresh OS install.

  • I also take two snapshots with What Changed? and TrackWinstall.

  • I copy files only in the direction Host -> VM, using a free ISO creator.

  • I create the .iso file and mount it. Then I can have all the fun I want on the VM itself.

  • I usually run the malware and study memory usage, CPU load, listening ports, networking attempts.

  • I check the changes to the OS using What Changed? and TrackWinstall.

  • Finally I restore to the fresh snapshot.

The reason I have the whole setup is because I like to run the malware and see what it's trying to do.

Update:

I was talking to a colleague who performs malware analysis as a hobby and he told me about his setup, it might be different that what you might want for an occasional .html attachment check.

  • Old PC with a fresh OS install.

  • After installing the needed tools he takes a full-disk image using Clonezilla Live.

  • What Changed for snapshots comparisons.

  • The PC is connected to the Internet through a separate network.

  • Whenever he finishes working on a sample, he reboots with Clonezilla and restores the full-disk image.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Adi
  • 43,808
  • 16
  • 135
  • 167
  • 1
    I like the point you make... it was short-sighted of me to suggest there were only two possibilities. I happened to mention the first ones that came to mind, so thanks for listing some others. I have some questions about your approach. Wouldn't creating the ISO and mounting it in the VM require you to download the suspicious file on the host in order to create the ISO (since the VM isn't networked)? – lsdfapoinsafpr Mar 20 '13 at 16:10
  • 6
    @Adnan, I think it is worth pointing out that malware can detect whether it is in a VM, even if it can't break out of the VM, it may still be able to alter its behavior to mask its true purpose. A less likely feature, but still possible. – 700 Software Mar 20 '13 at 18:44
  • This is a fantastic response. One thing to add - it doesn't show execution behavior, but as OP ended up going with, reading the source code (in a safe way) answers some questions there. Anyways, 10/10 response - thanks! – securityOrange Nov 16 '18 at 23:03
  • Worth noting Qubes OS when this type of security is desired. The GUI is geared for it, and Qubes will automatically instantiate disposable VMs and copy the message/file when you choose to edit or view it securely. It also utilizes disposable VMs to permanently sanitize certain file types such as pdf. – tasket Mar 30 '19 at 14:04
  • "I copy files only in the direction Host -> VM, using a free ISO creator." I am a little confused about this step. We have a virtual machine that we are ready to burn. Are we just putting the malware on an iso by itself as a way to transfer to the guest machine (instead of having a shared folder between the guest and the host?) How about just turning off file sharing once we transfer the malware into the virtual machine from the shared folder instead? – whitelightning Jun 10 '20 at 15:08
28

In Gmail, click on the button with the little triangle on the bar above the message, on the right. In the menu that pops up, select "Show Original". Now gmail shows you the raw message with all the headers, in another browser window. The attachment is in the message body, MIME-encoded into harmless text. You can cut and paste the MIME material and decode it with some MIME utilities (e.g. munpack on Linux or Cygwin).

Kaz
  • 2,303
  • 16
  • 17
  • 2
    I love this answer! It didn't cross my mind that the actual attachment would be encoded as part of the email header, but it makes total sense. I tested it out by copy and pasting the encoded portion of the header into a text file, then using openssl base64 on OSX to decode it. This seems much less risky for the simple reason that it won't run automatically like downloading from the browser might. I'll file away this method for future use. Thanks! – lsdfapoinsafpr Mar 21 '13 at 15:53
  • +1 *This* is exactly the answer to the OPs original question. Any mail app that lets you see the raw ASCII of the message is safe to look at the message and any attachments, whether it's an on-line (GMail) or a standalone app (Outlook etc). From there you can cut-n-paste to wherever you want for further investigation. –  Mar 21 '13 at 16:22
  • 1
    But, you don't love this answer enough to give it a green checkmark. * Pout *! :) :) – Kaz Mar 22 '13 at 23:12
5

The simplest approach would be to use direct HTTP access to save the file and open it in Notepad to examine the contents. The file can't magically run itself if you treat it directly as data and you should be able to examine the contents. The key is to make sure you do not access it with anything which could automatically run something for you.

To be a little more thorough, you could use a VM to actually let it go and see what it does, but for simple checking, treating it as a data file and accessing it with data analysis tools should be safe.

There is a very slim chance of issues if they happen to be targeting a VM vulnerability, but the chances of your particular questionable file rapidly identifying and targeting a suitable VM vulnerability to break sandbox are pretty close to nil unless you are being specifically targeted and even then it's probably a low likelihood.

If you've already opened the e-mail and just not the attachment, then you could simply save the attachment. If you are nervous about actually opening the e-mail, something like Lynx could probably be used.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110
  • I have already opened the email, but not the attachment. Are you suggesting that I'm safe to download the attachment, assuming nothing automatically runs it once downloaded? I'm on a Mac, using Chrome... if that makes a difference. I don't think I have any settings to run anything automatically on download. – lsdfapoinsafpr Mar 20 '13 at 16:24
  • @sonofamitch - Yes, a data file can not do anything without being run. The trick is there are lots of things that can automatically run a file. Downloading it as a file and then opening it with a basic text editor or hex editor should prevent it from being able to execute anything though. – AJ Henderson Mar 20 '13 at 16:26
  • Does your operating system read the file to see if it can generate a thumbnail icon? In that case, the data in the file can take advantage of that for an exploit. – Douglas Held Jun 09 '15 at 06:45
  • bugs in VMs are sometimes found, which let code escape the sandbox – Display Name Sep 05 '15 at 13:16
  • @SargeBorsch indeed, however the odds of that happening on any particular questionable file are pretty darn near zero unless someone is being specifically targeted. I updated to expand on the possibility though, as it is possible, even if unlikely. – AJ Henderson Sep 05 '15 at 16:05
4

A liveCD running on a system with no hard drive, set in a DMZ network with no access to anything else would be my answer. That way there's nothing the malware could write to, and no way it could attempt to infect any other systems. The problem with a VM is that is that malware could attempt to compromise the host machine. Even if it isn't capable of infecting using some sort of hypervisor attack (pretty unlikely), it could simply use the network to attempt to crack the host machine.

GdD
  • 17,291
  • 2
  • 41
  • 63
3

Get a laptop. The laptop contains no hard disk. Use a boot cd that lets you boot from usb port. Insert a 2GB usbstick with the Tor Tails OS. Boot from the usb stick. Log into your email account, save the attachment to a "virtual" ram disk. Then log out from your e-mail account. Then run or analyze your attachment. Draw your conclusions. Shutdown the laptop and voila. No trace, no damage. QED.

Peter
  • 101
  • 1
  • 5
  • 1
    How good is Tor Tails at preventing writing to BIOS, USB controller, network card EPROM, graphics card EPROM? – Snowbody Feb 19 '15 at 21:36
2

The easiest way would be to foward the mail to an online scanning service.

You can submit files to virustotal by forwarding the email to scan@virustotal.com You will have to change the subject field to "SCAN". When it is done, you should receive a mail with the results. Email submissions is not prioritized, so it might take some time for the results to come back.

For more information, you can visit virustotal

And of course, you should not forward sensitive information.

Dog eat cat world
  • 5,759
  • 1
  • 27
  • 46