How to share malicious source code?

2

2

I have a client whose site (not one I developed) is infected by a trojan/malicious code. I have asked him to send me the dirty files in a zip but either Gmail or unzipping is blocking them.

I've tried text files and word files, and I'm suspecting many different file types will be blocked the same way, either by my mail client, anti-malware software, browser etc. (which is normal).

Do you know a way he could share those lines so I can read them and do some research about the malicious source code?

An image/screenshot of his text editor would be an idea but the files are long and I'd prefer to be able to copy/paste from them.

darma

Posted 2012-07-08T11:28:21.547

Reputation: 131

If it's text, they could upload it over on Pastebin or one of its many clones. I would recommend making an 'unlisted' or 'private' paste, not public. Their AUP doesn't seem to mention malicious code, but it's probably not your desire to spread this.

– Bob – 2012-07-08T11:59:39.137

Why not just zip the whatever... save it on the website somewhere, and email you the LINK so you can download it when desired. I mean... goodness! you already have a website to download stuff from... – lornix – 2012-07-08T13:11:47.377

12

You could set a password for the zip file so the antivirus scanners would not have access to the zip file. – colemik – 2012-07-08T13:50:44.103

This is exactly why antivirus companies ask people to submit malware in encrypted .zip files. – Michael Hampton – 2012-07-15T04:50:17.190

Answers

9

It's probably Gmail - it's designed to do that after all and does scan for viruses. I suspect using a less common compression method might work (.xz may work for a single file - zip files are checked from my very unscientific tests of Gmail), or just simply burning it onto a DVD or other media and snailmailing it might work better.

Considering you're doing incident response, would it be too much to ask for access to the site directly to download the files? That would be the simplest, and you can then observe the compromise in its native environment.

Journeyman Geek

Posted 2012-07-08T11:28:21.547

Reputation: 119 122

Would Gmail scan source code for malicious code‽ I think it's more likely it's just blocking ZIP files in general... – Bob – 2012-07-08T11:34:08.800

Pretty easy to test. I just need to send myself an EICAR file. Once I work out how to disable my AV ;p – Journeyman Geek – 2012-07-08T11:38:18.377

Yes, I've asked him for his FTP access; that might be the best way. I'm still curious though and interested in your replies here; it's not the first time I've been confronted with that situation (+ clients are not always very techy, so I can't ask them to do too "complicated" manipulations). – darma – 2012-07-08T11:46:49.540

Uncompiled code is harmless. Do you actually have a problem with stuff being blocked? A compiled application does you no good, that is the only thing Google can likely detect, and the only thing they care about. – Ramhound – 2012-07-09T14:17:34.327

The bigger thing, as far as I'm concerned, is to see the evidence in the context of the wider situation. I'm not saying it is Google, but trying to use a less common compression method is a good way to test. – Journeyman Geek – 2012-07-09T14:30:59.733

4

Just use an encrypted zip file, either letting zip itself do the encryption, or using gpg to encrypt it. Then mail the encrypted file, and exchange the passphrase so you can unpack it on the other end. This way an anti-virus scanner is prevented from reading the contents, and thus shouldn't block it.

Izzy

Posted 2012-07-08T11:28:21.547

Reputation: 3 187

2

One way which you can always use is to make an archive (zip, tar, whatever). Uuencode that archive and strip the "begin 600 filename" line from the beginning and the "end" line from the end of the encoded result.

I have never encountered a virus scanner blocking pure ASCII files yet. And that is just what the result of the above operations is.

Restoring it is as simple as opening the file in a text editor, adding the begin and end lines back, and using either uudecode or WinZip to decode it.

Hennes

Posted 2012-07-08T11:28:21.547

Reputation: 60 739
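Hennes's procedure worked end to end, as an added example that is not code from the original answer: it bundles two constructed, inert text files into a tar archive, uuencodes it with Python's binascii (standing in for the uuencode/uudecode commands), strips the begin/end framing so only plain ASCII lines remain, then puts the framing back and verifies by SHA-256 that the restored archive is byte-identical. The file names, contents and the "sample.tar" name are assumptions for the demo. The backtick option matches uuencode(1), which avoids trailing spaces that a mail client might strip.

```python
"""Added example (not from the original post): package a sample, uuencode it,
strip the begin/end framing so only plain ASCII remains, then restore it."""
import binascii
import hashlib
import io
import tarfile

# Constructed sample files: inert placeholder text standing in for the
# suspicious scripts a mail scanner might reject.
SAMPLE_FILES = {
    "index.php": b"<?php echo 'hello'; // constructed placeholder, not real malware\n",
    "notes.txt": b"second file in the bundle\n",
}


def make_archive(files):
    """Build a tar archive in memory from a dict of name -> bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def uuencode_text(data, name="sample.tar", mode=0o600):
    """uuencode `data` the way uuencode(1) does: a 'begin <mode> <name>' line,
    45-byte body lines, a lone backtick line and an 'end' line."""
    lines = ["begin %o %s" % (mode, name)]
    for i in range(0, len(data), 45):
        chunk = binascii.b2a_uu(data[i:i + 45], backtick=True)
        lines.append(chunk.decode("ascii").rstrip("\n"))
    lines.append("`")
    lines.append("end")
    return "\n".join(lines) + "\n"


def strip_framing(text):
    """Drop the 'begin ...' and 'end' lines, leaving only the encoded body
    (this is the text that can be pasted into a plain message)."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("begin ") or lines[-1] != "end":
        raise ValueError("not a framed uuencoded text")
    return "\n".join(lines[1:-1]) + "\n"


def is_pure_ascii(text):
    """True when every character is 7-bit ASCII, the property Hennes relies on."""
    return all(ord(c) < 128 for c in text)


def restore(body, name="sample.tar", mode=0o600):
    """Re-add the framing on the receiving side and decode, as uudecode would."""
    framed = "begin %o %s\n" % (mode, name) + body + "end\n"
    out = bytearray()
    for line in framed.splitlines()[1:-1]:   # skip 'begin' and 'end'
        out += binascii.a2b_uu(line)         # the lone '`' line decodes to b''
    return bytes(out)


def round_trip(files=SAMPLE_FILES):
    """Return (original_sha256, restored_sha256, body_is_ascii)."""
    archive = make_archive(files)
    body = strip_framing(uuencode_text(archive))
    restored = restore(body)
    return (hashlib.sha256(archive).hexdigest(),
            hashlib.sha256(restored).hexdigest(),
            is_pure_ascii(body))


if __name__ == "__main__":
    original, restored, ascii_only = round_trip()
    print("ASCII body:", ascii_only, "| hashes match:", original == restored)
```

Comparing hashes on both ends is the cheap check that nothing was mangled in transit (a mail client re-wrapping long lines is the usual culprit); the tar archive is used here because it is a plain byte stream, but a zip works identically.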

1

I've experienced that zipcepted malicious files tend to go undetected by antivirus scanners.

Try embedding the zipped malicious file into another zipped file (and possibly another), and most scanners won't detect it until you extract it to the final level (just before file extraction). At that point, you can turn off your antivirus and extract, or extract the file inside Linux where most trojans/viruses don't work.

Aditya M P

Posted 2012-07-08T11:28:21.547

Reputation: 303
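On the receiving side, the nested-zip trick above (and the password-protected zip suggested in the comments) means you want to look inside an archive before anything is extracted to disk. The following is an added example, not code from the original answer or from any tool it mentions: it builds a constructed three-layer "zip inside a zip inside a zip" around an inert text file, then walks it entirely in memory, recording the nesting depth of each member, whether a member is itself a zip, and whether its general-purpose flag bit marks it as encrypted (entries that a scanner cannot read and that this walker therefore does not open). The member names, the depth cap and the per-member size cap are assumptions for the demo.

```python
"""Added example (not from the original post): inspect a possibly nested zip
in memory, without extracting, and report depth and encrypted entries."""
import io
import zipfile

# Constructed sample: inert placeholder text standing in for a suspicious script.
INNER_TEXT = b"placeholder text standing in for a suspicious script\n"


def wrap_in_zip(name, payload):
    """Return the bytes of a zip archive holding the single member name=payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_nested_sample(levels=3):
    """Wrap INNER_TEXT in `levels` zip layers: sample.txt -> layer1.zip -> ..."""
    data, name = INNER_TEXT, "sample.txt"
    for i in range(levels):
        data = wrap_in_zip(name, data)
        name = "layer%d.zip" % (i + 1)
    return data


def scan_archive(blob, depth=0, max_depth=10, max_member_bytes=50 * 1024 * 1024):
    """Walk a zip held in memory. Returns one finding per member:
    (member_name, depth, is_nested_zip, is_encrypted).
    Encrypted members are reported but never read; the depth and size caps stop
    a deliberately deep or oversized archive from exhausting the scanner."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)   # general purpose bit 0
            too_big = info.file_size > max_member_bytes
            nested = False
            member = b""
            if not encrypted and not too_big:
                member = zf.read(info)
                nested = zipfile.is_zipfile(io.BytesIO(member))
            findings.append((info.filename, depth, nested, encrypted))
            if nested and depth + 1 < max_depth:
                findings.extend(scan_archive(member, depth + 1,
                                             max_depth, max_member_bytes))
    return findings


def max_nesting_depth(blob):
    """Deepest level at which a member was found (0 for a flat archive)."""
    return max((f[1] for f in scan_archive(blob)), default=0)


def has_encrypted_members(blob):
    """True if any member at any reachable level carries the encryption flag."""
    return any(f[3] for f in scan_archive(blob))


if __name__ == "__main__":
    sample = build_nested_sample(3)
    for name, depth, nested, enc in scan_archive(sample):
        print("  " * depth + name, "[zip]" if nested else "", "[encrypted]" if enc else "")
    print("max depth:", max_nesting_depth(sample))
```

Running the walk before extraction gives you the shape of what you were sent (how many layers, what sits at the bottom, whether a passphrase will be needed) so the final extraction happens deliberately, in the isolated environment the answer recommends, rather than by a double-click.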