
Virus in DLL file?


24 replies to this topic

#1 Enterprise256

Members, 78 posts

Posted 05 March 2015 - 02:44 PM

Is it possible to have a virus on a DLL file?

 

Is this a false positive or valid? https://www.virustotal.com/en/file/a71ad40cf4272dfa2d0fbf6fd95e1eb489aaef8e3295de5be20413da59bc4d9f/analysis/1425504500/

 

EDIT: Latest https://www.virustotal.com/en/file/a71ad40cf4272dfa2d0fbf6fd95e1eb489aaef8e3295de5be20413da59bc4d9f/analysis/


Edited by Enterprise256, 05 March 2015 - 02:49 PM.



#2 White Hat Mike

Members, 312 posts, Location: ::1

Posted 05 March 2015 - 03:00 PM

 

Malware can certainly exist in a DLL as well as numerous other file types.  Often DLLs can be converted to EXEs simply by modifying some attributes within the file's PE header.  The execution of an EXE versus a DLL differs as well.

 

Without looking too much into it, it could be a false positive but the suspicious metadata leads me to believe that it likely contains malicious content.  Perhaps not something as malicious as some major Trojans and other malware, but perhaps it has adware/browser hijackers/other PUPs wrapped within the binary data deeming it more so benign in nature.

 

I would not trust the file and determine that it's "unclean".  Not sure what it is (is it from a game?) but be sure that you're only downloading software from trusted sites; when downloading games and other applications of that nature, malware in all forms is common.  The chance that it is malicious increases if retrieved via a torrent.


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#3 Aura

Bleepin' Special Ops, Malware Response Team, 19,670 posts

Posted 05 March 2015 - 03:24 PM

Is it possible for you to upload that file to a website like ge.tt or mega.co.nz and post the non-direct download link here, so members like White Hat Mike or Didier could analyze the file and see if it's malicious or not?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 Enterprise256

Topic Starter, Members, 78 posts

Posted 05 March 2015 - 03:44 PM

Quoting White Hat Mike (#2):

 

It's a component of an aircraft for Flight Simulator X.

 

Quoting Aura (#3):
Is it possible for you to upload that file to a website like ge.tt or mega.co.nz and post the non-direct download link here, so members like White Hat Mike or Didier could analyze the file and see if it's malicious or not?

Of course. Here it is.

 

http://ge.tt/5NbquhB2/v/0?c

 

It should be 8.54MB when downloaded (for some reason showing 8.9 on the site).



#5 White Hat Mike

Members, 312 posts, Location: ::1

Posted 05 March 2015 - 04:14 PM

Quoting Enterprise256 (#4):

 

 

The download is not working for me.  Could you upload it to Mega?




#6 Enterprise256

Topic Starter, Members, 78 posts

Posted 05 March 2015 - 04:54 PM

Quoting White Hat Mike (#5):
The download is not working for me.  Could you upload it to Mega?

 

Alright.

 

https://mega.co.nz/#!CZ8z1LBb!-y4mhUXmnI5qtqKMHMS1wulo4Hgk-FWGJR6jDJ2ICsk



#7 White Hat Mike

Members, 312 posts, Location: ::1

Posted 05 March 2015 - 05:56 PM

Can't give you a definite answer as I didn't break it down in-depth.

 

While I believe it could be clean, it certainly fits the benign category at best.  As stated before (and Didier stated below), the metadata is very suspicious.  Common for a third-party mod but with a mod you never actually know what they put inside the file (from a normal user standpoint).  It also appears to be packed.


Edited by White Hat Mike, 05 March 2015 - 06:30 PM.



#8 Didier Stevens

BC Advisor, 2,705 posts

Posted 05 March 2015 - 06:08 PM

Flight Simulator X is from Microsoft and dates from 2006, right?

Do third parties provide extensions to this flight simulator, like extra airplane models?

Because the metadata makes me believe that this DLL was not compiled by Microsoft.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#9 Aura

Bleepin' Special Ops, Malware Response Team, 19,670 posts

Posted 05 March 2015 - 06:10 PM

Yes Didier, there are a lot of mods that exist for Microsoft Flight Simulator. Maps, skins, planes, etc., the whole thing. It's pretty much like Garry's Mod.



#10 Didier Stevens

BC Advisor, 2,705 posts

Posted 05 March 2015 - 06:19 PM

So it's possible that someone compiled this just 2 weeks ago?
And is it usual to use packers for the executables?



#11 White Hat Mike

Members, 312 posts, Location: ::1

Posted 05 March 2015 - 06:28 PM

Replying to Didier Stevens (#8, #10) and Aura (#9):

 

This is why I believe that it may not be safe.  The metadata simply doesn't make sense; it looks like a template that was never modified (i.e. "Your Company" as the company name).  Microsoft would not produce and distribute a DLL with such metadata.

 

The DLL does not exhibit any blatantly obvious malicious behavior through basic checks, and it being packed may lead it to be flagged by various AV engines.  I didn't know that this was a mod, meaning a third-party user compiled it and it could really be anything.  I wouldn't trust it.


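The two technical points raised above, that the DLL-versus-EXE distinction lives in the PE header (White Hat Mike, #2) and that the file "appears to be packed" (#7, #11), can both be checked from the headers without ever loading the file. What follows is an added example, not code from the thread or from any of the posters. It uses only the Python standard library, the two PE images it inspects are constructed in memory, and the list of packer section names is an illustrative assumption rather than a complete one.

```python
import hashlib
import math
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set when the image is a DLL
FILE_ALIGN = 0x200
# Assumed, non-exhaustive list of section names packers leave behind.
PACKER_SECTIONS = {b"UPX0", b"UPX1", b".aspack", b".petite", b".themida", b".vmp0"}

def align(n: int, a: int) -> int:
    return (n + a - 1) // a * a

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain code sits well below 7, compressed or encrypted data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    sections, off = [], coff + 20 + opt_size
    for _ in range(nsec):
        name, vsize, _, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize, "raw_size": rawsize,
                         "entropy": shannon_entropy(image[rawptr:rawptr + rawsize])})
        off += 40
    return {"is_dll": bool(chars & IMAGE_FILE_DLL), "characteristics_offset": coff + 18,
            "link_timestamp": stamp, "sections": sections}  # TimeDateStamp: the "compiled 2 weeks ago" clue

def packing_indicators(pe: dict) -> list:
    """Heuristics, not proof: packer names, high entropy, or an empty-on-disk unpack target."""
    hits = []
    for s in pe["sections"]:
        if s["name"] in PACKER_SECTIONS:
            hits.append(f"{s['name']!r}: known packer section name")
        if s["raw_size"] and s["entropy"] > 7.0:
            hits.append(f"{s['name']!r}: entropy {s['entropy']:.2f}, compressed or encrypted")
        if s["raw_size"] == 0 and s["virtual_size"] >= 0x1000:
            hits.append(f"{s['name']!r}: 0 bytes on disk, {s['virtual_size']:#x} in memory")
    return hits

def with_dll_flag(image: bytes, is_dll: bool) -> bytes:
    """The header change from #2: flip IMAGE_FILE_DLL. The loader then treats the file
    differently, but the code inside still expects a DllMain-style entry, so this alone
    does not turn a DLL into a working program."""
    off = parse_pe(image)["characteristics_offset"]
    chars, = struct.unpack_from("<H", image, off)
    chars = chars | IMAGE_FILE_DLL if is_dll else chars & ~IMAGE_FILE_DLL
    return image[:off] + struct.pack("<H", chars) + image[off + 2:]

def build_pe(is_dll: bool, sections) -> bytes:
    """Constructed minimal PE32 image (headers plus sections, not runnable) for the demo.
    sections: list of (name, raw_bytes, virtual_size)."""
    opt_size = 224
    first_raw = raw_ptr = align(64 + 4 + 20 + opt_size + 40 * len(sections), FILE_ALIGN)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew points right after the DOS header
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x54F8F000, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<HxxIIII", opt, 0, 0x10B, 0, 0, 0, 0x1000)  # PE32 magic, entry RVA
    hdrs, body, vaddr = b"", b"", 0x1000
    for name, data, vsize in sections:
        rawsize = align(len(data), FILE_ALIGN)
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, rawsize,
                            raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(rawsize, b"\0")
        raw_ptr += rawsize
        vaddr += align(max(vsize, 1), 0x1000)
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    return head.ljust(first_raw, b"\0") + body

def triage(image: bytes) -> dict:
    pe = parse_pe(image)
    return {"kind": "DLL" if pe["is_dll"] else "EXE",
            "sha256": hashlib.sha256(image).hexdigest(),  # the value to look up on VirusTotal
            "indicators": packing_indicators(pe)}

# Constructed samples: an ordinary DLL, and one laid out like a UPX-packed DLL whose
# code section holds every byte value equally often (entropy 8.0, like compressed data).
PLAIN_DLL = build_pe(True, [(b".text", b"\x55\x8b\xec\x90" * 256, 0x400),
                            (b".rdata", b"hello world\0" * 40, 0x200)])
PACKED_DLL = build_pe(True, [(b"UPX0", b"", 0x8000), (b"UPX1", bytes(range(256)) * 16, 0x1000)])

if __name__ == "__main__":
    for label, img in (("plain", PLAIN_DLL), ("packed", PACKED_DLL),
                       ("packed, DLL flag cleared", with_dll_flag(PACKED_DLL, False))):
        print(label, triage(img))
```

To run it against a real file, pass open(path, "rb").read() to triage(). Treat the indicators as reasons to look further (compare the SHA-256 against known-good builds, or unpack and resubmit), not as a verdict: legitimate software is packed too, and a .bss-style section with no data on disk is normal.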


#12 Enterprise256

Topic Starter, Members, 78 posts

Posted 05 March 2015 - 07:27 PM

Quoting White Hat Mike (#7):

Right. I'm not sure what to do at this point... Hm.

 

The DLL is run when the aircraft is loaded into Flight Simulator X and is required for it to run.

 

The thing that's putting me off is when I read "Malware_Prot.AJ" on virustotal and did a google search.

 

It's used for this addon to be specific... http://majesticsoftware.com/mjc8q400/



#13 Didier Stevens

BC Advisor, 2,705 posts

Posted 06 March 2015 - 11:00 AM

I searched through VirusTotal and found 3 files with the same name.

 

https://www.virustotal.com/en/file/e526c3df6d5a44e76759d1aca8d13660afdf1fe742c82c5b44c10cef459d7cba/analysis/

https://www.virustotal.com/en/file/1a906a298bb6c6bc0cb84b2609f99fa17b2bc34689c678b46770ea99b054a21e/analysis/

https://www.virustotal.com/en/file/a71ad40cf4272dfa2d0fbf6fd95e1eb489aaef8e3295de5be20413da59bc4d9f/analysis/

 

That first file is not packed, has identical version information, and has no detections.

I wonder if the packed files are modifications of the first file (done by somebody else than Majestic Software)?


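Both the template metadata Mike points to in #11 ("Your Company" as the company name) and the "identical version information" Didier compares across the three builds come from the StringFileInfo block of the PE version resource. As an added example that is not part of the thread, the code below constructs a version resource whose String entries follow the VS_VERSIONINFO layout (wLength, wValueLength, wType, szKey, 32-bit padding, Value), recovers the strings from raw bytes the way you would from a file or a process dump, and flags fields that still carry template text. The placeholder list and the sample values are assumptions; nothing here is taken from the file discussed.

```python
import struct

# String keys found under StringFileInfo in a VS_VERSIONINFO resource.
KEYS = ("CompanyName", "FileDescription", "FileVersion", "InternalName",
        "LegalCopyright", "OriginalFilename", "ProductName", "ProductVersion")
# Assumed placeholder text from never-edited version-info templates (matched case-insensitively).
PLACEHOLDERS = ("your company", "todo:", "<company name>", "<file description>", "<product name>")

def _u16z(s: str) -> bytes:
    """UTF-16LE with terminating null, as szKey and text Values are stored."""
    return s.encode("utf-16-le") + b"\0\0"

def _pad4(n: int) -> int:
    return (n + 3) & ~3

def build_string(key: str, value: str) -> bytes:
    """One String child: wLength, wValueLength (in UTF-16 chars for wType 1), wType,
    szKey, 32-bit padding, Value. Used only to construct the samples below."""
    key_b, val_b = _u16z(key), _u16z(value)
    body = bytearray(struct.pack("<HHH", 0, len(val_b) // 2, 1) + key_b)
    body += b"\0" * (_pad4(len(body)) - len(body)) + val_b
    struct.pack_into("<H", body, 0, len(body))
    return bytes(body)

def build_resource(pairs) -> bytes:
    """Concatenate String children with the 32-bit padding that separates them."""
    out = b""
    for key, value in pairs:
        s = build_string(key, value)
        out += s.ljust(_pad4(len(s)), b"\0")
    return out

def version_strings(blob: bytes) -> dict:
    """Scan raw bytes (file or memory dump) for each key, validate the 6-byte header
    in front of it and read the Value that follows. Assumes the resource is 4-byte
    aligned in the buffer, as it is in the .rsrc section on disk."""
    found = {}
    for key in KEYS:
        key_b = _u16z(key)
        pos = blob.find(key_b)
        while pos != -1 and key not in found:
            if pos >= 6:
                _wlen, wvlen, wtype = struct.unpack_from("<HHH", blob, pos - 6)
                if wtype == 1 and wvlen:
                    start = _pad4(pos + len(key_b))
                    raw = blob[start:start + wvlen * 2]
                    found[key] = raw.decode("utf-16-le", "replace").rstrip("\0")
            pos = blob.find(key_b, pos + 1)
    return found

def metadata_findings(strings: dict) -> list:
    """Template text, empty fields, or missing identity fields; none is proof of malice."""
    findings = []
    for key, value in strings.items():
        low = value.strip().lower()
        if not low:
            findings.append(f"{key} is empty")
        elif any(p in low for p in PLACEHOLDERS):
            findings.append(f"{key} is unmodified template text: {value!r}")
    missing = [k for k in ("CompanyName", "FileDescription", "ProductName") if k not in strings]
    if missing:
        findings.append("missing: " + ", ".join(missing))
    return findings

# Constructed samples: a resource left at template defaults, and a filled-in one.
TEMPLATE_RSRC = build_resource([
    ("CompanyName", "Your Company"),
    ("FileDescription", "TODO: <File description>"),
    ("FileVersion", "1.0.0.1"),
    ("OriginalFilename", "example.dll"),
    ("ProductName", "TODO: <Product name>"),
])
FILLED_RSRC = build_resource([
    ("CompanyName", "Example Corp"),
    ("FileDescription", "Example add-on module"),
    ("FileVersion", "1.4.2.0"),
    ("OriginalFilename", "example.dll"),
    ("ProductName", "Example Add-on"),
    ("LegalCopyright", "(c) Example Corp"),
])

if __name__ == "__main__":
    for label, rsrc in (("template", TEMPLATE_RSRC), ("filled in", FILLED_RSRC)):
        strings = version_strings(rsrc)
        print(label, strings, metadata_findings(strings))
```

Run version_strings() over the bytes of a real DLL to get the same fields the file's Properties dialog and VirusTotal display, then compare them across the builds whose hashes are listed above: identical strings with different section layouts is exactly the pattern that makes a repack by someone other than the vendor worth ruling out.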


#14 Enterprise256

Topic Starter, Members, 78 posts

Posted 06 March 2015 - 01:14 PM

How complicated is it to look into the dll to figure out if it's actually doing anything malicious? Would I be able to do it myself with some time? My guess is not. :|

 

The first one is from an older revision of the package.


Edited by Enterprise256, 06 March 2015 - 01:16 PM.


#15 Didier Stevens

BC Advisor, 2,705 posts

Posted 06 March 2015 - 02:25 PM

The size of the DLL is massive. I guess it would take months, if not years, of 1 FTE to analyze everything this DLL does.

But before you can start disassembling and decompiling it, you must unpack it.

 

Unpacking is often a problem, because the packers are designed to make unpacking for reverse engineering hard.

 

If these three DLLs all come from the same source (Majestic Software), then they recently started to pack the DLL to protect it against snooping eyes.

 

One way to check the DLL is to unpack it, and then submit it to VT. But unfortunately, these packers have no unpacker.

 

If I have time, I'll have a go at it by running it in a VM and dumping it from the process memory.






