Antique Malware Can Still Bite You - Investigating Malware in an Old File Format

by Korey Young

Many security analysts wouldn't think twice about passing over a file with an antiquated file extension attached to an email.

Many "ordinary" people would probably just ignore the file if they didn't recognize the extension.

But your curious clickers might still try to open the file; and if they are on an old system, it could still detonate and cause damage.  You might think there is no chance that systems old enough to open these antiquated files are still around, but you would be surprised how many ancient systems are still hanging around to perform some critical function that cannot run on an up-to-date system.

So how would you, the part-time malware analyst, analyze an antiquated file if one got in and executed on your old, critical-use computer?  I say part-time malware analyst because a malware reverse engineer would still be able to dig into an antique file's binary and see what it does.  But many cyber security teams do not have a malware reverse engineer on staff, and instead have to rely on malware sandboxes or visual inspection of the file's contents in a text editor.

The subject of this analysis is a PIF file that came into my email sandbox.

Being a relatively young person, I had to look up what a PIF file was, because my Windows 10 computer did not recognize the file format.  I found out that a PIF (Program Information File) is the settings file Windows uses to launch an MS-DOS program, and that Explorer labels it as an MS-DOS shortcut.  Two things about the format matter to an analyst: Windows treats .pif as an executable extension (double-clicking one runs whatever it points at, or whatever the file actually contains), and Explorer hides the .pif extension even when other extensions are shown.  I tried to open the file in my Windows 10 Notepad application, but I got an error saying that it was too big to be opened in Notepad, asking if I wanted to open the file in another application.

That was my first hint that this was not just a regular MS-DOS shortcut file, because genuine PIF files are small, from a few hundred bytes up to about 1 KB.  I allowed the file to open in WordPad on my Windows 10 machine and was greeted with many weird characters, like you would see if you opened a binary file in a text editor.  So I figured that I needed MS-DOS' text editor application to properly view the shortcut file.

The problem was that, like many part-time malware analysts, I didn't have old analysis operating systems lying around.

I searched around the Internet and eventually found an MS-DOS emulator called DOSBox.  I installed DOSBox on my analysis machine, got folder sharing working between DOSBox and my base operating system, and was able to get my PIF file listed in a directory listing in DOSBox.  I then tried to view the PIF file's contents using MS-DOS' text editor program EDIT, but was again greeted by the weird text symbolizing a binary file.  A genuine PIF is binary too, but it is a small fixed-layout record (window title, program path, working directory, memory and video settings), not the large blob I was looking at, so I was beginning to see that this file was not just an MS-DOS shortcut.  I didn't want to try to execute the PIF file, because DOSBox was sharing a folder with my host, and any malicious changes to that folder would persist.

I wanted to view the "shortcut" properties in a GUI.  MS-DOS is command line only, so I would need to view the file in a more recent operating system.  I happened to have a Windows 98 disk lying around, and the Internet told me that Windows 98 still sat on top of MS-DOS and understood PIF files.  So I installed Windows 98 in a virtual machine and set the VM to non-persistent so any changes the malware made would not linger past shutdown.

Windows 98 did indeed recognize the PIF file as an MS-DOS shortcut file, and I was able to view its properties.

But unfortunately, the properties gave little information beyond the fact that it was a shortcut file; they did not show what the shortcut would try to open or do.  When I viewed the PIF contents in WordPad in Windows 98, I was again greeted with the weird characters of binary file content.  I also tried to view the PIF file shortcut properties in a Windows XP VM to see if the properties view in Windows XP gave more information; but it too only said that the file was an MS-DOS shortcut without any information about what the shortcut did.  Windows 7 offered even less help, as it did not recognize the PIF file format at all.

At this point, I had exhausted all of the manual analysis options, short of binary reverse engineering the apparent binary file.
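One check a part-time analyst can still run on a modern machine, without a DOS VM, is to ask whether the file is a PIF at all.  A genuine PIF is a fixed-layout binary record whose first extension-section header, at offset 0x171, is named "MICROSOFT PIFEX"; an executable renamed to .pif instead begins with the DOS "MZ" signature, and a Win32 PE also carries "PE\0\0" at the offset stored at 0x3C.  The following Python script is an added example, not code from the original article; it relies only on those documented format facts, and the sample inputs it builds are constructed in memory for the demo rather than taken from the file discussed above.

```python
"""Triage a .pif file on a modern machine: is it a genuine Program
Information File, or an executable carrying a .pif extension?

Format facts relied on (a PIF is a fixed-layout binary record):
  - the basic section is 0x171 (369) bytes: window title at 0x02 (30 bytes),
    program path at 0x24 (63 bytes), working directory at 0x65 (64 bytes);
  - the first extension-section header sits at 0x171 and is named
    "MICROSOFT PIFEX";
  - an executable instead starts with the DOS "MZ" signature; a Win32 PE
    additionally has "PE\\0\\0" at the offset stored as a little-endian
    dword at 0x3C, followed by the 2-byte COFF Machine field.
The sample files produced below are constructed in memory for the demo.
"""
import struct

PIF_BASIC_LEN = 0x171
PIF_SECTION_NAME = b"MICROSOFT PIFEX"
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64"}


def _cstr(data: bytes, start: int, length: int) -> str:
    """Decode a NUL-padded OEM (cp437) string field."""
    return data[start:start + length].split(b"\0")[0].decode("cp437", "replace").strip()


def classify_pif(data: bytes) -> dict:
    """Return a dict with 'kind' in {'pif', 'dos_exe', 'pe_exe', 'unknown'}."""
    result = {"kind": "unknown", "size": len(data), "notes": []}

    # Executable content first: Windows will run a .pif that is really an EXE.
    if data[:2] == b"MZ":
        result["kind"] = "dos_exe"
        result["notes"].append("executable content under a .pif extension; Windows will run it")
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if e_lfanew + 6 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                result["kind"] = "pe_exe"
                machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
                result["machine"] = MACHINE_NAMES.get(machine, hex(machine))
                return result
        result["notes"].append("MZ header without PE signature: 16-bit DOS program, needs NTVDM or an emulator")
        return result

    # Genuine PIF: the section-header name sits at a fixed offset.
    if len(data) >= PIF_BASIC_LEN + 16 and data[PIF_BASIC_LEN:PIF_BASIC_LEN + 15] == PIF_SECTION_NAME:
        result["kind"] = "pif"
        result["title"] = _cstr(data, 0x02, 30)
        result["program"] = _cstr(data, 0x24, 63)
        result["workdir"] = _cstr(data, 0x65, 64)
        if len(data) > 4096:
            result["notes"].append("unusually large for a PIF; inspect the trailing data")
        return result

    return result


def make_sample_pif(program: str, title: str, workdir: str = "C:\\") -> bytes:
    """Build a minimal PIF (constructed test data, not a real Windows file)."""
    basic = bytearray(PIF_BASIC_LEN)
    basic[0x02:0x02 + len(title)] = title.encode("cp437")
    basic[0x24:0x24 + len(program)] = program.encode("cp437")
    basic[0x65:0x65 + len(workdir)] = workdir.encode("cp437")
    # Section header: 16-byte name, next-section offset (0xFFFF = last),
    # data offset and data length (here pointing at the basic section).
    header = PIF_SECTION_NAME.ljust(16, b"\0") + struct.pack("<HHH", 0xFFFF, 0, PIF_BASIC_LEN)
    return bytes(basic) + header


def make_sample_pe() -> bytes:
    """Build a stub DOS header plus PE signature (constructed test data)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE header
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", 0x14C) + b"\0" * 18


def make_sample_dos_exe() -> bytes:
    """An MZ header with no PE signature: a 16-bit DOS executable stub."""
    return b"MZ" + b"\0" * 0x3E


if __name__ == "__main__":
    import sys
    samples = {"genuine.pif": make_sample_pif("C:\\DOS\\EDIT.COM", "MS-DOS Editor"),
               "dosprog.pif": make_sample_dos_exe(),
               "win32.pif": make_sample_pe()}
    for name in sys.argv[1:]:           # any real .pif paths given on the command line
        with open(name, "rb") as f:
            samples[name] = f.read()
    for name, blob in samples.items():
        print(name, classify_pif(blob))
```

Run it with the suspect file's path as an argument.  A "dos_exe" verdict is the case this article ran into: an MZ header with no PE signature only runs under NTVDM (32-bit Windows up to XP, and the 32-bit editions after it) or an emulator, which is exactly what a 64-bit sandbox cannot provide.  A "pe_exe" verdict means the file would run on any current Windows machine despite its antique extension.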

The next step a part-time malware analyst would take is to analyze the file with a malware sandbox.  There are several options available online: Hybrid Analysis, ANY.RUN, VirusTotal, etc.  Hybrid Analysis and ANY.RUN will actually try to run your file, whereas VirusTotal primarily runs many anti-virus engines against your file to see if there are any signature hits.

I uploaded the PIF file to Hybrid Analysis and ANY.RUN.

But even just seeing their configuration options told me that they would not be able to successfully run the file, because neither Hybrid Analysis nor ANY.RUN offers an analysis environment older than Windows 7.  I don't blame them for this, because hopefully very few people are still running operating systems earlier than Windows 7.  But this restriction eliminates the automated sandbox option when you are investigating an ancient file.

It would be nice if they at least still supported Windows XP, since there are still a considerable number of XP machines out there, many running antiquated but critical processes.  Plus, 32-bit XP still includes NTVDM, the 16-bit subsystem, so an XP sandbox could actually run DOS programs.  As predicted, both Hybrid Analysis and ANY.RUN failed to execute the PIF file.

Hybrid Analysis just said the sandbox analysis failed, although it did show three hits for anti-virus flagging the PIF file as potentially bad.

ANY.RUN gave a screenshot of Windows 7 presenting a pop-up window immediately after launching the PIF file, saying that 16-bit applications were not supported.  That dialog is what 64-bit Windows shows for any 16-bit program, because the 64-bit editions dropped NTVDM, the subsystem that runs DOS and 16-bit Windows code; the 32-bit editions of Windows 7 and later can still run it.  So the file was most likely a 16-bit program carrying a .pif extension, which also explains why my Windows 7 machine could do nothing useful with it.

VirusTotal was actually a bit helpful in analyzing this antique file, identifying the PIF file as potentially malicious.  Five of VirusTotal's 55 anti-virus engines flagged the file, although only three showed red in the results list, and one of those three was still counted as "undetected" because it only flagged the PIF file as adware.  Only Avast and ClamAV were fully confident that the file was malicious: Avast flagged it as a rootkit and ClamAV flagged it as a generic Trojan.

So, we have finally finished the journey of finding out if an ancient file is malicious or not.

We went through five different versions of operating systems, several sandboxes, and a bunch of antivirus engines.

I don't blame the sandboxes or anti-virus vendors for not having support or definitions for these old file formats.  After all, the probability that a machine old enough to run this code is also exposed to a malware attack is very, very low.

However, there are still quite a few Windows XP machines out there, so it is interesting that the malware sandboxes no longer offer a Windows XP analysis environment.  When an ancient-file attack does happen, malware analysts need to be able to analyze the file quickly, and it can be very hard to find the old operating systems or equipment needed to perform the analysis.
