Year of Python (YOP) – Week Twelve

23Mar15

Hello reader!

This weeks script is a rather simple one.  As you may or may not know there’s some malware floating around the Internet that uses Office documents as its initial “lure” to the reader.  I’m sure most of you could look through your spam mail of your <insert free webmail service here> account and see plenty of examples of what I’m talking about.  Subjects like “Invoice ID”, “Payment Collection”, or “Debt Collection”, all with a nice little Office Icon’d attachment included for you to open.  And if you open the attachment…well bad things my happen.

Dider Stevens has a python program called oledump that can normally parse these files.  And in doing so give you a look in to what else the files may be doing.  Lately it appears that there’s a cat and mouse game going on.  Dider updates his took to parse the latest variant of these malware attachments, and then the malware author changes tactics slightly so the script doesn’t work anymore.  And then Dider updates his oledump program to account for the change….rinse, lather, and repeat….

So normally I use his oledump program to look at these files.  Mainly to get an idea of what exe they are trying to download (there’s always another exe involved).  But there have been times where oledump hasn’t been updated yet, and I get some new version of this malware document.  Since (for me) Google is pretty quick on noticing these things as having a virus in them, I like to download them to my linux machine as soon as I can to examine them.

Now these files you can actually open up in a text editor to see the content.  And when you do you’ll see a base64 encoded string (the newer variants now have two of them).  However it’s not one long string, it broken up over many lines, and I wanted to come up with a way copy out the base64 encoded part to a file, recombine it into one line, and then decode it.

Which leads us to this weeks YOP entry…It’s basically two functions that I wrote.  The first:

def fix_file(filename):
    with open(filename, "r") as oldfile:
        with open(args.output_file, "w") as newfile:
            for oldfile_line in oldfile:
            oldfile_clean = oldfile_line.rstrip()
            newfile.write(oldfile_clean)
    return

Just takes the base64 encoded text I copied and pasted into a new file, and turns it into one long base64 encoded string.  Then it writes that new string to a new file.  The next function:

def decode_base64(filename):
    with open(filename, "r") as file_to_decode:
        with open(args.base64_file, "w") as decoded_file:
            base64_decode = file_to_decode.read()
            decoded_file.write(base64_decode.decode('base64', 'strict'))
    return

Takes the output file from the first function, base64 decodes it, then writes it to yet another new file.

Once that’s done, you can run strings against it, load it up into a hex editor, or whatever you want to do with it.  Now I know I could just feed everything through without writing the intermediate output file (from the first function), but I wanted to practice using file handles, and it’s a good way for me to troubleshoot any issues.

Until next week!

https://github.com/CdtDelta/YOP

Advertisements


No Responses Yet to “Year of Python (YOP) – Week Twelve”

  1. Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: