Symantec does provide a utility called QExtract that allows quarantined files to be extracted. Documentation on the syntax of the command-line utility can be found in Symantec's online knowledge base. As an example, the following is the output obtained by running qextract.exe with the /DETAILED switch on a system on which the Mebroot rootkit payload had been detected.
QExtract can restore the malicious file by the session ID, file name, or risk name taken from this output (see the aforementioned documentation for the syntax). The utility works, but it is limited. It runs only on Windows. You also cannot point QExtract at an alternate source location: if SEP is not installed, the default path to the quarantine files must be created by hand. Moreover, when restoring a file from quarantine, the file's original path must exist or the restoration fails.
The file structure of the quarantine files in Symantec's AV products has been known for some time, however. Since 2007 there has been an EnCase script available that will extract these files. SEP quarantine files, also known as Virus Bin (VBN) files, are located in the C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine folder. For the purpose of this post I am looking at the detection of the aforementioned Mebroot rootkit. Some details, including hashes and statistics from VirusTotal, are as follows.
Symantec: Trojan.Mebroot
MD5: fd543137a51fc24e07e00f9bc7c3c06e
SHA1: 357ac149ba2c864a5f0fc2276c2fa437b5c5533b
http://www.virustotal.com/file-scan/report.html?id=43cafc4464ac08a6b1be53958be377c70ded28ed6f0602449fbd7872604074fe-1303095131

Looking at a VBN file in the X-Ways WinHex editor, we see that the file begins with the original location of the detected malware. At offset 0x00000184 (byte 388) SEP stores additional information about the detection, including the system name, the original location and name of the file, the time of detection, and Symantec's unique record ID.
At offset 0x00000E68 (byte 3688) we see something else: data that appears to have been obfuscated or encrypted. Note that the byte value 0x5A occurs throughout this region, often in long runs. Executables contain long runs of null (0x00) padding, and 0x00 XOR 0x5A = 0x5A, so the likely explanation is that the file was XOR'd byte by byte with the value 0x5A. A quick known-plaintext check settles it: a PE file must begin with "MZ", so XOR the first two bytes of the region with 0x4D ('M') and 0x5A ('Z'); if both give the same byte, that byte is the key.
Using WinHex to XOR the block with 0x5A again (XOR is its own inverse) gives us the malicious file. Note the file signature 0x4D5A (MZ) of a Windows/DOS executable at the start of the decoded data.
To carve out the Mebroot payload, select the decoded block, copy it to a new file, and save it. Compare the MD5 of the carved file with the hash SEP reported for the detection (or the VirusTotal entry above) to confirm that nothing was clipped from, or included beyond, the original executable, and handle the result as the live malware it is.
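The carving steps above, as an added worked example that is not code from the original post or from Symantec: a Python script that reads a VBN file using the post's offsets (original path at 0, metadata at 0x184, XOR'd payload at 0xE68, key 0x5A), confirms the key with the "MZ" known-plaintext check, decodes the payload, and then trims it to the size the PE section table says the file occupies on disk. The trimming is my addition so that any bytes following the executable are dropped; it assumes the executable carries no overlay. Treating the original path as a NUL-terminated 8-bit string is also an assumption, not something the post states, and the VBN the script runs on when given no arguments is constructed inline from a minimal hand-built PE. The offsets are the ones the post observed for SEP 11.x; the comment thread reports that 12.1 differs.

```python
"""Carve a quarantined payload out of a Symantec SEP 11.x VBN file.

Added example, not the post's code. Offsets are those the post reports:
original path at 0, detection metadata at 0x184, the quarantined file at
0xE68 XOR'd byte-wise with 0x5A. The NUL-terminated 8-bit path and the
section-table trimming are assumptions made here.
"""
import hashlib
import struct
import sys

PATH_OFFSET = 0x000   # original location of the detected file (post)
META_OFFSET = 0x184   # detection metadata: host, path, time, record ID (post)
DATA_OFFSET = 0xE68   # start of the XOR'd payload (post)
XOR_KEY = 0x5A        # key observed in the post; XOR is its own inverse


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def guess_xor_key(vbn: bytes) -> int:
    """Known-plaintext check: a PE starts with 'MZ', so XOR the first two
    encoded bytes with 'M' and 'Z' and accept the key only if both agree."""
    k1 = vbn[DATA_OFFSET] ^ ord("M")
    k2 = vbn[DATA_OFFSET + 1] ^ ord("Z")
    if k1 != k2:
        raise ValueError("data at 0x%X is not a single-byte-XOR'd PE" % DATA_OFFSET)
    return k1


def pe_size_on_disk(pe: bytes) -> int:
    """Length of a PE image on disk = end of its last section's raw data.
    Assumption: no overlay, i.e. nothing legitimately follows the sections."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    sect_table = e_lfanew + 24 + opt_hdr_size
    end = sect_table + 40 * num_sections          # never shorter than the headers
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sect_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def carve_vbn(vbn: bytes):
    """Return (original_path, xor_key, carved_payload) for one VBN file."""
    original_path = vbn[PATH_OFFSET:META_OFFSET].split(b"\0", 1)[0].decode("latin-1")
    key = guess_xor_key(vbn)
    payload = xor_bytes(vbn[DATA_OFFSET:], key)
    return original_path, key, payload[:pe_size_on_disk(payload)]


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not a real sample): DOS header, PE signature,
    COFF header, 224-byte optional header, one .text section at file offset 0x200."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222
    raw_ptr, raw_size = 0x200, 0x200
    sect = b".text\0\0\0" + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr) + b"\0" * 16
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(raw_ptr, b"\0")
    body = (b"\xCC" * 16 + b"constructed section body").ljust(raw_size, b"\0")
    return headers + body


def build_sample_vbn(pe: bytes, original_path: str, trailer: bytes = b"") -> bytes:
    """Constructed VBN with the post's layout; the trailer models bytes that
    one commenter reports Symantec appending after the executable."""
    head = (original_path.encode("latin-1") + b"\0").ljust(META_OFFSET, b"\0")
    meta = b"CONSTRUCTED METADATA\0".ljust(DATA_OFFSET - META_OFFSET, b"\0")
    return head + meta + xor_bytes(pe, XOR_KEY) + trailer


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def demo():
    """Carve the constructed sample and report whether the MD5 survived."""
    pe = build_sample_pe()
    vbn = build_sample_vbn(pe, r"C:\Users\victim\AppData\Local\Temp\sample.exe", trailer=b"\xFF" * 64)
    path, key, carved = carve_vbn(vbn)
    return path, key, len(carved), md5(carved) == md5(pe)


if __name__ == "__main__":
    if len(sys.argv) == 2:                      # carve a real VBN from disk
        with open(sys.argv[1], "rb") as f:
            path, key, carved = carve_vbn(f.read())
        out = "carved_%s.bin" % md5(carved)
        with open(out, "wb") as f:
            f.write(carved)
        print("original path: %s | key 0x%02X | %d bytes -> %s" % (path, key, len(carved), out))
    else:
        print(demo())
```

Run it with no arguments to carve the constructed sample and confirm the hash matches; pass a VBN path to carve a real file, which is written as carved_<md5>.bin. If the two "MZ" bytes disagree on the key, the file is not laid out as described here, which is the first thing to check on a newer SEP release.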
I would imagine this will work with previous versions of Symantec AntiVirus Corporate Edition, but the offsets may differ. If anyone has experience in that regard, let me know.
Happy Hunting!

From memory, Symantec also appends data to the end of the VBN file, which can corrupt your executable.

Interesting. I did not see that. MD5s matched on multiple samples. What version, out of curiosity? Also, to update everyone: I played with version 12.1 today (released two weeks ago). It appears some things have changed.

Anon here again,
Version 11.0.4202.75
Have you had any issues with packed executables? When I carve out UPX-packed exes and try to unpack them, I get a checksum error. I wonder if Symantec's unpacking engine has anything to do with this, or if it is just an issue when carving from VBN files?

I have not had the opportunity to try a UPX-packed exe yet, but I can give it a go.

Hey Anon,
My apologies for not posting a reply for a couple of days; a 102+ F fever degraded my IQ for the better part of last week.
I did some testing with the following sample:
http://www.virustotal.com/file-scan/report.html?id=7c0501e39c8553d9901715b889c7ab531b2fce7bf21af2d784a58b72a2087d44-1246977455
MD5: 013913a80b01b8bbb593d49c961dcd9e
Magic File Type:
MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
UPX compressed Packer Signature: UPX v0.89.6 - v1.02 / v1.05 - v1.22 [599,2397]
MD5 and file size matched up after carving and unpacking. No issues unpacking.
Not much help I know.