Pinging All The Way
A week or two ago reader Norris Carden submitted a malicious document. This document is another "sleeper": it waits a couple of minutes before downloading and executing a malicious payload.
The trick used here is to start a ping command (from the VBA macros) that takes several minutes to execute: cmd.exe /C ping 8.8.8.8 -n 250 > nul
This command sends 250 pings to Google's public DNS server 8.8.8.8. Because ping waits about one second between requests, it takes around 4 minutes and 10 seconds to complete. Only after that does the VBA code download and execute the malware.
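As an added example (not part of the original diary), the following Python turns the observation above into a detection: it estimates how long a "ping -n N" loop will stall a process and flags process-creation events where an Office application spawns such a command. The event records, field names and the Office parent list are constructed assumptions, not real telemetry.

```python
import re

# Windows ping sends one echo request per second to a reachable host, so
# "-n N" keeps cmd.exe alive for roughly N seconds (assumes the default
# interval and no interfering -w timeout in the samples below).
PING_RE = re.compile(r'\bping(?:\.exe)?\b.*?\s-n\s+(\d+)', re.IGNORECASE)
OFFICE_PARENTS = {'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'}

def ping_delay_seconds(cmdline):
    """Approximate seconds a 'ping -n N' loop will sleep, or 0 if no such ping."""
    m = PING_RE.search(cmdline)
    return int(m.group(1)) if m else 0

def format_delay(seconds):
    """Render seconds as the 'XmYs' form used in the diary (250 -> 4m10s)."""
    return '%dm%02ds' % divmod(seconds, 60)

def is_sleeper(event, min_delay=60):
    """True when an Office process spawns a ping that stalls >= min_delay s."""
    parent = event['parent'].lower().rsplit('\\', 1)[-1]
    return parent in OFFICE_PARENTS and ping_delay_seconds(event['cmdline']) >= min_delay

def find_sleepers(events, min_delay=60):
    """Return the command lines of all events that look like ping sleepers."""
    return [e['cmdline'] for e in events if is_sleeper(e, min_delay)]

# Constructed sample process-creation events (parent image + command line).
SAMPLE_EVENTS = [
    {'parent': r'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',
     'cmdline': 'cmd.exe /C ping 8.8.8.8 -n 250 > nul'},       # the diary's sleeper
    {'parent': r'C:\Windows\System32\cmd.exe',
     'cmdline': 'ping 8.8.8.8 -n 4'},                           # admin troubleshooting
    {'parent': r'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE',
     'cmdline': 'cmd.exe /C ping 127.0.0.1 -n 2 > nul'},        # short delay, below threshold
]

if __name__ == '__main__':
    for cmd in find_sleepers(SAMPLE_EVENTS):
        print('sleeper: %s (~%s)' % (cmd, format_delay(ping_delay_seconds(cmd))))
```

The threshold matters: a sandbox whose analysis window is shorter than the estimated delay never sees the payload, which is exactly what the technique relies on.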
Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
NVISO
Comments
Anonymous
Dec 25th 2016
8 years ago
Evade detection by time-limited, automatic dynamic analysis.
Which can in turn be defeated by killing the ping process.