Have you ever heard the saying "You never get a second chance to make a first impression"? The same applies to malware analysis, and information security in general.
This morning I was doing some research into some malicious spam emails that were coming in. They were your normal click-on-a-link-and-be-redirected-to-50-sites emails, and I had tracked the chain down to the last site. After decoding the JS it served, I could see the attacks it was going to perform and the URLs it was going to visit. So close to the malicious executable...so close.
So I typed the following at my prompt:
curl -D header.txt "http://badsite.com/welcome.php?id=12&pid=10&1=12"
See any problems?
Curl writes anything it downloads to standard output by default. In other words, since I didn't redirect the output to a file or use the -O option, the file from the malicious site was written to my screen. Normally, this wouldn't have been such a bad thing except it was gzip compressed, so my screen was filled with binary characters.
No problem, right? All I have to do is download it again, this time redirecting. Here's what happened:
curl -D header.txt "http://badsite.com/welcome.php?id=12&pid=10&1=12" > 1
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
0 bytes downloaded? What happened?
Many web-based malicious toolkits used by attackers have an option to only allow the attack file to be downloaded once per IP address. This prevents clients from being re-infected multiple times, and it keeps analysts (like me) from exploring the site. When I initially requested the file and didn't redirect the output, I used my one shot. The second time I went to download it, the site saw me and didn't let me access it again. Of course, there are ways around this, but that's for another post.
So, what did I take away from this?
1. Everyone makes mistakes. Hell, I make a lot of them. If anyone tells you they don't, they're lying. Learn and move on.
2. I need better web download tools. Well, the tools (e.g., curl) work fine. I'm flawed. I've already started to create a script that does everything that needs to be done for me. No more mess-ups.
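Here is what a minimal version of such a wrapper could look like. It is an added example, not the author's script: it assumes curl(1) is installed, and the capture directory, ledger file and file naming scheme are choices made for this example. The point it demonstrates is the two lessons above: the response body never touches the terminal (headers go to one file, the raw body, compressed or not, to another), and a local ledger of URLs already requested refuses a second fetch of the same URL, so the one shot a per-IP toolkit allows is spent deliberately rather than by accident.

```shell
#!/bin/sh
# fetch_once.sh - capture a suspicious URL exactly once, never to the terminal.
# Added example, not the post's own script. Assumes curl(1) is installed;
# OUTDIR, LEDGER and the file naming are this example's own choices.
set -u

OUTDIR="${OUTDIR:-./captures}"          # where headers and bodies are written
LEDGER="${LEDGER:-$OUTDIR/fetched.log}" # one line per URL already requested
CURL="${CURL:-curl}"                    # overridable so the logic can be tested offline

# Turn a URL into a filesystem-safe base name: drop the scheme, keep
# letters, digits, '.', '-' and '_', and turn everything else into '_'.
safe_name() {
    printf '%s' "$1" | sed -e 's#^[A-Za-z]*://##' -e 's/[^A-Za-z0-9._-]/_/g'
}

# True if this exact URL already appears in the ledger.
already_fetched() {
    [ -f "$LEDGER" ] && grep -Fxq -- "$1" "$LEDGER"
}

# Fetch a URL once. Response headers go to <name>.headers, the raw body
# (exactly as served, gzip or not) to <name>.body, and a SHA-256 of the
# body to <name>.sha256. Nothing is written to stdout.
# Returns 0 on a new capture, 2 if the URL was already fetched, 1 on a
# transfer error.
fetch_once() {
    url="$1"
    mkdir -p "$OUTDIR"
    if already_fetched "$url"; then
        echo "refusing: $url is already in $LEDGER (you only get one shot)" >&2
        return 2
    fi
    base="$OUTDIR/$(safe_name "$url")"

    # Record the URL before the request: even a failed or interrupted
    # attempt may have consumed the one-per-IP allowance on the server side,
    # so a retry should be a conscious decision (edit the ledger), not a reflex.
    printf '%s\n' "$url" >> "$LEDGER"

    # -s: no progress meter, -S: still report errors, -D: dump headers to a
    # file, -o: body to a file (never stdout), --max-time: don't hang forever.
    if ! "$CURL" -sS --max-time 60 -D "$base.headers" -o "$base.body" "$url"; then
        echo "transfer failed for $url; see $base.headers" >&2
        return 1
    fi

    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$base.body" > "$base.sha256"
    else
        shasum -a 256 "$base.body" > "$base.sha256"
    fi
    echo "captured $url -> $base.{headers,body,sha256}" >&2
    return 0
}

# When run as a script: ./fetch_once.sh "http://example.invalid/welcome.php?id=1"
if [ $# -gt 0 ]; then
    fetch_once "$1"
fi
```

The body is saved exactly as served rather than decompressed, so the capture matches what the server sent and can be hashed and shared as-is; decompressing is a separate step on the saved file.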
I hope others can read this and learn from my mistake. I'd love to hear how others download malicious websites.