Malware Containers
The main reasons for wrapping malware in a container are:
- Mark-of-the-Web (MOTW) bypass
- delivery of more than one file at once, which more sophisticated execution chains need (DLL side loading, an LNK next to its payload, etc.)
- smuggling an executable format that would otherwise be blocked, even by the default browser download filters
Container Files
Disk Images
MOTW is stored in the Zone.Identifier alternate data stream (ADS), which is an NTFS feature. Where there is no NTFS, or a file crosses to a file system that cannot hold streams, there is no MOTW. Disk images exploit exactly this: the image file itself may carry MOTW, but double-clicking it mounts a separate file system (often one with no ADS support at all, such as ISO 9660 or UDF), and the files inside were never individually downloaded, so the container's MOTW doesn't propagate to them. Microsoft has tightened this for .iso since late 2022, so verify the behaviour on the target Windows build rather than assume it.
Examples of containers supported by default by Windows (double-clicking mounts the image and the included files are ready to use):
- .vhd, .vhdx - virtual hard disk (elevation required)
- .iso - optical disk image
- .img - raw disk image
Archives
Archive formats serve the same purpose as disk images, but their behaviour is far less uniform. Whether MOTW propagates depends on the program doing the extraction (Explorer, 7-Zip, WinRAR, a scripting runtime), not only on the format, and vendors change the defaults over time, so a result that held last year may not hold now. The list below covers the most popular archive formats and their MOTW behaviour; re-test against the target environment before relying on it.
- .zip - supported by default; Explorer's extraction doesn't strip MOTW
- .cab - supported by default; doesn't strip MOTW
- .7z - requires 7-Zip; MOTW is lost when files are extracted manually (Extract / drag out); 7-Zip can propagate Zone.Identifier to extracted files, but the option is disabled by default