DeXRAY – Twentin Quarantino

DeXRAY now supports over twenty Quarantine file types. I set a goal to look at one AV per day, unless I am busy with other stuff. So far, the results are kinda predictable: the most difficult to access with a debugger / crack / analyze are Chinese, Russian, and… Microsoft. The rest of the files took between 2 minutes and 2 hours of work at most. It’s a great reversing experience as it’s heavily time-sensitive research (I want to crack it in one session), and at the same time I am picking up many pointers which I can use for further research and study. The guys @ProjectZero are unfortunately right. The moment you start looking at AV internals you discover lots of juicy stuff. Ouch. I strongly believe the AV is _needed_ in the current ‘open ecosystem’ setup existing in most companies, but it’s time AV vendors really reviewed their code.

Anyway…

I have added support for Baidu .qv, CMC Antivirus .cmc, and F-Prot .tmp Quarantine files. Confirmed Lavasoft AdAware to be using BitDefender’s Quarantine files (.bdq), and confirmed Comodo stores Quarantine files w/o encryption 🙂

The full list of supported or recognized file formats is listed below:

  • AhnLab (V3B)
  • ASquared (EQF)
  • Avast (Magic@0='-chest- ')
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • CMC Antivirus (CMC)
  • Comodo <GUID> (not really; Quarantined files are not encrypted 🙂)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0='KSS')
  • Kaspersky (KLQ)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • MalwareBytes Data files (DATA)
  • MalwareBytes Quarantine files (QUAR)
  • McAfee Quarantine files (BUP)
  • Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – not handled yet; only recognized
  • Panda <GUID> Zip files
  • SUPERAntiSpyware (SDB)
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN)
  • Symantec Quarantine Index files (QBI)
  • TrendMicro (Magic@0=A9 AC BD A7, which is the string 'VSBX' with each byte XORed with 0xFF)
  • QuickHeal <hash> files
  • Vipre (<GUID>_ENC2)
  • Any binary file (using X-RAY scanning)

The script can be downloaded here.

DeXRAY

DeXRAY is a private tool that turned public a few years ago. Back in the day it helped me decrypt some Quarantine files from forensic cases I worked on. Over time I expanded it to cover more engines and file formats. Not all the decryptions work perfectly, but as usual – this is a work in progress. Also, because I add stuff ad hoc, it’s not beautiful code either. But it works 🙂

At the moment DeXRAY supports quarantine files and logs from a number of AVs, as well as data files storing PE files in an encrypted form (XOR with a single-byte key). The full list of supported or recognized file formats is listed below:

  • ASquared (EQF)
  • ESET (NQF)
  • Kaspersky (KLQ) – based on the code by Optiv
  • MalwareBytes Data files (DATA)
  • MalwareBytes Quarantine files (QUAR)
  • McAfee Quarantine files (BUP) – not perfect, but it should still help
  • Microsoft Forefront (Magic@0=0B AD) – not handled yet; only recognized
  • SUPERAntiSpyware (SDB)
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN) – not perfect, but it should still help
  • Symantec Quarantine Index files (QBI)
  • TrendMicro (Magic@0=A9 AC BD A7, which is the string 'VSBX' with each byte XORed with 0xFF) – based on the code by Optiv
  • Any binary file (using X-RAY scanning)

Now, it is a buggy program. I know it, so please bear with me. If you find something not working, or stupid, please tell me 🙂

Also, if you have any Quarantine files that you can share, from any AV, please send them over. I will appreciate it as it will help me to add new engines and test the support for already implemented ones. Thanks!

Note: I used the code from Optiv to implement decryption of Kaspersky and Trend. This is good stuff. Thanks to that – apart from decryption of the malware – DeXRAY now dumps additional metadata extracted from these two Quarantine file types. The metadata is stored in dedicated files with the .met extension, and is also printed to STDERR.

Here is an example for Kaspersky:

[Screenshot: kav – DeXRAY output for a Kaspersky Quarantine file]

And for Trend:

[Screenshot: trend – DeXRAY output for a Trend Micro Quarantine file]

The output is saved into the following files:

  • .out – the decrypted data
  • .met – metadata (Trend&Kaspersky only)

In some cases you may find more than one .out file created for a given input file. This is the case with Trend Micro Quarantine files:

  • <filename>.TREND1.out – the decrypted input file, which includes both the metadata and the file content
  • <filename>TREND2.out – the actual file you want to analyze

Another case like that is when the binary blob contains more than one encrypted PE file and is decrypted using the X-RAY algorithm (basically, a number of PE files encrypted using a single-byte XOR key, all inside one blob/file); each recovered PE file gets its own .out file.
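To make the two recognition steps mentioned on this page concrete (matching the Magic@0 values from the format list, including Trend Micro’s XORed ‘VSBX’, and the X-RAY scan for PE files hidden under a single-byte XOR key), here is an added Python example. It is not DeXRAY’s own code: the magic values are copied from the list above, but the PE check (an ‘MZ’ pair whose e_lfanew points at ‘PE\0\0’ under the same key), the function names, and the sample blob are all my own constructions, and the blob is synthetic rather than a real quarantine or malware file.

```python
import struct

# Magic values copied from the page's format list (all at offset 0).
# TrendMicro's magic is the ASCII string 'VSBX' with every byte XORed by 0xFF.
TREND_MAGIC = bytes(b ^ 0xFF for b in b"VSBX")  # b"\xa9\xac\xbd\xa7"
KNOWN_MAGICS = {
    b"-chest- ": "Avast",
    b"KSS": "F-Prot",
    TREND_MAGIC: "TrendMicro",
    b"\x0b\xad": "Microsoft Forefront/Defender (recognized only)",
    b"\xd3\x45": "Microsoft Forefront/Defender (recognized only)",
}


def identify_by_magic(data):
    """Return the engine whose magic the blob starts with, or None if unknown."""
    for magic, name in KNOWN_MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (the whole X-RAY 'cipher')."""
    return bytes(b ^ key for b in data)


def xray_scan(blob):
    """
    Locate PE images hidden under a single-byte XOR key anywhere in blob.

    A candidate is any offset whose first two bytes XOR to 'MZ' under some key;
    the same key must then turn the e_lfanew field (DOS header offset 0x3C) into
    an offset at which 'PE\\0\\0' appears. Returns a list of (offset, key); a key
    of 0 simply means the image was stored in clear.
    """
    hits = []
    n = len(blob)
    for off in range(n - 0x40):
        key = blob[off] ^ ord("M")
        if blob[off + 1] ^ key != ord("Z"):
            continue
        e_lfanew = struct.unpack_from("<I", xor_bytes(blob[off + 0x3C:off + 0x40], key))[0]
        pe_off = off + e_lfanew
        if e_lfanew < 0x40 or pe_off + 4 > n:
            continue
        if xor_bytes(blob[pe_off:pe_off + 4], key) == b"PE\0\0":
            hits.append((off, key))
    return hits


def carve(blob):
    """
    Decrypt every hit from xray_scan. Each carved segment runs from its hit to
    the next hit (or the end of the blob); one segment per .out file.
    """
    hits = xray_scan(blob)
    segments = []
    for i, (off, key) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(blob)
        segments.append(xor_bytes(blob[off:end], key))
    return segments


# --- constructed sample input (synthetic; not a real quarantine or malware file) --

def make_pe_stub(tag):
    """Minimal PE-shaped image: DOS header with e_lfanew=0x40, 'PE\\0\\0', then a tag."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + tag


SAMPLE_BLOB = (
    b"\x00" * 7
    + xor_bytes(make_pe_stub(b"first"), 0x5A)   # hit expected at offset 7, key 0x5A
    + b"junk" * 3
    + xor_bytes(make_pe_stub(b"second"), 0xC3)  # hit expected at offset 92, key 0xC3
)

if __name__ == "__main__":
    print("magic:", identify_by_magic(SAMPLE_BLOB))            # None: fall back to X-RAY
    print("trend:", identify_by_magic(TREND_MAGIC + b"\x00"))  # TrendMicro
    for (off, key), seg in zip(xray_scan(SAMPLE_BLOB), carve(SAMPLE_BLOB)):
        print(f"PE at offset {off} key 0x{key:02X}: {seg[:2]!r} ... {seg[0x40:0x44]!r}")
```

The scan tries no key space at all: because the plaintext must start with ‘MZ’, the key is simply the first byte XOR ‘M’, and the ‘PE\0\0’ check at e_lfanew is what keeps the two-byte coincidence from producing false positives. Carving to the next hit is a rough cut; a tighter end offset can be taken from the section table of the decrypted header.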

The script can be downloaded here.