NASTI – Nickos And Sharpes Tool for Identifying potentially malicious files
by sharpe on Jun.12, 2009, under Malware, Security, Utilities
Recently whilst analysing the PSP2-BBB banker trojan, I discovered that this particular trojan, as well as many others, downloaded malicious payloads to the currently logged on user’s “Temp” and “Temporary Internet Files” directories, located in the “Local Settings” directory, on a Win32 system, and saved them as temp files with a random four character name plus the .TMP extension (e.g. 23D4.TMP). Knowing this, it would be nice to be able to identify executable files with inconsistent file extensions (e.g. executable files with .TMP as the file extension), as this would aid in the identification of potentially malicious files and thus speed up the analysis.
For the sake of illustration, if we look at one of the examined TMP files in a hex editor (presented in the following screen dump), we can clearly see that it is a valid Portable Executable (PE) file:
NASTI’s configuration enables the user to specify signatures for known file types and associate file extensions with each signature. When NASTI runs, it compares the current file’s extension with those supplied in the configuration file. If they do not match, then the signature should not be present in the file. If it is, the file is flagged.
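The check described above, as an added example that is not NASTI's own code: a small Python scanner with a hypothetical configuration table (signature bytes per file type plus the extensions under which that type is expected). A file whose content matches a known signature but whose extension is not in the allowed set is flagged, which is exactly the `23D4.TMP` case from the post. For PE files it goes one step further than the `MZ` stamp and follows `e_lfanew` to the `PE\0\0` signature, so a stray "MZ" at the start of a text file is not reported. The demo builds a constructed temp directory with sample files; nothing here reads real user directories unless you point `scan()` at one.

```python
"""Extension-vs-signature mismatch scanner (added illustration, not NASTI's own code)."""
import os
import struct
import tempfile

# Hypothetical configuration in the spirit of NASTI's: one signature per known
# file type and the extensions under which that signature is expected to appear.
SIGNATURES = {
    "PE":  {"magic": b"MZ", "extensions": {".exe", ".dll", ".sys", ".scr", ".ocx"}},
    "ZIP": {"magic": b"PK\x03\x04", "extensions": {".zip", ".jar", ".docx", ".xlsx"}},
    "PDF": {"magic": b"%PDF", "extensions": {".pdf"}},
}


def is_pe(data):
    """Stricter PE check than the MZ stamp alone: follow e_lfanew to the PE\\0\\0 signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def identify(data):
    """Return the configured type name whose signature matches the leading bytes, or None."""
    for name, sig in SIGNATURES.items():
        if data.startswith(sig["magic"]):
            if name == "PE" and not is_pe(data):
                continue  # "MZ" without a PE header: treat as unknown, not as an executable
            return name
    return None


def check_file(path):
    """Return (type, flagged): flagged is True when the content type is known but the extension is not allowed for it."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    ftype = identify(head)
    if ftype is None:
        return None, False
    ext = os.path.splitext(path)[1].lower()
    return ftype, ext not in SIGNATURES[ftype]["extensions"]


def scan(root):
    """Walk a directory tree and return (path, type) for every extension/signature mismatch."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            ftype, bad = check_file(p)
            if bad:
                flagged.append((p, ftype))
    return flagged


def build_minimal_pe():
    """Constructed sample: DOS header with e_lfanew=0x40 followed by the PE signature (not a runnable binary)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def demo():
    """Create a constructed temp tree mimicking the post's Temp-directory scenario and scan it."""
    root = tempfile.mkdtemp(prefix="nasti_demo_")
    pe = build_minimal_pe()
    samples = {
        "23D4.TMP": pe,                             # PE disguised as .TMP -> flagged
        "setup.exe": pe,                            # PE with an expected extension -> not flagged
        "notes.TMP": b"just text",                  # no known signature -> ignored
        "A1B2.TMP": b"PK\x03\x04" + b"\x00" * 30,   # ZIP disguised as .TMP -> flagged
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return sorted(os.path.basename(p) for p, _ in scan(root))


if __name__ == "__main__":
    for name in demo():
        print("FLAGGED:", name)
```

To reproduce the post's triage step, call `scan()` on the logged-on user's `Temp` and `Temporary Internet Files` directories; the allowed-extension sets are the part worth tuning, since legitimate installers do briefly drop executables under odd names, so a hit is a lead for analysis rather than a verdict on its own.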
Here is a screen dump of NASTI in the middle of a scan:
NASTI can be downloaded here: nasti (50). This is a beta release so use at your own risk.
