Archive for October, 2013

Catching dropped executable files without a sandbox

One common technique used by a lot of exploits, malware, and obfuscated software is to dynamically generate or download an executable or DLL file, run it or load it, then delete it. I frequently catch even legitimate software doing this, but I am always curious as to what executable code the authors are trying to hide. Saving those automatically generated files is a core feature of any decent sandbox out there, but in many cases, you see this activity on a production system and don’t know where the file is coming from. Especially if it only happens infrequently, it often doesn’t make sense to try to put the whole system in a sandbox. So instead, I just use a simple trick with NTFS file permissions.

, ,