-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support raw Zlib Compressed data #139
Comments
I'm sorry to be bearer of bad news, but I don't think this can be fixed. This is very probably a problem with CyberChef, and more specifically this issue: gchq/CyberChef#671. I tried to encode a different string in CyberChef, and use the python zlib library to read it (as I'm doing with that previous sample) and it is erroring out. If you can use any tool other than CyberChef to read the resulting zlib stream, I would be glad to investigate the difference. I will close this issue for the moment, but we can still discuss about it, and if you do have another tool that reads it, you should completely re-open it!! :) |
Sorry, I wasn’t entirely clear, mostly because I was confusing the formats at hand. This StackOverflow post details what I’m talking about nicely: in this case, I’m talking about the “deflate” format, not the Zlib or Gzip formats. I got them all mixed up. AssemblyLine cannot detect the deflate format because it is header-less. You need to actually try to inflate it to detect it properly. There are several libraries that support this format, including .NET’s System.Io.Compression namespace and Python’s zlib (see StackOverflow post). This issue has nothing to do with CyberChef, I was just using it as a quick example for producing an EICAR case, but you can produce it with the Python library or in .NET no problem. The output from CyberChef should still be a valid test regardless, as I don’t think that dependency is affecting this case. |
It turns out the MIME for this type is ‘ application/x-deflate’ |
Could you point me toward a sample that have a mimetype of |
I was able to recover the original content with |
Maybe instead of inflating all |
Could you point out a sample that does use this? Is this file dropped by a javascript file? Is it contained in a iso image? |
We've discussed this offline and figured out that the stream comes out of a base64 encoded blob already extracted by FrankenStrings. FrankenStrings should test to see if the content of the blob is deflated and could decompress it before being re-uploaded. |
This is now implemented in FrankenStrings v4.4.0.stable22. |
Describe the bug
Typically when compressing data with GZip, the data is packaged into an archive format that is easy to detect for AssemblyLine. However, there is also the option to useZlib directly to compress it into a raw data stream without any GZip, or other archive format, container to fingerprint it. AssemblyLine cannot detect the raw Zlib compression and it will not inflate it for further analysis.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
AssemblyLine should be able to detect this as "Malicious" due to it being a compressed version of the EICAR string. Currently, the only tool within AL that detects this is Kaspersky. AssemblyLine itself is unable to inflate the file for further analysis, and instead relies solely on Kaspersky.
Screenshots
Environment (please complete the following information if pertinent):
Additional context
Zlib raw compression is used in many places, including in Python and .NET. Unpacking raw compressed data would enable further detection of malicious activity. Given the way AL currently classifies files based upon magic values among other things, maybe the change could involve taking any
application/octet-stream
that has an unknownal_type
after trying the existing classifiers, and then attempt to raw inflate it with ZLib.The text was updated successfully, but these errors were encountered: