While at Microsoft, Mark Zbikowski developed the MS-DOS executable file format to start with his initials, MZ. These letters translate in hexadecimal to 4D5A. When inspecting the header of a file, a malware analyst commonly checks the first two bytes for this value to qualify the file as an executable.
4D5A in hex represents the “MZ” header of a Windows executable.
The center of our wheelhouse is support for architecture, malware analysis and incident response, and security for Windows-based servers and hosts and medium to large networks. Extending this further, 4D5A Security knows how to ‘execute’ to best meet the needs of a client.
A little more detail for the geek inside of you:
Content inspection is increasingly important as a form of triage and follow-on investigation related to malware. Malicious actors may attempt to conceal the true nature of a file by giving it a false extension, such as “.jpg”, when it is in fact a Trojan (executable). Examples exist online, related to both eCrime and espionage, where such tactics are used to subvert simple high-level security measures from IDS, IPS, and/or even netflow analysis by humans. Experienced incident responders, forensic analysts, and similar security experts must perform content inspection along with other forms of static, dynamic, and/or reverse engineering methods to properly interpret a file and its function. The puzzle can become even more challenging if obfuscation, such as base64 encoding, XOR, and/or other encryption, is applied to a data file carrying a false extension.
If you’re a computer expert you may be wondering: how does an executable inside of an image file get executed? That depends upon several factors, but it is common for malware already on a system to download a secondary payload that is disguised as an image file, and then perform operations to install it on the system. This bypasses the common Windows process where an extension and header are used to identify a file type and then open or run it accordingly. This method is used by malicious actors as a way to conceal attack files as well as subvert common security controls.
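As an added example (not the firm's own tooling), the following Python script performs the header check described above, comparing a file's claimed extension with its leading bytes. It goes a step beyond the two-byte MZ check by following the DOS header's e_lfanew field (offset 0x3C) to the "PE\0\0" signature, and it unwraps one base64 layer to catch the encoded case mentioned above. The file-type table and the sample buffers are constructed for the demonstration.

```python
"""Triage helper: does a file's extension match what its first bytes say it is?"""
import base64
import binascii
import os
import struct
from typing import Optional

# Constructed lookup tables: leading bytes -> type, and extension -> expected type.
MAGIC = {
    b"\x4d\x5a": "executable (MZ)",        # 4D 5A = "MZ"
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF8": "gif",
}
EXT_TYPES = {".exe": "executable (MZ)", ".dll": "executable (MZ)",
             ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}

def identify(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def is_pe(data: bytes) -> bool:
    """Stricter than MZ alone: e_lfanew at 0x3C must point at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    off = struct.unpack_from("<I", data, 0x3C)[0]
    return data[off:off + 4] == b"PE\x00\x00"

def decode_base64_layer(data: bytes) -> Optional[bytes]:
    """Return the decoded bytes if the whole file is valid base64, else None."""
    try:
        return base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError):
        return None

def triage(name: str, data: bytes) -> dict:
    """Compare the type claimed by the extension with the type shown by the content."""
    claimed = EXT_TYPES.get(os.path.splitext(name)[1].lower(), "unknown")
    actual, wrapped = identify(data), False
    if actual == "unknown":                      # maybe an encoded executable
        inner = decode_base64_layer(data)
        if inner is not None and identify(inner) == "executable (MZ)":
            actual, wrapped = "executable (MZ)", True
    return {"claimed": claimed, "actual": actual, "mismatch": claimed != actual,
            "pe": is_pe(data), "base64_wrapped": wrapped}

def build_fake_pe() -> bytes:
    """Constructed 64-byte DOS header whose e_lfanew (0x40) points at a PE signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3e)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20
```

Running `triage("photo.jpg", build_fake_pe())` flags the mismatch with `pe` true; feeding it the base64 text of the same buffer still flags it, with `base64_wrapped` true.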