Hello, I'm Didier Stevens, a senior handler with the Internet Storm Center. A couple of days ago I wrote about malicious DAA attachments. A reader of ours, Jason, got an email with an attachment named SwiftDetail.daa. DAA is a Direct Access Archive, a CD/DVD image format, and, as you can expect, it contains a Windows executable, which is the malware. You actually need a tool to open it: Windows 10 cannot open it natively, you need a tool like PowerISO.

I also wrote a diary entry about the format of DAA files, and I have the file open here in my binary editor. When you look at the beginning, the header, in the hexadecimal view, you have "DAA" followed by zeros. That identifies a DAA file. Then at this position you have a pointer, a little-endian value, 00 00 00 4C, and that points to offset 4C here. Then you have another pointer, 00 00 00 5E, and that points to offset 5E. That is where the zlib-compressed data starts. So the DAA file format contains an ISO file, and that ISO file is compressed with zlib; that's what you see here. If you read my other diary entries about zlib compression, you might expect to see a zlib header like 78 9C, but that is not present here, because this is raw compression: you have the deflate stream itself without any header.

What is stored starting at 4C is the size of the different chunks. The ISO file that is compressed is split up into chunks of 65,536 bytes each, and each chunk is compressed separately. The compressed chunks are stored one after another starting from position 5E, and the list that starts at 4C gives the size of each compressed chunk. It's a bit weird how those sizes are stored, because it's not little-endian, nor is it big-endian; it's a mix of both.
First of all, a size is stored using 3 bytes, not 4 bytes or 2 bytes. The first byte is the most significant byte, here 00. The least significant byte is the middle byte, here 97. And the byte that belongs in the middle of the value is at the end, 06. So you have to read the stored bytes 00 97 06 as 00 06 97, and the next entry as 00 D2 AF, and so on. That gives you the size of each compressed chunk.

With that information you could write a program that extracts the ISO file. I have a program that helps me with this, but it's not a program specific to the DAA format. I had the idea some time ago and I just now took the time to implement it: it searches the binary data you provide for streams of compressed data, and if it can decompress them, it reports them to you. And that's what we have here: most of this file is made up of zlib-compressed chunks, so deflated data. My tool is called search for compression. It's still a beta tool, I will still make some changes to it, but you can find it in my GitHub beta repository.

Here is the sample DAA, and here you get the typical output of my tool. Here is index 127, and each line is a sequence of bytes that could be decompressed. First you have the position, and here you see 5E, so 5E is indeed a pointer. Then you have the size of the compressed chunk, and the size of the decompressed chunk, 65,536; like I said, the ISO file is split up in parts like that. And then here is the remainder. This line here is actually a false positive: a very small chunk of 4 bytes that decompresses into 2 bytes. We can filter those out by giving a minimum length for the decompressed data. Let's say we want at least 10, like this, and then we only get the chunks that make up the ISO file.
All the chunks are 65,536 bytes, except for the last one. Now we can select the first chunk to look into it, selecting it like this, as 1. Then I get a hex/ASCII dump. Let me do a run-length encoded hex/ASCII dump, because there are a lot of zeros in here, like this. Let's scroll back. At the start you see a long sequence of zeros, which is typical for ISO files. At position 8000 you get information like CD001, Win32, SwiftDetail, PowerISO, timestamps and so on. Again SwiftDetail, PowerISO, SwiftDetail.exe: that is the malicious program, the executable. And at this position, F00, you can see MZ at the start of the DOS header, and here the PE signature, so this is a PE file.

Using the file command we can identify the sample, like this: file identifies it as a Direct Access Archive, PowerISO. With my tool I can also extract that ISO file. With option -n 10 I make sure that I only have compressed data from the ISO itself, then I select all with -a, for all, and I do a binary dump: -d does a binary dump, not a hexadecimal dump. I write this to a file, ISO.virt, like this. When I run the file command on that one, you can see that we have an ISO file, and then you can mount it, or use a tool, to look into that ISO file.
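The mixed-endian size table and the chunked raw-deflate layout described above, as an added example that is not Didier's tool or code from the video: it decodes the 3-byte sizes, inflates each chunk with zlib in raw mode (no 78 9C header) and reassembles the ISO. The header field offsets are deliberately not modelled; the two pointers (4C and 5E in the sample) are passed in, and the assumption that the size table runs from the first pointer up to the second is labelled in the code. The DAA container and ISO payload used here are constructed fixtures, not the real sample.

```python
import zlib

CHUNK_SIZE = 65536  # each ISO chunk is 64 KiB before compression

def decode_chunk_len(b: bytes) -> int:
    # Mixed byte order from the size table: byte 0 is the most significant,
    # byte 1 the least significant, byte 2 sits in the middle.
    # So the stored bytes 00 97 06 read as 0x000697.
    return (b[0] << 16) | (b[2] << 8) | b[1]

def encode_chunk_len(n: int) -> bytes:
    # Inverse of decode_chunk_len; only used to build the constructed sample.
    return bytes([(n >> 16) & 0xFF, n & 0xFF, (n >> 8) & 0xFF])

def extract_iso(daa: bytes, size_offset: int, data_offset: int) -> bytes:
    # size_offset/data_offset are the two pointers read from the header
    # (0x4C and 0x5E in the sample). Assumption: the size table runs from
    # size_offset up to data_offset, 3 bytes per compressed chunk.
    if not daa.startswith(b"DAA\x00"):
        raise ValueError("not a DAA file")
    n_chunks = (data_offset - size_offset) // 3
    pos = data_offset
    iso = bytearray()
    for i in range(n_chunks):
        entry = daa[size_offset + 3 * i:size_offset + 3 * i + 3]
        clen = decode_chunk_len(entry)
        # Raw deflate (no 78 9C zlib header), hence the negative wbits.
        chunk = zlib.decompress(daa[pos:pos + clen], wbits=-15)
        if len(chunk) > CHUNK_SIZE:
            raise ValueError(f"chunk {i} inflates to {len(chunk)} bytes")
        iso += chunk
        pos += clen
    return bytes(iso)

def build_sample_daa(iso: bytes):
    # Constructed fixture, not a real PowerISO file: "DAA" magic padded to
    # 16 bytes, then the size table, then the raw-deflate chunks back to back.
    header = b"DAA" + b"\x00" * 13
    comp = []
    for off in range(0, len(iso), CHUNK_SIZE):
        z = zlib.compressobj(level=9, wbits=-15)
        comp.append(z.compress(iso[off:off + CHUNK_SIZE]) + z.flush())
    size_offset = len(header)
    table = b"".join(encode_chunk_len(len(c)) for c in comp)
    data_offset = size_offset + len(table)
    return header + table + b"".join(comp), size_offset, data_offset

# Constructed ISO-like payload: 32 KiB of zeros, a CD001 marker, then filler.
SAMPLE_ISO = b"\x00" * 0x8000 + b"\x01CD001\x01\x00" + bytes(range(256)) * 300
```

Running `extract_iso` on the output of `build_sample_daa(SAMPLE_ISO)` returns the original payload byte for byte; a wrong byte order in `decode_chunk_len` shows up immediately as a zlib error on the first chunk.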