Is it Even Possible to Remove Malware from an .exe File?

This question has to have been asked (or alluded to) at some point in the history of this virus-conscious community. But none of my searches turned up any such threads, so I am going to take the liberty of starting two threads in one day. #TopicHog

 

OK, I am really not a programmer, and I may ask what seem like very stupid questions, make some very ignorant assumptions... Please bear with me. 

 

Is it possible for a very skilled programmer to break open (decompile?) an executable-install file and remove malware? And then recompile the whole mess of code and have it still function properly... The question is this: CAN YOU CLEAN A DIRTY INSTALL FILE AND SALVAGE IT, SO THAT YOUR FRIEND CAN HAVE A CLEAN INSTALL?

 

 

I have provided the following conditions to accompany my question:

 

• The malware has been previously identified and successfully thwarted. (i.e., you have loaded the exe file onto your machine; your machine became infected, but you isolated the threat and identified it as a common browser hijacker. You also have logs of its system-level activities from point of installation to the point of eradicatifon.)
• The malware has no inherently destructive capabilities. (i.e., it is not a wipeware or anything aggressively malicious, just a predictable browser hijacker or toolbar bug.)
• The malware does not otherwise interfere with or compromise the integrity of the desired software. (i.e., the .exe has no apparent problems aside from the fact that your Chrome browser has become suddenly compromised. The desired software appears to be intact and function normally -- from which we can infer that its code has not been disturbed)
• However, no mal/adware was able to be detected on the .exe file upon preemtive scan by several reputable anti-malware applications.(i.e., the bug has itself very well hidden in the install file. Even though it is fairly easy to detect kill [with the right weapons] once it is out, it seems to have been clevery embedded in the .exe file containing the desired software.) 

 

Did that make sense?  No?

 

OK, Hypothetical Story Time!

 

Jim is a programmer who decides he wants a particular version of software called Goodware v7.x. Goodware is great program but it is a bit esoteric, is made in Central Asia somewhere, and is only available from third-party download sites. For this reason, Jim is a little worried. (But not too worried because Jim is a skilled hacker who pwns any malicious digibyte that dare step to him.)

 

Not terribly worried, Jim scans the Goodware install file with several anti-malware applications: MonkeyVirus, AlphaVirus, and MileyVirus -- all come up as "No threats detected", so Jim installs Goodware .exe on his machine. 

 

Once Goodware is installed and Jim has used the software to do a few good things to his hard drive, he goes to his Chrome browser to check his email and BAM! He realizes that his Chrome browser has been hijacked by a mal that has set his homepage to Badware.tk.

 

OH NO!  What does Jim do?

 

Well, Jim looks over his logs, peruses some keyword searches for Badware.tk on his phone, deletes a few system files and registry entries, executes a few line comands, runs AlphaVirus again, unin/reinstalls his Chrome browser, restarts his machine, runs Goodware (which still works perfectly, sans virus), confirms that the malware has been eradicated, and *poof*, it's all fixed (because Jim knows what he is doing.) 

 

But Jim wants to give a copy of Goodware to his boyfriend, Thomas. Thomas works on custom cars for a living, is not a computer expert, and probably wouldn't know what to do if Badware attacked his five-year-old computer. 

 

Since Goodware is fairly hard to come by, and this bug seemed easy enough to kill, Hacker Jim wonders if it might be possible to actually extract the Badware from the executable file before giving it to Thomas.  

 

My QUESTION redux:

 

Would it really be worth for Jim the trouble of trying to fish the Badware out of the Goodware install file?

 

What if Jim was fully aware that it would be much safer and probably faster to just go find another copy of Goodware from a different host, but he is now curious and obsessed with this idea:  'COULD I POSSIBLY PURGE THE INSTALL FILE MANUALLY?'

 

The point I am getting at is this: If someone had some skills and was really obsessed with the process, no matter how impracticle it might be, would it even be feasibly possible to remove a known threat from a common-format installation file before transmitting it to a less savvy friend?

 

(Maybe one of these framings makes some sense?... Hopefully.)

 

This relates indirectly to my earlier post suggesting the adoption of a clean installation of Irfanview on the Bleeping downloads section. 

 

I will hog no more topics today. Thank you for reading. 

Is it possible for a very skilled programmer to break open (decompile?) an executable-install file and remove malware?

It is, yes. It would be easier to do if this executable was his and he had direct access to the source code. So he could clean it, then re-compile it without the malicious code. Might not be possible for every executables. And also, I've never really seen anyone bothering doing that. It's just easier to find another clean executable than going throught the hassle of doing all that. If a download isn't clean, you don't use it, simple as that. Hence why a lot of programs host their own downloads or use official and recognized mirors.

I expect Didier to jump in this thread and give us full theory on the subject

Edited by Aura., 07 April 2015 - 07:53 PM.

Thank you, Aura!

Even an anti-virus will attempt to clean an infected file before quarantine/delete.

No problem evan, my pleasure

Yes, this is possible.

 

Many anti-virus programs do this actually, when they clean a file. So when an executable is infected with a file-infector (that is malware that attaches itself to a file), in most cases, anti-virus can clean it (e.g. remove the attached malware).

 

If the original EXE has a digital signature, you can even check if the removal was successful, by checking the digital signature. With malware, the signature will be invalid, and without, it will be valid.

So basically, all what Jim would have to do is to scan the bundled file against an Antivirus which could "clean" that file to remove the malware and then pass it along to his friend? However, will it work on bundled installers? The Antivirus should have PUP detection and also detect that file, obviously.

No, bundled installers are different. There was no "clean" file that was later on infected.

So I guess it won't apply in his situation because it sounds like he's talking about a bundled installer.

...it sounds like he's talking about a bundled installer.

From the link in his first posting...This relates indirectly to my earlier post suggesting the adoption of a clean installation of Irfanview on the Bleeping downloads section.

When I say 'clean download', I am refering to the software's notoriety for coming bundled with bADwarez of all description

Yes exactly. So in that case, scanning the bundled installer against an Antivirus wouldn't do the trick. However ... extracting the content of the installer (depends if it's a .exe or .msi) could work since you could grab only the installer for the program itself. But that doesn't work with every installers sadly. It works for drivers ones as far as I know.

It will never work in his case, because of his condition:

 

• However, no mal/adware was able to be detected on the .exe file upon preemtive scan by several reputable anti-malware applications.(i.e., the bug has itself very well hidden in the install file. Even though it is fairly easy to detect kill [with the right weapons] once it is out, it seems to have been clevery embedded in the .exe file containing the desired software.) 

Well I guess it would work if he was to submit the .exe (sample) to an Antivirus company so they can add it to their definitions. Or if he uploads it on VirusTotal, they're going to obtain the sample eventually.

Then it will be detected. But I doubt that AV companies will include cleaning instructions to the signature, as it is not a file-infector.

Keep in mind that in many cases the infected files cannot be disinfected properly by your anti-virus due to flaws and bugs in the viral code. When disinfection is attempted, the files become corrupted and the system may become irreparable. Some file infectors will create non-functional files that also contain the virus so it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection.