Using Self-extracting Executables to Infect Computers

In one of my previous articles I wrote about a Trojan infection that was found in pirated copies of Windows 7 RC, they discovered the infection embedded in a self-extracting executable (SFX) container. The question to ask is; What exactly is a self-extracting executable and just how dangerous is it? A SFX is a simple computer application that enables your computer to unzip and extract items from zipped files without the need of additional software.

In other words a second program is not necessary to extract the file archives as is usually required. In this way any computer that the zipped files are sent to will be able to execute, regardless of whether or not the computer has the correct decompression program on it. Altogether SFX's make for the easy distribution and execution of compressed files. The process is quick and simple as users can execute SFX files in the same way that they would any other program, by simply double clicking on the file.

There are a couple of programs out there that allow for the creation of self-extracting executables. Today we will look at three programs that can be used on Microsoft Windows to create self-extracting executables; WinZip, WinRAR, 7-Zip. Below are step by step instructions on how to create a SFX with the three different programs:

If using WinZip:

• Locate the zip file you would like to make a SFX and right mouse click on it.
• Then select "Create Self-Extractor (Exe)" from the WinZip Menu.
• A Window should open then click OK.

If using WinRAR:

• Select files you want to add to your archive then click the "add" button.
• A dialog window will open were you select the features you want.
• Make sure that the SFX Archive is checked on the dialog window.
• Then click OK.
  

If using 7zipSilencer:

• Select the 7-Zip archive you want to make a container.
  
• Select the icon from the "Select SFX file" section.
• Enter the name of the executable to be launched in 7z archive.
• Under "Select output file" select the name of the executable and folder.
• Click "Start" and wait for process to complete.

The use of these programs is very convenient when sharing and distributing different type of files. But as convenient as it is, it is not the safest way of sharing and receiving files. As was noted in  my previous article, SFX files are as convenient an "all in one kit" for cyber-criminals as it is for us. The "Win32.Trojan-gen infection" was hidden inside a SFX container named "setup.EXE" (the name of a legitimate program), clearly showing us that Trojan horses and viruses can easily be stored in an SFX file. Computer users are advised to never accept or click on suspicious SFX files, especially if it comes from an unknown source.