How to share malicious source code?
I have a client whose site (not one I developed) is infected by a trojan/malicious code. I have asked him to send me the dirty files in a zip but either Gmail or unzipping is blocking them.
I've tried text files and word files, and I'm suspecting many different file types will be blocked the same way, either by my mail client, anti-malware software, browser etc. (which is normal).
Do you know a way he could share those lines so I can read them and do some research about the malicious source code?
An image/screenshot of his text editor would be an idea but the files are long and I'd prefer to be able to copy/paste from them.
It's probably Gmail - it's designed to do that after all and does scan for viruses. I suspect using a less common compression method might work (.xz may work for a single file - zip files are checked from my very unscientific tests of Gmail), or just simply burning it onto a DVD or other media and snailmailing it might work better.
Considering you're doing incident response, would it be too much to ask for access to the site directly to download the files? That would be the simplest, and you can then observe the compromise in its native environment.
Just use an encrypted zip file, either letting zip itself do the encryption, or using gpg to encrypt it. Then mail the encrypted file, and exchange the passphrase so you can unpack it on the other end. This way an anti-virus scanner is prevented from reading the contents, and thus shouldn't block it.
One way which you can always use is to make an archive (zip, tar, whatever). Uuencode that archive and strip the "begin 600 filename" line from the beginning and the "end" line from the end of the encoded result.
I have never encountered a virus scanner blocking pure ASCII files yet. And that is just what the result of the above operations is.
Restoring it is as simple as opening the file in a text editor, adding the begin and end lines, and using either uudecode or WinZip to decode it back.
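An added example, not part of any of the answers above: the ASCII-only packaging described in the last answer, sketched in Python, with a SHA-256 digest so the receiver can confirm the samples arrived unmodified and can read them in memory without writing them to disk. The function names and the placeholder sample are assumptions made for this illustration.

```python
import binascii
import hashlib
import io
import tarfile

def pack(files):
    """Tar+gzip the samples; return (uuencoded ASCII body, SHA-256 of archive)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o600  # samples are never marked executable
            tar.addfile(info, io.BytesIO(data))
    raw = buf.getvalue()
    # uuencode 45 bytes per line; backtick=True avoids trailing spaces that
    # mail clients may trim. No "begin"/"end" lines are written.
    body = "".join(
        binascii.b2a_uu(raw[i:i + 45], backtick=True).decode("ascii")
        for i in range(0, len(raw), 45)
    )
    return body, hashlib.sha256(raw).hexdigest()

def unpack(body, expected_sha256):
    """Decode the body, verify the digest, return {name: bytes} in memory."""
    raw = b"".join(binascii.a2b_uu(line) for line in body.splitlines() if line)
    if hashlib.sha256(raw).hexdigest() != expected_sha256:
        raise ValueError("archive digest mismatch: damaged or altered in transit")
    samples = {}
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:gz") as tar:
        for member in tar:
            parts = member.name.split("/")
            if not member.isfile() or member.name.startswith("/") or ".." in parts:
                raise ValueError(f"refusing unsafe archive member: {member.name!r}")
            # Read as bytes only; nothing is written to disk or executed.
            samples[member.name] = tar.extractfile(member).read()
    return samples

# Constructed placeholder standing in for an infected file (not real malware).
SAMPLE = {"site/index.php": b"<?php /* constructed placeholder */ ?>\n" * 20}

if __name__ == "__main__":
    text, digest = pack(SAMPLE)
    print(digest)
    print(text[:61])
    assert unpack(text, digest) == SAMPLE
```

The digest should travel by a different channel than the body (phone, chat), so a damaged or altered attachment is caught before anyone starts analysing it.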