From: Art on 23 Jun 2006 08:59

On Thu, 22 Jun 2006 23:45:58 -0400, kurt wismer <kurtw(a)sympatico.ca> wrote:

>> I'm puzzled that only two products alert on the JPEGS
>> even though many alert on the (apparently)
>> companion malware. I would think it important to
>> alert on the JPEGS as a warning to users to get rid
>> of them.
>
>think of it as being analogous to the issue of scanning inside of
>various types of archives (which i know you're already quite familiar
>with)... ultimately the jpegs are just acting as a kind of container...
>how good are av apps at scanning inside containers in general and exotic
>(ie. non-zip/rar/arj) containers in particular? i seem to recall you
>saying something about problems unpacking installation files even (and
>one wouldn't normally consider those to be 'exotic')...

Here's a snippet from the blog I referenced where the author responds to a comment by "Mike":

*******************************************************
And basic X-raying is all that's required to decrypt these files, for now anyway.
*******************************************************

Now, I dunno what he means by "basic X-raying" but he makes it sound as if the decryption in this particular case is straightforward. Whether he means in a lab only or in a scanner is a question.

Anyway, that's partially why I'm surprised that Kaspersky in particular isn't alerting. They seem to never shy away from difficult "unravelling" and "scanning within" all kinds of files. Plus the fact that it _appears_ that Symantec is effectively decrypting, and Bit Defender _may_ also be decrypting.

As of this moment, I haven't yet heard back from a Kaspersky analyst. I'm hoping their response will shed light on my questions.

Art
http://home.epix.net/~artnpeg
From: Dustin Cook on 23 Jun 2006 11:11

Art wrote:
> I'm puzzled that only two products alert on the JPEGS
> even though many alert on the (apparently)
> companion malware. I would think it important to
> alert on the JPEGS as a warning to users to get rid
> of them.

The code contained inside the jpegs isn't functional without something to read it, win32.exe. Otherwise, the jpegs are a picture of a frog, with hidden code. Code only readable by software that already knows it's there. I don't think a picture viewer will do anything bad if you decide to look at one. :)

You could steganography a .gif, .bmp, almost anything that doesn't have crc checks and/or a hashing table. The catch tho is, your code likely isn't operational on its own. A 3rd party will need to come read, and put you back together in order to run.

> I'm also puzzled/curious about the Symantec
> alerts.
>
> Here's a McAfee blog with some info on this
> malware set:
>
> http://www.avertlabs.com/research/blog/?p=36
>
> BTW, while McAfee alerts on WIN32.EXE as Generic
> Downloader, it does not alert on the JPEGS.

I believe BugHunter also picks up win32.exe, but it doesn't alarm on the jpegs either. And it's not going to....

--
Regards,
Dustin Cook
http://bughunter.atspace.org
From: Art on 23 Jun 2006 11:36

On 23 Jun 2006 08:11:24 -0700, "Dustin Cook" <bughunter.dustin(a)gmail.com> wrote:

>> I'm puzzled that only two products alert on the JPEGS
>> even though many alert on the (apparently)
>> companion malware. I would think it important to
>> alert on the JPEGS as a warning to users to get rid
>> of them.
>
>The code contained inside the jpegs isn't functional without something
>to read it, win32.exe. Otherwise, the jpegs are a picture of a frog,
>with hidden code. Code only readable by software that already knows
>it's there. I don't think a picture viewer will do anything bad if you
>decide to look at one. :)

Of course it doesn't but that's beside the point.

>You could steganography a .gif, .bmp, almost anything that doesn't have
>crc checks and/or a hashing table. The catch tho is, your code likely
>isn't operational on its own. A 3rd party will need to come read, and
>put you back together in order to run.

Yep, and that's exactly why I think the .JPGs should be detected.

>> I'm also puzzled/curious about the Symantec
>> alerts.
>>
>> Here's a McAfee blog with some info on this
>> malware set:
>>
>> http://www.avertlabs.com/research/blog/?p=36
>>
>> BTW, while McAfee alerts on WIN32.EXE as Generic
>> Downloader, it does not alert on the JPEGS.
>
>I believe BugHunter also picks up win32.exe, but it doesn't alarm on
>the jpegs either. And it's not going to....

Too bad. It would be a useful detection IMO.

Art
http://home.epix.net/~artnpeg
From: Dustin Cook on 23 Jun 2006 13:06

Art wrote:
> Of course it doesn't but that's beside the point.

I'm lost then.

Steganography is the art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message; this is in contrast to cryptography, where the existence of the message itself is not disguised, but the content is obscured.

> Yep, and that's exactly why I think the .JPGs should be detected.

Ehm... You do realize the growing possibility of false alarms if we have antivirus/malware products trying to guess if something has a hidden bit of code in a jpeg right?

That's a lot of signatures. :)

> Too bad. It would be a useful detection IMO.

I would tend to disagree...

--
Regards,
Dustin Cook
http://bughunter.atspace.org
From: Art on 23 Jun 2006 14:23
On 23 Jun 2006 10:06:24 -0700, "Dustin Cook" <bughunter.dustin(a)gmail.com> wrote:

>
>Art wrote:
>
>> Of course it doesn't but that's beside the point.
>
>I'm lost then.
>Steganography is the art and science of writing hidden messages in such
>a way that no one apart from the intended recipient knows of the
>existence of the message; this is in contrast to cryptography, where
>the existence of the message itself is not disguised, but the content
>is obscured.

In this case they use JPG steganography to hide malicious code in JPGs. Companion malware is required to decrypt and run the malicious code.

>Ehm... You do realize the growing possibility of false alarms if we
>have antivirus/malware products trying to guess if something has a
>hidden bit of code in a jpeg right?

I don't know that av have to "guess" (use heuristics only). It doesn't appear that Symantec is detecting heuristically since it gives exact IDs (and different ones) on three different JPG files.

>That's a lot of signatures. :)

Hell, signatures are ballooning outa sight anyway :) What's a few more?

>> Too bad. It would be a useful detection IMO.
>
>I would tend to disagree...

I'd say informing the user of the infested JPG which might be used by the companion malware at any point is important. I'd say it's more important than wasting sigs as some do on commercial sw which might be used for nefarious purposes. I'd go so far as to say it's more important than flagging harmless adware that's merely annoying. After all, we're talking here about some nasty downloader Trojans.

Art
http://home.epix.net/~artnpeg
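A structural check of the kind the thread argues over, as an added example that is not from any poster or product named here: it walks a JPEG's marker segments and flags bytes appended after the EOI marker or oversized COM/APPn metadata segments, which a scanner can report without guessing at content. The size threshold and the sample byte strings are constructed assumptions; the thread does not say how the frog JPEGs actually carry their code.

```python
import struct

SOI, EOI, SOS, COM = b"\xff\xd8", b"\xff\xd9", 0xDA, 0xFE
MAX_METADATA = 4096  # assumed threshold: COM/APPn segments above this get flagged

def parse_segments(data: bytes):
    """Walk marker segments up to SOS; return (segments, offset of entropy data)."""
    if data[:2] != SOI:
        raise ValueError("missing SOI: not a JPEG")
    pos, segs = 2, []
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte preceding a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # TEM, RSTn, SOI carry no length
            segs.append((marker, 0))
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes itself
        segs.append((marker, length))
        pos += 2 + length
        if marker == SOS:  # entropy-coded scan data follows; stop walking
            break
    return segs, pos

def inspect_jpeg(data: bytes):
    """Return structural anomalies that suggest the image is carrying a payload."""
    findings = []
    segs, scan_start = parse_segments(data)
    for marker, length in segs:
        if (marker == COM or 0xE0 <= marker <= 0xEF) and length > MAX_METADATA:
            findings.append(f"oversized metadata segment 0xFF{marker:02X} ({length} bytes)")
    eoi = data.find(EOI, scan_start)  # FFD9 cannot occur inside entropy-coded data
    if eoi == -1:
        findings.append("no EOI marker found")
    elif len(data) - (eoi + 2) > 0:
        findings.append(f"{len(data) - (eoi + 2)} bytes appended after EOI")
    return findings

def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples, not files from the thread: a minimal JFIF-shaped stream,
# and the same stream with opaque bytes appended after the EOI marker.
CLEAN = (SOI + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
         + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56" + EOI)
APPENDED = CLEAN + b"\x00constructed payload\x00" * 2
```

Thumbnails embedded in an APP1 segment are skipped by length, so their inner SOI/EOI pairs do not trip the trailing-data check; a companion decoder that pulls its code out of the entropy-coded scan itself would not be caught by this structural pass.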