From: edgewalker on 26 Jun 2006 15:14

"4Q" <paul_zest(a)hushmail.com> wrote in message news:1151288525.774701.244920(a)u72g2000cwu.googlegroups.com...
> The trick has a vague similarity to the stego .bmp (if anyone can
> work it out without me having to print the code here) and involves
> machine code for 'decimal adjust AL after addition'

Go ahead and post it in acvsc. Reminds me of batman186 (IIRC) which uses a script-to-com/com-to-script flip.
From: edgewalker on 26 Jun 2006 15:17

"GEO" <Me(a)home.here> wrote in message news:449eb494.1904414(a)news.telus.net...
> On Sun, 25 Jun 2006 16:47:01 -0400, "edgewalker" <null(a)null.invalid>
> wrote:
>
> >> >| "Art" <null(a)zilch.com>
> >> >| I'm puzzled that only two products alert on the JPEGS
> >> >| even though many alert on the (apparently)
> >> >| companion malware. I would think it important to
> >> >| alert on the JPEGS as a warning to users to get rid
> >> >| of them.
>
> >> >D.Lipman wrote:
> >> >Now on another batch...
> >> >Symantec is calling the submitted JPEGs -- Trojan.Frogexer!gen.
>
> >> Geo wrote:
> >> The latest version of Bagle was formed by two files inside the ZIP
> >> file, one an EXE and one a DLL. Looking at the DLL with Notepad I
> >> noticed that it was nothing but ASCII characters:
> >> 'ucrjsyfzimaepnc.....'
>
> >"edgewalker" wrote:
> >Some dll extensioned files are very nearly identical to exes. Most are
> >indeed executable, but can't (as named) be executed by simply invoking
> >them from the gui or command line.
>
> I have looked at other DLL files and, looking at them on Notepad, I
> had noticed what you mentioned; that was why I was surprised to see
> that the ones included on the zipped Bagle were formed by ASCII
> characters. It made me wonder what was the information included in the
> extra file. Any guesses?

Some programs use the dll extension for what are equivalent to ini files or the Windows registry. Some Windows dlls are libraries of icon graphic data. It could be anything.
From: Dustin Cook on 26 Jun 2006 15:27

4Q wrote:
> It's a good example of an exception to the companion stego executer.
> i.e. the data is pseudo hidden in the picture, *but* the .bmp picture
> data is also a complete working program.

A complete working program which requires a very stupid user to knowingly rename it so that it can be executed. It's an example of pointless code...

> *shrug* I was talking about a .bmp that allows for machine code to
> be inserted into its internal structure, .bmp and .jpg don't have
> the same internals. (this kind of trick was used in notepad.exe as
> well, but was never published ;]])

Actually, you're talking about island or cavity infection, right? And that trick, if you will, was published several years ago. .bmp and .jpg aren't internally the same, no; but the same principles still apply. You could hide code in just about any type of file you wanted. What's the point in the long run, tho?

> Anyhow that being the case I guess you aren't going to be impressed
> with this next little trick a mutual hacker friend of ours showed me
> many years ago... How about a .vbs application that changes itself
> into a .com application

It's about as cool as my text to .com converter I wrote in '92... really neat, but... utterly useless. Well, unless you were into BBSes. Then it was kinda cool. Instead of your bbs.txt file, you could have kewlbbs.com :) And if you had ANSI support, it was really cool.

> without any modification to the code?!? Yes a schizophrenic
> poly-morph application that flips from .vbs to .com then
> .com to .vbs etc etc just by double clicking on it.

And it's not difficult to do. :) 4Q, you can't honestly be impressed by hat tricks, can you? If you are, do some reading into the old Commodores, CoCos, etc. They have more. :)

> The trick has a vague similarity to the stego .bmp (if anyone can
> work it out without me having to print the code here) and involves
> machine code for 'decimal adjust AL after addition'

Which is no different than the EICAR test file. It's written in assembly, but uses a very specific character set, i.e. executable text. Boring then, boring now.

> </end of hax0r tricks>

hax0r tricks based on old old schoolness. :)

> Yeah it would never ever get ITW in a month of sundays but
> is just an example of how a coder can think beyond the limits
> of what systems were originally intended to do.

Systems were intended to follow instructions; it's not thinking outside the box to provide it instructions.

> Like when you contacted the author of ASIC and said
> "Hey great news, I've used your ASIC tool for virus! bet you
> never thought anyone would do that" *impressed?!* *grin*

True, but writing a virus in ASIC wasn't thinking outside the box. ASIC was a programming language; it was doing what I told it. Nothing more, nothing less. The only thing I can say about the entire thing was I didn't have/need any tutorials, I had to write the code all by myself, so my work really is my own; it's not based on somebody else's work, like so much vx is. Otherwise, they're nothing special. That was thinking outside the box. :) All original code. heh, so rare these days.

--
Regards,
Dustin Cook
http://bughunter.atspace.org
From: B. R. 'BeAr' Ederson on 26 Jun 2006 16:12

On Mon, 26 Jun 2006 19:06:56 GMT, Art wrote:
> I just noticed there's a "lossless" plugin for Irfan which I've yet to
> download.

It is for some standard operations which can be done losslessly (like basic rotation and scrubbing of EXIF data). It would be interesting whether <Optimize JPG file> or <*don't* keep other APP markers> results in any significant size changes on your pictures...

> The freeware 2JPEG is a command line converter that makes it convenient
> to write programs or batch programs to find all JPGs and filter out the
> embedded code

You surely know that IrfanView can be scripted (via command line or <Batch Conversion/Rename>), too?

BeAr
--
===========================================================================
= What do you mean with: "Perfection is always an illusion"?              =
===============================================================--(Oops!)===
From: GEO on 26 Jun 2006 16:17

On Mon, 26 Jun 2006 15:17:59 -0400, "edgewalker" <null(a)null.invalid> wrote:
>> >"edgewalker" wrote:
>> >Some dll extensioned files are very nearly identical to exes. Most are
>> >indeed executable, but can't (as named) be executed by simply invoking
>> >them from the gui or command line.
>> I have looked at other DLL files and, looking at them on Notepad, I
>> had noticed what you mentioned; that was why I was surprised to see
>> that the ones included on the zipped Bagle were formed by ASCII
>> characters. It made me wonder what was the information included in the
>> extra file. Any guesses?
>
>Some programs use the dll extension for what are equivalent to ini files or
>the Windows registry. Some Windows dlls are libraries of icon graphic
>data. It could be anything.

Does not look like an ini file, and no icons here:

ucrjsyfzimaepnctcgbhyfvgrfkhdqohcpouckkitblmewxpbcweorvructcyy
lnnzesfrqkohbkyfcazcdjuxzlfcckliqhppfxtjacuvbuglwmvbttxuy......
...etc

Maybe Symantec should be adding it too?? :)

Geo
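A defender-side follow-up to GEO's puzzle, written as an added example (not code from anyone in the thread): a file that is merely *named* .dll but carries no MZ header and consists almost entirely of printable ASCII is companion data rather than a library, and a triage script can flag it before a human opens it in Notepad. The sample blobs below are constructed, not taken from the Bagle drop.

```python
import string

# Constructed samples (not from the thread): a stub carrying the DOS 'MZ'
# signature that every genuine DLL starts with, a lowercase-letter run like
# the one GEO pasted, and arbitrary binary that is neither.
PE_SAMPLE = b"MZ\x90\x00\x03\x00" + b"\x00" * 58 + b"PE\x00\x00" + b"\x00" * 64
ASCII_SAMPLE = b"ucrjsyfzimaepnctcgbhyfvgrfkhdqohcpouckkitblmewxpbcweorvructcyy" * 4
BINARY_SAMPLE = bytes(range(256)) * 2

PRINTABLE = frozenset(string.printable.encode())


def has_mz_header(data: bytes) -> bool:
    """A real Win32 DLL (or EXE) begins with the DOS 'MZ' stub."""
    return data[:2] == b"MZ"


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for empty input)."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def classify_dll_blob(data: bytes) -> str:
    """Triage a file that was merely *named* .dll:
      'pe-image'      - MZ header present; hand it to a PE parser / AV scan
      'ascii-payload' - no header, (almost) all printable: companion data or
                        encoded code, as in the Bagle drop GEO describes
      'non-pe-binary' - no header and not text; also worth a closer look
    """
    if has_mz_header(data):
        return "pe-image"
    if printable_ratio(data) > 0.95:
        return "ascii-payload"
    return "non-pe-binary"


def triage(files: dict) -> dict:
    """Return {name: verdict} for every file whose name ends in .dll."""
    return {name: classify_dll_blob(blob)
            for name, blob in files.items() if name.lower().endswith(".dll")}


if __name__ == "__main__":
    sample = {"real.dll": PE_SAMPLE, "companion.dll": ASCII_SAMPLE,
              "junk.dll": BINARY_SAMPLE, "readme.txt": ASCII_SAMPLE}
    for name, verdict in triage(sample).items():
        print(f"{name}: {verdict}")
```

The 0.95 threshold is a constructed heuristic; a real PE image scores far lower because of its headers and code sections, while an all-letter blob scores 1.0.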