From: Art on 2 Jul 2006 08:40

The JPG-SCAN program at my web site has been updated to detect certain narrower specific characteristics that the Trojanized JPG samples I have display. Deletion of detected Trojanized JPGs is left up to the user.

Art
http://home.epix.net/~artnpeg
From: Art on 2 Jul 2006 16:13

On Sun, 02 Jul 2006 12:40:22 GMT, Art <null(a)zilch.com> wrote:
> The JPG-SCAN program at my web site has been updated to detect certain narrower specific characteristics that the Trojanized JPG samples I have display. Deletion of detected Trojanized JPGs is left up to the user.

Updated again Sunday afternoon to accommodate additional Trojanized samples I found. It's quite unlikely that the scanner will false alarm on non-Trojanized JPGs, so if the picture image is of little value the file(s) detected should be deleted. If anyone finds apparent FPs, please send sample(s) of the file(s) to artsown at epix dot net.

As of this afternoon here in central Pa., I see Ewido added as the fourth to the very short list of av/anti-malware vendors alerting on the Trojanized files.

Art
http://home.epix.net/~artnpeg
From: Art on 4 Jul 2006 15:15

On Thu, 22 Jun 2006 22:51:00 GMT, Art <null(a)zilch.com> wrote:

Thread update: As of today, most vendors are still not alerting on the JPGs. Some such as TIBS.JPG and WEB.JPG only have one vendor alerting ... Symantec. With PROXY.JPG, only Fortinet and Symantec alert.

I made an attempt to get an idea of which vendors might alert on a realtime scanner basis. I isolated the appended malicious code portions of the files, and for five of the eight samples I was able to also determine the XOR decryptor used. I found that McAfee in particular didn't alert on the encrypted files but it did on some of the decrypted files. So to nursemaid the av products a bit, I only uploaded decrypted files to VT. Notably, in my other tests using McAfee SCAN, F-Prot DOS and KAVDOS32, F-Prot and Kaspersky didn't care if the files were decrypted or not.

The details are far too lengthy to report here since they involve many Virus Total results as well as other details. Suffice it to say that the results are quite mixed and detection is "spotty". While some of the better av/antimalware products can be expected to alert realtime on some of the files (when a new and "unknown" companion runs the appended malicious code), I wouldn't place any bets on it in general. So IMO, the situation is just as peculiar, or worse, as when I started this thread.

Three of my samples, NT1, NT2 and NT3 (the ones I failed to decrypt) aren't detected by any vendors in their isolated non-JPG form. Yet these are the three that four vendors alert on in their full JPG form. So we have reason(s) to expect that the appended code is malicious. I'm not about to use a companion to extract, decrypt and run the code (on a goat PC) to see which av alert, if any.

Why the vendors don't alert on the JPGs is beyond me. They are leaving users at much higher risk, when it would be so easy for them to provide detection.

Art
http://home.epix.net/~artnpeg
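The post above describes isolating the code appended after the JPG image and working out its single-byte XOR key. The following is an added example, not Art's JPG-SCAN program, of how a defender can do the same two checks: walk the JPEG marker structure to the EOI marker and report any trailing bytes, then try the 256 possible single-byte XOR keys looking for a known header. The assumption that the appended code starts with an "MZ" executable header and the sample files are constructed here for the demonstration.

```python
import struct
from typing import Optional

EOI, SOS = 0xD9, 0xDA

def find_jpeg_end(data: bytes) -> int:
    """Offset just past the EOI marker, found by following segment lengths
    rather than searching for FFD9 (which can occur inside entropy data)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:
            pos += 2                            # stand-alone markers, no length
            continue
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == SOS:
            # entropy-coded data: skip until a real marker, ignoring byte
            # stuffing (FF00) and restart markers (FFD0..FFD7)
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")

def appended_data(data: bytes) -> bytes:
    """Bytes after the image proper; a clean JPEG yields an empty result."""
    return data[find_jpeg_end(data):]

def guess_xor_key(blob: bytes, magic: bytes = b"MZ") -> Optional[int]:
    """Single-byte XOR key that turns the start of blob into magic, if any."""
    for key in range(256):
        if bytes(b ^ key for b in blob[:len(magic)]) == magic:
            return key
    return None

# Constructed sample: structurally valid minimal JPEG (APP0, SOS, EOI).
CLEAN_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\xff\x00\x34\xff\xd0\x56"
              + b"\xff\xd9")
PAYLOAD = b"MZ\x90\x00constructed stand-in for appended code"   # not real malware
TROJANIZED_JPEG = CLEAN_JPEG + bytes(b ^ 0x5A for b in PAYLOAD)  # XOR key 0x5A
```

Run against a real file with `appended_data(open(path, "rb").read())`; a non-empty result is worth a closer look even when `guess_xor_key` finds nothing, since the NT1..NT3 samples in the thread resisted decryption.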
From: Art on 4 Jul 2006 22:06

My JPG-SCAN program has been speeded up considerably, and there have been some cosmetic changes done recently. Detection is now "tight enough" that there should be no false positives on legit JPG files.

Art
http://home.epix.net/~artnpeg
From: Dustin Cook on 4 Jul 2006 22:15

Art <null(a)zilch.com> wrote in news:6e7ma2tf4liihq5lno54scdecet49c5lp6@4ax.com:
> My JPG-SCAN program has been speeded up considerably, and there have been some cosmetic changes done recently. Detection is now "tight enough" that there should be no false positives on legit JPG files.

Jeeze Art... Are you going to make a gif/tga/bmp scanner too? *grin*

--
Dustin
Author of BugHunter - MalWare Removal Tool
http://bughunter.it-mate.co.uk