From: Dustin Cook on 23 Jun 2006 15:42

Art wrote:
> I don't know that av have to "guess" (use heuristics only). It doesn't
> appear that Symantec is detecting heuristically since it gives exact
> IDs (and different ones) on three different JPG files.

Nah, you're right, they're using sigs. The malware isn't really keen on the process, i.e. it's fixed, or appears to be.

> Hell, signatures are ballooning outa sight anyway :) What's a few
> more?

How very true, and quite saddening. :)

> I'd say informing the user of the infested JPG which might be
> used by the companion malware at any point is important. I'd
> say it's more important than wasting sigs as some do on
> commercial sw which might be used for nefarious purposes.
> I'd go so far as to say it's more important than flagging
> harmless adware that's merely annoying. After all, we're
> talking here about some nasty downloader Trojans.

Fair enough Art, you've convinced me to hunt down the frog jpegs and add them to bughunter... Although, I still maintain they are harmless without win32.exe....

---
Regards,
Dustin Cook
http://bughunter.atspace.org
From: edgewalker on 23 Jun 2006 16:34

"Ian Kenefick" <ian_kenefick(a)eircom.net> wrote in message news:82em925ueka2t9klceara5i2eirnkvdap9(a)4ax.com...
> It was interesting in McAfee's analysis. He mentions that some
> analysts would skip over the jpegs thinking they were benign jpegs and
> not taking them into consideration in the overall analysis. Of
> course... dynamic analysis would show their true functionality. You
> wonder how much of this stuff does get 'missed' by virus analysts.

The only "threat" is the executable. The same old story as before regarding jpg viruses - something "else" has to be amiss. True, they should include it in the cleanup, but it is not really necessary.
From: edgewalker on 23 Jun 2006 16:38

"Art" <null(a)zilch.com> wrote in message news:8uln92h8dhur78rmq0v2c60j2f5jqq5fsn(a)4ax.com...
> On Thu, 22 Jun 2006 23:45:58 -0400, kurt wismer <kurtw(a)sympatico.ca>
> wrote:
>
> >Art wrote:
> >> Regulars here are aware that steganography is a technique
> >> of embedding malicious code in picture image files (and other
> >> files).
> >
> >minor quibble - steganography is a technique for hiding messages in
> >other things, it's not just for hiding malware...
>
> To paraphrase Winston Churchill, "Such errant pedantry up with I shall
> not put!". Obviously if malicious code can be embedded in certain
> files, any code can be embedded.

What he's getting at is not only code but "information" gets embedded. Your statement sounded too much like a wrong definition of steganography.
From: Art on 23 Jun 2006 16:44

On 23 Jun 2006 12:42:39 -0700, "Dustin Cook" <bughunter.dustin(a)gmail.com> wrote:

>Fair enough Art, You've convinced me to hunt down the frog jpegs and
>add them to bughunter...

No need to hunt. Just let me know if you want me to send them to you. And no, I'm not a malware spreader. I trust you aren't either any more :)

>Although, I still maintain they are harmless
>without win32.exe....

Of course. Or some other suitable malware the mob in Russia is cranking out that also works with these particular JPG files.

Art
http://home.epix.net/~artnpeg
From: 4Q on 23 Jun 2006 16:48

Dustin Cook wrote:
> Art wrote:
>
> > I'm puzzled that only two products alert on the JPEGS
> > even though many alert on the (apparently)
> > companion malware. I would think it important to
> > alert on the JPEGS as a warning to users to get rid
> > of them.
>
> The code contained inside the jpegs isn't functional without something
> to read it, win32.exe. Otherwise, the jpegs are a picture of a frog,
> with hidden code. Code only readable by software that already knows
> it's there. I don't think picture viewer will do anything bad if you
> decide to look at one. :)

Raidy an exception to the rule maybe: Minders .bmp IRC worm. His code was contained inside the .bmp file and looked like a little bit of random noise inside a viewer, however his worm was also a weak SE trick and the picture contained a message asking the user to rename the .bmp to a .com. Then it operated as a normal wormoid. Bit lame as an ITW example but hey, nice example of a hax0r thinking outside the box.

4Q
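The point made across the thread, that a JPEG carrying a hidden payload is inert for a picture viewer but still worth flagging so the companion executable has nothing to read, can be turned into a simple defensive check. The script below is an added example, not code from any poster in the thread or from the bughunter project. It assumes one common hiding technique, data appended after the JPEG end-of-image (EOI) marker, which a viewer never reads; the thread does not say how these particular frog files carried their code, so that assumption is the example's, not the thread's. The sample JPEG skeleton is constructed inline so the script runs offline.

```python
import struct

# JPEG marker codes used by the walker
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
RST_MARKERS = range(0xD0, 0xD8)   # restart markers may appear inside scan data


def walk_jpeg(data: bytes):
    """Walk the JPEG marker structure without decoding the image.

    Returns (segments, eoi_offset): segments is a list of
    (marker, offset, declared_length) for every segment header seen,
    eoi_offset is the index of the 0xFF byte of the EOI marker, or None.
    The container structure is all a scanner needs to find bytes that a
    viewer stops reading at."""
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    segments = []
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:             # 0xFF fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return segments, pos
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            raise ValueError(f"bad segment length at offset {pos}")
        segments.append((marker, pos, seg_len))
        pos += 2 + seg_len
        if marker != SOS:
            continue
        # Entropy-coded data follows SOS: 0xFF is only a marker when the next
        # byte is neither 0x00 (byte stuffing) nor an RSTn marker.
        while pos + 1 < len(data):
            if data[pos] != 0xFF:
                pos += 1
            elif data[pos + 1] == 0x00 or data[pos + 1] in RST_MARKERS:
                pos += 2
            elif data[pos + 1] == 0xFF:
                pos += 1
            else:
                break                  # a real marker (EOI or another segment)
    return segments, None


def inspect_jpeg(data: bytes) -> dict:
    """Report the segment layout and any bytes appended after EOI.

    A non-zero trailing_bytes count is the thing a scanner would flag:
    the image still renders, but something has been glued on that only
    a program expecting it there would ever read."""
    segments, eoi = walk_jpeg(data)
    listing = [(f"{m:02X}", off, ln) for m, off, ln in segments]
    if eoi is None:
        return {"valid": False, "reason": "no EOI marker",
                "trailing_bytes": 0, "segments": listing}
    trailing = len(data) - (eoi + 2)
    return {"valid": True, "eoi_offset": eoi,
            "trailing_bytes": trailing, "segments": listing}


def build_sample(payload: bytes) -> bytes:
    """Constructed minimal JPEG skeleton (not a decodable picture):
    SOI, APP0/JFIF, SOS header, a few bytes of fake scan data with a
    stuffed 0xFF00, EOI, then the given payload appended after EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos_hdr = b"\x01\x01\x00\x00\x3F\x00"
    jpeg = b"\xFF\xD8"
    jpeg += b"\xFF\xE0" + struct.pack(">H", len(app0) + 2) + app0
    jpeg += b"\xFF\xDA" + struct.pack(">H", len(sos_hdr) + 2) + sos_hdr
    jpeg += b"\x12\x34\xFF\x00\x56"       # scan data incl. a stuffed 0xFF
    jpeg += b"\xFF\xD9"
    return jpeg + payload


if __name__ == "__main__":
    clean = build_sample(b"")
    # constructed placeholder payload; real companion data would go here
    tampered = build_sample(b"HIDDEN-PAYLOAD-PLACEHOLDER")
    for name, blob in (("clean", clean), ("tampered", tampered)):
        print(name, inspect_jpeg(blob))
```

Run against a directory of images, a non-zero `trailing_bytes` is a cheap triage signal rather than proof of anything: some cameras and editors leave harmless trailers too, so the hit should be paired with what else is on the box (in this thread, the win32.exe companion). It also shows why a viewer is not endangered by looking at the file: the decoder stops at EOI and never touches the appended bytes.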