From: edgewalker on 23 Jun 2006 17:48

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:DVYmg.293$Tk.289(a)trnddc08...

[interesting, but snipped anyway]

My take on this is that the jpg's are indeed trojans, but only in the presence of the executable malware companion. That companion is the threat. The obfuscated code could be any filetype at all, and the code encrypted as well as steganogrified - then where are you? I don't think the industry would want to add technology to find hidden code when the hidden code can be so easily encrypted anyway. To stop a threat, cut off its head. Deal with the jpg's as part of the verification process (to get exact identification of the variant) and to help with cleanup. It doesn't need to produce an alert... any more than "Eddie lives... etc." does.
From: David H. Lipman on 23 Jun 2006 18:22

From: "edgewalker" <null(a)null.invalid>
|
| "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:DVYmg.293$Tk.289(a)trnddc08...
|
| [interesting, but snipped anyway]
|
| My take on this is that the jpg's are indeed trojans, but only in the presence
| of the executable malware companion. That companion is the threat. The
| obfuscated code could be any filetype at all and the code encrypted as well
| as steganogrified - then where are you. I don't think the industry would want
| to add technology to find hidden code when the hidden code can be so easily
| encrypted anyway. To stop a threat, cut off its head. Deal with the jpg's as
| part of the verification process (to get exact identification of variant) and to
| help with cleanup. It doesn't need to produce an alert.
|
| ...any more than "Eddie lives...etc... does
|

I agree. This goes back to the experimental demonstration infector called W32/PerRun -- http://vil.nai.com/vil/content/v_99522.htm -- about 4 years ago. While steganography was not mentioned in conjunction with this, I knew it would eventually be used. Here we are, 4 years later, and we have active Trojans using the technology. BTW, the source: the Russian Mob!

-- 
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
From: Dustin Cook on 23 Jun 2006 19:52

4Q wrote:
> Raidy, an exception to the rule maybe: Minders' .bmp IRC worm.
> His code was contained inside the .bmp file and looked like
> a little bit of random noise inside a viewer; however, his
> worm was also a weak SE trick and the picture contained a
> message asking the user to rename the .bmp to a .com.
> Then it operated as a normal wormoid.

How exactly is this a good example though? The user had to rename it to get it to execute. :) Art is suggesting the jpegs themselves should be detected and removed, because they pose a danger. I maintain that without win32.exe, they are harmless. I've acquired a sample of them, and I'm not sure if I will add them to bughunter or not... I'm really not keen on the idea of scanning jpegs...

> Bit lame as an ITW example, but hey, nice example of a hax0r
> thinking outside the box.

It's a very sad state if his ITW thing went anyplace.

-- 
Regards,
Dustin Cook
http://bughunter.atspace.org
From: GEO on 23 Jun 2006 22:14

On Fri, 23 Jun 2006 21:19:31 GMT, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

>| I'm puzzled that only two products alert on the JPEGS
>| even though many alert on the (apparently)
>| companion malware. I would think it important to
>| alert on the JPEGS as a warning to users to get rid
>| of them.
>
>Now on another batch...
>
>Symantec is calling the submitted JPEGs -- Trojan.Frogexer!gen.
>

The latest version of Bagle was formed by two files inside the ZIP file, one an EXE and one a DLL. Looking at the DLL with Notepad, I noticed that it was nothing but ASCII characters: 'ucrjsyfzimaepnc.....'

Geo
From: James Egan on 24 Jun 2006 02:52

On Thu, 22 Jun 2006 22:51:00 GMT, Art <null(a)zilch.com> wrote:

>I'm puzzled that only two products alert on the JPEGS
>even though many alert on the (apparently)
>companion malware. I would think it important to
>alert on the JPEGS as a warning to users to get rid
>of them.

Seems like a lot of effort for very little gain to me. There are too many proprietary steganography techniques to cover to make it a worthwhile venture, given that the likelihood of the hidden malware ever being executed is close to zero.

If it's created by a joke steganography program like Data Stash, which purports to use Blowfish encryption but in fact just stores the hidden file as a plain zip appended at the end, then it might cause a few scanners to alert regardless of any steganography functionality.

Jim.
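For the case Jim describes, a hidden file stored as a plain zip appended after the image, here is an added example (not from Data Stash, from any poster, or from any scanner) of the check a scanner would actually perform: walk the JPEG marker segments to the EOI marker, treat everything after it as trailing data, classify that by file signature and, when it is a zip, list the entry names from the central directory without extracting anything. The JPEG and the zip are constructed inline; the entry name hidden.txt is a placeholder.

```python
import io
import struct
import zipfile

STANDALONE = {0xD8, 0x01} | set(range(0xD0, 0xD8))   # SOI, TEM, RST0-7 carry no length field
TRAILER_SIGNATURES = (
    (b"PK\x03\x04", "zip archive"),
    (b"PK\x05\x06", "empty zip archive"),
    (b"Rar!\x1a\x07", "rar archive"),
    (b"7z\xbc\xaf\x27\x1c", "7-zip archive"),
    (b"MZ", "DOS/PE executable"),
)


def find_eoi(data: bytes) -> int:
    """Walk the JPEG marker segments and return the offset just past the EOI (FFD9) marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                 # EOI
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (seglen,) = struct.unpack_from(">H", data, pos + 2)   # length includes its own two bytes
        pos += 2 + seglen
        if marker == 0xDA:                 # SOS: entropy-coded data runs until the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                  # FF00 is byte stuffing, FFD0-FFD7 are restart markers
                pos += 1
    raise ValueError("no EOI marker found")


def split_jpeg(data: bytes) -> tuple[bytes, bytes]:
    """Return (image bytes up to and including EOI, whatever was appended after it)."""
    end = find_eoi(data)
    return data[:end], data[end:]


def classify_trailer(trailer: bytes) -> str:
    if not trailer:
        return "no trailing data"
    for sig, label in TRAILER_SIGNATURES:
        if trailer.startswith(sig):
            return label
    return f"unknown trailing data ({len(trailer)} bytes)"


def zip_entry_names(blob: bytes) -> list[str]:
    """List entry names from the central directory of a zip starting at blob[0]; nothing is decompressed."""
    eocd = blob.rfind(b"PK\x05\x06")
    if eocd < 0:
        return []
    _, _, _, _, total, _, cd_offset, _ = struct.unpack_from("<IHHHHIIH", blob, eocd)
    names, pos = [], cd_offset
    for _ in range(total):
        if blob[pos:pos + 4] != b"PK\x01\x02":
            break
        fields = struct.unpack_from("<I6H3I5H2I", blob, pos)   # 46-byte central directory header
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        names.append(blob[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG-shaped byte string: SOI, APP0, SOS with stuffed/RST bytes, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56\x78"   # contains FF00 stuffing and an RST0 marker
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


def build_sample_zip() -> bytes:
    """Constructed stored zip holding a harmless text entry, standing in for the appended file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("hidden.txt", b"constructed placeholder, not a payload")
    return buf.getvalue()


if __name__ == "__main__":
    carrier = build_sample_jpeg() + build_sample_zip()
    image, trailer = split_jpeg(carrier)
    print(f"image ends at {len(image)}, {len(trailer)} bytes appended: {classify_trailer(trailer)}")
    print("entries:", zip_entry_names(trailer))
```

Trailing bytes after EOI are a triage signal rather than a verdict: benign files carry them too (padding, a second embedded image written by some camera firmware), so the interesting result is a trailer that parses as an archive or an executable, not the mere presence of extra bytes. Parsing the central directory rather than the first local header also catches archives whose local headers use data descriptors, where the sizes in the local header are zero.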