From: Art on 22 Jun 2006 18:51

Regulars here are aware that steganography is a technique of embedding malicious code in picture image files (and other files). Such files are themselves harmless since they require companion active malware to run the embedded code.

The subject sample came in a zip of four files, three JPEGs and a file named WIN32.EXE. Here's the VirusTotal result for the WIN32.EXE file:

***********************************
AntiVir          TR/Crypt.F.Gen
Authentium       no virus found
Avast            no virus found
AVG              no virus found
BitDefender      Trojan.Downloader.Small.AMA
CAT-QuickHeal    no virus found
ClamAV           no virus found
DrWeb            Trojan.DownLoader.9540
eTrust-Inoculat  no virus found
eTrust-Vet       Win32/Vxidl!generic
Ewido            Downloader.Tibs.eo
Fortinet         no virus found
F-Prot           no virus found
Ikarus           no virus found
Kaspersky        Trojan-Downloader.Win32.Tibs.eo
McAfee 4791      Generic Downloader
Microsoft        no virus found
NOD32v2          probably a variant of Win32/TrojanDownloader.Small.AWA
Norman           no virus found
Panda            Adware/Adsmart
Sophos           no virus found
Symantec         Trojan.Galapoper.A
TheHacker        no virus found
UNA              no virus found
VBA32            Trojan.DownLoader.9540
VirusBuster      no virus found
************************************

Only BitDefender and Symantec alerted on the JPEGs. BitDefender found Trojan.HideFrog.A in all three (they are images of a frog :))

Symantec alerted as follows:
NT1.JPG  W32.Looksky!gen
NT2.JPG  Trojan.Desktophijack.B
NT3.JPG  Trojan.Jupillites

I'm puzzled that only two products alert on the JPEGs even though many alert on the (apparently) companion malware. I would think it important to alert on the JPEGs as a warning to users to get rid of them.

I'm also puzzled/curious about the Symantec alerts.

Here's a McAfee blog with some info on this malware set:

http://www.avertlabs.com/research/blog/?p=36

BTW, while McAfee alerts on WIN32.EXE as Generic Downloader, it does not alert on the JPEGs.

Art
http://home.epix.net/~artnpeg
From: Ian Kenefick on 22 Jun 2006 20:41

On Thu, 22 Jun 2006 22:51:00 GMT, Art <null(a)zilch.com> wrote:

>Only Bit Defender and Symantec alerted on the JPEGS.
>Bit Defender found Trojan.HideFrog.A in all three
>(they are images of a frog :))
>
>Symantec alerted as follows:
>NT1.JPG W32.Looksky!gen
>NT2.JPG Trojan.Desktophijack.B
>NT3.JPG Trojan.Jupillites
>
>I'm puzzled that only two products alert on the JPEGS
>even though many alert on the (apparently)
>companion malware. I would think it important to
>alert on the JPEGS as a warning to users to get rid
>of them.
>
>I'm also puzzled/curious about the Symantec
>alerts.
>
>Here's a McAfee blog with some info on this
>malware set:
>
>http://www.avertlabs.com/research/blog/?p=36
>
>BTW, while McAfee alerts on WIN32.EXE as Generic
>Downloader, it does not alert on the JPEGS.

It was interesting in McAfee's analysis. He mentions that some analysts would skip over the jpegs thinking they were benign jpegs and not taking them into consideration in the overall analysis. Of course... dynamic analysis would show their true functionality. You wonder how much of this stuff does get 'missed' by virus analysts.

--
Regards,
Ian Kenefick
http://www.IK-CS.com
Error: Keyboard not attached. Press F1 to continue.
From: Art on 22 Jun 2006 21:02

On Fri, 23 Jun 2006 01:41:30 +0100, Ian Kenefick <ian_kenefick(a)eircom.net> wrote:

>It was interesting in McAfee's analysis. He mentions that some
>analysts would skip over the jpegs thinking they were benign jpegs and
>not taking them into consideration in the overall analysis. Of
>course... dynamic analysis would show their true functionality. You
>wonder how much of this stuff does get 'missed' by virus analysts.

I've sent the JPEGs to Kaspersky asking why KAV doesn't alert. Depending on the analyst, I might get a good answer. Sometimes Eugene himself is the analyst, and if I'm lucky I'll hit paydirt :)

Art
http://home.epix.net/~artnpeg
From: kurt wismer on 22 Jun 2006 23:45

Art wrote:
> Regulars here are aware that steganography is a technique
> of embedding malicious code in picture image files (and other
> files).

minor quibble - steganography is a technique for hiding messages in other things, it's not just for hiding malware...

[snip]

> I'm puzzled that only two products alert on the JPEGS
> even though many alert on the (apparently)
> companion malware. I would think it important to
> alert on the JPEGS as a warning to users to get rid
> of them.

think of it as being analogous to the issue of scanning inside of various types of archives (which i know you're already quite familiar with)... ultimately the jpegs are just acting as a kind of container... how good are av apps at scanning inside containers in general and exotic (i.e. non-zip/rar/arj) containers in particular? i seem to recall you saying something about problems unpacking installation files even (and one wouldn't normally consider those to be 'exotic')...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
From: Art on 23 Jun 2006 08:05
On Thu, 22 Jun 2006 23:45:58 -0400, kurt wismer <kurtw(a)sympatico.ca> wrote:

>Art wrote:
>> Regulars here are aware that steganography is a technique
>> of embedding malicious code in picture image files (and other
>> files).
>
>minor quibble - steganography is a technique for hiding messages in
>other things, it's not just for hiding malware...

To paraphrase Winston Churchill, "Such errant pedantry up with I shall not put!". Obviously if malicious code can be embedded in certain files, any code can be embedded.

Art
http://home.epix.net/~artnpeg
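As an added, defender-side illustration of kurt's point that the JPEGs are acting as a container the scanner has to look inside (example code written for this thread, not from any poster, AV product, or the McAfee write-up): the check below walks a JPEG's marker segments and reports any data sitting after the EOI marker, together with any known file signatures inside that trailer. It assumes one common embedding method, a payload appended after EOI; the thread does not say how these particular samples carried their code, so a payload hidden in the image data itself would need a different check. The sample JPEG is constructed inline.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
# Signatures worth flagging if they turn up in data hidden behind the EOI marker
TRAILER_SIGNATURES = {b"MZ": "PE executable header", b"PK\x03\x04": "ZIP archive header"}

def jpeg_trailer(data: bytes) -> bytes:
    """Walk the JPEG marker segments and return whatever follows the EOI marker."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte preceding a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI: everything after it is trailer data
            return data[pos + 2:]
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                  # standalone markers carry no length field
            continue
        if pos + 4 > len(data):
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + length
        if marker == 0xDA:            # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return b""                        # truncated file: no EOI reached

def inspect_jpeg(data: bytes) -> list:
    """Report trailer bytes and any known file signatures found inside them."""
    trailer = jpeg_trailer(data)
    if not trailer:
        return []
    findings = [f"{len(trailer)} bytes after EOI"]
    findings += [name for sig, name in TRAILER_SIGNATURES.items() if sig in trailer]
    return findings

def minimal_jpeg() -> bytes:
    """Constructed sample: SOI, a JFIF APP0 segment, a tiny SOS segment, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56"
    return SOI + app0 + sos + EOI
```

A clean file yields no findings; the same file with a few bytes appended after EOI is reported with the trailer length and, if present, the signature of what was appended.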