A Steganography sample malware

Art
22nd Jun 2006
Regulars here are aware that steganography is a technique
of embedding malicious code in picture image files (and other
files). Such files are themselves harmless since they require
companion active malware to run the embedded code.

The subject sample came in a zip of four files, three JPEGS
and a file named WIN32.EXE. Here's the Virus Total result
for the WIN32.EXE file:
***********************************
AntiVir TR/Crypt.F.Gen
Authentium no virus found
Avast no virus found
AVG no virus found
BitDefender Trojan.Downloader.Small.AMA
CAT-QuickHeal no virus found
ClamAV no virus found
DrWeb Trojan.DownLoader.9540
eTrust-Inoculat no virus found
eTrust-Vet Win32/Vxidl!generic
Ewido Downloader.Tibs.eo
Fortinet no virus found
F-Prot no virus found
Ikarus no virus found
Kaspersky Trojan-Downloader.Win32.Tibs.eo
McAfee 4791 Generic Downloader
Microsoft no virus found
NOD32v2 probably a variant of Win32/TrojanDownloader.Small.AWA
Norman no virus found
Panda Adware/Adsmart
Sophos no virus found
Symantec Trojan.Galapoper.A
TheHacker no virus found
UNA no virus found
VBA32 Trojan.DownLoader.9540
VirusBuster no virus found
************************************
Only Bit Defender and Symantec alerted on the JPEGS.
Bit Defender found Trojan.HideFrog.A in all three
(they are images of a frog)

Symantec alerted as follows:
NT1.JPG W32.Looksky!gen
NT2.JPG Trojan.Desktophijack.B
NT3.JPG Trojan.Jupillites

I'm puzzled that only two products alert on the JPEGS
even though many alert on the (apparently)
companion malware. I would think it important to
alert on the JPEGS as a warning to users to get rid
of them.

I'm also puzzled/curious about the Symantec
alerts.

Here's a McAfee blog with some info on this
malware set:

http://www.avertlabs.com/research/blog/?p=36

BTW, while McAfee alerts on WIN32.EXE as Generic
Downloader, it does not alert on the JPEGS.

Art
http://home.epix.net/~artnpeg

Ian Kenefick
23rd Jun 2006
On Thu, 22 Jun 2006 22:51:00 GMT, Art <(E-Mail Removed)> wrote:

>Only Bit Defender and Symantec alerted on the JPEGS.
>Bit Defender found Trojan.HideFrog.A in all three
>(they are images of a frog )
>
>Symantec alerted as follows:
>NT1.JPG W32.Looksky!gen
>NT2.JPG Trojan.Desktophijack.B
>NT3.JPG Trojan.Jupillites
>
>I'm puzzled that only two products alert on the JPEGS
>even though many alert on the (apparently)
>companion malware. I would think it important to
>alert on the JPEGS as a warning to users to get rid
>of them.
>
>I'm also puzzled/curious about the Symantec
>alerts.
>
>Here's a McAfee blog with some info on this
>malware set:
>
>http://www.avertlabs.com/research/blog/?p=36
>
>BTW, while McAfee alerts on WIN32.EXE as Generic
>Downloader, it does not alert on the JPEGS.


It was interesting in McAfee's analysis. He mentions that some
analysts would skip over the jpegs thinking they were benign jpegs and
not taking them into consideration in the overall analysis. Of
course... dynamic analysis would show their true functionality. You
wonder how much of this stuff does get 'missed' by virus analysts.

--
Regards, Ian Kenefick
http://www.IK-CS.com
Error: Keyboard not attached. Press F1 to continue.

Art
23rd Jun 2006
On Fri, 23 Jun 2006 01:41:30 +0100, Ian Kenefick
<(E-Mail Removed)> wrote:

>It was interesting in McAfee's analysis. He mentions that some
>analysts would skip over the jpegs thinking they were benign jpegs and
>not taking them into consideration in the overall analysis. Of
>course... dynamic analysis would show their true functionality. You
>wonder how much of this stuff does get 'missed' by virus analysts.


I've sent the JPEGs to Kaspersky asking why KAV doesn't alert.
Depending on the analyst, I might get a good answer. Sometimes
Eugene himself is the analyst, and if I'm lucky I'll hit paydirt.

Art
http://home.epix.net/~artnpeg

kurt wismer
23rd Jun 2006
Art wrote:
> Regulars here are aware that steganography is a technique
> of embedding malicious code in picture image files (and other
> files).


minor quibble - steganography is a technique for hiding messages in
other things, it's not just for hiding malware...

[snip]
> I'm puzzled that only two products alert on the JPEGS
> even though many alert on the (apparently)
> companion malware. I would think it important to
> alert on the JPEGS as a warning to users to get rid
> of them.


think of it as being analogous to the issue of scanning inside of
various types of archives (which i know you're already quite familiar
with)... ultimately the jpegs are just acting as a kind of container...
how good are av apps at scanning inside containers in general and exotic
(ie. non-zip/rar/arj) containers in particular? i seem to recall you
saying something about problems unpacking installation files even (and
one wouldn't normally consider those to be 'exotic')...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Art
23rd Jun 2006
On Thu, 22 Jun 2006 23:45:58 -0400, kurt wismer <(E-Mail Removed)>
wrote:

>Art wrote:
>> Regulars here are aware that steganography is a technique
>> of embedding malicious code in picture image files (and other
>> files).

>
>minor quibble - steganography is a technique for hiding messages in
>other things, it's not just for hiding malware...


To paraphrase Winston Churchill, "Such errant pedantry up with I shall
not put!". Obviously if malicious code can be embedded in certain
files, any code can be embedded.

Art
http://home.epix.net/~artnpeg

Art
23rd Jun 2006
On Thu, 22 Jun 2006 23:45:58 -0400, kurt wismer <(E-Mail Removed)>
wrote:

>> I'm puzzled that only two products alert on the JPEGS
>> even though many alert on the (apparently)
>> companion malware. I would think it important to
>> alert on the JPEGS as a warning to users to get rid
>> of them.

>
>think of it as being analogous to the issue of scanning inside of
>various types of archives (which i know you're already quite familiar
>with)... ultimately the jpegs are just acting as a kind of container...
>how good are av apps at scanning inside containers in general and exotic
>(ie. non-zip/rar/arj) containers in particular? i seem to recall you
>saying something about problems unpacking installation files even (and
>one wouldn't normally consider those to be 'exotic')...


Here's a snippet from the blog I referenced where the author responds
to a comment by "Mike":
*******************************************************
And basic X-raying is all that's required to decrypt these files, for
now anyway.
*******************************************************
Now, I dunno what he means by "basic X-raying" but he makes it
sound as if the decryption in this particular case is straightforward.
Whether he means in a lab only or in a scanner is a question.
Anyway, that's partially why I'm surprised that Kaspersky in
particular isn't alerting. They seem to never shy away from difficult
"unravelling" and "scanning within" all kinds of files. Plus the fact
that it _appears_ that Symantec is effectively decrypting,
and Bit Defender _may_ also be decrypting. As of this moment, I
haven't yet heard back from a Kaspersky analyst. I'm hoping
their response will shed light on my questions.

Art
http://home.epix.net/~artnpeg

Dustin Cook
23rd Jun 2006

Art wrote:

> I'm puzzled that only two products alert on the JPEGS
> even though many alert on the (apparently)
> companion malware. I would think it important to
> alert on the JPEGS as a warning to users to get rid
> of them.


The code contained inside the jpegs isn't functional without something
to read it, win32.exe. Otherwise, the jpegs are a picture of a frog,
with hidden code. Code only readable by software that already knows
it's there. I don't think picture viewer will do anything bad if you
decide to look at one.

You could steganography a .gif, .bmp, almost anything that doesn't have
crc checks and/or a hashing table. The catch tho is, your code likely
isn't operational on its own. A 3rd party will need to come read, and
put you back together in order to run.

> I'm also puzzled/curious about the Symantec
> alerts.
>
> Here's a McAfee blog with some info on this
> malware set:
>
> http://www.avertlabs.com/research/blog/?p=36
>
> BTW, while McAfee alerts on WIN32.EXE as Generic
> Downloader, it does not alert on the JPEGS.


I believe BugHunter also picks up win32.exe, but it doesn't alarm on
the jpegs either. And it's not going to....

--
Regards,
Dustin Cook
http://bughunter.atspace.org

Art
23rd Jun 2006
On 23 Jun 2006 08:11:24 -0700, "Dustin Cook"
<(E-Mail Removed)> wrote:

>> I'm puzzled that only two products alert on the JPEGS
>> even though many alert on the (apparently)
>> companion malware. I would think it important to
>> alert on the JPEGS as a warning to users to get rid
>> of them.

>
>The code contained inside the jpegs isn't functional without something
>to read it, win32.exe. Otherwise, the jpegs are a picture of a frog,
>with hidden code. Code only readable by software that already knows
>it's there. I don't think picture viewer will do anything bad if you
>decide to look at one.


Of course it doesn't but that's beside the point.

>You could steganography a .gif, .bmp, almost anything that doesn't have
>crc checks and/or a hashing table. The catch tho is, your code likely
>isn't operational on its own. A 3rd party will need to come read, and
>put you back together in order to run.


Yep, and that's exactly why I think the .JPGs should be detected.

>> I'm also puzzled/curious about the Symantec
>> alerts.
>>
>> Here's a McAfee blog with some info on this
>> malware set:
>>
>> http://www.avertlabs.com/research/blog/?p=36
>>
>> BTW, while McAfee alerts on WIN32.EXE as Generic
>> Downloader, it does not alert on the JPEGS.

>
>I believe BugHunter also picks up win32.exe, but it doesn't alarm on
>the jpegs either. And it's not going to....


Too bad. It would be a useful detection IMO.

Art
http://home.epix.net/~artnpeg

Dustin Cook
23rd Jun 2006

Art wrote:

> Of course it doesn't but that's beside the point.


I'm lost then.
Steganography is the art and science of writing hidden messages in such
a way that no one apart from the intended recipient knows of the
existence of the message; this is in contrast to cryptography, where
the existence of the message itself is not disguised, but the content
is obscured.

> Yep, and that's exactly why I think the .JPGs should be detected.


Ehm... You do realize the growing possibility of false alarms if we
have antivirus/malware products trying to guess if something has a
hidden bit of code in a jpeg right?

That's a lot of signatures.

> Too bad. It would be a useful detection IMO.


I would tend to disagree...

--
Regards,
Dustin Cook
http://bughunter.atspace.org
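
Kurt's point about JPEGs acting as containers and Dustin's worry about false alarms come down to the same question: what can a scanner check structurally, without guessing? Below is an added example (mine, not code from any poster or from the McAfee blog) that walks a JPEG's marker segments and reports data appended after the EOI marker or oversized APPn/COM segments; these are triage findings for an analyst, not proof of hidden code, since some legitimate files also carry trailing data. The sample bytes are constructed and not a decodable image, and the 4096-byte threshold is an arbitrary assumption.

```python
import struct

EOI, SOS = 0xD9, 0xDA
NO_LENGTH = {0x01} | set(range(0xD0, 0xD8))  # TEM and RST0..RST7 have no length field
METADATA = set(range(0xE0, 0xF0)) | {0xFE}   # APP0..APP15 and COM: free-form payloads

def walk_jpeg(data, big_segment=4096):
    """Walk a JPEG's marker segments. Returns (segments, findings): segments is
    [(marker, payload_len)], findings lists structural anomalies worth a closer look."""
    segments, findings = [], []
    if data[:2] != b"\xff\xd8":
        return segments, ["no SOI marker: not a JPEG"]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return segments, findings + [f"non-marker byte at offset {pos}"]
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte, skip it
            pos += 1
            continue
        if marker == EOI:
            trailing = len(data) - (pos + 2)     # anything past EOI is not image data
            if trailing:
                findings.append(f"{trailing} bytes appended after EOI")
            return segments, findings
        if marker in NO_LENGTH:
            segments.append((marker, 0))
            pos += 2
            continue
        if pos + 4 > len(data):
            return segments, findings + ["truncated segment header"]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segments.append((marker, length - 2))
        if marker in METADATA and length - 2 > big_segment:   # 4096 is an assumed threshold
            findings.append(f"oversized metadata segment 0x{marker:02X} ({length - 2} bytes)")
        pos += 2 + length
        if marker == SOS:   # entropy-coded data follows; 0xFF00 and RSTn are not markers
            while pos + 1 < len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] not in (0x00, *range(0xD0, 0xD8))):
                pos += 1
    return segments, findings + ["no EOI marker: truncated file"]

# Constructed stand-in for a JPEG (not a decodable image): SOI, JFIF APP0, SOS, EOI.
CLEAN = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
         + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
         + b"\x12\x34\xff\x00\x56\xff\xd0\x78\xff\xd9")
STUFFED = CLEAN + b"PAYLOAD" * 20   # constructed: 140 bytes stapled on after EOI
```

Run `walk_jpeg(CLEAN)` and `walk_jpeg(STUFFED)` to compare: the first returns no findings, the second reports the appended bytes. Whether such bytes are a camera's thumbnail or a downloader's payload is the judgement call Dustin is pointing at, which is why this reports rather than convicts.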

Art
23rd Jun 2006
On 23 Jun 2006 10:06:24 -0700, "Dustin Cook"
<(E-Mail Removed)> wrote:

>
>Art wrote:
>
>> Of course it doesn't but that's beside the point.

>
>I'm lost then.
>Steganography is the art and science of writing hidden messages in such
>a way that no one apart from the intended recipient knows of the
>existence of the message; this is in contrast to cryptography, where
>the existence of the message itself is not disguised, but the content
>is obscured.


In this case they use JPG steganography to hide malicious code in
JPGs. Companion malware is required to decrypt and run the malicious
code.

>Ehm... You do realize the growing possibility of false alarms if we
>have antivirus/malware products trying to guess if something has a
>hidden bit of code in a jpeg right?


I don't know that av have to "guess" (use heuristics only). It doesn't
appear that Symantec is detecting heuristically since it gives exact
IDs (and different ones) on three different JPG files.

>That's alot of signatures.


Hell, signatures are ballooning outa sight anyway. What's a few
more?

>> Too bad. It would be a useful detection IMO.

>
>I would tend to disagree...


I'd say informing the user of the infested JPG which might be
used by the companion malware at any point is important. I'd
say it's more important than wasting sigs as some do on
commercial sw which might be used for nefarious purposes.
I'd go so far as to say it's more important than flagging
harmless adware that's merely annoying. After all, we're
talking here about some nasty downloader Trojans.

Art
http://home.epix.net/~artnpeg