A Steganography sample malware

Discussion in 'Anti-Virus' started by Art, Jun 22, 2006.

  1. Art

    Art Guest

    Regulars here are aware that steganography is a technique
    of embedding malicious code in picture image files (and other
    files). Such files are themselves harmless since they require
    companion active malware to run the embedded code.

    The subject sample came in a zip of four files, three JPEGS
    and a file named WIN32.EXE. Here's the Virus Total result
    for the WIN32.EXE file:
    ***********************************
    AntiVir TR/Crypt.F.Gen
    Authentium no virus found
    Avast no virus found
    AVG no virus found
    BitDefender Trojan.Downloader.Small.AMA
    CAT-QuickHeal no virus found
    ClamAV no virus found
    DrWeb Trojan.DownLoader.9540
    eTrust-Inoculat no virus found
    eTrust-Vet Win32/Vxidl!generic
    Ewido Downloader.Tibs.eo
    Fortinet no virus found
    F-Prot no virus found
    Ikarus no virus found
    Kaspersky Trojan-Downloader.Win32.Tibs.eo
    McAfee 4791 Generic Downloader
    Microsoft no virus found
    NOD32v2 probably a variant of Win32/TrojanDownloader.Small.AWA
    Norman no virus found
    Panda Adware/Adsmart
    Sophos no virus found
    Symantec Trojan.Galapoper.A
    TheHacker no virus found
    UNA no virus found
    VBA32 Trojan.DownLoader.9540
    VirusBuster no virus found
    ************************************
    Only Bit Defender and Symantec alerted on the JPEGS.
    Bit Defender found Trojan.HideFrog.A in all three
    (they are images of a frog :))

    Symantec alerted as follows:
    NT1.JPG W32.Looksky!gen
    NT2.JPG Trojan.Desktophijack.B
    NT3.JPG Trojan.Jupillites

    I'm puzzled that only two products alert on the JPEGS
    even though many alert on the (apparently)
    companion malware. I would think it important to
    alert on the JPEGS as a warning to users to get rid
    of them.

    I'm also puzzled/curious about the Symantec
    alerts.

    Here's a McAfee blog with some info on this
    malware set:

    http://www.avertlabs.com/research/blog/?p=36

    BTW, while McAfee alerts on WIN32.EXE as Generic
    Downloader, it does not alert on the JPEGS.

    Art
    http://home.epix.net/~artnpeg
     
    Art, Jun 22, 2006
    #1

  2. Art

    Ian Kenefick Guest

    On Thu, 22 Jun 2006 22:51:00 GMT, Art <> wrote:

    >Only Bit Defender and Symantec alerted on the JPEGS.
    >Bit Defender found Trojan.HideFrog.A in all three
    >(they are images of a frog :))
    >
    >Symantec alerted as follows:
    >NT1.JPG W32.Looksky!gen
    >NT2.JPG Trojan.Desktophijack.B
    >NT3.JPG Trojan.Jupillites
    >
    >I'm puzzled that only two products alert on the JPEGS
    >even though many alert on the (apparently)
    >companion malware. I would think it important to
    >alert on the JPEGS as a warning to users to get rid
    >of them.
    >
    >I'm also puzzled/curious about the Symantec
    >alerts.
    >
    >Here's a McAfee blog with some info on this
    >malware set:
    >
    >http://www.avertlabs.com/research/blog/?p=36
    >
    >BTW, while McAfee alerts on WIN32.EXE as Generic
    >Downloader, it does not alert on the JPEGS.


    It was interesting in McAfee's analysis. He mentions that some
    analysts would skip over the jpegs thinking they were benign jpegs and
    not taking them into consideration in the overall analysis. Of
    course... dynamic analysis would show their true functionality. You
    wonder how much of this stuff does get 'missed' by virus analysts.

    --
    Regards, Ian Kenefick
    http://www.IK-CS.com
    Error: Keyboard not attached. Press F1 to continue.
     
    Ian Kenefick, Jun 23, 2006
    #2

  3. Art

    Art Guest

    On Fri, 23 Jun 2006 01:41:30 +0100, Ian Kenefick
    <> wrote:

    >It was interesting in McAfee's analysis. He mentions that some
    >analysts would skip over the jpegs thinking they were benign jpegs and
    >not taking them into consideration in the overall analysis. Of
    >course... dynamic analysis would show their true functionality. You
    >wonder how much of this stuff does get 'missed' by virus analysts.


    I've sent the JPEGs to Kaspersky asking why KAV doesn't alert.
    Depending on the analyst, I might get a good answer. Sometimes
    Eugene himself is the analyst, and if I'm lucky I'll hit paydirt :)

    Art
    http://home.epix.net/~artnpeg
     
    Art, Jun 23, 2006
    #3
  4. Art

    kurt wismer Guest

    Art wrote:
    > Regulars here are aware that steganography is a technique
    > of embedding malicious code in picture image files (and other
    > files).


    minor quibble - steganography is a technique for hiding messages in
    other things, it's not just for hiding malware...

    [snip]
    > I'm puzzled that only two products alert on the JPEGS
    > even though many alert on the (apparently)
    > companion malware. I would think it important to
    > alert on the JPEGS as a warning to users to get rid
    > of them.


    think of it as being analogous to the issue of scanning inside of
    various types of archives (which i know you're already quite familiar
    with)... ultimately the jpegs are just acting as a kind of container...
    how good are av apps at scanning inside containers in general and exotic
    (ie. non-zip/rar/arj) containers in particular? i seem to recall you
    saying something about problems unpacking installation files even (and
    one wouldn't normally consider those to be 'exotic')...

    --
    "it's not the right time to be sober
    now the idiots have taken over
    spreading like a social cancer,
    is there an answer?"
     
    kurt wismer, Jun 23, 2006
    #4
  5. Art

    Art Guest

    On Thu, 22 Jun 2006 23:45:58 -0400, kurt wismer <>
    wrote:

    >Art wrote:
    >> Regulars here are aware that steganography is a technique
    >> of embedding malicious code in picture image files (and other
    >> files).

    >
    >minor quibble - steganography is a technique for hiding messages in
    >other things, it's not just for hiding malware...


    To paraphrase Winston Churchill, "Such errant pedantry up with I shall
    not put!". Obviously if malicious code can be embedded in certain
    files, any code can be embedded.

    Art
    http://home.epix.net/~artnpeg
     
    Art, Jun 23, 2006
    #5
  6. Art

    Art Guest

    On Thu, 22 Jun 2006 23:45:58 -0400, kurt wismer <>
    wrote:

    >> I'm puzzled that only two products alert on the JPEGS
    >> even though many alert on the (apparently)
    >> companion malware. I would think it important to
    >> alert on the JPEGS as a warning to users to get rid
    >> of them.

    >
    >think of it as being analogous to the issue of scanning inside of
    >various types of archives (which i know you're already quite familiar
    >with)... ultimately the jpegs are just acting as a kind of container...
    >how good are av apps at scanning inside containers in general and exotic
    >(ie. non-zip/rar/arj) containers in particular? i seem to recall you
    >saying something about problems unpacking installation files even (and
    >one wouldn't normally consider those to be 'exotic')...


    Here's a snippet from the blog I referenced where the author responds
    to a comment by "Mike":
    *******************************************************
    And basic X-raying is all that’s required to decrypt these files, for
    now anyway.
    *******************************************************
    Now, I dunno what he means by "basic X-raying" but he makes it
    sound as if the decryption in this particular case is straightforward.
    Whether he means in a lab only or in a scanner is a question.
    Anyway, that's partially why I'm surprised that Kaspersky in
    particular isn't alerting. They seem to never shy away from difficult
    "unravelling" and "scanning within" all kinds of files. Plus the fact
    that it _appears_ that Symantec is effectively decrypting,
    and Bit Defender _may_ also be decrypting. As of this moment, I
    haven't yet heard back from a Kaspersky analyst. I'm hoping
    their response will shed light on my questions.

    Art
    http://home.epix.net/~artnpeg
     
    Art, Jun 23, 2006
    #6
  7. Art

    Dustin Cook Guest

    Art wrote:

    > I'm puzzled that only two products alert on the JPEGS
    > even though many alert on the (apparently)
    > companion malware. I would think it important to
    > alert on the JPEGS as a warning to users to get rid
    > of them.


    The code contained inside the jpegs isn't functional without something
    to read it, win32.exe. Otherwise, the jpegs are a picture of a frog,
    with hidden code. Code only readable by software that already knows
    it's there. I don't think picture viewer will do anything bad if you
    decide to look at one. :)

    You could steganography a .gif, .bmp, almost anything that doesn't have
    crc checks and/or a hashing table. The catch tho is, your code likely
    isn't operational on its own. A 3rd party will need to come read, and
    put you back together in order to run.

    > I'm also puzzled/curious about the Symantec
    > alerts.
    >
    > Here's a McAfee blog with some info on this
    > malware set:
    >
    > http://www.avertlabs.com/research/blog/?p=36
    >
    > BTW, while McAfee alerts on WIN32.EXE as Generic
    > Downloader, it does not alert on the JPEGS.


    I believe BugHunter also picks up win32.exe, but it doesn't alarm on
    the jpegs either. And it's not going to....

    --
    Regards,
    Dustin Cook
    http://bughunter.atspace.org
     
    Dustin Cook, Jun 23, 2006
    #7
  8. Art

    Art Guest

    On 23 Jun 2006 08:11:24 -0700, "Dustin Cook"
    <> wrote:

    >> I'm puzzled that only two products alert on the JPEGS
    >> even though many alert on the (apparently)
    >> companion malware. I would think it important to
    >> alert on the JPEGS as a warning to users to get rid
    >> of them.

    >
    >The code contained inside the jpegs isn't functional without something
    >to read it, win32.exe. Otherwise, the jpegs are a picture of a frog,
    >with hidden code. Code only readable by software that already knows
    >it's there. I don't think picture viewer will do anything bad if you
    >decide to look at one. :)


    Of course it doesn't but that's beside the point.

    >You could steganography a .gif, .bmp, almost anything that doesn't have
    >crc checks and/or a hashing table. The catch tho is, your code likely
    >isn't operational on its own. A 3rd party will need to come read, and
    >put you back together in order to run.


    Yep, and that's exactly why I think the .JPGs should be detected.

    >> I'm also puzzled/curious about the Symantec
    >> alerts.
    >>
    >> Here's a McAfee blog with some info on this
    >> malware set:
    >>
    >> http://www.avertlabs.com/research/blog/?p=36
    >>
    >> BTW, while McAfee alerts on WIN32.EXE as Generic
    >> Downloader, it does not alert on the JPEGS.

    >
    >I believe BugHunter also picks up win32.exe, but it doesn't alarm on
    >the jpegs either. And it's not going to....


    Too bad. It would be a useful detection IMO.

    Art
    http://home.epix.net/~artnpeg
     
    Art, Jun 23, 2006
    #8
  9. Art

    Dustin Cook Guest

    Art wrote:

    > Of course it doesn't but that's beside the point.


    I'm lost then.
    Steganography is the art and science of writing hidden messages in such
    a way that no one apart from the intended recipient knows of the
    existence of the message; this is in contrast to cryptography, where
    the existence of the message itself is not disguised, but the content
    is obscured.

    > Yep, and that's exactly why I think the .JPGs should be detected.


    Ehm... You do realize the growing possibility of false alarms if we
    have antivirus/malware products trying to guess if something has a
    hidden bit of code in a jpeg right?

    That's a lot of signatures. :)

    > Too bad. It would be a useful detection IMO.


    I would tend to disagree...

    --
    Regards,
    Dustin Cook
    http://bughunter.atspace.org
     
    Dustin Cook, Jun 23, 2006
    #9
  10. Art

    Art Guest

    On 23 Jun 2006 10:06:24 -0700, "Dustin Cook"
    <> wrote:

    >
    >Art wrote:
    >
    >> Of course it doesn't but that's beside the point.

    >
    >I'm lost then.
    >Steganography is the art and science of writing hidden messages in such
    >a way that no one apart from the intended recipient knows of the
    >existence of the message; this is in contrast to cryptography, where
    >the existence of the message itself is not disguised, but the content
    >is obscured.


    In this case they use JPG steganography to hide malicious code in
    JPGs. Companion malware is required to decrypt and run the malicious
    code.

    >Ehm... You do realize the growing possibility of false alarms if we
    >have antivirus/malware products trying to guess if something has a
    >hidden bit of code in a jpeg right?


    I don't know that av have to "guess" (use heuristics only). It doesn't
    appear that Symantec is detecting heuristically since it gives exact
    IDs (and different ones) on three different JPG files.

    >That's a lot of signatures. :)


    Hell, signatures are ballooning outta sight anyway :) What's a few
    more?

    >> Too bad. It would be a useful detection IMO.

    >
    >I would tend to disagree...


    I'd say informing the user of the infested JPG which might be
    used by the companion malware at any point is important. I'd
    say it's more important than wasting sigs as some do on
    commercial sw which might be used for nefarious purposes.
    I'd go so far as to say it's more important than flagging
    harmless adware that's merely annoying. After all, we're
    talking here about some nasty downloader Trojans.

    Art
    http://home.epix.net/~artnpeg
     
    Art, Jun 23, 2006
    #10
  11. Art

    Dustin Cook Guest

    Art wrote:

    > I don't know that av have to "guess" (use heuristics only). It doesn't
    > appear that Symantec is detecting heuristically since it gives exact
    > IDs (and different ones) on three different JPG files.


    Nah, you're right, they're using sigs. The malware isn't really keen on
    the process, IE: it's fixed, or appears to be.

    > Hell, signatures are ballooning outta sight anyway :) What's a few
    > more?


    How very true, and quite saddening. :)

    > I'd say informing the user of the infested JPG which might be
    > used by the companion malware at any point is important. I'd
    > say it's more important than wasting sigs as some do on
    > commercial sw which might be used for nefarious purposes.
    > I'd go so far as to say it's more important than flagging
    > harmless adware that's merely annoying. After all, we're
    > talking here about some nasty downloader Trojans.


    Fair enough Art, You've convinced me to hunt down the frog jpegs and
    add them to bughunter...Although, I still maintain they are harmless
    without win32.exe....

    ---
    Regards,
    Dustin Cook
    http://bughunter.atspace.org
     
    Dustin Cook, Jun 23, 2006
    #11
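    Three points in the thread so far invite a concrete illustration: kurt's remark that the JPEGs are "just acting as a kind of container", the McAfee blog's claim that "basic X-raying" is enough to decrypt the payload, and the Symantec-uses-exact-sigs versus heuristic-false-alarms exchange between Art and Dustin. The script below is an added example written for this page; it is not code from the thread, from McAfee, or from any scanner named here. It assumes, purely for illustration, that a carrier JPEG stores its hidden payload after the EOI marker and encodes it with a single-byte XOR; the thread never says how the frog JPEGs actually hide their code, and the sample JPEG and payload are constructed inline. The function names (`jpeg_trailing_data`, `xray_single_byte_xor`, `scan_jpeg`, `build_sample`) are the example's own.

```python
import hashlib
import struct

# JPEG marker grammar (ITU T.81): every segment starts with 0xFF <marker>;
# most carry a 2-byte big-endian length, a few (TEM, RSTn) carry none.
EOI, SOS = 0xD9, 0xDA
RST_MARKERS = set(range(0xD0, 0xD8))
STANDALONE = {0x01} | RST_MARKERS


def jpeg_trailing_data(data: bytes) -> bytes:
    """Walk the marker segments and return every byte that follows the EOI marker.
    A well-formed image ends at EOI, so a non-empty result means the file is being
    used as a container for something an image decoder never looks at."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return data[pos + 2:]
        if marker in STANDALONE:
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded scan data follows; inside it 0xFF is always stuffed
            # as FF 00 or is an RSTn marker, so any other marker ends the scan.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and nxt not in RST_MARKERS:
                    break
                pos += 1
    raise ValueError("EOI marker not found (truncated JPEG)")


def xray_single_byte_xor(blob: bytes, known: bytes = b"MZ") -> list:
    """Known-plaintext 'X-ray' against the simplest cipher: at each offset derive
    the one XOR key that maps the blob byte onto known[0], and keep the offset
    only if that same key also explains every remaining byte of `known`.
    Returns (offset, key) pairs; an empty list means no consistent key exists."""
    hits = []
    for off in range(len(blob) - len(known) + 1):
        key = blob[off] ^ known[0]
        if all((blob[off + i] ^ key) == known[i] for i in range(len(known))):
            hits.append((off, key))
    return hits


def scan_jpeg(data: bytes, known: bytes = b"MZ") -> dict:
    """Heuristic verdict plus the material an exact signature would be built from."""
    trailing = jpeg_trailing_data(data)
    hits = xray_single_byte_xor(trailing, known) if trailing else []
    decoded = None
    if hits:
        off, key = hits[0]
        decoded = bytes(b ^ key for b in trailing[off:])
    return {
        "trailing_bytes": len(trailing),
        "xray_hits": hits,
        # Hash of the recovered plaintext: what a per-file, exact-ID signature
        # would key on, as opposed to the heuristic "has trailing data" verdict.
        "payload_sha256": hashlib.sha256(decoded).hexdigest() if decoded else None,
        "suspicious": bool(hits),
    }


def build_sample(payload: bytes = b"") -> bytes:
    """Constructed minimal JPEG skeleton (SOI, APP0, SOS with a few entropy bytes
    including a stuffed FF 00, EOI) with an optional appended payload.
    It exercises the parser; it is not a decodable picture."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    entropy = b"\x12\x34\xff\x00\x56"
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos + entropy
            + b"\xff\xd9" + payload)


# Constructed stand-in for a hidden executable: an "MZ" header plus filler,
# XOR-encoded with one byte. (Assumption for illustration only; the thread does
# not say how the frog JPEGs encode their payload.)
SAMPLE_KEY = 0x5A
FAKE_PAYLOAD = b"MZ" + bytes(range(16))
ENCODED_PAYLOAD = bytes(b ^ SAMPLE_KEY for b in FAKE_PAYLOAD)
EXPECTED_PAYLOAD_SHA256 = hashlib.sha256(FAKE_PAYLOAD).hexdigest()
CLEAN_JPEG = build_sample()
CARRIER_JPEG = build_sample(ENCODED_PAYLOAD)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("carrier", CARRIER_JPEG)):
        print(name, scan_jpeg(blob))
```

    The two-byte known plaintext used here matches a random blob at roughly one offset in 256, which is exactly the false-alarm problem Dustin raises; a scanner that x-rays in earnest checks a longer known structure and then parses the recovered bytes before it believes the hit, while the hash of the recovered plaintext is what turns a heuristic into the kind of exact, per-file ID that Art observes from Symantec.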
  12. Art

    edgewalker Guest

    "Ian Kenefick" <> wrote in message news:...

    > It was interesting in McAfee's analysis. He mentions that some
    > analysts would skip over the jpegs thinking they were benign jpegs and
    > not taking them into consideration in the overall analysis. Of
    > course... dynamic analysis would show their true functionality. You
    > wonder how much of this stuff does get 'missed' by virus analysts.


    The only "threat" is the executable. The same old story as before regarding
    jpg viruses - something "else" has to be amiss. True, they should include it
    in the cleanup, but it is not really necessary.
     
    edgewalker, Jun 23, 2006
    #12
  13. Art

    edgewalker Guest

    "Art" <> wrote in message news:...
    > On Thu, 22 Jun 2006 23:45:58 -0400, kurt wismer <>
    > wrote:
    >
    > >Art wrote:
    > >> Regulars here are aware that steganography is a technique
    > >> of embedding malicious code in picture image files (and other
    > >> files).

    > >
    > >minor quibble - steganography is a technique for hiding messages in
    > >other things, it's not just for hiding malware...

    >
    > To paraphrase Winston Churchill, "Such errant pedantry up with I shall
    > not put!". Obviously if malicious code can be embedded in certain
    > files, any code can be embedded.


    What he's getting at is not only code but "information" gets embedded. Your
    statement sounded too much like a wrong definition of steganography.
     
    edgewalker, Jun 23, 2006
    #13
  14. Art

    Art Guest

    On 23 Jun 2006 12:42:39 -0700, "Dustin Cook"
    <> wrote:

    >Fair enough Art, You've convinced me to hunt down the frog jpegs and
    >add them to bughunter...


    No need to hunt. Just let me know if you want me to send
    them to you. And no, I'm not a malware spreader. I trust
    you aren't either any more :)

    >Although, I still maintain they are harmless
    >without win32.exe....


    Of course. Or some other suitable malware the mob in Russia
    is cranking out that also works with these particular JPG files.

    Art
    http://home.epix.net/~artnpeg
     
    Art, Jun 23, 2006
    #14
  15. Art

    4Q Guest

    Dustin Cook wrote:
    > Art wrote:
    >
    > > I'm puzzled that only two products alert on the JPEGS
    > > even though many alert on the (apparently)
    > > companion malware. I would think it important to
    > > alert on the JPEGS as a warning to users to get rid
    > > of them.

    >
    > The code contained inside the jpegs isn't functional without something
    > to read it, win32.exe. Otherwise, the jpegs are a picture of a frog,
    > with hidden code. Code only readable by software that already knows
    > it's there. I don't think picture viewer will do anything bad if you
    > decide to look at one. :)


    Raidy an exception to the rule maybe Minders .bmp IRC worm
    His code was contained inside the .bmp file and looked like
    a little bit of random noise inside a viewer, however his
    worm was also a weak SE trick and the picture contained a
    message asking the user to rename the .bmp to a .com
    Then it operated as a normal wormoid.

    Bit lame as an ITW example but hey nice example of a hax0r
    thinking outside the box.

    4Q
     
    4Q, Jun 23, 2006
    #15
  16. Art

    edgewalker Guest

    "Art" <> wrote in message news:...
    > On 23 Jun 2006 08:11:24 -0700, "Dustin Cook"
    > <> wrote:


    > >I believe BugHunter also picks up win32.exe, but it doesn't alarm on
    > >the jpegs either. And it's not going to....

    >
    > Too bad. It would be a useful detection IMO.


    Do you want to look in *everything* for *anything*? Think of the cost.
     
    edgewalker, Jun 23, 2006
    #16
  17. Art

    Art Guest

    On Fri, 23 Jun 2006 16:38:43 -0400, "edgewalker" <>
    wrote:

    >> >minor quibble - steganography is a technique for hiding messages in
    >> >other things, it's not just for hiding malware...

    >>
    >> To paraphrase Winston Churchill, "Such errant pedantry up with I shall
    >> not put!". Obviously if malicious code can be embedded in certain
    >> files, any code can be embedded.

    >
    >What he's getting at is not only code but "information" gets embedded. Your
    >statement sounded too much like a wrong definition of steganography.


    Woe to me :(

    Art :)
    http://home.epix.net/~artnpeg
     
    Art, Jun 23, 2006
    #17
  18. Art

    Art Guest

    On Fri, 23 Jun 2006 16:51:52 -0400, "edgewalker" <>
    wrote:

    >
    >"Art" <> wrote in message news:...
    >> On 23 Jun 2006 08:11:24 -0700, "Dustin Cook"
    >> <> wrote:

    >
    >> >I believe BugHunter also picks up win32.exe, but it doesn't alarm on
    >> >the jpegs either. And it's not going to....

    >>
    >> Too bad. It would be a useful detection IMO.

    >
    >Do you want to look in *everything* for *anything*? Think of the cost.


    See my reply to Dustin concerning that. Think of the cost of all the
    sigs nowadays for harmless adware, cookies, and controversialware.

    Art
    http://home.epix.net/~artnpeg
     
    Art, Jun 23, 2006
    #18
  19. From: "Art" <>

    | Regulars here are aware that steganography is a technique
    | of embedding malicious code in picture image files (and other
    | files). Such files are themselves harmless since they require
    | companion active malware to run the embedded code.

    | The subject sample came in a zip of four files, three JPEGS
    | and a file named WIN32.EXE. Here's the Virus Total result
    | for the WIN32.EXE file:
    | ***********************************
    | AntiVir TR/Crypt.F.Gen
    | Authentium no virus found
    | Avast no virus found
    | AVG no virus found
    | BitDefender Trojan.Downloader.Small.AMA
    | CAT-QuickHeal no virus found
    | ClamAV no virus found
    | DrWeb Trojan.DownLoader.9540
    | eTrust-Inoculat no virus found
    | eTrust-Vet Win32/Vxidl!generic
    | Ewido Downloader.Tibs.eo
    | Fortinet no virus found
    | F-Prot no virus found
    | Ikarus no virus found
    | Kaspersky Trojan-Downloader.Win32.Tibs.eo
    | McAfee 4791 Generic Downloader
    | Microsoft no virus found
    | NOD32v2 probably a variant of Win32/TrojanDownloader.Small.AWA
    | Norman no virus found
    | Panda Adware/Adsmart
    | Sophos no virus found
    | Symantec Trojan.Galapoper.A
    | TheHacker no virus found
    | UNA no virus found
    | VBA32 Trojan.DownLoader.9540
    | VirusBuster no virus found
    | ************************************
    | Only Bit Defender and Symantec alerted on the JPEGS.
    | Bit Defender found Trojan.HideFrog.A in all three
    | (they are images of a frog :))

    | Symantec alerted as follows:
    | NT1.JPG W32.Looksky!gen
    | NT2.JPG Trojan.Desktophijack.B
    | NT3.JPG Trojan.Jupillites

    | I'm puzzled that only two products alert on the JPEGS
    | even though many alert on the (apparently)
    | companion malware. I would think it important to
    | alert on the JPEGS as a warning to users to get rid
    | of them.

    | I'm also puzzled/curious about the Symantec
    | alerts.

    | Here's a McAfee blog with some info on this
    | malware set:

    | http://www.avertlabs.com/research/blog/?p=36

    | BTW, while McAfee alerts on WIN32.EXE as Generic
    | Downloader, it does not alert on the JPEGS.

    | Art
    | http://home.epix.net/~artnpeg

    Hi Art:

    I see a nice thread came from this :)

    I originally received from Symantec the following...

    We have analyzed your submission. The following is a report of our findings for each file
    you have submitted:

    filename: nt1.jpg
    machine: AVCAutomation:
    result: See the developer notes

    filename: nt2.jpg
    machine: AVCAutomation:
    result: See the developer notes

    filename: nt3.jpg
    machine: AVCAutomation:
    result: See the developer notes

    Developer notes:
    nt1.jpg is an image file that contains virus. You should delete this file.
    nt2.jpg is an image file that contains virus. You should delete this file.
    nt3.jpg is an image file that contains virus. You should delete this file.

    -----

    I was asking myself "What Virus" ? They didn't identify anything !

    Now on another batch...

    Symantec is calling the submitted JPEGs -- Trojan.Frogexer!gen.

    filename: proxy.jpg
    machine: AVCAutomation:
    result: This file is detected as Trojan.Frogexer!gen.

    filename: tibs.jpg
    machine: AVCAutomation:
    result: This file is detected as Trojan.Frogexer!gen.

    filename: jpg.jpg
    machine: AVCAutomation:
    result: This file is detected as Trojan.Frogexer!gen.

    filename: tool.jpg
    machine: AVCAutomation:
    result: This file is detected as Trojan.Frogexer!gen.

    filename: winlogon.jpg
    machine: AVCAutomation:
    result: This file is detected as Trojan.Frogexer!gen.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Jun 23, 2006
    #19
  20. Art

    edgewalker Guest

    "Art" <> wrote in message news:...

    > Now, I dunno what he means by "basic X-raying"


    If you're interested - "pferrie.tripod.com/vb/x-raying.pdf" I believe it is FTP
    protocol.
     
    edgewalker, Jun 23, 2006
    #20