From: James Egan on
On Tue, 27 Jun 2006 12:45:39 GMT, Art <null(a)zilch.com> wrote:

>To add a little more info, I found that all four files have the same
>identical characteristic in that truncating them just after the first
>occurrence of FF D9 results in a 886 byte froggie which Irfan "thinks"
>is a legit JPG file. By four files, I mean in addition to NT1, 2, 3
>I'm including WINLOGON.JPG. In this latter file I found only one
>occurrence of FF D9 and that's probably the file Jim was looking
>at.

I haven't got any of the files. I just added some plaintext onto the
end of a smallish jpg on my machine here to see if Irfanview left it
in after "saving as" another jpg. It didn't, of course, because it was
only interested in the stuff up to the first (and only in this case)
end of image marker and used that for creating its new file. The fact
that the image is a bit bigger than the original is one of the quirks
of jpeg when saving a low grade image at a higher percentage.

This appending at the end of the file is a common technique in some of
the not very good steganography products which guillermito reversed a
few years back. A good read if you're interested.
http://www.guillermito2.net/stegano/


Jim.

From: Art on
On Tue, 27 Jun 2006 15:22:28 +0100, James Egan <jegan(a)jegan.com>
wrote:

>On Tue, 27 Jun 2006 12:45:39 GMT, Art <null(a)zilch.com> wrote:
>
>>To add a little more info, I found that all four files have the same
>>identical characteristic in that truncating them just after the first
>>occurrence of FF D9 results in a 886 byte froggie which Irfan "thinks"
>>is a legit JPG file. By four files, I mean in addition to NT1, 2, 3
>>I'm including WINLOGON.JPG. In this latter file I found only one
>>occurrence of FF D9 and that's probably the file Jim was looking
>>at.
>
>I haven't got any of the files. I just added some plaintext onto the
>end of a smallish jpg on my machine here to see if Irfanview left it
>in after "saving as" another jpg. It didn't, of course, because it was
>only interested in the stuff up to the first (and only in this case)
>end of image marker and used that for creating its new file. The fact
>that the image is a bit bigger than the original is one of the quirks
>of jpeg when saving a low grade image at a higher percentage.

Yep. It's nice that a method like that isn't required at all.

>This appending at the end of the file is a common technique in some of
>the not very good steganography products which guillermito reversed a
>few years back. A good read if you're interested.
>http://www.guillermito2.net/stegano/

Yes it is indeed a good read. Your inputs have been helpful. Thanks.

Art
http://home.epix.net/~artnpeg
From: Art on
I've put JPG-SCAN.ZIP up at my web site for anyone interested.
It uses an extremely simple algorithm for detecting the subject
samples. I had a collection of 78 .JPG files I had downloaded a
long time ago ... mostly pictures of various locations in Alaska. Of
these, 10 alerted my scanner since they had some kind of extraneous
bytes near the end of the file after the JPG end bytes. I have no
reason to think these 10 are actually Trojanized, but it's curious
that files like this are created somehow. I "cleaned" one of them
using IrfanView at 100% quality and the file size more than tripled
up to nearly a half meg from less than 200K. People will just have
to tinker around finding a quality percentage that's suitable for
them consistent with lower file sizes.

It was fun designing the scanner, and I might add other kinds
of simple but useful "oddball" detections, such as for Word DOC
embedded Trojans. The scanner can be speeded up considerably,
but for now there's little point in doing that since it takes less
than a minute to scan the 1,250 folders on my Win 2K PC main
partition.

Art
http://home.epix.net/~artnpeg
From: James Egan on
On Fri, 30 Jun 2006 22:10:33 GMT, Art <null(a)zilch.com> wrote:

>I've put JPG-SCAN.ZIP up at my web site for anyone interested.
>It uses an extremely simple algorithm for detecting the subject
>samples. I had a collection of 78 .JPG files I had downloaded a
>long time ago ... mostly pictures of various locations in Alaska. Of
>these, 10 alerted my scanner since they had some kind of extraneous
>bytes near the end of the file after the JPG end bytes. I have no
>reason to think these 10 are actually Trojanized, but it's curious
>that files like this are created somehow. I "cleaned" one of them
>using IrfanView at 100% quality and the file size more than tripled
>up to nearly a half meg from less than 200K. People will just have
>to tinker around finding a quality percentage that's suitable for
>them consistent with lower file sizes.

Wouldn't it be better to simply truncate the files? Irfanview would
only ruin any hidden data in the files if it was mixed in with the
image datastreams (which it isn't).


Jim.

From: Art on
On Sat, 01 Jul 2006 09:18:31 +0100, James Egan <jegan(a)jegan.com>
wrote:

>On Fri, 30 Jun 2006 22:10:33 GMT, Art <null(a)zilch.com> wrote:
>
>>I've put JPG-SCAN.ZIP up at my web site for anyone interested.
>>It uses an extremely simple algorithm for detecting the subject
>>samples. I had a collection of 78 .JPG files I had downloaded a
>>long time ago ... mostly pictures of various locations in Alaska. Of
>>these, 10 alerted my scanner since they had some kind of extraneous
>>bytes near the end of the file after the JPG end bytes. I have no
>>reason to think these 10 are actually Trojanized, but it's curious
>>that files like this are created somehow. I "cleaned" one of them
>>using IrfanView at 100% quality and the file size more than tripled
>>up to nearly a half meg from less than 200K. People will just have
>>to tinker around finding a quality percentage that's suitable for
>>them consistent with lower file sizes.
>
>Wouldn't it be better to simply truncate the files? Irfanview would
>only ruin any hidden data in the files if it was mixed in with the
>image datastreams (which it isn't).

No, IrfanView does truncate the files and remove the extraneous bytes
after the "end of JPG" marker bytes. IOW, it removes appendages.

My thinking on this first go-around with the scanner was that it would
not offer to modify files. That way "power users" at least could look
at the files flagged as suspicious in a hex editor and see what's
going on, so to speak. But now that you bring it up, I think I will
include an option to truncate the files as a convenience to users,
since that would eliminate the need to use Irfan (or other apps).
So far as I can determine, the scanner would only have to find
the first occurrence of the "end of JPG" marker bytes and truncate
all bytes after that.

Art
http://home.epix.net/~artnpeg
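As an added example (not Art's JPG-SCAN, whose code is not on the page), here is the detection and truncation logic from the two posts above written out in Python, with one check Art's "first occurrence of FF D9" rule skips: an EXIF APP1 segment routinely carries a thumbnail that is itself a complete JPEG with its own FF D8 ... FF D9, so the first FF D9 in a file is not always the real end of image, and truncating there would destroy a perfectly good photo. The walker below follows each segment's declared length and skips entropy-coded scan data byte-stuffing-aware (FF 00 and the RSTn markers are not segment markers), reaches the real EOI, and then reports or strips whatever follows it. The sample bytes are constructed for the example; the naive rule is kept only for comparison.

```python
"""Walk a JPEG's marker segments to the real end-of-image (EOI) marker and
report or strip any bytes appended after it (the 'appendage' the thread discusses).
Added example; the sample bytes below are constructed, not real files."""
import struct

EOI, SOS = 0xD9, 0xDA
# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def find_eoi(data: bytes) -> int:
    """Return the offset just past the real EOI marker.

    Segments are skipped by their declared length, and entropy-coded scan data
    is skipped byte-stuffing-aware (FF 00 and RSTn are not markers), so an
    FF D9 inside an EXIF thumbnail is never mistaken for the file's EOI.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated before marker code")
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return pos
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            raise ValueError("bad segment length")
        pos += length
        if marker == SOS:
            # Skip entropy-coded data until a marker that is not FF 00 or RSTn.
            while True:
                idx = data.find(b"\xff", pos)
                if idx == -1 or idx + 1 >= len(data):
                    raise ValueError("no marker after scan data")
                nxt = data[idx + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                    pos = idx + 2
                    continue
                pos = idx  # a real marker (or fill bytes); the outer loop handles it
                break
    raise ValueError("no EOI marker found")


def naive_eoi(data: bytes):
    """The 'first FF D9' rule from the thread, kept only for comparison."""
    idx = data.find(b"\xff\xd9")
    return None if idx == -1 else idx + 2


def trailing_bytes(data: bytes) -> bytes:
    """Whatever sits after the real EOI; empty for a clean file."""
    return data[find_eoi(data):]


def truncate_after_eoi(data: bytes) -> bytes:
    """Art's proposed 'truncate' option, but anchored on the real EOI."""
    return data[:find_eoi(data)]


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a tiny 'thumbnail' JPEG embedded in an APP1 (Exif) segment,
# then the main scan (with a stuffed FF 00 and an RST0 inside it), then the real EOI.
THUMB = b"\xff\xd8" + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"
APP1 = _segment(0xE1, b"Exif\x00\x00" + THUMB)
SCAN = b"\x9c\xff\x00\xa3\xff\xd0\x7b"
CLEAN = b"\xff\xd8" + APP1 + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + SCAN + b"\xff\xd9"
APPENDAGE = b"constructed stand-in for bytes appended after the image"
SUSPECT = CLEAN + APPENDAGE

if __name__ == "__main__":
    print("first FF D9 ends at", naive_eoi(SUSPECT), "- real EOI ends at", find_eoi(SUSPECT))
    print("trailing bytes:", len(trailing_bytes(SUSPECT)))
    print("truncated copy equals clean original:", truncate_after_eoi(SUSPECT) == CLEAN)
```

On the constructed sample the naive rule stops inside the thumbnail (offset 31) while the walker reaches the real EOI at offset 50, so a scanner built on the naive rule would both flag the clean file and, with a truncate option, corrupt it. As Art notes in the first post, trailing bytes alone are only a heuristic: plenty of benign software leaves padding or metadata after the EOI, so a hit is a reason to open the file in a hex editor, not proof of a Trojan.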