From: Dustin Cook on

Art wrote:

> I don't know that av have to "guess" (use heuristics only). It doesn't
> appear that Symantec is detecting heuristically since it gives exact
> IDs (and different ones) on three different JPG files.

Nah, your right, they're using sigs. The malware isn't really keen on
the process, IE: it's fixed, or appears to be.

> Hell, signatures are balooning outa sight anyway :) What's a few
> more?

How very true, and quiet saddening. :)

> I'd say informing the user of the infested JPG which might be
> used by the companion malware at any point is important. I'd
> say it's more important than wasting sigs as some do on
> commercial sw which might be used for nefarious purposes.
> I'd go so far as to say it's more important than flagging
> harmless adware that's merely annoying. After all, we're
> talking here about some nasty downloader Trojans.

Fair enough Art, You've convinced me to hunt down the frog jpegs and
add them to bughunter...Although, I still maintain they are harmless
without win32.exe....

Dustin Cook

From: edgewalker on

"Ian Kenefick" <ian_kenefick(a)> wrote in message news:82em925ueka2t9klceara5i2eirnkvdap9(a)

> It was interesting yin McAfee's analysis. He mentions that some
> analysts would skip over the jpegs thinking they were benign jpegs and
> not taking them into consideration in the overall analysis. Of
> course... dynamic analysis would show their true functionality. You
> wonder how much of this stuff does get 'missed' by virus analysts.

The only "threat" is the executable. The same old story as before regarding
jpg viruses - something "else" has to be amiss. True, they should include it
in the cleanup, but it is not really necessary.

From: edgewalker on

"Art" <null(a)> wrote in message news:8uln92h8dhur78rmq0v2c60j2f5jqq5fsn(a)
> On Thu, 22 Jun 2006 23:45:58 -0400, kurt wismer <kurtw(a)>
> wrote:
> >Art wrote:
> >> Regulars here are aware that steganography is a technique
> >> of embedding malicious code in picture image files (and other
> >> files).
> >
> >minor quibble - steganography is a technique for hiding messages in
> >other things, it's not just for hiding malware...
> To paraphrase Winston Churchill, "Such errant pedantry up with I shall
> not put!". Obviously if malicious code can be embedded in certain
> fles, any code can be embedded.

What he's getting at is not only code but "information" gets embedded. Your
statement sounded too much like a wromg definition of steganography.

From: Art on
On 23 Jun 2006 12:42:39 -0700, "Dustin Cook"
<bughunter.dustin(a)> wrote:

>Fair enough Art, You've convinced me to hunt down the frog jpegs and
>add them to bughunter...

No need to hunt. Just let me know if you want me to send
them to you. And no, I'm not a malware spreader. I trust
you aren't either any more :)

>Although, I still maintain they are harmless
>without win32.exe....

Of course. Or some other suitable malware the mob in Russia
is cranking out that also works with these paticular JPG files.


From: 4Q on
Dustin Cook wrote:
> Art wrote:
> > I'm puzzled that only two products alert on the JPEGS
> > even though many alert on the (apparently)
> > companion malware. I would think it important to
> > alert on the JPEGS as a warning to users to get rid
> > of them.
> The code contained inside the jpegs isn't functional without something
> to read it, win32.exe. Otherwise, the jpegs are a picture of a frog,
> with hidden code. Code only readable by software that already knows
> it's there. I don't think picture viewer will do anything bad if you
> decide to look at one. :)

Raidy an exception to the rule maybe Minders .bmp IRC worm
His code was contained inside the .bmp file and looked like
a little bit of random noise inside a viewer, however his
worm was also a weak SE trick and the picture contained a
message asking the user to rename the .bmp to a .com
Then it operated as a normal wormoid.

Bit lame as an ITW example but hey nice example of a hax0r
thinking outside the box.