From: Dustin Cook on 23 Jun 2006 15:42
> I don't know that av have to "guess" (use heuristics only). It doesn't
> appear that Symantec is detecting heuristically since it gives exact
> IDs (and different ones) on three different JPG files.
Nah, you're right, they're using sigs. The malware isn't really keen on
the process, i.e. it's fixed, or appears to be.
> Hell, signatures are ballooning outa sight anyway :) What's a few
How very true, and quite saddening. :)
> I'd say informing the user of the infested JPG which might be
> used by the companion malware at any point is important. I'd
> say it's more important than wasting sigs as some do on
> commercial sw which might be used for nefarious purposes.
> I'd go so far as to say it's more important than flagging
> harmless adware that's merely annoying. After all, we're
> talking here about some nasty downloader Trojans.
Fair enough, Art. You've convinced me to hunt down the frog jpegs and
add them to bughunter... although I still maintain they are harmless.
From: edgewalker on 23 Jun 2006 16:34
"Ian Kenefick" <ian_kenefick(a)eircom.net> wrote in message news:82em925ueka2t9klceara5i2eirnkvdap9(a)4ax.com...
> It was interesting in McAfee's analysis. He mentions that some
> analysts would skip over the jpegs thinking they were benign jpegs and
> not taking them into consideration in the overall analysis. Of
> course... dynamic analysis would show their true functionality. You
> wonder how much of this stuff does get 'missed' by virus analysts.
The only "threat" is the executable. The same old story as before regarding
jpg viruses - something "else" has to be amiss. True, they should include it
in the cleanup, but it is not really necessary.
From: edgewalker on 23 Jun 2006 16:38
"Art" <null(a)zilch.com> wrote in message news:8uln92h8dhur78rmq0v2c60j2f5jqq5fsn(a)4ax.com...
> On Thu, 22 Jun 2006 23:45:58 -0400, kurt wismer <kurtw(a)sympatico.ca>
> >Art wrote:
> >> Regulars here are aware that steganography is a technique
> >> of embedding malicious code in picture image files (and other
> >> files).
> >minor quibble - steganography is a technique for hiding messages in
> >other things, it's not just for hiding malware...
> To paraphrase Winston Churchill, "Such errant pedantry up with I shall
> not put!". Obviously if malicious code can be embedded in certain
> files, any code can be embedded.
What he's getting at is not only code but "information" gets embedded. Your
statement sounded too much like a wrong definition of steganography.
From: Art on 23 Jun 2006 16:44
On 23 Jun 2006 12:42:39 -0700, "Dustin Cook"
>Fair enough Art, You've convinced me to hunt down the frog jpegs and
>add them to bughunter...
No need to hunt. Just let me know if you want me to send
them to you. And no, I'm not a malware spreader. I trust
you aren't either any more :)
>Although, I still maintain they are harmless
Of course. Or some other suitable malware the mob in Russia
is cranking out that also works with these particular JPG files.
From: 4Q on 23 Jun 2006 16:48
Dustin Cook wrote:
> Art wrote:
> > I'm puzzled that only two products alert on the JPEGS
> > even though many alert on the (apparently)
> > companion malware. I would think it important to
> > alert on the JPEGS as a warning to users to get rid
> > of them.
> The code contained inside the jpegs isn't functional without something
> to read it, win32.exe. Otherwise, the jpegs are a picture of a frog,
> with hidden code. Code only readable by software that already knows
> it's there. I don't think picture viewer will do anything bad if you
> decide to look at one. :)
Raidy, an exception to the rule, maybe: Minders' .bmp IRC worm.
His code was contained inside the .bmp file and looked like
a little bit of random noise inside a viewer; however, his
worm was also a weak SE trick, and the picture contained a
message asking the user to rename the .bmp to a .com.
Then it operated as a normal wormoid.
Bit lame as an ITW example, but hey, nice example of a hax0r
thinking outside the box.
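The point made twice in this thread (edgewalker: "the only threat is the executable"; Dustin: the hidden code is "only readable by software that already knows it's there") is worth seeing in code. The example below is added here and is not from the thread, McAfee's analysis, or the frog JPEGs themselves, whose actual encoding the thread never describes. It assumes one concrete (and hypothetical) carrier scheme: a payload appended after the JPEG End-Of-Image marker, prefixed by a made-up tag and XOR-obfuscated with a one-byte key. A standards-following decoder stops at EOI, so a viewer never touches the appended bytes; the "companion" reads straight past EOI because it knows the layout. The same marker walk doubles as the check a scanner or analyst can run: non-empty data after EOI is a triage signal, not a verdict, since benign software sometimes appends data there too. The sample JPEG is constructed inline (no real image data) and the parser handles the stuffed 0xFF00 bytes and restart markers a real scan contains, so it can be pointed at actual files.

```python
import struct

# Marker bytes (the 0xFF prefix is implicit). Names are for readable output only.
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
NAMES = {0xD8: "SOI", 0xD9: "EOI", 0xDA: "SOS", 0xE0: "APP0", 0xFE: "COM",
         0xC0: "SOF0", 0xC4: "DHT", 0xDB: "DQT"}

# Hypothetical trailer layout the companion knows about: TAG, 4-byte length, XOR'd bytes.
# This is an assumption for the example, not the scheme used by any real sample.
TAG = b"STEG"


def parse_jpeg(data: bytes):
    """Walk the marker segments of a JPEG the way a decoder does and stop at EOI.

    Returns (segment_names, end_offset), where end_offset is the first byte after
    the EOI marker. Nothing at or beyond end_offset is ever consulted here, which
    is exactly why an image viewer is blind to an appended payload.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segments = ["SOI"]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        segments.append(NAMES.get(marker, f"0x{marker:02X}"))
        if marker == EOI:
            return segments, pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        seglen = struct.unpack(">H", data[pos:pos + 2])[0]
        if seglen < 2 or pos + seglen > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        pos += seglen
        if marker == SOS:
            # Entropy-coded scan: advance until a real marker. 0xFF00 is a stuffed
            # data byte and 0xFFD0-0xFFD7 are restart markers; both belong to the scan.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_bytes(data: bytes) -> bytes:
    """Everything after EOI. Non-empty is a triage signal, not a verdict."""
    _, end = parse_jpeg(data)
    return data[end:]


def make_carrier(comment: bytes) -> bytes:
    """Constructed minimal JPEG: SOI, APP0/JFIF, COM, a tiny fake scan, EOI.
    It holds no real picture; it only exercises the marker walk above."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"   # one-component scan header
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"               # stuffed 0xFF00 and RST0 inside
    return b"\xff\xd8" + app0 + com + sos + scan + b"\xff\xd9"


def embed_after_eoi(jpeg: bytes, payload: bytes, key: int) -> bytes:
    """Append an obfuscated payload after EOI. The picture decodes unchanged."""
    _, end = parse_jpeg(jpeg)
    obf = bytes(b ^ key for b in payload)
    return jpeg[:end] + TAG + struct.pack(">I", len(obf)) + obf


def companion_extract(stego: bytes, key: int):
    """What the companion executable does: it already knows the tag and key,
    so it reads past EOI instead of decoding the image. None if no trailer."""
    tail = trailing_bytes(stego)
    if len(tail) < 8 or not tail.startswith(TAG):
        return None
    n = struct.unpack(">I", tail[4:8])[0]
    return bytes(b ^ key for b in tail[8:8 + n])


# Constructed sample input: a clean carrier and the same carrier with a trailer.
PAYLOAD = b"constructed payload: nothing a viewer will ever execute"
KEY = 0x5A
CLEAN = make_carrier(b"frog")
STEGO = embed_after_eoi(CLEAN, PAYLOAD, KEY)

if __name__ == "__main__":
    print("clean segments :", parse_jpeg(CLEAN)[0])
    print("stego segments :", parse_jpeg(STEGO)[0])
    print("trailing bytes :", len(trailing_bytes(CLEAN)), "vs", len(trailing_bytes(STEGO)))
    print("companion sees :", companion_extract(STEGO, KEY))
```

Run it and the two segment lists come out identical: a decoder sees the same JPEG either way, and only `trailing_bytes` (or the companion, which knows the key) notices the difference. Feeding a wrong key to `companion_extract` returns garbage rather than an error, which is the usual reason static analysis of the carrier alone gets nowhere without the companion binary.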