From: edgewalker on 23 Jun 2006 16:51

"Art" <null(a)zilch.com> wrote in message news:l62o92ttjq9a1vidaai3bsqbfl0ic93tt7(a)4ax.com...
> On 23 Jun 2006 08:11:24 -0700, "Dustin Cook"
> <bughunter.dustin(a)gmail.com> wrote:
>
> >I believe BugHunter also picks up win32.exe, but it doesn't alarm on
> >the jpegs either. And it's not going to....
>
> Too bad. It would be a useful detection IMO.

Do you want to look in *everything* for *anything*? Think of the cost.
From: Art on 23 Jun 2006 16:56

On Fri, 23 Jun 2006 16:38:43 -0400, "edgewalker" <null(a)null.invalid> wrote:

>> >minor quibble - steganography is a technique for hiding messages in
>> >other things, it's not just for hiding malware...
>>
>> To paraphrase Winston Churchill, "Such errant pedantry up with I shall
>> not put!". Obviously if malicious code can be embedded in certain
>> files, any code can be embedded.
>
>What he's getting at is not only code but "information" gets embedded. Your
>statement sounded too much like a wrong definition of steganography.

Woe to me :(

Art :)
http://home.epix.net/~artnpeg
From: Art on 23 Jun 2006 16:59

On Fri, 23 Jun 2006 16:51:52 -0400, "edgewalker" <null(a)null.invalid> wrote:

>
>"Art" <null(a)zilch.com> wrote in message news:l62o92ttjq9a1vidaai3bsqbfl0ic93tt7(a)4ax.com...
>> On 23 Jun 2006 08:11:24 -0700, "Dustin Cook"
>> <bughunter.dustin(a)gmail.com> wrote:
>
>> >I believe BugHunter also picks up win32.exe, but it doesn't alarm on
>> >the jpegs either. And it's not going to....
>>
>> Too bad. It would be a useful detection IMO.
>
>Do you want to look in *everything* for *anything*? Think of the cost.

See my reply to Dustin concerning that. Think of the cost of all the
sigs nowadays for harmless adware, cookies, and controversialware.

Art
http://home.epix.net/~artnpeg
From: David H. Lipman on 23 Jun 2006 17:19

From: "Art" <null(a)zilch.com>

| Regulars here are aware that steganography is a technique
| of embedding malicious code in picture image files (and other
| files). Such files are themselves harmless since they require
| companion active malware to run the embedded code.
|
| The subject sample came in a zip of four files, three JPEGS
| and a file named WIN32.EXE. Here's the Virus Total result
| for the WIN32.EXE file:
|
| ***********************************
| AntiVir          TR/Crypt.F.Gen
| Authentium       no virus found
| Avast            no virus found
| AVG              no virus found
| BitDefender      Trojan.Downloader.Small.AMA
| CAT-QuickHeal    no virus found
| ClamAV           no virus found
| DrWeb            Trojan.DownLoader.9540
| eTrust-Inoculat  no virus found
| eTrust-Vet       Win32/Vxidl!generic
| Ewido            Downloader.Tibs.eo
| Fortinet         no virus found
| F-Prot           no virus found
| Ikarus           no virus found
| Kaspersky        Trojan-Downloader.Win32.Tibs.eo
| McAfee 4791      Generic Downloader
| Microsoft        no virus found
| NOD32v2          probably a variant of Win32/TrojanDownloader.Small.AWA
| Norman           no virus found
| Panda            Adware/Adsmart
| Sophos           no virus found
| Symantec         Trojan.Galapoper.A
| TheHacker        no virus found
| UNA              no virus found
| VBA32            Trojan.DownLoader.9540
| VirusBuster      no virus found
| ************************************
|
| Only Bit Defender and Symantec alerted on the JPEGS.
| Bit Defender found Trojan.HideFrog.A in all three
| (they are images of a frog :))
|
| Symantec alerted as follows:
|
| NT1.JPG   W32.Looksky!gen
| NT2.JPG   Trojan.Desktophijack.B
| NT3.JPG   Trojan.Jupillites
|
| I'm puzzled that only two products alert on the JPEGS
| even though many alert on the (apparently)
| companion malware. I would think it important to
| alert on the JPEGS as a warning to users to get rid
| of them.
|
| I'm also puzzled/curious about the Symantec
| alerts.
|
| Here's a McAfee blog with some info on this
| malware set:
|
| http://www.avertlabs.com/research/blog/?p=36
|
| BTW, while McAfee alerts on WIN32.EXE as Generic
| Downloader, it does not alert on the JPEGS.
|
| Art
| http://home.epix.net/~artnpeg

Hi Art:

I see a nice thread came from this :-)

I originally received from Symantec the following...

We have analyzed your submission. The following is a report of our findings for each file you have submitted:

filename: nt1.jpg
machine: AVCAutomation:
result: See the developer notes

filename: nt2.jpg
machine: AVCAutomation:
result: See the developer notes

filename: nt3.jpg
machine: AVCAutomation:
result: See the developer notes

Developer notes:
nt1.jpg is an image file that contains virus. You should delete this file.
nt2.jpg is an image file that contains virus. You should delete this file.
nt3.jpg is an image file that contains virus. You should delete this file.

-----

I was asking myself "What Virus" ? They didn't identify anything !

Now on another batch... Symantec is calling the submitted JPEGs -- Trojan.Frogexer!gen.

filename: proxy.jpg
machine: AVCAutomation:
result: This file is detected as Trojan.Frogexer!gen.

filename: tibs.jpg
machine: AVCAutomation:
result: This file is detected as Trojan.Frogexer!gen.

filename: jpg.jpg
machine: AVCAutomation:
result: This file is detected as Trojan.Frogexer!gen.

filename: tool.jpg
machine: AVCAutomation:
result: This file is detected as Trojan.Frogexer!gen.

filename: winlogon.jpg
machine: AVCAutomation:
result: This file is detected as Trojan.Frogexer!gen.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
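Art's description above (inert JPEG carriers that only do something once a companion executable digs the payload out) is the kind of thing an analyst can triage structurally rather than waiting for a vendor signature. The script below is an added example written for this thread; it is not code from any poster, from Symantec, BitDefender, McAfee or any other vendor named here, and it assumes nothing about how the NT1-NT3.JPG samples were actually built. It walks the JPEG marker segments and reports three constructed heuristics: bytes after the EOI marker, an oversized APPn/COM segment, and an executable signature anywhere in the file. The segment size threshold and the signature list are assumptions chosen for the example, and the three sample blobs are constructed in the code, not real samples.

```python
"""Structural triage for JPEG files that may be carrying a payload.

Added example for this thread (not code from any poster or AV vendor named
here). Heuristics, thresholds and sample bytes are all constructed choices.
"""
import struct

EXEC_SIGNATURES = (b"MZ", b"This program cannot be run in DOS mode")   # assumption: stub markers worth a look
SEGMENT_LIMIT = 32 * 1024   # constructed: APPn/COM payloads larger than this are unusual for a photo


def _skip_entropy_data(data: bytes, pos: int) -> int:
    """Advance past entropy-coded scan data to the next real marker.
    0xFF00 is byte stuffing and 0xFFD0-0xFFD7 are restart markers; neither ends the scan."""
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not (0xD0 <= nxt <= 0xD7):
            return pos
        pos += 1
    return len(data)


def walk_segments(data: bytes):
    """Yield (marker, offset, payload_length) for every segment up to and
    including EOI. Raises ValueError when the marker structure is malformed."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"marker expected at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                               # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                               # EOI: the image ends here
            yield marker, pos, 0
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # TEM / RSTn carry no length field
            yield marker, pos, 0
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # length includes its own 2 bytes
        yield marker, pos, seglen - 2
        pos += 2 + seglen
        if marker == 0xDA:                               # SOS: compressed scan data follows
            pos = _skip_entropy_data(data, pos)
    # No EOI found: the file end is treated as the end of the image.


def analyze_jpeg(data: bytes) -> dict:
    """Return structural findings for one JPEG. 'suspicious' is True when any
    heuristic fires; the other fields tell the analyst which one and where."""
    findings = {"trailing_bytes": 0, "large_segments": [], "exec_signature": False}
    end = len(data)
    for marker, offset, length in walk_segments(data):
        if marker == 0xD9:
            end = offset + 2
        elif (0xE0 <= marker <= 0xEF or marker == 0xFE) and length > SEGMENT_LIMIT:
            findings["large_segments"].append((hex(marker), offset, length))
    findings["trailing_bytes"] = len(data) - end           # data parked after EOI
    findings["exec_signature"] = any(sig in data for sig in EXEC_SIGNATURES)
    findings["suspicious"] = bool(findings["trailing_bytes"]
                                  or findings["large_segments"]
                                  or findings["exec_signature"])
    return findings


def _skeleton_jpeg(extra_segment: bytes = b"") -> bytes:
    """Constructed: a structurally valid JPEG (SOI, APP0, optional extra segment,
    SOS with a few bytes of fake scan data, EOI). Not a decodable picture."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"                           # includes one stuffed 0xFF00
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + extra_segment
            + b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos
            + scan
            + b"\xff\xd9")


# Constructed samples: a clean skeleton, one with a fake executable stub
# appended after EOI, and one carrying an oversized APP15 segment of filler.
CLEAN_SAMPLE = _skeleton_jpeg()
TRAILING_SAMPLE = _skeleton_jpeg() + b"MZ\x90\x00" + b"\x00" * 32
BIG_SEGMENT_SAMPLE = _skeleton_jpeg(
    b"\xff\xef" + struct.pack(">H", SEGMENT_LIMIT + 3) + b"\x00" * (SEGMENT_LIMIT + 1))

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SAMPLE), ("trailing", TRAILING_SAMPLE),
                       ("big-segment", BIG_SEGMENT_SAMPLE)):
        print(name, analyze_jpeg(blob))
```

The point of reporting the individual fields rather than a single verdict is that each heuristic has a different false-positive profile: trailing data after EOI is rare in camera output but common in files saved by some editors, a large APP segment is normal for images with big ICC profiles or XMP metadata, and a two-byte "MZ" hit can occur by chance inside entropy-coded data. A carrier that fires two of the three, as the constructed TRAILING_SAMPLE does, is worth pulling for a closer look; a single hit is a prompt to check the metadata before deciding.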
From: edgewalker on 23 Jun 2006 17:31
"Art" <null(a)zilch.com> wrote in message news:8elo929bumaa3lul8rr7hkfj7nfc6be7rl(a)4ax.com...
> On Fri, 23 Jun 2006 16:51:52 -0400, "edgewalker" <null(a)null.invalid>
> wrote:
>
> >
> >"Art" <null(a)zilch.com> wrote in message news:l62o92ttjq9a1vidaai3bsqbfl0ic93tt7(a)4ax.com...
> >> On 23 Jun 2006 08:11:24 -0700, "Dustin Cook"
> >> <bughunter.dustin(a)gmail.com> wrote:
> >
> >> >I believe BugHunter also picks up win32.exe, but it doesn't alarm on
> >> >the jpegs either. And it's not going to....
> >>
> >> Too bad. It would be a useful detection IMO.
> >
> >Do you want to look in *everything* for *anything*? Think of the cost.
>
> See my reply to Dustin concerning that. Think of the cost of all the
> sigs nowadays for harmless adware, cookies, and controversialware.

Yes, it's sad. I don't think they should alert, but they should include
them in verification and cleanup. Alerts should be for threats.