From: B. R. 'BeAr' Ederson on 24 Jun 2006 19:05

On Sat, 24 Jun 2006 12:19:06 GMT, Art wrote:

> Even without the presence of a current companion, a new and currently
> "unknown" companion could conceivably get past av scanners and run the
> code embedded in the JPGs. The JPGs are a threat as long as they are on
> a PC. In fact, this sort of thing may well be a part of the plan of the
> bad guys.

If known malicious code is deliberately excluded from detection when placed within non-executable data, the release of trigger programs will become some kind of sport, and the AV vendors will lose every now and then. Moreover, if "appropriate" pictures are selected for the code injection, they will spread like fire and last forever. :-(

Therefore, I generally agree with you. To limit the necessary sigs and detection algorithms, spreading and dangerousness should be taken into account. As every computer already contains a lot of code which *can* be exploited for malicious actions, the specifics of the steganographically hidden code are decisive, IMHO.

BeAr
-- 
===========================================================================
= What do you mean with: "Perfection is always an illusion"?              =
===============================================================--(Oops!)===
From: James Egan on 24 Jun 2006 19:30

On Sat, 24 Jun 2006 19:36:22 GMT, Art <null(a)zilch.com> wrote:

> I don't know what you mean by "least significant bit method". If we
> can stick with the subject JPGs for the time being, clearly the
> malware isn't hidden at all.

I meant a technique which mixes the data in with the image, causing changes which aren't very noticeable to the eye, rather than appending the whole of the (malware) data before some beginning-of-file marker or after an end-of-file marker. Such a technique is more pertinent to bitmaps, where the least significant bit in a 24-bit pixel can be easily altered to something else (to store the malware) without radically altering the colour of the pixel. With (lossy) JPGs it wouldn't be so simple of course, but it will nonetheless be possible to some degree.

>> any detection would be dependent on the
>> image containing the malware and not just the malware itself.
>
> Well, I suppose I could modify the JPGs I have slightly and see if Bit
> Defender and Symantec quit alerting on them.

The malware is probably all together as a comment at the beginning or at the end after the end-of-file marker, so altering the image itself wouldn't make any difference.

<snip>

> If it's not feasible, how do you explain the detections by Bit
> Defender and Symantec?

I meant it's not feasible generally if some serious steganography prog has been used to create the image. Remember that as well as discovering that there is a hidden file within an image, the av also has to determine that the hidden file is malware, which will likely involve breaking some serious encryption. Adding detection for non-serious stuff like the frog jpegs shouldn't be difficult, but there could also be any number of infected images on the same computer which are undetectable. Therefore the emphasis must surely be placed on detecting and stopping the companion needed to activate the malware.

Jim.
From: Art on 24 Jun 2006 20:37

On Sun, 25 Jun 2006 00:30:57 +0100, James Egan <jegan(a)jegan.com> wrote:

<snip to just this portion>

> I meant it's not feasible generally if some serious steganography prog
> has been used to create the image. Remember that as well as
> discovering that there is a hidden file within an image, the av also
> has to determine that the hidden file is malware which will likely
> involve breaking some serious encryption.

Do av really have to determine that a "diddled with" JPG contains encrypted "information" and be able to deal with decrypting it? Or is it sufficient to recognize that something is definitely unusual for an otherwise recognizable JPG format?

Why couldn't ISP email scanner/blockers treat such animals as exceptions and pass them on to the users with a warning message to the effect that something "fishy" has been detected? That way, the few users exchanging legit altered JPGs could deal with the issue by passing on an MD5 in the message body, passwords for the zips, etc. Users not expecting a "fishy" JPG have been duly warned, and if they have half a brain they simply delete the attachment.

Similarly, all av could treat such JPGs as an exception and simply issue a "something's fishy" warning to users. In fact, I suspect a very strong warning might be legitimately issued, but I might be overly optimistic about the definiteness of the determination.

Art
http://home.epix.net/~artnpeg

BTW, we've limited the discussion to JPGs because of the actual sample malware I discussed, but we're really talking about multimedia files and other "data" files as well.
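The structural "something's fishy" check Art asks about, for the two cheap hiding spots James describes (a comment segment, or data appended after the end-of-file marker), as an added example that is not part of any post in the thread: a walker over the JPEG marker segments that flags a COM segment which is not plain text and any bytes sitting after the EOI marker, without trying to decrypt or interpret what is hidden. The sample files are constructed inline, and the thresholds (90% printable bytes, 6 bits/byte of entropy) are my own choices, not values from the thread.

```python
# Added example (not from the thread): a structural anomaly check for JPEG
# files of the kind a mail gateway or scanner could run. Sample files below
# are constructed for the demonstration; thresholds are arbitrary choices.
import math
from typing import List, Tuple

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: text sits around 4-5, compressed or encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def parse_segments(blob: bytes) -> Tuple[List[Tuple[int, bytes]], int]:
    """Walk the marker segments up to and including SOS.

    Returns the (marker, payload) pairs seen and the offset at which the
    entropy-coded scan data begins.
    """
    if blob[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos, segments = 2, []
    while pos + 2 <= len(blob):
        if blob[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = blob[pos + 1]
        if marker == 0xFF:              # fill byte in front of a marker
            pos += 1
            continue
        if marker in (SOI, EOI) or 0xD0 <= marker <= 0xD7:
            pos += 2                    # standalone markers carry no length field
            if marker == EOI:
                return segments, pos    # header-only file with no scan at all
            continue
        length = int.from_bytes(blob[pos + 2:pos + 4], "big")
        payload = blob[pos + 4:pos + 2 + length]
        segments.append((marker, payload))
        pos += 2 + length
        if marker == SOS:
            return segments, pos
    raise ValueError("truncated JPEG header")


def find_eoi(blob: bytes, start: int) -> int:
    """Offset just past the EOI marker that ends the scan data, or -1 if absent."""
    pos = start
    while True:
        i = blob.find(b"\xff", pos)
        if i == -1 or i + 1 >= len(blob):
            return -1
        nxt = blob[i + 1]
        if nxt == EOI:
            return i + 2
        # 0xFF00 is byte stuffing and 0xFFD0-D7 are restart markers: both belong to the scan
        pos = i + 2 if nxt == 0x00 or 0xD0 <= nxt <= 0xD7 else i + 1


def inspect_jpeg(blob: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing structural stood out."""
    findings = []
    segments, scan_start = parse_segments(blob)
    for marker, payload in segments:
        if marker == COM and payload:
            printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload) / len(payload)
            ent = shannon_entropy(payload)
            if printable < 0.9 or ent > 6.0:
                findings.append(f"COM segment of {len(payload)} bytes is not plain text "
                                f"({printable:.0%} printable, entropy {ent:.1f} bits/byte)")
    end = find_eoi(blob, scan_start)
    if end == -1:
        findings.append("no EOI marker: file is truncated or not a complete image")
    elif end < len(blob):
        findings.append(f"{len(blob) - end} bytes of trailing data after EOI")
    return findings


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one length-prefixed marker segment (the length counts itself)."""
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed minimal files: a JFIF APP0 header, a tiny scan containing a
# stuffed 0xFF00 pair (which must not be mistaken for a marker), then EOI.
APP0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
SCAN = _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56"
CLEAN_JPEG = b"\xff\xd8" + APP0 + SCAN + b"\xff\xd9"
TRAILING_JPEG = CLEAN_JPEG + b"<constructed bytes appended after EOI>"
BINARY_COMMENT_JPEG = b"\xff\xd8" + APP0 + _segment(COM, bytes(range(256)) * 2) + SCAN + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_JPEG), ("trailing", TRAILING_JPEG),
                       ("binary comment", BINARY_COMMENT_JPEG)]:
        print(name, "->", inspect_jpeg(blob) or ["no structural anomalies"])
```

This is deliberately a format check rather than a content check: it does not need to know what the hidden bytes are, only that a well-formed image has no reason to carry them. Data mixed into the pixel values themselves (the LSB method) passes it untouched, which is the limit James points out.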
From: Dustin Cook on 24 Jun 2006 21:19

Art wrote:

> Do av really have to determine that a "diddled with" JPG contains
> encrypted "information" and be able to deal with decrypting it? Or is
> it sufficient to recognize that something is definitely unusual for an
> otherwise recognizable JPG format?

How would AV know if it's diddled or not? The whole point behind the process is to alter only enough bits spread throughout the file to store your data; for all intents and purposes, it's video data... Nothing but a few bytes here and there altered... hardly noticeable...

-- 
Regards,
Dustin Cook
http://bughunter.atspace.org
From: Phil Weldon on 24 Jun 2006 21:25

'Art' wrote, in part:
| Well, I suppose I could modify the JPGs I have slightly and see if Bit
| Defender and Symantec quit alerting on them.
_____

Try an image editor and change the overall brightness by 1%. That should destroy any executable hidden in a .jpg image.

Phil Weldon

"Art" <null(a)zilch.com> wrote in message news:t34r92ds8rqvp9l1u29djbsdhnec1vdose(a)4ax.com...
..
| I don't know what you mean by "least significant bit method". If we
| can stick with the subject JPGs for the time being, clearly the
| malware isn't hidden at all.
|
| >any detection would be dependent on the
| >image containing the malware and not just the malware itself.
|
| Well, I suppose I could modify the JPGs I have slightly and see if Bit
| Defender and Symantec quit alerting on them.
|
| >>2. Your statement that the probability of the malware being
| >>executed is zero is nonsense no matter how you look at it. Even
| >>without the presence of a current companion, a new and
| >>currently "unknown" companion could conceivably get past av
| >>scanners and run the code embedded in the JPGs.
|
| >Then it's not the jpg which gets executed. It's the "unknown"
| >companion which just slipped past your av scanner.
|
| Huh? They both execute. The companion causes the code in the
| JPG to run.
..
| If it's not feasible, how do you explain the detections by Bit
| Defender and Symantec?
|
| Art
| http://home.epix.net/~artnpeg
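A way to measure whether a sanitizing edit of the kind Phil suggests actually scrubs the LSB payload James and Dustin describe, as an added example that is not from any post in the thread: the pixel samples and the payload are constructed, the image is treated as a raw 8-bit bitmap (so this does not model the JPEG re-encoding that saving a .jpg performs), and the transforms and percentages are my own choices. It shows that a 1% brightness scale leaves the low bits of dark samples exactly where they were, because the change rounds away, whereas clearing the LSB plane is deterministic.

```python
# Added example (not from the thread): does a small brightness change really
# scrub a least-significant-bit (LSB) payload from a raw bitmap? Carrier
# samples and the payload below are constructed for the demonstration.
from typing import Callable, List


def embed_lsb(pixels: List[int], payload: bytes) -> List[int]:
    """Write each payload bit, most significant first, into the LSB of one 8-bit sample."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("carrier too small for payload")
    out = list(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return out


def extract_lsb(pixels: List[int], nbytes: int) -> bytes:
    """Read nbytes back from the LSBs; the inverse of embed_lsb."""
    bits = [p & 1 for p in pixels[: nbytes * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, nbytes * 8, 8))


def brighten(pixels: List[int], percent: float) -> List[int]:
    """Scale every sample by (1 + percent/100), round to an integer, clamp to 0..255."""
    return [min(255, round(p * (1 + percent / 100.0))) for p in pixels]


def clear_lsb_plane(pixels: List[int]) -> List[int]:
    """Deterministic sanitizer: zero the least significant bit of every sample."""
    return [p & 0xFE for p in pixels]


def payload_survival(original: bytes, carrier: List[int]) -> float:
    """Fraction of the payload's bits still readable from the carrier's LSB plane."""
    recovered = extract_lsb(carrier, len(original))
    matching = sum(8 - bin(a ^ b).count("1") for a, b in zip(original, recovered))
    return matching / (len(original) * 8)


PAYLOAD = b"constructed marker"          # stand-in for whatever was hidden
N = len(PAYLOAD) * 8                     # one sample per payload bit
DARK_CARRIER = [(i * 7) % 50 for i in range(N)]           # samples in 0..49
BRIGHT_CARRIER = [100 + (i * 7) % 150 for i in range(N)]  # samples in 100..249


def survival_after(carrier: List[int], transform: Callable[[List[int]], List[int]]) -> float:
    """Embed PAYLOAD, apply the candidate sanitizer, report how much of it survives."""
    return payload_survival(PAYLOAD, transform(embed_lsb(carrier, PAYLOAD)))


if __name__ == "__main__":
    for name, carrier in [("dark", DARK_CARRIER), ("bright", BRIGHT_CARRIER)]:
        print(f"{name} carrier, +1% brightness: "
              f"{survival_after(carrier, lambda px: brighten(px, 1.0)):.0%} of payload bits intact")
        print(f"{name} carrier, LSB plane cleared: "
              f"{survival_after(carrier, clear_lsb_plane):.0%} of payload bits intact")
```

On the dark carrier every sample v satisfies round(v * 1.01) == v, so the brightness edit changes nothing and the payload survives in full; on the bright carrier roughly half the samples move by an odd amount and the payload is corrupted, though not erased. Clearing the LSB plane (or, for a real JPG, re-encoding it so the pixel values are re-quantized) removes the channel regardless of content, which is the property a content-disarm step should have.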