A Steganography sample malware

Regulars here are aware that steganography is a technique
of embedding malicious code in picture image files (and other
files). Such files are themselves harmless since they require
companion active malware to run the embedded code.

The subject sample came in a zip of four files, three JPEGS
and a file named WIN32.EXE. Here's the Virus Total result
for the WIN32.EXE file:
***********************************
AntiVir          TR/Crypt.F.Gen
Authentium       no virus found
Avast            no virus found
AVG              no virus found
BitDefender      Trojan.Downloader.Small.AMA
CAT-QuickHeal    no virus found
ClamAV           no virus found
DrWeb            Trojan.DownLoader.9540
eTrust-Inoculat  no virus found
eTrust-Vet       Win32/Vxidl!generic
Ewido            Downloader.Tibs.eo
Fortinet         no virus found
F-Prot           no virus found
Ikarus           no virus found
Kaspersky        Trojan-Downloader.Win32.Tibs.eo
McAfee           4791  Generic Downloader
Microsoft        no virus found
NOD32v2          probably a variant of Win32/TrojanDownloader.Small.AWA
Norman           no virus found
Panda            Adware/Adsmart
Sophos           no virus found
Symantec         Trojan.Galapoper.A
TheHacker        no virus found
UNA              no virus found
VBA32            Trojan.DownLoader.9540
VirusBuster      no virus found
***********************************
Only Bit Defender and Symantec alerted on the JPEGS.
Bit Defender found Trojan.HideFrog.A in all three
(they are images of a frog :))

Symantec alerted as follows:
NT1.JPG    W32.Looksky!gen
NT2.JPG    Trojan.Desktophijack.B
NT3.JPG    Trojan.Jupillites

I'm puzzled that only two products alert on the JPEGS
even though many alert on the (apparently)
companion malware. I would think it important to
alert on the JPEGS as a warning to users to get rid
of them.

I'm also puzzled/curious about the Symantec
alerts.

Here's a McAfee blog with some info on this
malware set:

http://www.avertlabs.com/research/blog/?p=36

BTW, while McAfee alerts on WIN32.EXE as Generic
Downloader, it does not alert on the JPEGS.

Art
http://home.epix.net/~artnpeg

Re: A Steganography sample malware


[quoted text snipped]

It was interesting in McAfee's analysis. He mentions that some
analysts would skip over the jpegs thinking they were benign jpegs and
not taking them into consideration in the overall analysis. Of
course... dynamic analysis would show their true functionality. You
wonder how much of this stuff does get 'missed' by virus analysts.

--
Regards, Ian Kenefick
http://www.IK-CS.com
Error: Keyboard not attached. Press F1 to continue.

Re: A Steganography sample malware

On Fri, 23 Jun 2006 01:41:30 +0100, Ian Kenefick

[quoted text snipped]

I've sent the JPEGs to Kaspersky asking why KAV doesn't alert.
Depending on the analyst, I might get a good answer. Sometimes
Eugene himself is the analyst, and if I'm lucky I'll hit paydirt :)

Art
http://home.epix.net/~artnpeg

Re: A Steganography sample malware



[quoted text snipped]

The only "threat" is the executable. The same old story as before regarding
jpg viruses - something "else" has to be amiss. True, they should include it
in the cleanup, but it is not really necessary.



Re: A Steganography sample malware

Art wrote:
[quoted text snipped]

minor quibble - steganography is a technique for hiding messages in
other things, it's not just for hiding malware...

[quoted text snipped]

think of it as being analogous to the issue of scanning inside of
various types of archives (which i know you're already quite familiar
with)... ultimately the jpegs are just acting as a kind of container...
how good are av apps at scanning inside containers in general and exotic
(ie. non-zip/rar/arj) containers in particular? i seem to recall you
saying something about problems unpacking installation files even (and
one wouldn't normally consider those to be 'exotic')...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

Re: A Steganography sample malware

wrote:

[quoted text snipped]

To paraphrase Winston Churchill, "Such errant pedantry up with I shall
not put!". Obviously if malicious code can be embedded in certain
files, any code can be embedded.

Art
http://home.epix.net/~artnpeg

Re: A Steganography sample malware


[quoted text snipped]

What he's getting at is not only code but "information" gets embedded. Your
statement sounded too much like a wrong definition of steganography.



Re: A Steganography sample malware

wrote:

[quoted text snipped]

Woe to me :(

Art :)
http://home.epix.net/~artnpeg

Re: A Steganography sample malware

wrote:

[quoted text snipped]

Here's a snippet from the blog I referenced where the author responds
to a comment by "Mike":
*******************************************************
And basic X-raying is all that's required to decrypt these files, for
now anyway.
*******************************************************
Now, I dunno what he means by "basic X-raying" but he makes it
sound as if the decryption in this particular case is straightforward.
Whether he means in a lab only or in a scanner is a question.
Anyway, that's partially why I'm surprised that Kaspersky in
particular isn't alerting. They seem to never shy away from difficult
"unravelling" and "scanning within" all kinds of files. Plus the fact
that it _appears_  that Symantec is effectively decrypting,
and Bit Defender _may_ also be decrypting. As of this moment, I
haven't yet heard back from a Kaspersky analyst. I'm hoping
their response will shed light on my questions.

Art
http://home.epix.net/~artnpeg
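The container-scanning question raised earlier in the thread and the "basic X-raying" remark above are the kind of checks an analyst would script. What follows is an added example, not code from any post in this thread or from any product named in it: it walks a JPEG's marker segments, reports whatever sits after the End-Of-Image marker, and runs a known-plaintext test for a single-byte XOR key against the "MZ" header a Win32 executable starts with. That XOR test is this example's reading of "basic X-raying"; the thread does not say how the frog JPEGs hide their payload, and the sample bytes are constructed.

```python
# Added example, not from this thread; the XOR step is one reading of "basic X-raying".
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))   # markers with no length field

def walk_jpeg(data: bytes):
    """Return (list of marker names, offset just past EOI); ValueError if malformed."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    markers, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: the picture proper ends here
            markers.append("EOI")
            return markers, pos + 2
        markers.append(f"{marker:02X}")
        if marker in STANDALONE:
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")   # counts its own 2 bytes
        pos += 2 + length
        if marker == 0xDA:                       # SOS: skip entropy-coded data to next marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")

def xray_single_byte_xor(blob: bytes, known: bytes = b"MZ"):
    """Known-plaintext test: the key if blob starts with `known` XORed by one byte, else None."""
    if len(blob) < len(known):
        return None
    key = blob[0] ^ known[0]
    return key if all(b ^ key == k for b, k in zip(blob, known)) else None

def triage(data: bytes) -> dict:
    markers, end = walk_jpeg(data)
    trailing = data[end:]                        # anything a picture viewer would ignore
    return {"markers": markers, "trailing_bytes": len(trailing),
            "xor_key": xray_single_byte_xor(trailing)}

# Constructed sample: a marker skeleton (not a viewable picture) followed, after EOI,
# by an "MZ" stub XORed with 0x5A standing in for a hidden executable.
APP0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SOS = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\x56"
PAYLOAD = bytes(b ^ 0x5A for b in b"MZ\x90\x00hidden")
CLEAN = b"\xff\xd8" + APP0 + SOS + b"\xff\xd9"
SAMPLE = CLEAN + PAYLOAD                          # triage(SAMPLE)["xor_key"] == 0x5A
```

A non-zero trailing byte count is the signal worth raising on its own; the key recovery only adds confidence when the appended data is a lightly wrapped executable.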

Re: A Steganography sample malware



[quoted text snipped]

If you're interested - "pferrie.tripod.com/vb/x-raying.pdf" I believe it is FTP
protocol.



Re: A Steganography sample malware


Art wrote:

[quoted text snipped]

The code contained inside the jpegs isn't functional without something
to read it, win32.exe. Otherwise, the jpegs are a picture of a frog,
with hidden code. Code only readable by software that already knows
it's there. I don't think picture viewer will do anything bad if you
decide to look at one. :)

You could steganograph a .gif, .bmp, almost anything that doesn't have
CRC checks and/or a hashing table. The catch though is, your code likely
isn't operational on its own. A 3rd party will need to come read, and
put you back together in order to run.

[quoted text snipped]

I believe BugHunter also picks up win32.exe, but it doesn't alarm on
the jpegs either. And it's not going to....

--
Regards,
Dustin Cook
http://bughunter.atspace.org


Re: A Steganography sample malware

On 23 Jun 2006 08:11:24 -0700, "Dustin Cook"

[quoted text snipped]

Of course it doesn't but that's beside the point.

[quoted text snipped]

Yep, and that's exactly why I think the .JPGs should be detected.

[quoted text snipped]

Too bad. It would be a useful detection IMO.

Art
http://home.epix.net/~artnpeg

Re: A Steganography sample malware


Art wrote:

[quoted text snipped]

I'm lost then.
Steganography is the art and science of writing hidden messages in such
a way that no one apart from the intended recipient knows of the
existence of the message; this is in contrast to cryptography, where
the existence of the message itself is not disguised, but the content
is obscured.

[quoted text snipped]

Ehm... You do realize the growing possibility of false alarms if we
have antivirus/malware products trying to guess if something has a
hidden bit of code in a jpeg right?

That's a lot of signatures. :)

[quoted text snipped]

I would tend to disagree...

--
Regards,
Dustin Cook
http://bughunter.atspace.org


Re: A Steganography sample malware

On 23 Jun 2006 10:06:24 -0700, "Dustin Cook"

[quoted text snipped]

In this case they use JPG steganography to hide malicious code in
JPGs. Companion malware is required to decrypt and run the malicious
code.

[quoted text snipped]

I don't know that av have to "guess" (use heuristics only). It doesn't
appear that Symantec is detecting heuristically since it gives exact
IDs (and different ones) on three different JPG files.

[quoted text snipped]

Hell, signatures are ballooning outa sight anyway :) What's a few
more?

[quoted text snipped]

I'd say informing the user of the infested JPG which might be
used by the companion malware at any point is important. I'd
say it's more important than wasting sigs as some do on
commercial sw which might be used for nefarious purposes.
I'd go so far as to say it's more important than flagging
harmless adware that's merely annoying. After all, we're
talking here about some nasty downloader Trojans.

Art
http://home.epix.net/~artnpeg

Re: A Steganography sample malware


Art wrote:

[quoted text snipped]

Nah, you're right, they're using sigs. The malware isn't really keen on
the process, i.e. it's fixed, or appears to be.

[quoted text snipped]

How very true, and quite saddening. :)

[quoted text snipped]

Fair enough, Art. You've convinced me to hunt down the frog jpegs and
add them to bughunter...Although, I still maintain they are harmless
without win32.exe....

---
Regards,
Dustin Cook
http://bughunter.atspace.org


Re: A Steganography sample malware

On 23 Jun 2006 12:42:39 -0700, "Dustin Cook"

[quoted text snipped]

No need to hunt. Just let me know if you want me to send
them to you. And no, I'm not a malware spreader. I trust
you aren't either any more :)

[quoted text snipped]

Of course. Or some other suitable malware the mob in Russia
is cranking out that also works with these particular JPG files.

Art
http://home.epix.net/~artnpeg


Re: A Steganography sample malware


[quoted text snipped]


Do you want to look in *everything* for *anything*? Think of the cost.



Re: A Steganography sample malware

wrote:

[quoted text snipped]

See my reply to Dustin concerning that. Think of the cost of all the
sigs nowadays for harmless adware, cookies, and controversialware.

Art
http://home.epix.net/~artnpeg

Re: A Steganography sample malware


[quoted text snipped]

Yes, it's sad.

I don't think they should alert, but they should include them in verification
and cleanup. Alerts should be for threats.



Re: A Steganography sample malware


| Regulars here are aware that steganography is a technique
| of embedding malicious code in picture image files (and other
| files). Such files are themselves harmless since they require
| companion active malware to run the embedded code.

| The subject sample came in a zip of four files, three JPEGS
| and a file named WIN32.EXE. Here's the Virus Total result
| for the WIN32.EXE file:
| ***********************************
| AntiVir          TR/Crypt.F.Gen
| Authentium       no virus found
| Avast            no virus found
| AVG              no virus found
| BitDefender      Trojan.Downloader.Small.AMA
| CAT-QuickHeal    no virus found
| ClamAV           no virus found
| DrWeb            Trojan.DownLoader.9540
| eTrust-Inoculat  no virus found
| eTrust-Vet       Win32/Vxidl!generic
| Ewido            Downloader.Tibs.eo
| Fortinet         no virus found
| F-Prot           no virus found
| Ikarus           no virus found
| Kaspersky        Trojan-Downloader.Win32.Tibs.eo
| McAfee           4791  Generic Downloader
| Microsoft        no virus found
| NOD32v2          probably a variant of Win32/TrojanDownloader.Small.AWA
| Norman           no virus found
| Panda            Adware/Adsmart
| Sophos           no virus found
| Symantec         Trojan.Galapoper.A
| TheHacker        no virus found
| UNA              no virus found
| VBA32            Trojan.DownLoader.9540
| VirusBuster      no virus found
| ***********************************
| Only Bit Defender and Symantec alerted on the JPEGS.
| Bit Defender found Trojan.HideFrog.A in all three
| (they are images of a frog :))

| Symantec alerted as follows:
| NT1.JPG    W32.Looksky!gen
| NT2.JPG    Trojan.Desktophijack.B
| NT3.JPG    Trojan.Jupillites

| I'm puzzled that only two products alert on the JPEGS
| even though many alert on the (apparently)
| companion malware. I would think it important to
| alert on the JPEGS as a warning to users to get rid
| of them.

| I'm also puzzled/curious about the Symantec
| alerts.

| Here's a McAfee blog with some info on this
| malware set:

| http://www.avertlabs.com/research/blog/?p=36

| BTW, while McAfee alerts on WIN32.EXE as Generic
| Downloader, it does not alert on the JPEGS.

| Art
| http://home.epix.net/~artnpeg

Hi Art:

I see a nice thread came from this  :-)

I originally received from Symantec the following...

We have analyzed your submission.  The following is a report of our findings for
each file you have submitted:

filename: nt1.jpg
machine: AVCAutomation:
result: See the developer notes

filename: nt2.jpg
machine: AVCAutomation:
result: See the developer notes

filename: nt3.jpg
machine: AVCAutomation:
result: See the developer notes

Developer notes:
nt1.jpg is an image file that contains virus. You should delete this file.
nt2.jpg is an image file that contains virus. You should delete this file.
nt3.jpg is an image file that contains virus. You should delete this file.

-----

I was asking myself "What virus?"  They didn't identify anything!

Now on another batch...

Symantec is calling the submitted JPEGs -- Trojan.Frogexer!gen.

filename: proxy.jpg
machine: AVCAutomation:
result: This file is detected as Trojan.Frogexer!gen.

filename: tibs.jpg
machine: AVCAutomation:
result: This file is detected as Trojan.Frogexer!gen.

filename: jpg.jpg
machine: AVCAutomation:
result: This file is detected as Trojan.Frogexer!gen.

filename: tool.jpg
machine: AVCAutomation:
result: This file is detected as Trojan.Frogexer!gen.

filename: winlogon.jpg
machine: AVCAutomation:
result: This file is detected as Trojan.Frogexer!gen.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
