A Steganography sample malware - Page 5


Re: A Steganography sample malware



Steganography aside, what if the companion used a cookie file or
other text filetype to do effectively the same thing? Do you really
want to scan all filetypes for all known encoding or compressing
algorithms?


They're going down the wrong path in alerting on these harmless files.
They will however achieve their ultimate goal of marketing FUD.



Re: A Steganography sample malware


Nonsense. I think those who think there's no harm in not having a
means of dealing with the issue are sticking their heads in the sand.
Those damn frogs will bite you sooner or later :)

Art
http://home.epix.net/~artnpeg

Re: A Steganography sample malware



All they are doing is trying to draw in those that don't use AV, because they
only trade pictures (jpegs) with friends and relatives, into the marketplace.


There is plenty of code already on everyone's machine that, if used maliciously,
will destroy data. Why worry about malware that needs ini files in the form of
text or other non-executable filetypes? And who gives a hoot if it is stego or
crypto or compressed? Bottom line - the executable is the malware in this case.




Re: A Steganography sample malware


edgewalker wrote:


I'd rather not. You can hide code in just about any filetype
imaginable. I could even hide code in a series of mp3s in the meta tag
section.


That seems to be the idea. A jpeg scrubber. AV, antimalware, whatever
should focus on the program that can reconstruct the data, not the
potential data itself. BugHunter will not be adding the jpegs to its
database, as I don't feel they pose any real danger to anyone. Symantec
should be ashamed of themselves for giving in to this false alarm crap.
Users are paranoid enough as it is, now you want various products
scanning for code that's harmless... Such a waste.

--
Regards,
Dustin Cook
http://bughunter.atspace.org


Re: A Steganography sample malware

Now Fortinet can be added to the short list of vendors
alerting on the JPG files:

NT1.JPG   Possible Threat (05993)
NT2.JPG   Possible Threat (05994)
NT3.JPG   Possible Threat (05995)

Art
http://home.epix.net/~artnpeg

ATTN: Phil W and B. R. 'BeAr' Ederson ( was Re: A Steganography sample malware )


| Regulars here are aware that steganography is a technique
| of embedding malicious code in picture image files (and other
| files). Such files are themselves harmless since they require
| companion active malware to run the embedded code.

< snip >

So you guys have a *REAL* example to play with...

hxxp://countbest.net/pic/winlogon.jpg

http://www.dnsstuff.com/tools/whois.ch?ip=COUNTBEST.NET


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: ATTN: Phil W and B. R. 'BeAr' Ederson ( was Re: A Steganography sample malware )

On Mon, 26 Jun 2006 20:22:43 GMT, "David H. Lipman"


That one is different from the three you sent me. Bit Defender
doesn't alert on this one. Fortinet and Symantec do. Where did
you find the other ones?

Art
http://home.epix.net/~artnpeg



Re: ATTN: Phil W and B. R. 'BeAr' Ederson ( was Re: A Steganography sample malware )


|
| That one is different from the three you sent me. Bit Defender
| doesn't alert on this one. Fortinet and Symantec do. Where did
| you find the other ones?
|
| Art
| http://home.epix.net/~artnpeg
|

:-)

I can't provide that -- sorry.
See my reply to Phil.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Phil W and B. R. 'BeAr' Ederson ( was Re: A Steganography sample malware )

'David H. Lipman' wrote:
| So you guys have a *REAL* example to play with...
|
| hxxp://countbest.net/pic/winlogon.jpg
|
| http://www.dnsstuff.com/tools/whois.ch?ip=COUNTBEST.NET
|
_____

Da5id, thanks for the post (you have read "Snow Crash", I hope.)
The frog I get from the URL is a Windows bitmap, not a JPEG compressed
image.
There seem to be pixels in the white background of the image that are not
necessary, and that could contain meaningful data. But you have posted
about JPEG images, and this frog isn't one.

Phil Weldon

|
|| Regulars here are aware that steganography is a technique
|| of embedding malicious code in picture image files (and other
|| files). Such files are themselves harmless since they require
|| companion active malware to run the embedded code.
|
| < snip >
|
| So you guys have a *REAL* example to play with...
|
| hxxp://countbest.net/pic/winlogon.jpg
|
| http://www.dnsstuff.com/tools/whois.ch?ip=COUNTBEST.NET
|
|
| --
| Dave
| http://www.claymania.com/removal-trojan-adware.html
| http://www.ik-cs.com/got-a-virus.htm
|
|



Re: Phil W and B. R. 'BeAr' Ederson ( was Re: A Steganography sample malware )



| _____
|
| Da5id, thanks for the post (you have read "Snow Crash", I hope.)
| The frog I get from the URL is a windows bit map, not a JPEG compressed
| image.
| There seem to be pixels in the white background of the image that are not
| necessary, and that could contain meaningful data.  But you have posted
| about JPEG images, and this frog isn't one.
|
| Phil Weldon
|

Snow Crash?
    You lost me.

Look at the URL and the location it is from.
What was true Today may not be true Tomorrow.
These sites change often.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Phil W and B. R. 'BeAr' Ederson ( was Re: A Steganography sample malware )



| Da5id, thanks for the post (you have read "Snow Crash", I hope.)
| The frog I get from the URL is a windows bit map, not a JPEG compressed
| image.
| There seem to be pixels in the white background of the image that are not
| necessary, and that could contain meaningful data.  But you have posted
| about JPEG images, and this frog isn't one.
|
| Phil Weldon
|

For more samples, go to: alt.binaries.comp.virus
Subject: Steganography

However you will have to get the password for the ZIP file from me via email.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Phil W and B. R. 'BeAr' Ederson ( was Re: A Steganography sample malware )

On Mon, 26 Jun 2006 21:31:58 GMT, "Phil Weldon"


Phil, send me an email at artsown at epix dot net and I'll send you the
three JPGs.

Art
http://home.epix.net/~artnpeg

Re: ATTN: Phil W and B. R. 'BeAr' Ederson ( was Re: A Steganography sample malware )

On Mon, 26 Jun 2006 20:22:43 GMT, David H. Lipman wrote:

[Download link]

Nothing great to play with. Just a *.jpg with flange mounted Trojan
code. The most simple variant we discussed. No need to think about
brightness image changes and the like. Just let IrfanView with the
*.jpg lossless plugin Art mentioned yesterday scrub off all spare
bytes ("optimize") and you're done. Save and clean.

If the image were bigger, the attached code could be a set up wrong
track to distract from another danger. But the rest of the image is
too small to think about that another time.

BeAr
--
===========================================================================
= What do you mean with: "Perfection is always an illusion"?              =
===============================================================--(Oops!)===

Re: ATTN: Phil W and B. R. 'BeAr' Ederson ( was Re: A Steganography sample malware )

On Tue, 27 Jun 2006 18:37:39 +0200, "B. R. 'BeAr' Ederson"


Why bother with IrfanView? It's easy to detect the Trojanized JPGs.
No need to scrub them. Simply delete them.

Art
http://home.epix.net/~artnpeg

Re: A Steganography sample malware

I've put JPG-SCAN.ZIP up at my web site for anyone interested.
It uses an extremely simple algorithm for detecting the subject
samples. I had a collection of 78 .JPG files I had downloaded a
long time ago ... mostly pictures of various locations in Alaska. Of
these, 10 alerted my scanner since they had some kind of extraneous
bytes near the end of the file after the JPG end bytes. I have no
reason to think these 10 are actually Trojanized, but it's curious
that files like this are created somehow. I "cleaned" one of them
using IrfanView at 100% quality and the file size more than tripled
up to nearly a half meg from less than 200K. People will just have
to tinker around finding a quality percentage that's suitable for
them consistent with lower file sizes.

It was fun designing the scanner, and I might add other kinds
of simple but useful "oddball" detections, such as for Word DOC
embedded Trojans. The scanner can be speeded up considerably,
but for now there's little point in doing that since it takes less
than a minute to scan the 1,250 folders on my Win 2K PC main
partition.

Art
http://home.epix.net/~artnpeg

Re: A Steganography sample malware



Wouldn't it be better to simply truncate the files? Irfanview would
only ruin any hidden data in the files if it was mixed in with the
image datastreams (which it isn't).


Jim.


Re: A Steganography sample malware


No, IrfanView does truncate the files and remove the extraneous bytes
after the "end of JPG" marker bytes. IOW, it removes appendages.

My thinking on this first go-around with the scanner was that it would
not offer to modify files. That way "power users" at least could look
at the files flagged as suspicious in a hex editor and see what's
going on, so to speak. But now that you bring it up, I think I will
include an option to truncate the files as a convenience to users,
since that would eliminate the need to use Irfan (or other apps).
So far as I can determine, the scanner would only have to find
the first occurrence of the "end of JPG" marker bytes and truncate
all bytes after that.

Art
http://home.epix.net/~artnpeg


Re: A Steganography sample malware

On Sat, 01 Jul 2006 10:21:40 GMT, Art wrote:


No. JFIF containers can have nested data streams. Often your method
would truncate right after a preview picture, deleting the whole
real thing. There can be other stream nestings, too. So the only
possible way is to evaluate one JFIF block after another, parsing
any data stream until EOI and continue the scan through the next
JFIF blocks and data streams. You'd need to detect invalid or
suspicious blocks or data to act properly.

JFIF blocks have size definitions (usually at byte 2 with length
word), while data streams have no size property.

BeAr
--
===========================================================================
= What do you mean with: "Perfection is always an illusion"?              =
===============================================================--(Oops!)===
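The two approaches argued over above, Art's scanner that looks for bytes after the "end of JPG" marker and BeAr's objection that you must walk the JFIF segments (with their length words) and the entropy-coded scan data to the real EOI rather than stop at the first FF D9, can both be seen in one small parser. The following is an added example written for this page, not code from JPG-SCAN.ZIP or from anyone in the thread. Every byte string in it is constructed inline: the "images" are marker-level JPEG skeletons (valid segment structure, not decodable pictures), and the sample with an Exif-style thumbnail embedded in an APP1 segment shows exactly why truncating at the first FF D9 would cut off the real picture.

```python
"""Walk a JPEG/JFIF file marker by marker and report bytes past the true EOI.

Added example, not code from the thread. All sample bytes are constructed.
"""
import struct

SOI, EOI, SOS, TEM = 0xD8, 0xD9, 0xDA, 0x01
MARKER_NAMES = {0xC0: "SOF0", 0xC4: "DHT", 0xDB: "DQT", 0xDA: "SOS",
                0xE0: "APP0", 0xE1: "APP1", 0xFE: "COM", 0xD9: "EOI"}


def _skip_entropy_coded(data, pos):
    """Advance past scan data (which has no length word) and return the offset
    of the 0xFF that starts the next real marker. Inside scan data a 0xFF is
    followed by 0x00 (byte stuffing), 0xD0-0xD7 (restart markers) or another
    0xFF (fill); anything else terminates the scan."""
    while True:
        i = data.find(b"\xff", pos)
        if i < 0 or i + 1 >= len(data):
            raise ValueError("scan data runs off the end: no EOI marker found")
        nxt = data[i + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7 or nxt == 0xFF:
            pos = i + 1
            continue
        return i


def walk_segments(data):
    """Return (offset just past the real EOI, list of (name, start, end))."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker: not a JPEG")
    pos, segments = 2, [("SOI", 0, 2)]
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("file ends inside a marker")
        start, marker = pos - 1, data[pos]
        pos += 1
        name = MARKER_NAMES.get(marker, f"0x{marker:02X}")
        if marker == EOI:
            segments.append(("EOI", start, pos))
            return pos, segments
        if marker == TEM or 0xD0 <= marker <= 0xD7:  # stand-alone markers
            segments.append((name, start, pos))
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos:pos + 2])  # length includes itself
        end = pos + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        segments.append((name, start, end))   # nested thumbnails are skipped here
        pos = end
        if marker == SOS:
            pos = _skip_entropy_coded(data, pos)
    raise ValueError("no EOI marker found")


def analyze(data):
    """Compare the segment walk with the naive 'first FF D9' search."""
    naive = data.find(b"\xff\xd9")
    try:
        eoi_end, segments = walk_segments(data)
    except ValueError as exc:
        return {"error": str(exc), "naive_first_eoi": naive}
    return {"eoi_end": eoi_end, "trailing_bytes": len(data) - eoi_end,
            "naive_first_eoi": naive, "segments": segments}


def report(name, data):
    r = analyze(data)
    if "error" in r:
        return f"{name}: UNPARSEABLE ({r['error']}); first FF D9 at {r['naive_first_eoi']}"
    verdict = ("clean" if r["trailing_bytes"] == 0
               else f"SUSPICIOUS: {r['trailing_bytes']} bytes after EOI")
    return (f"{name}: {len(data)} bytes, real EOI ends at {r['eoi_end']}, "
            f"first FF D9 at {r['naive_first_eoi']}: {verdict}")


# --- constructed samples -----------------------------------------------------
def _seg(marker, body):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body


def build_skeleton(extra=b""):
    """Constructed marker-level JPEG skeleton; structurally valid, not a real picture."""
    return (b"\xff\xd8"
            + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + extra
            + _seg(0xDB, b"\x00" + bytes(64))
            + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
            + _seg(0xC4, b"\x00" + bytes(16))
            + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x12\x34\xff\x00\x56"        # scan bytes, one stuffed FF 00
            + b"\xff\xd9")


THUMBNAIL = build_skeleton()
# The thumbnail's FF D9 is the *first* EOI in this file but not the real one.
CLEAN = build_skeleton(_seg(0xE1, b"Exif\x00\x00" + THUMBNAIL))
PAYLOAD = b"CONSTRUCTED-APPENDED-DATA"      # stands in for an appended blob
APPENDED = CLEAN + PAYLOAD
NO_EOI = CLEAN[:-2]                          # like Art's files lacking FF D9

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("appended", APPENDED), ("no-eoi", NO_EOI)):
        print(report(label, blob))
```

Run it and the "clean" sample reports zero trailing bytes even though a naive search finds FF D9 far earlier, inside APP1; the "appended" sample reports exactly the payload length; and the "no-eoi" sample comes back unparseable rather than silently "clean". Treat a non-zero trailing count as a triage signal to look at in a hex editor, not as a verdict: as Art found with his Alaska pictures, and as BeAr notes about SPIFF files with data mapped to the end, legitimate writers produce such files too.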

Re: A Steganography sample malware

On Sat, 1 Jul 2006 19:31:26 +0200, "B. R. 'BeAr' Ederson"


What file extension(s) is/are used?


Yes, well it's no surprise that the plot thickens :) BTW, I added a
search for FF D9 anywhere in the file, and two of the ten suspicious
but probably legit JPGs were isolated with this test. I verified using
a hex editor that they indeed had no FF D9 anywhere in the file.
My guess that such files would cause Irfan to just flag them as
corrupted was wrong. Irfan displays them with no complaints. I went
ahead and used Irfan Save on all ten files, and they no longer flag as
suspicious, meaning that they now all have FF D9 as the last two bytes
in the file (as expected).

Art
http://home.epix.net/~artnpeg


Re: A Steganography sample malware

On Sat, 01 Jul 2006 19:02:42 GMT, Art wrote:


Huh? Usually, *.jpg or *.jpeg. JPEG is a compression scheme. And JFIF
(JPEG File Interchange Format) is the file format mainly used to write
JPEG data.

An extended ISO variant is SPIFF, which supports "directories" inside
the file. Still, you'll encounter such files as *.jpg/*.jpeg. As I
understand the format description, your seemingly valid *.jpg which
don't end with EOI might be totally valid SPIFF files with indirect
data on end. That's data from too large directory entries mapped to
the end of the file. IrfanView may just reorganize the files such
that the need for these extra entries disappears.

BeAr
--
===========================================================================
= What do you mean with: "Perfection is always an illusion"?              =
===============================================================--(Oops!)===
