A Steganography sample malware - Page 6


Re: A Steganography sample malware

The JPG-SCAN program at my web site has been updated
to detect certain narrower specific characteristics that the
Trojanized JPG samples I have display. Deletion of detected
Trojanized JPGs is left up to the user.

Art
http://home.epix.net/~artnpeg

Re: A Steganography sample malware


Updated again Sunday afternoon to accommodate additional
Trojanized samples I found. It's quite unlikely that the scanner
will false alarm on non-Trojanized JPGs, so if the picture image
is of little value the file(s) detected should be deleted. If anyone
finds apparent FPs, please send sample(s) of the file(s) to
artsown at epix dot net.

As of this afternoon here in central Pa., I see Ewido added as the
fourth to the very short list of av/anti-malware vendors alerting
on the Trojanized files.

Art
http://home.epix.net/~artnpeg

Re: A Steganography sample malware


Thread update:

As of today, most vendors are still not alerting on the JPGs.
Some such as TIBS.JPG and WEB.JPG only have one vendor
alerting ...  Symantec. With PROXY.JPG, only Fortinet and
Symantec alert.

I made an attempt to get an idea of which vendors might alert
on a realtime scanner basis. I isolated the appended malicious
code portions of the files, and for five of the eight samples
I was able to also determine the XOR decryptor used. I found
that McAfee in particular didn't alert on the encrypted files
but it did on some of the decrypted files. So to nursemaid
the av products a bit, I only uploaded decrypted files to
VT. Notably, in my other tests using McAfee SCAN,  F-Prot
DOS and KAVDOS32, F-Prot and Kaspersky didn't care if the
files were decrypted or not.  

The details are far too lengthy to report here since they involve
many Virus Total results as well as other details. Suffice it to say
that the results are quite mixed and detection is "spotty". While
some of the better av/antimalware products can be expected to
alert realtime on some of the files (when a new and "unknown"
companion runs the appended malicious code), I wouldn't place
any bets on it in general.

So IMO, the situation is just as peculiar, or worse, as when I
started this thread. Three of my samples, NT1, NT2 and NT3
(the ones I failed to decrypt) aren't detected by any vendors
in their isolated non-JPG form. Yet these are the three that
four vendors alert on in their full JPG form. So we have
reason(s) to expect that the appended code is malicious. I'm
not about to use a companion to extract, decrypt and run
the code (on a goat PC) to see which av alert, if any.

Why the vendors don't alert on the JPGs is beyond me. They
are leaving users at much higher risk, when it would be so
easy for them to provide detection.

Art
http://home.epix.net/~artnpeg

Re: A Steganography sample malware

My JPG-SCAN program has been speeded up considerably,
and there have been some cosmetic changes done recently.
Detection is now "tight enough" that there should be no
false positives on legit JPG files.

Art
http://home.epix.net/~artnpeg

Re: A Steganography sample malware

Jeeze Art... Are you going to make a gif/tga/bmp scanner too? *grin*



--
Dustin
Author of BugHunter - MalWare Removal Tool
http://bughunter.it-mate.co.uk


Re: A Steganography sample malware

On Wed, 05 Jul 2006 02:15:31 GMT, Dustin Cook

I sure am, wise ass, if there's a need for it.

Art
http://home.epix.net/~artnpeg



Re: A Steganography sample malware


Art wrote:

Wiseass? jeeze.. I wasn't trying to be one, it was simply a question.
I've never seen a jpeg scanner until now.

I don't know if somebody spiked your coffee, so make a fresh pot drink
some, wakeup, and then come to usenet.

Have a good one,
Dustin


Re: A Steganography sample malware

On 5 Jul 2006 07:18:56 -0700, "Dustin Cook"

Ok, I apologize then for the "wise ass" comment. It's just that you've
posted your negative opinion on av scanning the JPGs and I figured
your comment reflected that negative opinion and you were being
a wise ass about it.

I'm convinced that as long as most av turn their backs on detecting
the appended malicious code in the JPGs, they aren't serving their
customers well. As I posted, I've accumulated some evidence that
many av probably won't alert realtime when a new and unknown
companion extracts, decrypts, and runs the appended malicious
code. Many don't even seem to have detection for the various
downloader Trojans and Trojan droppers contained  in the JPGs.
So the JPGs are a sitting time bomb waiting to go off.

It's not that the vendors haven't been fed samples. They have and
they're ignoring them and the malicious code contained within them, it
seems. And all are guilty of it to one extent or another. Of all the
damn things, Kaspersky suddenly started alerting on just one of the
JPG samples I have ... the one named WEB.JPG. Yet Kaspersky
alerts on the embedded code in five of the JPG samples I have if I
extract it from the JPG and thus isolate it. It's nutty and
inconsistent as hell ... just like much I've seen with other av
in connection with the "froggies" and the appended code.

Bottom line is that as long as av are behaving so erratically
and unreliably, I see a need for something like my "froggy
detector" so that users can be alerted and get rid of them.

Art
http://home.epix.net/~artnpeg

Re: A Steganography sample malware

While I think of it, Art - what happens if you run Ad-Aware over your JPG
samples, in ADS-test mode??

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com

http://tinyurl.com/6oztj

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's

Re: A Steganography sample malware

On Wed, 5 Jul 2006 17:10:23 +0100, "Noel Paton"

Haven't tried it but I will if that mode is available on the free
version or a free-to-try demo.

Art
http://home.epix.net/~artnpeg

Re: A Steganography sample malware

Yup - it's a little hidden, but it's there all right

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com

http://tinyurl.com/6oztj

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's

Re: A Steganography sample malware

On Wed, 5 Jul 2006 20:37:08 +0100, "Noel Paton"

I don't see anything in AdAware SE about an ADS-Test mode.
Exactly what is it that you're talking about and why do you
think AdAware would be of any use in the case of JPGs
containing appended encrypted code when most av products
aren't even alerting?

Art
http://home.epix.net/~artnpeg

Re: A Steganography sample malware

In Ad-Aware - Scan now
Scan Mode - Scan Volume for ADS (Alternate Data Streams)
Back in Dec/January, when the WMF exploits initially reared their head, one
distinguishing feature of infected files was that they all showed positive
on testing for ADS (even when tested in Win9x, IIRC) using Ad-Aware.
It was an effective discovery tool before the AV's caught up (and
incidentally demonstrated why Win9x wasn't vulnerable to that particular
exploit).

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com

http://tinyurl.com/6oztj

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's

Re: A Steganography sample malware

On Wed, 5 Jul 2006 21:45:17 +0100, "Noel Paton"

Ok, set it to scan my entire drive. No alerts.

Interesting. I missed that tidbit :)

Art
http://home.epix.net/~artnpeg

Re: A Steganography sample malware


Reason I asked was quite simple - one common way of creating ADS in a file
(or so I thought) was to put the EOF marker actually before the end of the
file, so fooling the usual app into not bothering with the extra 'code', but
that if you could force another app to read the file, this code could become
visible....
Obviously, I thought wrong (nothing unusual there, then!).

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com

http://tinyurl.com/6oztj

Please read http://dts-l.org/goodpost.htm on how to post messages to NG's


Re: A Steganography sample malware


Art wrote:

Nah. I disagree with scanning jpegs, sure; but no reason to be a jerk
about it. I have no problem with your program, it's neat. I just never
saw one specifically designed to hunt malware from a jpeg before. :)

This is where it gets a little foggy for me. If the companion is new
and unknown, why does it even need to extract old code? It already has
the system by the gonads.

In a way, yes.. I suppose they are, but by the same token, if a new
unknown companion gets on the box to use them, the user is already
hurting.

The thing is, if the code you're extracting is appended, it's not really
Steganography. If the code was hidden properly, would your program
still alert on it? I think I'm going to do a little tinkering and find
out. No worries, no sources, description of how to evade your program
(if any evading is to be done) will be published. I'll email you the
results of my findings.

If the code is appended, it's not a true steganographic file...

Understandable. I'm just thinking, if the author properly
steganographed the files, whether your utility would work, I'm thinking
no....


Re: A Steganography sample malware

On 5 Jul 2006 09:20:01 -0700, "Dustin Cook"

I used to have one just to scan Word docs for embedded Trojans until
the av vendors finally got off their asses and starting alerting on
"known" ones.

You're ignoring the possibility of companions whose only purpose and
function is to extract and run the code in the JPGs. Now, it may be
that av vendors have developed heuristic/generic detection of that
kind of activity and will block it without specific sigs as
"suspicious". I don't know. If that's the way many av vendors
plan to deal with the issue, it certainly doesn't inspire any
confidence with me :)

Not if the companion's sole purpose in life is running the code in the
JPGs. Remember that these things are being generated by an
organized mob of hackers.

I don't know if all experts agree that this "simple" method is a form
of steganography. Some claim that it is. Personally, I'm not the least
bit interested in the semantics as long as we each know what the
other is talking about. In this case, all the samples I have are
simple appendages of encrypted code.    

Well, I know what you mean by "properly" I think, and the answer
is a very definite NO! My program simply looks for certain
characteristics all of the samples I have have in common. For one
thing, they all have an End of Image marker in the same location
in the file. But I also require that the two bytes following that
marker match either of the two different byte pairs I've
seen in the samples. So I definitely need samples of any new
froggies to update my signatures :)    

I've already given that issue some thought and decided it would
be silly to not divulge the very simple method I'm using. It's
not rocket science, to be sure.

I'm not taking the bait since I don't give a shit one way or
another what various people's opinions are on the semantics
and word definitions.

That's correct. It wouldn't.  

Art
http://home.epix.net/~artnpeg
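
What Art describes above (an End of Image marker in a fixed place, followed by bytes that should not be there) and Noel's ADS question earlier in the thread both come down to one check: does anything trail the JPEG's EOI marker? The following is an added example, not Art's JPG-SCAN or anyone's code from this thread. It walks the JPEG marker structure to find the genuine EOI (so an FF D9 inside entropy-coded scan data is not mistaken for it), then reports how much data follows and how random it looks. Art's two byte-pair signatures are not given on the page, so this flags any trailer instead; the sample bytes are constructed, not real samples.

```python
"""Report data appended after a JPEG's End Of Image (EOI) marker."""
import math
import struct

EOI, SOS = 0xD9, 0xDA
RST = set(range(0xD0, 0xD8))          # restart markers carry no length field

def find_eoi(data: bytes) -> int:
    """Offset of the real EOI marker, or -1 if the structure is not a JPEG."""
    if data[:2] != b"\xff\xd8":       # must start with SOI
        return -1
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:         # every segment begins with FF
            return -1
        marker = data[pos + 1]
        if marker == EOI:
            return pos
        if marker in RST or marker == 0x01:   # standalone markers (RSTn, TEM)
            pos += 2
            continue
        if pos + 4 > len(data):
            return -1
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == SOS:
            # Entropy-coded data: skip FF00 byte stuffing and embedded RSTn markers.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0 and data[pos + 1] not in RST:
                    break
                pos += 1
    return -1

def trailer_report(data: bytes) -> dict:
    """Length and Shannon entropy (bits/byte) of whatever follows EOI."""
    eoi = find_eoi(data)
    if eoi < 0:
        return {"valid": False, "trailer_len": 0, "entropy": 0.0}
    trailer = data[eoi + 2:]
    ent = 0.0
    for b in set(trailer):
        p = trailer.count(b) / len(trailer)
        ent -= p * math.log2(p)       # high entropy is consistent with XOR-obscured code
    return {"valid": True, "trailer_len": len(trailer), "entropy": round(ent, 2)}

# Constructed skeleton (not a decodable picture): SOI, APP0, SOS header,
# scan bytes containing an FF00 stuffing and an RST0 marker, then EOI.
CLEAN_JPG = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
             + b"\x12\x34\xff\x00\x56\xff\xd0\x78\xff\xd9")
# Constructed "froggy": the same bytes plus an XOR-obscured blob appended after EOI.
APPENDED_JPG = CLEAN_JPG + bytes(b ^ 0x5A for b in b"MZ\x90\x00constructed payload stub" * 3)
```

Some legitimate writers do append data after EOI, so a non-empty trailer is a triage signal to inspect, not a verdict by itself.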

Re: A Steganography sample malware


Art wrote:

Yea, we used one custom here in the shop to kill macros. Some users
didn't like it, but we didn't have much choice back then.

True, I was ignoring the possibility from the POV of a former vxer; I
personally wouldn't waste the time coding something that depended on
you being previously infected.

But, I suppose it's possible some malware authors will.

An organized mob sure, likely stealing code from others. :)

Nor am I. I was simply going by the definition I was taught in school
was all. I realize things change, however.

That's what I was thinking your program was doing, but wasn't sure. I
haven't had time to take it apart.

No bait provided. Simple statement of fact was all. Sorry if I led you
to believe otherwise.

It's still a good try tho.

As a side note Art, I'm not trying to bait you in any way nor make
wiseass comments concerning your program. I just had a few questions
and you've answered them, thanks.

--
Regards,
Dustin Cook


Re: A Steganography sample malware


So where's the "need" for jpg scanning? I can see there would be a need
to detect a program that attempts to use jpg data as code, but the need
for scanning data files for possible 'data as code' inclusions escapes me.

Aside from just a mental exercise, and in the process learning more about
the jpeg specs - I think you're wasting time. Any data filetype can contain
data destined to be used as code by a nefarious trojan.



Re: A Steganography sample malware

I've already explained that in my other posts in this thread.  

Your attitude and opinion escapes me.  

That's why container scanning is important. In practicing safe hex, I
don't rely on some single realtime av. That's far too risky, and in
this particular case it's exceptionally risky for reasons I've pointed
out. I want my scanners to detect malicious code during on-demand
scans of various containers, and in compressed and packed files.

Art
http://home.epix.net/~artnpeg
