Malware disguised as picture file
4 posters
I recently came across a malware file that had the extension .jpg and that Windows parsed as a harmless looking picture file. All black-listing applications pretty much detected it as malware (that is, they weren't fooled by file extensions). This malware file could easily have any other file extension, and the black-lister would still label it as malware. This is because (most) black-listers don't look at file extensions (alone).
Essentially I accessed this malware file via IE and managed to find the file in the "Temporary Internet Files" folder:
You can see that it was "Last Modified" on July 13 2010 (making the malware about 2 weeks old - ample time for anti-malware programs to black-list it). A scan by MBAM shows this:
VirusTotal shows this (I don't show it all, but I'm sure you get the idea):
Now of course, executing this malware file as Windows sees it will result in nothing:
However, executing it as DOS sees it will result in the malware running:
The malware then goes on to perform all sorts of malicious looking actions, including writing a payload executable, calling out several times to a dodgy looking IP address, and placing autostart entries in the Windows registry.
Anyway, what interested me wasn't the fact that this malware file was downloaded as a benign looking picture file. Instead, it was the concept of this malware file being able to be executed via the command prompt, and whether various anti-malware mechanisms would block it or not.
In the next post, I'll be testing an old killdisk malware ("WYH Disk killer") that has been disguised as a picture file (basically I've renamed the file extension from .exe to .jpg) and executed via the command prompt. Then we'll see which anti-malware mechanism can block it.
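The content-versus-extension check the first post attributes to black-listers, worked as an added Python example (not the poster's own tooling): it classifies a file by its header bytes the way a scanner does, so a PE executable renamed to .jpg is flagged by what it is rather than what it is called. The MZ/PE and JPEG sample bytes are constructed here for the demonstration and are not taken from the thread's malware.

```python
import struct

# Header signatures (well-known file "magic" values)
JPEG_MAGIC = b"\xff\xd8\xff"      # JPEG start-of-image marker
MZ_MAGIC = b"MZ"                  # DOS/Windows executable header
PE_SIGNATURE = b"PE\x00\x00"      # PE header marker located via e_lfanew

EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "exe": "pe", "com": "mz-dos"}


def sniff_type(data: bytes) -> str:
    """Classify a file by its first bytes only; the file name is never consulted."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data[:2] == MZ_MAGIC and len(data) >= 0x40:
        # Offset 0x3C of the MZ header holds e_lfanew, the file offset of "PE\0\0".
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
            return "pe"
        return "mz-dos"   # MZ stub without a PE header: a plain DOS executable
    return "unknown"


def check_file(name: str, data: bytes) -> dict:
    """Report what the extension claims, what the content is, and whether they disagree."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = EXT_TO_TYPE.get(ext, "unknown")
    actual = sniff_type(data)
    return {"name": name, "claimed": claimed, "actual": actual,
            "mismatch": actual != "unknown" and actual != claimed}


def build_fake_pe() -> bytes:
    """Constructed sample: a minimal MZ header whose e_lfanew points at a PE signature.
    It is not a runnable program, just enough bytes to exercise the detector."""
    header = bytearray(0x40)
    header[:2] = MZ_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)    # e_lfanew = 0x40, right after the header
    return bytes(header) + PE_SIGNATURE + b"\x00" * 16


FAKE_PE = build_fake_pe()
FAKE_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 16   # constructed JPEG prefix

if __name__ == "__main__":
    for name, blob in [("holiday.jpg", FAKE_PE), ("holiday.jpg", FAKE_JPEG), ("tool.exe", FAKE_PE)]:
        print(check_file(name, blob))
```

Running it flags the "holiday.jpg" that is really a PE file as a mismatch, while the genuine JPEG prefix and the honestly named .exe pass.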
Re: Malware disguised as picture file
1. SRP: BLOCKED
"The system cannot execute the specified program".
2. Sandboxie 3.46: BLOCKED
Sandboxie of course contains this malware anyway, but I wanted to test its anti-execution mechanism.
3. AppGuard 1.4.7: BYPASSED
Windows shuts down and can't be rebooted. Even specifically adding the command prompt to AppGuard's list of "Guarded Applications" does not help. AppGuard does block the execution when the file is renamed back to .exe:
Re: Malware disguised as picture file
It just goes to show that any file that comes from the net, even an innocent-looking picture file, should always be run in the sandbox. It reminds me of that thread on Wilders about "can picture jpg contain malware?"
This is how the average pc user gets infected who only has an AV for their security if they download the image file before their av updates their database.
arran (Member)
Re: Malware disguised as picture file
Some years ago Windows 2000 & NT source code were leaked and one of the consequences was the finding of a vulnerability in jpg files.
Buster_BSA (Member)
Re: Malware disguised as picture file
I have seen such malware in the past. If you open this .jpg file via double click, it's harmless as it will not execute. I am however interested if there are .jpg files that can infect the system if opened via double click! Has anyone got such a malware?
aigle (Member)
Re: Malware disguised as picture file
aigle wrote: I have seen such malware in the past. If you open this .jpg file via double click, it's harmless as it will not execute. I am however interested if there are .jpg files that can infect the system if opened via double click! Has anyone got such a malware?
I think that would only happen if there was a specific exploit in the picture viewing program (e.g. a buffer overflow exploit).
Buster_BSA (Member)
Re: Malware disguised as picture file
Do you have such a sample?
Thanks
aigle (Member)