Malware disguised as picture file



Post by ssj100 on 29/7/2010, 05:05

I recently came across a malware file that had the extension .jpg and that Windows parsed as a harmless looking picture file. All black-listing applications pretty much detected it as malware (that is, they weren't fooled by file extensions). This malware file could easily have any other file extension, and the black-lister would still label it as malware. This is because (most) black-listers don't look at file extensions (alone).

Essentially I accessed this malware file via IE and managed to find the file in the "Temporary Internet Files" folder:
[screenshot]

You can see that it was "Last Modified" on July 13 2010 (making the malware about 2 weeks old - ample time for anti-malware programs to black-list it). A scan by MBAM shows this:
[screenshot]

VirusTotal shows this (I don't show it all, but I'm sure you get the idea):
[screenshot]

Now of course, executing this malware file as Windows sees it will result in nothing:
[screenshot]

However, executing it as DOS sees it will result in the malware running:
[screenshots]
The malware then goes on to perform all sorts of malicious looking actions, including writing a payload executable, calling out several times to a dodgy looking IP address, and placing autostart entries in the Windows registry.

Anyway, what interested me wasn't the fact that this malware file was downloaded as a benign looking picture file. Instead, it was the concept of this malware file being able to be executed via the command prompt, and whether various anti-malware mechanisms would block it or not.

In the next post, I'll be testing an old killdisk malware ("WYH Disk killer") that has been disguised as a picture file (basically I've renamed the file extension from .exe to .jpg) and executed via the command prompt. Then we'll see which anti-malware mechanism can block it.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
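The behaviour ssj100 describes above comes down to two different decision points: Explorer picks a handler from the file extension, while the program loader only looks at the file's own header, so a renamed executable is inert on double-click but runs from the command prompt. That mismatch is also what a defender can look for. The following is an added example, not code from the thread or from any of the products mentioned in it: it walks a directory and flags files whose extension claims to be an image but whose leading bytes are a DOS/PE executable. The magic-byte table, the function names and the sample files (a genuine JPEG header, a minimal PE header named .jpg, a .png that is plain text) are all constructed for the demonstration; no real malware is involved.

```python
import os
import struct
import tempfile

# Header bytes expected for common image extensions.
# Constructed for this example; extend as needed.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
}


def is_pe_image(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew field (offset 0x3C)
    points at the 'PE\\0\\0' signature, i.e. the file is a Windows executable
    regardless of what its name says."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(path: str) -> str:
    """Compare a file's extension with its leading bytes."""
    ext = os.path.splitext(path)[1].lower()
    expected = IMAGE_MAGIC.get(ext)
    if expected is None:
        return "not-an-image-extension"
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head.startswith(expected):          # bytes.startswith accepts a tuple
        return "ok"
    if is_pe_image(head):
        return "PE-disguised-as-image"     # the case from the thread
    return "header-mismatch"               # not an image, but not a PE either


def scan_directory(root: str) -> dict:
    """Walk root and return {relative path: verdict} for every suspicious image file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            verdict = classify(full)
            if verdict not in ("ok", "not-an-image-extension"):
                findings[os.path.relpath(full, root)] = verdict
    return findings


def build_demo_dir() -> str:
    """Create constructed sample files in a temp dir (no real malware):
    a genuine JPEG header, a minimal PE header renamed to .jpg, a .png
    that is plain text, and an unrelated .txt the scanner ignores."""
    root = tempfile.mkdtemp(prefix="imgscan_")
    # Real JPEG/JFIF start-of-image marker followed by an APP0 segment header.
    with open(os.path.join(root, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 32)
    # Minimal DOS stub: 'MZ', zero padding, e_lfanew = 0x40, then 'PE\0\0'.
    fake_pe = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
               + b"PE\x00\x00" + b"\x00" * 24)
    with open(os.path.join(root, "holiday.jpg"), "wb") as fh:
        fh.write(fake_pe)
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(b"this is not a PNG at all")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"unrelated file, ignored by the scanner")
    return root


def demo() -> dict:
    """Build the sample directory and scan it."""
    return scan_directory(build_demo_dir())


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:24s} {rel}")
```

Because the check reads content rather than the name, renaming the file does not defeat it, which is the same property ssj100 notes in the blacklisters; it is cheap enough to run over a browser cache such as the Temporary Internet Files folder shown in the first screenshot. A file that is neither a valid image nor a PE is reported separately as a plain header mismatch, since that can be a truncated download as easily as something hostile.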


Post by ssj100 on 29/7/2010, 05:07

1. SRP: BLOCKED
[screenshot]
"The system cannot execute the specified program".

2. Sandboxie 3.46: BLOCKED
[screenshot]
Sandboxie of course contains this malware anyway, but I wanted to test its anti-execution mechanism.

3. AppGuard 1.4.7: BYPASSED
Windows shuts down and can't be rebooted. Even specifically adding the command prompt to AppGuard's list of "Guarded Applications" does not help. AppGuard does block the execution when the file is renamed back to .exe:
[screenshot]



Post by arran on 29/7/2010, 11:50

It just goes to show that any file that comes from the net, even an innocent-looking picture file, should always be run in the sandbox. It reminds me of that thread on Wilders about "can picture jpg contain malware"?

This is how the average PC user who only has an AV for their security gets infected, if they download the image file before their AV updates its database.


Post by Buster_BSA on 29/7/2010, 11:59

Some years ago Windows 2000 & NT source code were leaked and one of the consequences was the finding of a vulnerability in jpg files.


Post by aigle on 29/7/2010, 13:19

I have seen such malware in the past. If you open this .jpg file via double click, it's harmless as it will not execute. I am however interested in whether there are .jpg files that can infect the system if opened via double click! Does anyone have such malware?


Post by ssj100 on 29/7/2010, 13:24

aigle wrote: I have seen such malware in the past. If you open this .jpg file via double click, it's harmless as it will not execute. I am however interested in whether there are .jpg files that can infect the system if opened via double click! Does anyone have such malware?

I think that would only happen if there was a specific exploit in the picture viewing program (e.g. a buffer overflow exploit).



Post by aigle on 3/8/2010, 13:01

Do you have such a sample?

Thanks
