Malware disguised as picture file

Post by ssj100 on 29/7/2010, 05:05

I recently came across a malware file that had the extension .jpg and that Windows parsed as a harmless looking picture file. All black-listing applications pretty much detected it as malware (that is, they weren't fooled by file extensions). This malware file could easily have any other file extension, and the black-lister would still label it as malware. This is because (most) black-listers don't look at file extensions (alone).

Essentially I accessed this malware file via IE and managed to find the file in the "Temporary Internet Files" folder:


You can see that it was "Last Modified" on July 13 2010 (making the malware about 2 weeks old - ample time for anti-malware programs to black-list it). A scan by MBAM shows this:


VirusTotal shows this (I don't show it all, but I'm sure you get the idea):


Now of course, executing this malware file as Windows sees it will result in nothing:


However, executing it as DOS sees it will result in the malware running:


The malware then goes on to perform all sorts of malicious looking actions, including writing a payload executable, calling out several times to a dodgy looking IP address, and placing autostart entries in the Windows registry.

Anyway, what interested me wasn't the fact that this malware file was downloaded as a benign looking picture file. Instead, it was the concept of this malware file being able to be executed via the command prompt, and whether various anti-malware mechanisms would block it or not.

In the next post, I'll be testing an old killdisk malware ("WYH Disk killer") that has been disguised as a picture file (basically I've renamed the file extension from .exe to .jpg) and executed via the command prompt. Then we'll see which anti-malware mechanism can block it.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
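The post's point is that the black-listers were not fooled by the .jpg extension because they look at the file's content. As an added example that is not from the thread, the check below classifies files by their magic bytes (the MZ/PE header of a Windows executable versus the JPEG or PNG signatures) and flags files in a folder whose extension says "picture" but whose bytes say "executable"; the IMAGE_EXTS list and the sample folder are constructed for this illustration.

```python
import os
import struct
import tempfile

# Extensions Windows treats as pictures (a constructed list for this example)
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}

def sniff_type(data: bytes) -> str:
    """Identify a file by its magic bytes, ignoring the file name entirely."""
    if data[:2] == b"MZ":
        # e_lfanew at offset 0x3C points at the "PE\0\0" signature of a PE image
        if len(data) >= 0x40:
            off = struct.unpack_from("<I", data, 0x3C)[0]
            if data[off:off + 4] == b"PE\0\0":
                return "pe"
        return "mz-stub"  # DOS executable or truncated PE; still not a picture
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    return "unknown"

def find_disguised_executables(folder: str) -> list:
    """Paths whose extension claims an image but whose content is executable."""
    hits = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        ext = os.path.splitext(name)[1].lower()
        with open(path, "rb") as fh:
            head = fh.read(4096)   # the header is enough; no need to read a whole file
        if ext in IMAGE_EXTS and sniff_type(head) in ("pe", "mz-stub"):
            hits.append(path)
    return hits

def demo() -> list:
    """Constructed sample folder: a PE header named .jpg next to a genuine JPEG header."""
    fake_pe = bytearray(0x100)
    fake_pe[:2] = b"MZ"
    struct.pack_into("<I", fake_pe, 0x3C, 0x80)   # e_lfanew -> 0x80
    fake_pe[0x80:0x84] = b"PE\0\0"
    folder = tempfile.mkdtemp()
    with open(os.path.join(folder, "holiday.jpg"), "wb") as fh:
        fh.write(fake_pe)                          # executable disguised as a picture
    with open(os.path.join(folder, "real.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\0" * 16)  # real JPEG signature
    return [os.path.basename(p) for p in find_disguised_executables(folder)]
```

Pointing find_disguised_executables at a browser cache folder such as Temporary Internet Files gives the same extension-independent verdict the post observed from MBAM and VirusTotal.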

Re: Malware disguised as picture file

Post by ssj100 on 29/7/2010, 05:07

1. SRP: BLOCKED

"The system cannot execute the specified program".

2. Sandboxie 3.46: BLOCKED

Sandboxie of course contains this malware anyway, but I wanted to test its anti-execution mechanism.

3. AppGuard 1.4.7: BYPASSED

Windows shuts down and can't be rebooted. Even specifically adding the command prompt to AppGuard's list of "Guarded Applications" does not help. AppGuard does block the execution when the file is renamed back to .exe:


Re: Malware disguised as picture file

Post by arran on 29/7/2010, 11:50

It just goes to show that any file that comes from the net, even an innocent-looking picture file, should always be run in the sandbox. It reminds me of that thread on Wilders about "can picture jpg contain malware"?

This is how the average PC user who only has an AV for their security gets infected: they download the image file before their AV updates its database.

Re: Malware disguised as picture file

Post by Buster_BSA on 29/7/2010, 11:59

Some years ago the Windows 2000 and NT source code was leaked, and one of the consequences was the finding of a vulnerability in JPG files.

Re: Malware disguised as picture file

Post by aigle on 29/7/2010, 13:19

I have seen such malware in the past. If you open this .jpg file via double click, it's harmless as it will not execute. I am however interested whether there are .jpg files that can infect the system if opened via double click! Has anyone such a malware?

Re: Malware disguised as picture file

Post by ssj100 on 29/7/2010, 13:24

aigle wrote: I have seen such malware in the past. If you open this .jpg file via double click, it's harmless as it will not execute. I am however interested whether there are .jpg files that can infect the system if opened via double click! Has anyone such a malware?

I think that would only happen if there was a specific exploit in the picture viewing program (e.g. a buffer overflow exploit).


Re: Malware disguised as picture file

Post by aigle on 3/8/2010, 13:01

Do you have such a sample?

Thanks
