#1
Do most AVs detect this? How about Prevx or Mamutu? What solution do you have for this, besides not downloading .jpgs or .docs?
#2
I see my question switched to another subject (.jpgs etc...) in my last post: "Defensewall and Sandboxie".
Wanted to start this anew, about malware protection in .jpgs or .docs. I asked Prevx, haven't had a response.
#3
As far as I'm aware all good Antis should detect things like you suggest.
#5
Do you know if they detect as you download and save them, or when you open them? Or does it matter?
#7
Rabiddog
A good Anti should detect as you're downloading, and often before, especially if it reads dodgy code in the webpage that's waiting to pounce on people. If the Malware is what's called Packed/Compressed with something like UPX for e.g., then you might download without an Anti detect (sometimes it/they will though), but as soon as you try to run it then it/they should jump in and prevent/delete it. ssj100 is right to quote what Rmus says. But I didn't get blasted with ANY .wmf exploits when they were out a few years back, no matter how many I tried. As well as a good AV/AT/AE I also had my 98SE + IE6 locked down securely, and as it turned out 98SE wasn't vulnerable lol. I'm now on XP + IE6 + FF also locked down in a similar fashion.
#8
So you're saying that your AV blocked it all mate? I'm not sure what you mean by AT, and I'm guessing AE is anti-executable? Also, since 98SE wasn't vulnerable, how could it be a real test of the malware? And what do you mean exactly by the terms "locked down"? Thanks for your help.
#9
Doesn't a long-ago-released MS patch, as discussed here, address this exploit?
#11
ssj100
No mate, I'm not saying my "AV blocked it all" or would have, not until it got the updated DEFs anyway. But if I remember correctly, some of the later WMFs were then blocked heuristically.

AT = AntiTrojan, which at the time was BoClean
AE = anti-executable, correct, which at the time was WinSonar

We only discovered that 98SE probably wasn't vulnerable a week or two into the testing. Myself, Rmus + others conducted tests on a daily basis as soon as new .WMFs were discovered. Still, as nothing's 100%, 98SE still could have been vulnerable in some way/s, and the only way to find out was to test. This was with + without Antis, but not one worked. I even tried running them with XnView, as just mentioned by wat0114, still nothing!

Locked down = OS - Disabling all unnecessary startups and services etc and things like Telnet, wscript etc etc that I didn't need that could be used by Malware. Installing Script Defender which not only blocks Scripts, but ANY other .Extension you care to add in too.
Browsers - Disabling ActiveX/Scripting/Java/iframes etc etc. Enabling the My Computer Zone in IE Options via the Reg and disabling/prompt the aforementioned items. This particular Zone has nothing to do with Internet duties, but helps to protect the OS.
#12
Thanks for your reply. Unfortunately, "locking down" would sacrifice a lot of usability/convenience for 99.9% of people. Right?
#13
ssj100
Re "locking down would sacrifice": I can't speak for everyone else out there in www land. But I do know from practical experience in trying to help others over the years, in the real world, lots of people just can't be bothered with security. That's either to learn how to better secure, or how to properly clean up after the inevitable multiple infections they get, and keep getting! They see it as either too much trouble, or as is more often the case, they just can't absorb even small amounts of info, and/or forget. And these aren't all dumbo people, or kids. So running as you do in a Sandbox is a good idea for people like that, but as I've found, they find things like that just too complicated. Something like Returnil or Deep Freeze would be easier, but they would still have to know how to set it up and then daily etc save stuff to a separate place so it wouldn't get wiped. And even doing these things is too much for many! If Returnil solved the System Restore problem I'd start using it again tomorrow, so I hope they get it sorted ASAP.
#14
Wouldn't an anti-executable stop GDI32.DLL from loading? Or is it a trusted executable?
#16
We have seen a number of executables embedded inside JPGs/DOCs/any other file format. Be careful: when you double click on a JPG or any other non-executable file which has an executable file embedded in it, the one which will be opened is the non-executable file. An example: if you open a JPEG file which has an embedded executable file in it, the JPEG image will be shown. The executable will not be executed at all. To be executed, the executable needs a loader - a part of the malware which is already on the infected PC - which extracts the embedded executable from the JPEG image and runs it. This is the important step, and this is where Prevx detects the embedded executable.
__________________
Before you criticize someone, you should walk a mile in their shoes. That way when you criticize them, you are a mile away from them and you have their shoes. Check your PC in about a minute
#18
Detections when I first came across brkmail.jpg:
__________________
Lean, Mean and Clean! Sandboxie, Buster Sandbox Analyser, Returnil 2008, Microsoft Virtual PC 2007 SP1, Drive Snapshot
#19
Well, that's because most likely this is not a jpeg, but an executable with the wrong extension (jpg instead of exe).
#20
Well, usually an executable is embedded inside a jpg file to evade some basic security filters. It's a common way used by malware to download malicious components from the web. So, often if you catch on a PC a jpg with an executable file inside it, there should be another running infection which downloaded it.
This doesn't mean that it is the only way for an embedded executable file to get executed. Technically the JPG could exploit some flaw and run the executable. But usually exploit files don't contain embedded files. If you see a jpg with an embedded executable, it's unlikely to be an exploit attack; instead there is most likely another infection running on the system.
#22
As said before, either it's an executable file with the wrong extension or it is a real gif image with an executable embedded inside it. If it's just a gif with an embedded executable, it's not all that important to detect the whole image as malware, because if you run it the only thing that will happen is displaying the image itself (unless it's an exploit, but in that case it should be detected as an exploit).
#24
ANY file can have malware included.
Merging the files together is known as steganography.
#25
Ah I see. In that case wouldn't a HIPS help against this?