Downloading viruses and trojans

is it possible to conceal a virus or a trojan in an mp3 or jpeg or mpeg or animated gif?

 

I heard of malware being hidden in gif files, not sure if Microsoft released a patch sometime ago due to this? I know that mp3 and jpegs are safe most of the time, but i am atill very cautious,
T

 

had a bit of a search and found this Tom

 

Toploader,

Short answer is YES, most definitely. jpegs and mp3/mpeg/etc. yep. Very much so I am afraid.

Here are couple of links for you to read.

jpeg:
Semantec - W32.Perrun
mpeg:
Semantic - W32.KlezH@mm
gif (vbs file)
McAfee - VBS/Mill.g
mp3 (pif file)
McAfee - W32/Badtrans@mm

small extract from Symantec:

Cheers, TAS

 

Thanks Tassie - to think that Britney Spears could be infected

 

This is just an excerpt from an article from 2002 here so you can see they have been around a while although not very prevelent

 

LOL, I'll leave that one alone mate.

Also Paris Hilton.. ouch...

As Bigc pointed out that they've been around for a while, so that's why no matter what file I get, I scan it with everything I can first until it's so giddy it wouldn't dare infect me.

Cheers, TAS

 

i seem to remember reading that video and music files downloaded from file sharing programs like Grokster BitTorrent and Kazaa are sometimes infected with trojans and spyware.

had a search and found this article from Panda

PandaLabs has detected the appearance of two new Trojans, Trj/WmvDownloader.A and Trj/WmvDownloader.B, which are spreading through P2P networks in video files. These Trojans take advantage of the new technology incorporated in Microsoft Windows Media player called Windows Media Digital Rights Management (DRM), designed to protect the intellectual property rights of multimedia content. When a user tries to play a protected Windows media file, this technology demands a valid license. If the license is not stored on the computer, the application will look for it on the Internet, so that the user can acquire it directly or buy it. This new technology is incorporated through the Windows XP Service Pack 2 + Windows Media Player 10 update.

The video files infected by these Trojans have a .wmv extension and are protected by licenses, supposedly issued by the companies overpeer (for Trj/WmvDownloader.A), or protectedmedia (for Trj/WmvDownloader.B). If the user runs a video file that is infected by one of these Trojans, they pretend to download the corresponding license from certain web pages. However, what they actually do is redirect the user to other Internet addresses from which they download a large number adware (programs that display advertisements on screen), spyware, dialers (applications that dial-up high rate toll numbers) and other viruses. Below are some examples of the malicious programs and viruses these Trojans download:

Adware/Funweb
Adware/MydailyHoroscope
Adware/MyWay
Adware/MyWebSearch
Adware/Nsupdate
Adware/PowerScan
Adware/Twain-Tech
Dialer Generic
Dialer.NO
Spyware.AdClicker
Spyware/BetterInet
Spyware/ISTbar
Trj/Downloader.GK

Even though these Trojans have been detected in video files with extremely variable names which can be downloaded through P2P networks like KaZaA or eMule, bear in mind that they can also be distributed through other means, such as files attached to email messages, FTP or Internet downloads, floppy disks, CD-ROM, etc. Panda Software has made the corresponding updates to its anti-malware solutions available to its clients to detect and disinfect any video file protected by the licenses used by Trj/WmvDownloader.A and Trj/WmvDownloader.B to carry out their malicious actions. Similarly, the Panda Software solutions protect users against the malware that these Trojans try to install on computers.

For further information about Trj/WmvDownloader.A, Trj/WmvDownloader.B or the malicious programs and viruses these Trojans try to download, visit Panda Software’s Virus Encyclopedia

 

not Paris Hilton too!!

 

When I was deciding whether or not to use P2P, I was also concerned about whether malware could be embedded in audio and video files. There's little evidence of that. The only information I could find concerned your Trj/WmvDownloader.A and Trj/WmvDownloader.B, which a) only apply to the wmv format b) would only work with Windows Media Player and c) require user confirmation to do the dirty.

 

i'm surprised it's not one of the main ways of getting infected Meltdown - must be more difficult to code than i thought.

 

found this on CNET

Purveyors of the applications that produce pop-up ads on PC screens and track browsing habits have discovered BitTorrent as a new distribution channel. According to observers of the trend, videos and music that hide adware and spyware are increasingly being offered for download on various BitTorrent Web sites. BitTorrent has grown into one of the most widely used means of downloading files such as movies or software. Unlike peer-to-peer networks such as Kazaa, eDonkey and the original Napster, no central search technology exists for BitTorrent. Instead, links to specific files are posted on Web sites. While applications such as Kazaa have long been associated with adware and spyware, BitTorrent has not. Until now, that is. Chris Boyd, a security researcher who runs the Vital Security Web site, said he found adware and spyware hiding in BitTorrent files.

In one case, an episode of the Fox TV show "Family Guy" was bundled with several pieces of known adware, according to Boyd. "Under that kind of load, a midrange PC can easily go under," Boyd said. Both spyware and adware are known to hurt PC performance because they use PC resources to run. In other examples, music files and porn videos came bundled with adware or spyware, Boyd said in an e-mail interview. He suspects that online marketers have launched campaigns to get their software installed on more desktops using BitTorrent.

"This is one of the most egregious spyware infestations that we have seen," said Alex Eckelberry, president of Sunbelt Software, a maker of anti-spyware software. "It is a major concern. It is going to riddle your system with pop-ups, slow your system down and potentially cause system instability."

The downloaded files typically were self-extracting archives that would also install the unwanted software, Boyd said. In most cases, users would be presented with a dialog box advising that the extra software was about to be installed and given the impression that the install was needed to get access to the desired content, he said. However, Boyd found, it was possible to get access to the entertainment the user wanted without installing the adware or spyware. Simply declining the adware and spyware license a couple of times gives access to the content, he said.

On his Web site, Boyd listed a Canadian company as one of the businesses that send out adware and spyware on BitTorrent. That company's Web site appeared to have been hacked Thursday, with the front page replaced with a picture and a profane message stating that the company should leave BitTorrent alone.

 

these links too regarding BitTorrent

http://www.pcpitstop.com/spycheck/badtorrent.asp

http://www.pcpitstop.com/news/dave/2005-07.asp

 

Thanks for the links. I've seen such files on public torrent trackers. As with the trojans mentioned earlier, this is something that can catch out the unwary user, but shouldn't present problems for the more informed - there is no good reason for torrents to download as compressed archives, let alone self-extracting compressed archives. A .zip or .rar or .exe file is automatically suspect.

 

when it comes to P2P i play it safe - i would only use an internet cafe (on dialup it isn't really practical anyhoo)

 

a trojan in a non exe.com.pif.bat file is quite rare and worth a bit of money. All virus and trojan that run in a non executable file are exploits that are exploiting windows then allowing the trojan/virus code to be run/EXECUTED. I remember the jpeg exploiter which was patched about 2 years ago. Its very unlikely you will encounter a trojan that has a genuine mp3,jpg extention mp3 and jpeg files are read not executed. As i said things like this a rare and your much more likely to incounter a trojan in an executeable file. not to long ago thier was an exploit for msn display pictures that caused a buffer overflow and allowed code to be executed so they do pop up from time to time 2 years ago prorat a comman trojan had the jpeg exploiter but it wasnt free $100 lol mp3 and jpeg executing trojans would appear safe to almost all users thierfore they are a powerfull tool and worth $$$

 

Last year the Internet Storm Center issued a warning that a new Trojan is posing a threat to online banking customers.

The carrier of the threat, "img1big.gif," poses as an image file. The file is not an image at all, but a file-dropper Trojan composed of a pair of Win32 executable programs compressed together using the Open Source executable compressor UPX.

The trojan installs a Browser Helper Object (BHO) on Internet Explorer version 4.X and higher. One of the two sets of code performs the initial install, the other performs the BHO install. Once the BHO is up, it looks for secure access to the URLs of several dozen banking and financial sites around the globe and "grabs any outbound POST/GET data from within IE before it is encrypted by SSL," according to Storm Center handler John Bambenek.

The outbound data - including user names and passwords - is sent over an HTTP connection created by the Trojan to the address xxxx://www.refestltd.com/cgi-bin/yes.pl