Can someone teach me about malware please?

Discussion in 'malware problems & news' started by Scoobs, May 27, 2008.

Thread Status:
Not open for further replies.
  1. Scoobs

    Scoobs Registered Member

    Joined:
    Sep 21, 2005
    Posts:
    110
    I have been given a harddisk of random games, music, films, and software, and I’m wondering how to go about having a look at it.

    As I understand it viruses can be hidden as all sorts of file, so how can hooking this HDD up to my computer infest my machine?

    Can playing a virus hidden as an MP3 file do it? Would it only infect me if it is set to combine with a certain media player, and I use that media player to open it?

    Will a scan with SAS, or Antivir (or both) suffice to check it? Will they scan compressed folders?

    I guess I’m looking for an introduction to the basics of how infections come about.

    Thanks for any help.
     
  2. HyperFlow

    HyperFlow Registered Member

    Joined:
    Mar 21, 2008
    Posts:
    115
  3. Scoobs

    Scoobs Registered Member

    Joined:
    Sep 21, 2005
    Posts:
    110
    Thanks Hyperflow, that link's the sort of thing I was after - some references to read about.
     
  4. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    Unfortunately, the best person(s) to teach you about malware are the authors themselves. :blink:
     
  5. HyperFlow

    HyperFlow Registered Member

    Joined:
    Mar 21, 2008
    Posts:
    115
    100% true, and I have been in that classroom before, unfortunately :cautious:
     
  6. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
  7. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Scoobs, maybe you could try forcing anything that runs from that drive to run sandboxed... but I can't remember if you can do that with the free version o_O

    I once downloaded a video file from limewire (can't remember the filetype), and when I played it in winamp it froze and after that the file couldn't be deleted. Don't know if it was a virus, it was format time anyway so I didn't bother to find out.
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  9. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Scoobs

    I did a scan with CureIt today on my girlfriend's laptop, and it flagged an mp3 file as being infected with a trojan.infector

    Sadly I didn't have my flash drive with me, so I couldn't test it on my computer and have no idea of what it does or how it operates.
     
  10. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  12. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    That was the one!
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    So, your girlfriend's laptop had the dropper but it's clean from the payload (the rogue app)?
     
  14. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yes, I don't think she ever got to open that mp3.
    She has NOD32 and BOClean real-time.
    Today I performed 3 scans: CureIt, SAS and MBAM.
    Found another couple of things but I don't think they were related to that mp3.
    Maybe tomorrow I'll check NOD32 and BOClean's logs...
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Interesting :)
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    An "MP3" containing malware; even MP3s can't be trusted anymore. Indeed very interesting. I'm lucky I don't download that stuff anymore. I don't download much nowadays, I use the internet more like a TV.
     
  17. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    If this form of malware starts being popular, it would be a big help for anti-piracy. Hhhmmm, new conspiracy anyone? :D :D

    Anyways, what's more concerning is that this type of file would go directly to my data partition, and Returnil would do nothing about it....

    Time to set up a new sandbox for winamp...
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    They're fake MP3s. They seem spoofed executables according to McAfee's analysis.
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    http://www.avertlabs.com/research/blog/index.php/2008/05/06/fake-mp3s-running-rampant
    It would be interesting to see how these rogue files were offered. Do people just click at random on any music/video file they encounter?

    It doesn't make sense to me.

    EDIT:

    It's evident that this is a user problem, and not a remote code execution exploit.

    Big difference, that the OP should consider in answers to his question about malware.

    ----
    rich
     
    Last edited: May 31, 2008
  20. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I agree, but malware can evolve with time... maybe in future we'll see real exploits in this form.
    If I play an mp3 and a screen offers to download some exe, the answer will be an immediate deny... but some people are just happy-clickers.
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Can you explain what you mean?

    Why is this not a real exploit?

    From the link quoted in MrBrian's post:


    ----
    rich
     
  22. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I meant that this seems like an executable faked as an mp3. Maybe in future we'll see some mp3s which actually ARE mp3s and have some malicious code embedded.
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I see what you mean.

    Don't you think that will actually make it easier to prevent, since the malware can be automatically stopped from installing by a HIPS product, or Software Restriction Policies?

    Meanwhile, this exploit in its present form isn't lacking for business!

    ----
    rich
     
  24. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    So I'm checking NOD32 logs at my GF's laptop.
    Apparently the file was downloaded with LimeWire.
    NOD32 detected it, but wasn't able to clean it and didn't quarantine it either.

    Some file named setup.exe located in the temp folder tried to access the file several times.
    BOClean's log is empty.
     
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The files used were Windows Media files that have the scripting capability to load a webpage. Some were misnamed as other file types such as mp3.

    http://blog.threatfire.com/2008/05/risk-from-p2p-networks.html
     
    Last edited: Jun 1, 2008
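The two mechanisms this thread settles on (post 18: an executable renamed to .mp3; post 25: a genuine Windows Media file whose script commands make the player open a web page), plus the OP's question about looking inside compressed folders, as an added example. This is not code from the thread or from any product named in it (NOD32, SAS, CureIt, MBAM, BOClean). It checks what a file actually is before any player touches it: magic bytes against the extension, and for real ASF files a walk of the header for Script Command entries of type URL. The sample files, the label strings, and the URL `http://example.invalid/codec` are constructed for the demo; the MZ, ID3, frame-sync and zip signatures and the ASF GUIDs and object layout come from the respective public format specifications.

```python
"""Added example, not code from the thread or from any product named in it.
Checks what a "media" file really is before any player touches it: magic
bytes vs. extension (an executable renamed .mp3), and for genuine Windows
Media (ASF) files the Script Command entries, since a URL command is what
makes the player open a page. Samples are constructed in memory; the ASF
GUIDs and object layout follow the public ASF specification."""
import os
import struct
import zipfile
from io import BytesIO

ASF_HEADER = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")
ASF_SCRIPT_COMMAND = bytes.fromhex("301AFB1E620BD011A39B00A0C90348F6")
ASF_SCRIPT_RESERVED = bytes.fromhex("E3CB1A4B0B10D011A39B00A0C90348F6")


def sniff(data):
    """Container type implied by the leading bytes, ignoring the file name."""
    if data[:2] == b"MZ":
        return "pe"                      # DOS/PE executable
    if data[:16] == ASF_HEADER:
        return "asf"                     # Windows Media (.wma/.wmv/.asf)
    if data[:3] == b"ID3" or (len(data) > 1 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0):
        return "mp3"                     # ID3v2 tag or MPEG audio frame sync
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"


def read_wstr(buf, pos):
    # ASF counted string: WORD length in chars, then UTF-16LE chars.
    n = struct.unpack_from("<H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + 2 * n].decode("utf-16-le"), pos + 2 + 2 * n


def parse_script_commands(payload):
    # Body: reserved GUID(16), command count(2), type count(2), type names,
    # then per command: presentation time ms(4), type index(2), name.
    ncmd, ntype = struct.unpack_from("<HH", payload, 16)
    pos, types, out = 20, [], []
    for _ in range(ntype):
        name, pos = read_wstr(payload, pos)
        types.append(name)
    for _ in range(ncmd):
        ms, idx = struct.unpack_from("<IH", payload, pos)
        name, pos = read_wstr(payload, pos + 6)
        out.append((ms / 1000, types[idx] if idx < len(types) else "?", name))
    return out


def asf_script_commands(data):
    """Walk the ASF Header Object: GUID(16), size(8), object count(4), two
    reserved bytes, then child objects of GUID(16) + size(8) + payload."""
    if data[:16] != ASF_HEADER:
        return []
    end = min(struct.unpack_from("<Q", data, 16)[0], len(data))
    pos, found = 30, []
    while pos + 24 <= end:
        guid, size = data[pos:pos + 16], struct.unpack_from("<Q", data, pos + 16)[0]
        if size < 24:
            break                        # corrupt size field: stop, don't loop
        if guid == ASF_SCRIPT_COMMAND:
            try:
                found.extend(parse_script_commands(data[pos + 24:pos + size]))
            except (struct.error, UnicodeDecodeError):
                break                    # truncated or garbage object
        pos += size
    return found


def verdict(name, data):
    ext, kind = os.path.splitext(name)[1].lower(), sniff(data)
    if kind == "pe" and ext != ".exe":
        return "SPOOFED_EXECUTABLE"
    if kind == "asf":
        urls = [c for _, t, c in asf_script_commands(data) if t.upper() == "URL"]
        if urls:
            return "ASF_URL_COMMAND:" + ";".join(urls)
        if ext not in (".asf", ".wma", ".wmv"):
            return "MISNAMED_ASF"
    return "UNKNOWN" if kind == "unknown" else "OK"


def scan_zip(data):
    """Check zip members in place; read at most 64 KiB of each so a crafted
    archive cannot exhaust memory."""
    with zipfile.ZipFile(BytesIO(data)) as zf:
        return [(i.filename, verdict(i.filename, zf.open(i).read(65536)))
                for i in zf.infolist() if not i.is_dir()]


def build_asf_with_url(url, at_ms=0):
    """Constructed sample: minimal ASF header with one URL script command."""
    def wstr(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    payload = (ASF_SCRIPT_RESERVED + struct.pack("<HH", 1, 1) + wstr("URL")
               + struct.pack("<IH", at_ms, 0) + wstr(url))
    obj = ASF_SCRIPT_COMMAND + struct.pack("<Q", 24 + len(payload)) + payload
    return ASF_HEADER + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj


def build_sample_zip():
    # Constructed sample archive: one renamed executable, one real mp3.
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hidden.mp3", b"MZ\x90\x00" + bytes(60))
        zf.writestr("song.mp3", b"ID3\x03\x00" + bytes(60))
    return buf.getvalue()


if __name__ == "__main__":
    print(verdict("track.mp3", build_asf_with_url("http://example.invalid/codec")))
    print(scan_zip(build_sample_zip()))
```

Two caveats on reading the labels. A URL script command is a legitimate ASF feature (streams use it for captions and chapter links), so `ASF_URL_COMMAND` says the file can ask the player to open a page, not that it is malicious; the URL it carries is what you would check. And, as Rmus points out in post 19, none of this is remote code execution: a renamed executable does nothing until someone double-clicks it, which is why the Software Restriction Policies / HIPS point in post 23 is the actual control. Pointing `os.walk` at the mounted drive and calling `verdict` on the first 64 KiB of each file (and `scan_zip` on anything `sniff` reports as `zip`) is the whole scan; nothing is executed or opened in a player.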