Strange Shockwave File with Surprising Attachments

Published: 2011-03-27
Last Updated: 2011-03-27 20:20:24 UTC
by Guy Bruneau (Version: 1)
15 comment(s)

In the past month or so, I have observed some strange Shockwave files that surprisingly, contain 2 other files attached inside the end of the file. First, an EICAR test file is found at the end of the Shockwave file portion which is immediately followed by a Window executable. Most IDS would trigger on that window binary transfer, including Snort. The shockwave file portion did not contain any malware.

The EICAR test file found X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* is a typical ANTIVIRUS test file. [1]

However, after carving the Windows binary and submitting its MD5 for analysis to VirusTotal, it returned some surprising results. The MD5 of this file is 22a0c9e8f8c83f70caf04d757732eb21 and shows if this file manages to run, it could compromise to the client.


Have you seen anything like this? Let us know via our contact form.
 

[1] http://www.eicar.org/anti_virus_test_file.htm

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

15 comment(s)

Comments

Some people have their corporate AV setup to ignore EICAR files. Perhaps the file's author was hoping that the embedded EICAR would trigger this behavior?
@Michael:
Why in the world would anybody configure his AV to ignore EICAR?
I know of setups where a daily dose of EICAR is sent for testing purposes (is my AV still alive?)...
Alex - Overworked IT, Lazy IT and dumb IT. These three are the major things that result in AV logs getting ignored.
I suspect this targets less the corporate setup but more the end user.. if the AV pops up a message that it found an EICAR signature, it is usually accompanied with a link to more in-depth info, all of which tells the user that those signatures are harmless.
In the end, it might be a new trick to entice the user to click the "allow" button.
Maybe I'm totally wrong but I think bad guys are sharpening their knives. I did some test using Kaspersky Antivirus 2010 and I see a strange behaviour. First I used an infected file, then I append to the end of this file the EICAR signature and... take a look to the log:

"Original" infected file:

Scansione Anti-Virus: processo completato <1 minuto fa (eventi: , oggetti: 1, ora: 00:00:05)
28/03/2011 12:32:35 Rilevato: Trojan.Win32.Genome.rxuu C:\test\TROJAN.exe
28/03/2011 12:32:39 Attività completata
28/03/2011 12:32:34 Attività avviata


"Modified" infected file:

Scansione Anti-Virus: processo completato <1 minuto fa (eventi: , oggetti: 2, ora: 00:00:03)
28/03/2011 12:33:58 Rilevato: EICAR-Test-File C:\test\TROJAN.exe/#
28/03/2011 12:34:01 Non eliminato: EICAR-Test-File C:\test\TROJAN.exe Impossibile trovare l'oggetto
28/03/2011 12:34:01 Attività completata
28/03/2011 12:33:58 Attività avviata

See something strange? Why the first time it's a trojan and the next step is just an EICAR-Test-File? It's too bad! If I believe to KAV, I can run the executable, it's just an EICAR test, so nothing dangerous.
In this case, the file format (swf, I suppose), could be just a way to deploy the malware or to completely avoid antivirus to detect the malware. I think I will continue testing.
I am inclined to agree with shinnai on this one. Many AV products probably don't look past the first hit on malware embedded in some file types, SWF included, which makes this a simple yet brilliant evasion technique. PDF scanning is probably just as vulnerable.
I tested the file with the EICAR file attached as the header and when I scanned it, it missed the malware
The author is not stating that this could be an AV evasion technique is he?
Good thing our AV already treats EICAR like it's Satan's own code and removes it before the data even gets written to disk. The bad guys are getting more and more cunning every day and I wonder how long it will take the major vendors to patch around the end-on-first-hit scanning behaviour. I don't think it's something they can fix with an definition update, unless they use one to remove EICAR detection in the interim.
I'll echo some of the others here; it could be an attempt to get users or inexperienced IT to ignore the detection and/or whitelist it.

The other idea that popped into mind might be related to targeting buggy antivirus software/ or mail/http gateways (and thus forcing a specific detection to make conditions ripe for a given exploit/payload).

*shrug* Dunno.

Diary Archives