In the past month or so, I have observed some strange Shockwave files that, surprisingly, contain 2 other files attached at the end of the file. First, an EICAR test file is found at the end of the Shockwave file portion, which is immediately followed by a Windows executable. Most IDS would trigger on that Windows binary transfer, including Snort. The Shockwave file portion did not contain any malware. The EICAR test file found, X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*, is a typical antivirus test file. [1] However, after carving the Windows binary and submitting its MD5 for analysis to VirusTotal, it returned some surprising results. The MD5 of this file is 22a0c9e8f8c83f70caf04d757732eb21, and the results show that if this file manages to run, it could compromise the client.
[1] http://www.eicar.org/anti_virus_test_file.htm

-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Guy, 522 Posts, ISC Handler, Mar 27th 2011
Some people have their corporate AV setup to ignore EICAR files. Perhaps the file's author was hoping that the embedded EICAR would trigger this behavior?
Michael, 32 Posts, Mar 28th 2011
@Michael:
Why in the world would anybody configure his AV to ignore EICAR? I know of setups where a daily dose of EICAR is sent for testing purposes (is my AV still alive?)...

Alex, 13 Posts, Mar 28th 2011
Alex - Overworked IT, Lazy IT and dumb IT. These three are the major things that result in AV logs getting ignored.
Michael, 32 Posts, Mar 28th 2011
I suspect this targets less the corporate setup but more the end user. If the AV pops up a message that it found an EICAR signature, it is usually accompanied with a link to more in-depth info, all of which tells the user that those signatures are harmless.
In the end, it might be a new trick to entice the user to click the "allow" button.

Visi, 41 Posts, Mar 28th 2011
Maybe I'm totally wrong, but I think bad guys are sharpening their knives. I did some tests using Kaspersky Antivirus 2010 and I see a strange behaviour. First I used an infected file, then I appended the EICAR signature to the end of this file and... take a look at the log:

"Original" infected file:
Scansione Anti-Virus: processo completato <1 minuto fa (eventi: , oggetti: 1, ora: 00:00:05)
28/03/2011 12:32:35 Rilevato: Trojan.Win32.Genome.rxuu C:\test\TROJAN.exe
28/03/2011 12:32:39 Attività completata
28/03/2011 12:32:34 Attività avviata

"Modified" infected file:
Scansione Anti-Virus: processo completato <1 minuto fa (eventi: , oggetti: 2, ora: 00:00:03)
28/03/2011 12:33:58 Rilevato: EICAR-Test-File C:\test\TROJAN.exe/#
28/03/2011 12:34:01 Non eliminato: EICAR-Test-File C:\test\TROJAN.exe Impossibile trovare l'oggetto
28/03/2011 12:34:01 Attività completata
28/03/2011 12:33:58 Attività avviata

See something strange? Why is it a trojan the first time, and in the next step just an EICAR-Test-File? It's too bad! If I believe KAV, I can run the executable; it's just an EICAR test, so nothing dangerous. In this case, the file format (swf, I suppose) could be just a way to deploy the malware, or to completely prevent the antivirus from detecting the malware. I think I will continue testing.

Anonymous, Mar 28th 2011
I am inclined to agree with shinnai on this one. Many AV products probably don't look past the first hit on malware embedded in some file types, SWF included, which makes this a simple yet brilliant evasion technique. PDF scanning is probably just as vulnerable.
e.b., 17 Posts, Mar 28th 2011
I tested the file with the EICAR file attached as the header, and when I scanned it, it missed the malware.

Guy, 522 Posts, ISC Handler, Mar 28th 2011
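A worked illustration of the two things the thread is circling, as an added example that is not code from the diary, from ISC or from any commenter: carving the objects attached to the SWF (what the diary did before hashing the binary for VirusTotal) and contrasting a scanner that stops at the lowest-offset signature match with one that reports every match. The "SWF", the "PE" and the signature table are constructed stand-ins built in memory and nothing is written to disk. The offset-ordered "first hit" model reproduces the diary's layout (SWF, EICAR, binary) and the EICAR-as-header test in the comment above; it does not model the Kaspersky log in shinnai's comment, where EICAR was appended after the trojan and the engine's own ordering decided what was reported.

```python
"""Carve objects appended to an SWF and compare two scan policies.

Added example, not code from the diary or any commenter. Every byte string
below is a constructed stand-in built in memory: the "SWF" is only a header,
the "PE" is only an MZ stub plus a marker string, and the signature table is
a toy. Nothing is written to disk.
"""
import hashlib

# Public EICAR test string (eicar.org); harmless by design.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed stand-in for an uncompressed SWF: 'FWS' magic, version, file length, padding.
FAKE_SWF = b"FWS\x0a" + (64).to_bytes(4, "little") + b"\x00" * 56

# Constructed stand-in for a Windows executable: 'MZ' header plus a marker string.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 8 + b"CONSTRUCTED-TEST-PAYLOAD-MARKER" + b"\x00" * 16

# Toy signature table (name -> byte pattern). Real engines use far richer logic.
SIGNATURES = {
    "EICAR-Test-File": EICAR,
    "Constructed.Test.Payload": b"CONSTRUCTED-TEST-PAYLOAD-MARKER",
}

# The layouts discussed in the thread, built from the stand-ins above.
LAYOUTS = {
    "none": lambda: FAKE_SWF + FAKE_PE,               # no EICAR at all
    "before_pe": lambda: FAKE_SWF + EICAR + FAKE_PE,  # the diary's layout
    "after_pe": lambda: FAKE_SWF + FAKE_PE + EICAR,   # EICAR appended after the binary
    "prepended": lambda: EICAR + FAKE_SWF + FAKE_PE,  # EICAR as the file header
}


def build_sample(layout):
    """Return the constructed blob for one of the layouts above."""
    return LAYOUTS[layout]()


def find_all(blob, pattern):
    """Return every offset at which pattern occurs in blob."""
    hits, start = [], 0
    while True:
        idx = blob.find(pattern, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def carve(blob):
    """Split blob at known magics and describe each piece (label, offset, length, MD5).

    Each piece runs from its magic to the next magic. Matching 'MZ' anywhere is
    deliberately naive and would over-split real data; it is enough for the stand-ins.
    """
    markers = []
    for label, magic in (("swf", b"FWS"), ("swf", b"CWS"), ("eicar", EICAR), ("pe", b"MZ")):
        markers += [(off, label) for off in find_all(blob, magic)]
    markers.sort()
    pieces = []
    for i, (off, label) in enumerate(markers):
        end = markers[i + 1][0] if i + 1 < len(markers) else len(blob)
        data = blob[off:end]
        pieces.append({"label": label, "offset": off, "length": len(data),
                       "md5": hashlib.md5(data).hexdigest()})
    return pieces


def carved_pe_md5(blob):
    """MD5 of the first carved MZ piece: the value one would look up by hash."""
    return next((p["md5"] for p in carve(blob) if p["label"] == "pe"), None)


def scan_first_hit(blob, signatures=SIGNATURES):
    """Model of an engine that reports only the lowest-offset match and stops."""
    best = None
    for name, pattern in signatures.items():
        idx = blob.find(pattern)
        if idx >= 0 and (best is None or idx < best[0]):
            best = (idx, name)
    return best[1] if best else None


def scan_all(blob, signatures=SIGNATURES):
    """Model of an engine that keeps going and reports every match, sorted by name."""
    return sorted(name for name, pattern in signatures.items() if pattern in blob)


if __name__ == "__main__":
    for layout in LAYOUTS:
        blob = build_sample(layout)
        print(layout, "first-hit:", scan_first_hit(blob), "all:", scan_all(blob))
        for piece in carve(blob):
            print("   ", piece)
```

Whatever the layout, the carved MZ piece hashes to the same value, which is why hashing the carved binary rather than the whole container is the right thing to submit for a lookup; and in the two layouts where EICAR precedes the binary, the first-hit model reports only EICAR while the scan-all model reports both, which is the behaviour a verdict-on-first-match engine would need to change to close this gap.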
The author is not stating that this could be an AV evasion technique is he?
Guy, 2 Posts, Mar 28th 2011
Good thing our AV already treats EICAR like it's Satan's own code and removes it before the data even gets written to disk. The bad guys are getting more and more cunning every day, and I wonder how long it will take the major vendors to patch around the end-on-first-hit scanning behaviour. I don't think it's something they can fix with a definition update, unless they use one to remove EICAR detection in the interim.

Guy, 12 Posts, Mar 28th 2011
I'll echo some of the others here; it could be an attempt to get users or inexperienced IT to ignore the detection and/or whitelist it.
The other idea that popped into mind might be related to targeting buggy antivirus software or mail/http gateways (and thus forcing a specific detection to make conditions ripe for a given exploit/payload). *shrug* Dunno.

Guy, 1 Posts, Mar 28th 2011
CA, I'm not sure it is an AV evasion technique since I only have a limited number of ways to test this. This would have to be confirmed by various AV vendors to see how to react.
Guy, 522 Posts, ISC Handler, Mar 28th 2011
It would be interesting to see what virustotal reports for shinnai's modified malware.
Guy, 2 Posts, Mar 28th 2011
Thanks for the info Guy. If you find anything further please update us. I would also like to see how virustotal reports the original Shockwave file.
Guy, 2 Posts, Mar 29th 2011
Emerging Threats added a signature to detect this activity. The signature ID is 2012591: doc.emergingthreats.net/…
Guy, 522 Posts, ISC Handler, Mar 29th 2011
The original file that I used for this diary was submitted to VirusTotal and only one AV had some form of detection. The result is here: virustotal.com/file-scan/…

Guy, 522 Posts, ISC Handler, Mar 29th 2011