Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Strange Shockwave File with Surprising Attachments - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Strange Shockwave File with Surprising Attachments

In the past month or so, I have observed some strange Shockwave files that surprisingly, contain 2 other files attached inside the end of the file. First, an EICAR test file is found at the end of the Shockwave file portion which is immediately followed by a Window executable. Most IDS would trigger on that window binary transfer, including Snort. The shockwave file portion did not contain any malware.

The EICAR test file found X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* is a typical ANTIVIRUS test file. [1]

However, after carving the Windows binary and submitting its MD5 for analysis to VirusTotal, it returned some surprising results. The MD5 of this file is 22a0c9e8f8c83f70caf04d757732eb21 and shows if this file manages to run, it could compromise to the client.


Have you seen anything like this? Let us know via our contact form.
 

[1] http://www.eicar.org/anti_virus_test_file.htm

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Guy

422 Posts
ISC Handler
Some people have their corporate AV setup to ignore EICAR files. Perhaps the file's author was hoping that the embedded EICAR would trigger this behavior?
Michael

32 Posts Posts
@Michael:
Why in the world would anybody configure his AV to ignore EICAR?
I know of setups where a daily dose of EICAR is sent for testing purposes (is my AV still alive?)...
Alex

13 Posts Posts
Alex - Overworked IT, Lazy IT and dumb IT. These three are the major things that result in AV logs getting ignored.
Michael

32 Posts Posts
I suspect this targets less the corporate setup but more the end user.. if the AV pops up a message that it found an EICAR signature, it is usually accompanied with a link to more in-depth info, all of which tells the user that those signatures are harmless.
In the end, it might be a new trick to entice the user to click the "allow" button.
Visi

41 Posts Posts
Maybe I'm totally wrong but I think bad guys are sharpening their knives. I did some test using Kaspersky Antivirus 2010 and I see a strange behaviour. First I used an infected file, then I append to the end of this file the EICAR signature and... take a look to the log:

"Original" infected file:

Scansione Anti-Virus: processo completato <1 minuto fa (eventi: , oggetti: 1, ora: 00:00:05)
28/03/2011 12:32:35 Rilevato: Trojan.Win32.Genome.rxuu C:\test\TROJAN.exe
28/03/2011 12:32:39 Attività completata
28/03/2011 12:32:34 Attività avviata


"Modified" infected file:

Scansione Anti-Virus: processo completato <1 minuto fa (eventi: , oggetti: 2, ora: 00:00:03)
28/03/2011 12:33:58 Rilevato: EICAR-Test-File C:\test\TROJAN.exe/#
28/03/2011 12:34:01 Non eliminato: EICAR-Test-File C:\test\TROJAN.exe Impossibile trovare l'oggetto
28/03/2011 12:34:01 Attività completata
28/03/2011 12:33:58 Attività avviata

See something strange? Why the first time it's a trojan and the next step is just an EICAR-Test-File? It's too bad! If I believe to KAV, I can run the executable, it's just an EICAR test, so nothing dangerous.
In this case, the file format (swf, I suppose), could be just a way to deploy the malware or to completely avoid antivirus to detect the malware. I think I will continue testing.
Anonymous
Posts
I am inclined to agree with shinnai on this one. Many AV products probably don't look past the first hit on malware embedded in some file types, SWF included, which makes this a simple yet brilliant evasion technique. PDF scanning is probably just as vulnerable.
e.b.

16 Posts Posts
I tested the file with the EICAR file attached as the header and when I scanned it, it missed the malware
Guy

422 Posts Posts
ISC Handler
The author is not stating that this could be an AV evasion technique is he?
Anonymous
Posts
Good thing our AV already treats EICAR like it's Satan's own code and removes it before the data even gets written to disk. The bad guys are getting more and more cunning every day and I wonder how long it will take the major vendors to patch around the end-on-first-hit scanning behaviour. I don't think it's something they can fix with an definition update, unless they use one to remove EICAR detection in the interim.
Anonymous
Posts
I'll echo some of the others here; it could be an attempt to get users or inexperienced IT to ignore the detection and/or whitelist it.

The other idea that popped into mind might be related to targeting buggy antivirus software/ or mail/http gateways (and thus forcing a specific detection to make conditions ripe for a given exploit/payload).

*shrug* Dunno.
Anonymous
Posts
CA, I'm not sure it is an AV evasion technique since I only have a limited number of ways to test this. This would have to be confirmed by various AV vendors to see how to react.
Guy

422 Posts Posts
ISC Handler
It would be interesting to see what virustotal reports for shinnai's modified malware.
Anonymous
Posts
Thanks for the info Guy. If you find anything further please update us. I would also like to see how virustotal reports the original Shockwave file.
Anonymous
Posts
Emerging Threats added a signature to detect this activity. The signature ID is 2012591: doc.emergingthreats.net/…
Guy

422 Posts Posts
ISC Handler
The original file that I used for this diary is was submitted to VirusTotal and only one AV had some form of detection. The result is here: virustotal.com/file-scan/…
Guy

422 Posts Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!