ISC Diary

Strange Shockwave File with Surprising Attachments

Published: 2011-03-27,
Last Updated: 2011-03-27 20:20:24 UTC
by Guy Bruneau (Version: 1)

In the past month or so, I have observed some strange Shockwave files that surprisingly, contain 2 other files attached inside the end of the file. First, an EICAR test file is found at the end of the Shockwave file portion which is immediately followed by a Window executable. Most IDS would trigger on that window binary transfer, including Snort. The shockwave file portion did not contain any malware.

The EICAR test file found X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* is a typical ANTIVIRUS test file. [1]

However, after carving the Windows binary and submitting its MD5 for analysis to VirusTotal, it returned some surprising results. The MD5 of this file is 22a0c9e8f8c83f70caf04d757732eb21 and shows if this file manages to run, it could compromise to the client.

Have you seen anything like this? Let us know via our contact form.

[1] http://www.eicar.org/anti_virus_test_file.htm

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Keywords: EICAR Shockwave windows binary

15 comment(s)

Top of page

Comments

Some people have their corporate AV setup to ignore EICAR files. Perhaps the file's author was hoping that the embedded EICAR would trigger this behavior?

posted by Michael, Mon Mar 28 2011, 05:41

@Michael:
Why in the world would anybody configure his AV to ignore EICAR?
I know of setups where a daily dose of EICAR is sent for testing purposes (is my AV still alive?)...

posted by Alex, Mon Mar 28 2011, 08:32

Alex - Overworked IT, Lazy IT and dumb IT. These three are the major things that result in AV logs getting ignored.

posted by Michael, Mon Mar 28 2011, 09:29

I suspect this targets less the corporate setup but more the end user.. if the AV pops up a message that it found an EICAR signature, it is usually accompanied with a link to more in-depth info, all of which tells the user that those signatures are harmless.
In the end, it might be a new trick to entice the user to click the "allow" button.

posted by Woo, Mon Mar 28 2011, 09:31

Maybe I'm totally wrong but I think bad guys are sharpening their knives. I did some test using Kaspersky Antivirus 2010 and I see a strange behaviour. First I used an infected file, then I append to the end of this file the EICAR signature and... take a look to the log:

"Original" infected file:

Scansione Anti-Virus: processo completato <1 minuto fa (eventi: , oggetti: 1, ora: 00:00:05)
28/03/2011 12:32:35 Rilevato: Trojan.Win32.Genome.rxuu C:\test\TROJAN.exe
28/03/2011 12:32:39 Attività completata
28/03/2011 12:32:34 Attività avviata

"Modified" infected file:

Scansione Anti-Virus: processo completato <1 minuto fa (eventi: , oggetti: 2, ora: 00:00:03)
28/03/2011 12:33:58 Rilevato: EICAR-Test-File C:\test\TROJAN.exe/#
28/03/2011 12:34:01 Non eliminato: EICAR-Test-File C:\test\TROJAN.exe Impossibile trovare l'oggetto
28/03/2011 12:34:01 Attività completata
28/03/2011 12:33:58 Attività avviata

See something strange? Why the first time it's a trojan and the next step is just an EICAR-Test-File? It's too bad! If I believe to KAV, I can run the executable, it's just an EICAR test, so nothing dangerous.
In this case, the file format (swf, I suppose), could be just a way to deploy the malware or to completely avoid antivirus to detect the malware. I think I will continue testing.

posted by shinnai, Mon Mar 28 2011, 10:46

I am inclined to agree with shinnai on this one. Many AV products probably don't look past the first hit on malware embedded in some file types, SWF included, which makes this a simple yet brilliant evasion technique. PDF scanning is probably just as vulnerable.

posted by elazar, Mon Mar 28 2011, 16:38

I tested the file with the EICAR file attached as the header and when I scanned it, it missed the malware

posted by Guy, Mon Mar 28 2011, 17:29

The author is not stating that this could be an AV evasion technique is he?

posted by CA, Mon Mar 28 2011, 18:00

Good thing our AV already treats EICAR like it's Satan's own code and removes it before the data even gets written to disk. The bad guys are getting more and more cunning every day and I wonder how long it will take the major vendors to patch around the end-on-first-hit scanning behaviour. I don't think it's something they can fix with an definition update, unless they use one to remove EICAR detection in the interim.

posted by Genima, Mon Mar 28 2011, 19:17

I'll echo some of the others here; it could be an attempt to get users or inexperienced IT to ignore the detection and/or whitelist it.

The other idea that popped into mind might be related to targeting buggy antivirus software/ or mail/http gateways (and thus forcing a specific detection to make conditions ripe for a given exploit/payload).

*shrug* Dunno.

posted by Kurt, Mon Mar 28 2011, 20:46

CA, I'm not sure it is an AV evasion technique since I only have a limited number of ways to test this. This would have to be confirmed by various AV vendors to see how to react.

posted by Guy, Mon Mar 28 2011, 20:53

It would be interesting to see what virustotal reports for shinnai's modified malware.

posted by GL, Mon Mar 28 2011, 21:37

Thanks for the info Guy. If you find anything further please update us. I would also like to see how virustotal reports the original Shockwave file.

posted by CA, Tue Mar 29 2011, 14:20

Emerging Threats added a signature to detect this activity. The signature ID is 2012591: http://doc.emergingthreats.net/2012591

posted by Guy, Tue Mar 29 2011, 18:04

The original file that I used for this diary is was submitted to VirusTotal and only one AV had some form of detection. The result is here: http://www.virustotal.com/file-scan/report.html?id=7a56c52fa5cb3562f4b4e9035548d4de7e1091ed52384180e97f233bf7060f92-1301440226

posted by Guy, Tue Mar 29 2011, 23:13

New Comments closed for all Diaries older than two(2) weeks
Please send your comments to our Contact Form