
SANS ISC: InfoSec Handlers Diary Blog - When is a DMG file not a DMG file


When is a DMG file not a DMG file

Published: 2008-04-02
Last Updated: 2008-04-02 23:38:16 UTC
by Adrien de Beaupre (Version: 2)

When it is malware?

Steve (a fellow handler) sent in a link to a DMG file. Several of us wondered how to analyze it and what it might contain. While we searched our memory, I downloaded it and discovered it was not a DMG file at all.

adrien@tester:~/bad$ file jetcodec1000.dmg
jetcodec1000.dmg: PE executable for MS Windows (GUI) Intel 80386 32-bit, Nullsoft Installer self-extracting archive

VirusTotal results aren't the greatest:

File jetcodec1000.dmg received on 04.03.2008 00:49:47 (CET)

Antivirus            Version          Last Update   Result
AhnLab-V3            2008.4.1.2       2008.04.02    -
AntiVir                               2008.04.02    DR/Dldr.DNSChanger.Gen
AVG                                   2008.04.02    DNSChanger.AA
BitDefender          7.2              2008.04.03    Dropped:Trojan.Downloader.Zlob.ABOU
ClamAV               0.92.1           2008.04.02    Trojan.Zlob-2395
F-Prot                                2008.04.02    W32/Trojan2.AIES
F-Secure             6.70.13260.0     2008.04.02    W32/Malware
Kaspersky                             2008.04.03    Trojan.Win32.DNSChanger.arn
Norman               5.80.02          2008.04.02    W32/Malware
Prevx1               V2               2008.04.03    Generic.Dropper.xCodec
Symantec             10               2008.04.03    Trojan.Zlob
VBA32                                 2008.03.25    MalwareScope.Trojan.DnsChange.2
Webwasher-Gateway    6.6.2            2008.04.02    Trojan.Dropper.Dldr.DNSChanger.Gen

Additional information
File size: 232561 bytes
MD5: 7db1dded58e7856c4d0dcae14b3b870f
SHA1: 6dbc5ae729102e37a77735712dc17daef6b46916

The exe also has the same characteristics:

adebeaupre@host032:~/bad$ md5sum jetcodec1000.exe
555a43e71a62453b445087ef50781193  jetcodec1000.exe
adebeaupre@host032:~/bad$ md5sum jetcodec1000.dmg
555a43e71a62453b445087ef50781193  jetcodec1000.dmg
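A small content-versus-name check in the spirit of the `file` and `md5sum` steps above, added here as an example and not part of the original diary: it recognises the MZ/PE header, the NSIS firstheader signature (0xDEADBEEF followed by "NullsoftInst", the marker libmagic uses for its "Nullsoft Installer" verdict) and the "koly" trailer of a genuine Apple UDIF disk image, and flags files whose .dmg name promises a disk image while the bytes are a Windows executable. The sample blobs are constructed header stubs, not the diary's malware.

```python
import hashlib
import struct

# Signatures as used by libmagic/`file`; the sample data below is constructed.
NSIS_SIG = b"\xef\xbe\xad\xdeNullsoftInst"  # NSIS firstheader: 0xDEADBEEF + "NullsoftInst"
DMG_TRAILER_MAGIC = b"koly"                  # Apple UDIF trailer, final 512 bytes

def identify(data: bytes) -> str:
    """Classify by content only, ignoring the file name, as `file` does."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            # NSIS stubs carry the firstheader signature after the PE image
            return "pe/nsis" if NSIS_SIG in data else "pe"
        return "mz"
    if len(data) >= 512 and data[-512:-508] == DMG_TRAILER_MAGIC:
        return "dmg"
    return "unknown"

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the name claims a disk image but the content is Windows code."""
    return filename.lower().endswith(".dmg") and identify(data).startswith("pe")

def md5_hex(data: bytes) -> str:
    """Same digest md5sum prints; equal digests mean the same file under two names."""
    return hashlib.md5(data).hexdigest()

def make_fake_pe(with_nsis: bool) -> bytes:
    """Constructed sample: minimal MZ/PE header stub, not a runnable program."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr) + (NSIS_SIG if with_nsis else b"") + b"\0" * 64

def make_fake_dmg() -> bytes:
    """Constructed sample: 1 KiB of payload plus a 512-byte UDIF trailer."""
    return b"\0" * 1024 + DMG_TRAILER_MAGIC + b"\0" * 508

if __name__ == "__main__":
    samples = {"jetcodec1000.dmg": make_fake_pe(True),
               "jetcodec1000.exe": make_fake_pe(True),
               "real_image.dmg": make_fake_dmg()}
    for name, blob in samples.items():
        print(f"{name}: {identify(blob)} md5={md5_hex(blob)} "
              f"mismatch={extension_mismatch(name, blob)}")
```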
Obviously NOT a DMG file! Interesting that the site the file was downloaded from contained the following advertising blurbs:

XX is multimedia software that allows access to the Windows collection of multimedia drivers and integrates with any application using DirectShow and Microsoft Video for Windows. XX will greatly increase the quality of video files you play.

XX enhances your music listening experience by improving the sound quality of video file audio, MP3, internet radio, Windows Media and other music files. Renew stereo depth, add 3D surround sound, restore sound clarity, boost your audio levels, and produce deep, rich bass sounds.

Sounds like fun. Delivery via social engineering.

Adrien de Beaupré
Bell Canada


Keywords: Mac malware Microsoft