Strange Shockwave File with Surprising Attachments
In the past month or so, I have observed some strange Shockwave files that, surprisingly, contain two other files appended after the end of the Shockwave data. First, an EICAR test file sits immediately after the Shockwave file portion, and it is immediately followed by a Windows executable. Most IDS, Snort included, would alert on the transfer of that Windows binary. The Shockwave file portion itself did not contain any malware.
The EICAR test file found, X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*, is the standard anti-virus test string. [1]
However, after carving the Windows binary out of the file and submitting its MD5 to VirusTotal for analysis, it returned some surprising results. The MD5 of this file is 22a0c9e8f8c83f70caf04d757732eb21, and the results show that if this file manages to run, it could compromise the client.
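The carving step described above, as an added example (this is not code from the diary): build a file with the same layout, a Shockwave (SWF) header, the EICAR string, then a PE image, and then split it back apart by reading the length the SWF header declares, locating the EICAR string, and validating the trailing "MZ"/"PE\0\0" pair before hashing it. The SWF body and the PE skeleton are constructed placeholders, not real Flash bytecode or a real executable, and the EICAR string is assembled from two fragments only so that this source file itself is not mistaken for an EICAR sample by an on-access scanner.

```python
import hashlib
import struct

# The standard 68-byte EICAR string, split into two adjacent literals so the
# source file does not carry it verbatim (on-access scanners key on the
# contiguous string, usually at the start of a file).
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def build_fake_pe() -> bytes:
    """Constructed, non-runnable PE skeleton: a DOS header whose e_lfanew
    (offset 0x3C) points at a 'PE\\0\\0' signature followed by a COFF header."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine=0x14C (i386), no sections, remaining fields zero.
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\x00\x00" + coff + b"\x00" * 16


def build_polyglot(payload_pe: bytes) -> bytes:
    """Constructed sample with the layout the diary describes: SWF, EICAR, PE.
    The SWF header is 'FWS', version byte, then the uint32 LE total SWF length."""
    swf_body = b"\x00" * 64                      # placeholder body, not real tags
    swf = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(swf_body)) + swf_body
    return swf + EICAR + payload_pe


def swf_declared_length(data: bytes):
    """Length the SWF header claims for itself, or None if this is not a SWF."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS", b"ZWS"):
        return None
    return struct.unpack_from("<I", data, 4)[0]


def find_pe(data: bytes, start: int = 0):
    """Offset of the first plausible PE at or after `start`: an 'MZ' whose
    e_lfanew points at a 'PE\\0\\0' signature inside the buffer. A bare 'MZ'
    is not enough; the signature check avoids false hits on random bytes."""
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def carve(data: bytes) -> dict:
    """Split the polyglot into its parts and hash the trailing PE so the hash
    can be looked up (e.g. on VirusTotal) independently of the SWF wrapper."""
    result = {"swf_len": swf_declared_length(data), "eicar_off": None,
              "pe_off": None, "pe": None, "pe_md5": None}
    eicar_off = data.find(EICAR)
    if eicar_off != -1:
        result["eicar_off"] = eicar_off
    # Anything past the declared SWF length is trailing data worth inspecting.
    start = result["swf_len"] or 0
    pe_off = find_pe(data, start)
    if pe_off is not None:
        pe = data[pe_off:]
        result.update(pe_off=pe_off, pe=pe, pe_md5=hashlib.md5(pe).hexdigest())
    return result


if __name__ == "__main__":
    sample = build_polyglot(build_fake_pe())
    parts = carve(sample)
    print("SWF declared length:", parts["swf_len"], "of", len(sample), "bytes")
    print("EICAR at offset:", parts["eicar_off"])
    print("PE at offset:", parts["pe_off"], "MD5:", parts["pe_md5"])
```

The useful check is the gap between the length the SWF header declares and the real file size: a legitimate SWF has no trailing bytes, so any surplus is carved and hashed on its own rather than scanned inside the wrapper, which is what lets an engine report the EICAR string and miss the executable behind it.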
Have you seen anything like this? Let us know via our contact form.
[1] http://www.eicar.org/anti_virus_test_file.htm
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Comments
Michael
Mar 28th 2011
Why in the world would anybody configure his AV to ignore EICAR?
I know of setups where a daily dose of EICAR is sent for testing purposes (is my AV still alive?)...
Alex
Mar 28th 2011
Michael
Mar 28th 2011
In the end, it might be a new trick to entice the user to click the "allow" button.
Woo
Mar 28th 2011
"Original" infected file:
Anti-Virus scan: process completed <1 minute ago (events: , objects: 1, time: 00:00:05)
28/03/2011 12:32:35 Detected: Trojan.Win32.Genome.rxuu C:\test\TROJAN.exe
28/03/2011 12:32:39 Task completed
28/03/2011 12:32:34 Task started
"Modified" infected file:
Anti-Virus scan: process completed <1 minute ago (events: , objects: 2, time: 00:00:03)
28/03/2011 12:33:58 Detected: EICAR-Test-File C:\test\TROJAN.exe/#
28/03/2011 12:34:01 Not deleted: EICAR-Test-File C:\test\TROJAN.exe Object could not be found
28/03/2011 12:34:01 Task completed
28/03/2011 12:33:58 Task started
See something strange? Why is it a trojan the first time, and just an EICAR-Test-File the next time? It's too bad! If I believe KAV, I can run the executable; it's just an EICAR test, so nothing dangerous.
In this case, the file format (SWF, I suppose) could be just a way to deploy the malware, or to completely prevent antivirus from detecting the malware. I think I will continue testing.
shinnai
Mar 28th 2011
elazar
Mar 28th 2011
Guy
Mar 28th 2011
CA
Mar 28th 2011
Genima
Mar 28th 2011
The other idea that popped into my mind might be related to targeting buggy antivirus software or mail/HTTP gateways (and thus forcing a specific detection to make conditions ripe for a given exploit/payload).
*shrug* Dunno.
Kurt
Mar 28th 2011