About Me

Geok Meng Ong

Geok Meng Ong
Senior Research Manager

Read More

Feeds & Podcasts

Blogs

Meet the Bloggers

Archive

Tags

#SecChat $1 million guarantee 12 Scams of Christmas access to live fraud resolution agents Acquisition Alex Thurber Android antivirus Apple botnet Channel Partners cloud security Compliance Consumer counter identity theft credit card fraud and protection credit fraud alerts credit monitoring credit monitoring and resolution critical infrastructure Cyber Security Mom cyberbullying Cybercrime cybermom data breach data center data center security Data Protection Dave DeWalt DLP Email & Web Security embedded encryption Endpoint Protection enterprise facebook fake anti-virus software Family Safety Friday Security Highlights global threat intelligence google government Hacktivism how to talk to kids how to talk to teens identity fraud identity fraud scams identity protection identity protection $1 million guarantee identity protection fraud identity protection surveillance identity surveillance identity theft identity theft expert identity theft fraud identity theft protection identity theft protection product Identity thieves and cybercriminals intel iphone kids online behavior lost wallet protection malware McAfee McAfee Channel McAfee Family Protection McAfee Identity Protection McAfee Initiative to Fight Cybercrime McAfee Labs McAfee security products Mid-Market Mobile mobile malware mobile security monitor credit and personal information Network Security online personal data protection online safety Operation Aurora PCI personal identity theft fraud personal information loss personal information protection phishing privacy proactive identity protection proactive identity surveillance Public Sector restore credit and personal identity Risk and Compliance scam scams scareware security smartphones social media social networking social networks spam Stuxnet twitter vulnerability Web 2.0 work with victim restore identity

McAfee Labs :

Obfuscating Image Files for Fun and Profit

Monday, April 9, 2007 at 6:57am by Geok Meng Ong
Geok Meng Ong

Just when you think you have had enough of obfuscation in executable files and web scripts, McAfee Avert Labs has been tracking a series malformed image files in the current wave of 0-day ANI exploits since the wild fire started burning about 2 weeks ago. Some of these ANI exploits introduce what I would like to call obfuscation in image files.

ANI files are cursor icon images that are commonly used on the Windows platform of which its format specifications based on Resource Interchange File Format (RIFF) are public and open. In the ANI exploit code that were made public, we found common ANI headers that were modified and redundant noise prepended, in an attempt to circumvent detection in most traditional content filtering and anti-virus products that lacks proper scanning, in the context of the threat, and proactive exploit protection.

All of these “malformed” image files are rendered by Internet Explorer and can cause remote code execution or memory corruption in unpatched Windows systems, in our tests.

In this sample, the ANI exploit generated by a popular free-for-all toolkit, uses a lot of random tags such as “gIZU”, a nonsense RIFF tag. It looks like it was inspired by “TSIL”, a reversed “LIST”, found in the first variants of the 0-day to be discovered. The RIFF specifications does not forbid 4-byte ASCII identifiers outside the common list of ANI tags and most image viewers including Internet Explorer parses them without any problems until it hits upon the relevant parts that causes the buffer overflow issue to occur.

As of today, approximately 10 days after the initial reports of the original Windows ANI 0-day vulnerability having reached public domain, many exploits generated and obfuscated using freely available toolkits still go undetected by a majority of anti-virus products tested.

(click here for full size image)

Just as ambiguity and variations in specifications and implementation can lead to bugs and security issues, they can also be exploited by malware authors to circumvent conventional detection. This presents a new challenge to security products that scan image files for malicious content using basic methods that ignore the context of the threat.

Windows users are once again reminded to install the security patch for this vulnerability from Microsoft.

Š

Bookmark and Share

Submit your own comments / message for this post

Your email is never published nor shared. Required fields are marked *

 

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Comments (3)

  • Geok Meng Ong April 29, 2007 6:35PM

    Late is better than never, more traditional security vendors are now providing protection recently. McAfee customers are protected from these obfuscation methods since DATs 5002 (April 5th, 2007).

    Reply
  • Info-Point-Security Infoboard - McAfee: "Proof of Concept" Code für ANI Schwachstelle im Internet Explorer entdec April 27, 2007 7:34AM

    [..] Der McAfee Sicherheitsspezialist Geok Meng Ong beschreibt im McAfee Weblog eine in letzter Zeit beobachtete Taktik der Malware Autoren, durch konfus manipulierten “Animated Cursor” Code die ANI [..]

    Reply
  • Computerworld - Patch be damned: ANI attacks on the rise April 27, 2007 7:23AM

    [..] Over at McAfee’s Avert Labs, meanwhile, researcher Geok Meng Ong spelled out obfuscation techniques that some ANI exploits were using to sneak by defenses. In one sample, [..]

    Reply