[ale] encryption/obfuscation (Was: No, wait- Leonard ...)

SanMillan, Todd tis3 at cdc.gov
Wed Jul 10 09:13:14 EDT 2002


   The proof of concept was a two-parter.  The .JPG carried infected code,
but it had to be fed to a special executable.  The second file (the
executable) was the real infection, the .JPG just carried the payload.  The
executable still had all the familiar limitations, i.e. you had to be
tricked into executing malicious code, if you weren't accessing the machine
with full admin privileges (root or administrator) you would limit the
damage, unlikely to work cross-platform, etc.

   According to Webopedia
(http://www.pcwebopaedia.com/TERM/s/steganography.html) Steganography is the
"art and science of hiding information by embedding messages within other,
seemingly harmless messages. Steganography works by replacing bits of
useless or unused data in regular computer files (such as graphics, sound,
text, HTML, or even floppy disks) with bits of different, invisible
information. This hidden information can be plain text, cipher text, or even
images."  So I would consider this steganography, if not exactly a classical
application of it.


-----Original Message-----
From: Jeff Hubbs [mailto:hbbs at attbi.com]
To: ale at ale.org
Sent: Wednesday, July 10, 2002 1:17 AM
To: fgz
Cc: ale at ale.org
Subject: Re: [ale] encryption/obfuscation (Was: No, wait- Leonard ...)


Brian -

In this case, you'd have a legal .JPG file that looked like a real image
of something but, if you executed it as though it were an executable
program :-/ bad stuff would happen.  I'm not quite sure how you'd go
about doing that, but, since it's possible to stick executable code into
buffers so as to overflow them and get the code to execute, there may
well be a way.  I haven't tried hex-editing a .JPG file or a Linux
executable before, so I'm kinda just handwaving if y'all'll excuse me.

On Wed, 2002-07-10 at 00:36, fgz wrote:
> 
> From: "Brian" <brianb_ale at yahoo.com>
> To: <ale at ale.org>
> Sent: Tuesday, July 09, 2002 11:22 PM
> Subject: Re: [ale] encryption/obfuscation (Was: No, wait- Leonard ...)
> 
> 
> > It might also be worth noting that there was a proof
> > of concept virus (W32:Perrun virus) that was believed
> > to have originated from the Philippines that hides in
> > a jpeg file. Is this considered steganography?
> > 
> 
> Meaning, what? That displaying a jpg could trigger
> the virus/trojan? Or, that the jpg was simply the
> carrier of it, or, in the context of this discussion,
> the messenger?
> 
> 
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> sent to listmaster at ale dot org.
> 
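
An added example, not part of the original thread and not code from any of the posters: a defender-side check for an image file that carries extra data, as the .JPG in the proof of concept is described as doing. It assumes the carried data sits after the JPEG end-of-image (EOI) marker, which the thread does not state; the function name and the sample bytes are constructed for illustration.

```python
import struct

EOI, SOS = 0xD9, 0xDA
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0-RST7 have no length field

def bytes_after_eoi(data: bytes) -> int:
    """Walk the JPEG marker stream; return how many bytes follow the EOI marker.

    Assumption (not stated in the thread): carried data is appended after EOI.
    Raises ValueError if the input is not a well-formed marker stream.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker, pos = data[pos], pos + 1
        if marker == EOI:
            return len(data) - pos
        if marker in NO_LENGTH:
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        pos += length
        if marker == SOS:
            # Entropy-coded scan: 0xFF00 is a stuffed data byte and RSTn may
            # appear inline; any other 0xFF xx pair ends the scan.
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF
                and data[pos + 1] != 0x00
                and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    raise ValueError("no EOI marker found")

# Constructed sample: a minimal marker stream, not a decodable image.
CLEAN = (b"\xff\xd8" + b"\xff\xe0\x00\x04AB" + b"\xff\xda\x00\x04\x01\x02"
         + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")
TRAILER = b"CONSTRUCTED-TRAILER"  # stands in for appended data

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("carrier", CLEAN + TRAILER)):
        print(name, bytes_after_eoi(blob))
```

A non-zero count is a reason to inspect the file, not proof of a payload. The check does not see data hidden inside the image's own bits, which is the classical steganography the quoted definition describes.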


