Tuesday, April 10, 2007 8:24 AM cmosby

McAfee Avert Labs Blog - Obfuscating Image Files for Fun and Profit


Obfuscating Image Files for Fun and Profit

Monday April 9, 2007 at 6:57 am CST
Posted by Geok Meng Ong


Just when you think you have had enough of obfuscation in executable files and web scripts, McAfee Avert Labs has been tracking a series of malformed image files in the current wave of 0-day ANI exploits since the wildfire started burning about two weeks ago. Some of these ANI exploits introduce what I would like to call obfuscation in image files.

ANI (animated cursor) files are cursor icon images commonly used on the Windows platform; their format specification, based on the Resource Interchange File Format (RIFF), is public and open. In the ANI exploit code that was made public, we found the common ANI headers modified and redundant noise prepended, in an attempt to circumvent detection in most traditional content-filtering and anti-virus products that lack proper scanning in the context of the threat, as well as proactive exploit protection.

In our tests, all of these “malformed” image files are rendered by Internet Explorer and can cause remote code execution or memory corruption on unpatched Windows systems.

In this sample, the ANI exploit, generated by a popular free-for-all toolkit, uses a lot of random tags such as “gIZU”, a nonsense RIFF tag. It looks like it was inspired by “TSIL”, a reversed “LIST”, found in the first variants of the 0-day to be discovered. The RIFF specification does not forbid 4-byte ASCII identifiers outside the common list of ANI tags, and most image viewers, including Internet Explorer, parse them without any problem until they hit the relevant parts that trigger the buffer overflow.

As of today, approximately 10 days after the initial reports of the original Windows ANI 0-day vulnerability reached the public domain, many exploits generated and obfuscated using freely available toolkits still go undetected by the majority of anti-virus products tested.


Just as ambiguity and variation in specifications and implementations can lead to bugs and security issues, they can also be exploited by malware authors to circumvent conventional detection. This presents a new challenge for security products that scan image files for malicious content using basic methods that ignore the context of the threat.
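As an added illustration (not code from the post or from McAfee), the following Python walks the RIFF chunk tree of an ANI file the way a lenient viewer does, skipping over unrecognised identifiers such as the “gIZU” and “TSIL” chunks mentioned above rather than stopping at them, and reports those identifiers together with structural inconsistencies it meets on the way; this is the kind of context-aware check the preceding paragraphs argue for. The set of known chunk identifiers and the 36-byte size of the anih header are taken from the public ANI format, and the sample file is constructed inline.

```python
import struct

# Chunk identifiers defined by the public ANI/RIFF format (assumption: this
# list comes from the format specification, not from the original post).
KNOWN_IDS = {b"RIFF", b"LIST", b"anih", b"rate", b"seq ", b"icon",
             b"INFO", b"INAM", b"IART"}
ANIHEADER_SIZE = 36  # size of the fixed ANIHEADER structure in an "anih" chunk


def walk_chunks(data, offset, end):
    """Walk the RIFF chunks in data[offset:end] the way a lenient viewer does:
    unrecognised identifiers are skipped rather than rejected, and anything
    odd is returned as a list of human-readable findings."""
    findings = []
    while offset + 8 <= end:
        cid = data[offset:offset + 4]
        size = struct.unpack_from("<I", data, offset + 4)[0]
        body = offset + 8
        if cid not in KNOWN_IDS:
            findings.append(f"unknown chunk id {cid!r} at offset {offset}")
        if size > end - body:
            findings.append(f"chunk {cid!r} at offset {offset} claims {size} "
                            f"bytes but only {end - body} remain")
            break
        if cid == b"anih" and size != ANIHEADER_SIZE:
            findings.append(f"anih chunk at offset {offset} has size {size}, "
                            f"expected {ANIHEADER_SIZE}")
        if cid in (b"RIFF", b"LIST"):
            # Containers carry a 4-byte form type followed by nested chunks.
            findings.extend(walk_chunks(data, body + 4, body + size))
        offset = body + size + (size & 1)  # chunk bodies are word-aligned
    return findings


def scan_ani(data):
    """Return the list of anomalies found in an in-memory ANI file."""
    return walk_chunks(data, 0, len(data))


def chunk(cid, payload):
    """Encode one RIFF chunk: id, little-endian size, payload, pad byte."""
    return cid + struct.pack("<I", len(payload)) + payload + b"\0" * (len(payload) & 1)


def build_sample(junk_ids):
    """Constructed test input: a minimal ACON file with junk chunks, each
    carrying an arbitrary identifier, placed in front of a valid anih header."""
    anih = chunk(b"anih", struct.pack("<9I", ANIHEADER_SIZE, 1, 1, 0, 0, 0, 0, 0, 1))
    junk = b"".join(chunk(j, b"\xcc" * 12) for j in junk_ids)
    return chunk(b"RIFF", b"ACON" + junk + anih)


SAMPLE = build_sample([b"gIZU", b"TSIL"])  # the identifiers quoted in the post
```

Running `scan_ani(SAMPLE)` reports both unknown identifiers while still reaching and validating the anih header behind them; a truncated copy of the same file is reported as a chunk claiming more bytes than remain.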

Windows users are once again reminded to install the security patch for this vulnerability from Microsoft.

Source: Computer Security Research - McAfee Avert Labs Blog

