Inferniel Solvang

Skype and Secondlife related virus!

It's pretty easy to get caught by something like this, because friends pass pictures to each other all the time on Skype and this looks like any other picture at casual glance.

A friend's hacked account sent this to me and I noticed it because the icon was different and Windows reported the type as a .scr (which is really an executable under the hood). Even though the filename showed as .png; it was a pretty clever little trick.

Also for people relying on antivirus? I can tell you that mine didn't catch it, and when I uploaded to a tester site only about 25% of the engines picked it up. Would more have caught it once the payload was decrypted and it tried to go into memory? I dunno... maybe. I wasn't about to spin up a VM to test it because I wasn't that curious to find out what it did.

In any case, I sent the sample to the AV company so they can hopefully add it to their signatures soon.


The aging method of changing filenames to trick people on PCs has been around since 2002. It's not new, and while it can be a bad experience for some, especially with Windows hiding most known file types as standard, it also boils down to common sense to prevent it and learn from it.

Portable Network Graphics (.png) files are not executable files, but screen saver (.scr) files are executable.

Skype warns all users of the dangers of accepting fails, even from friends; as soon as you click "that's OK, continue", you're putting yourself in a position to be infected.

Any decent antivirus will detect this form of virii regardless of file type, and that goes for the majority of free antivirus programs out there; the tech savvy amongst you can check the file type hex below before executing.

  • Hex: 4D 5A, ASCII: MZ


You can, if you wish to be that little bit more cautious, disable the screensaver executable file type or the .png file type via a group security policy such as a software restriction policy, which can be read about in more detail at http://www.mechbgon.com/srp/


But I'd suggest just getting an antivirus; there are lots of great free ones out there if your pocket is empty, to name a few...

AVG, Comodo, avast, baidu


.scr isn't executable on a Mac, and the default setting for execution of downloaded code on a Mac is to throw a warning dialog and require user (name/password) authentication to enable execution. So this type of malware is not a threat to Mac users.

But, if the following example works, this is a way to slip banned words into the forum...

‮!ekyD naV kciD yas nac ew won ,ooh ooW


If I've properly understood this, shouldn't I start to smell a rat when I download this .png file, try to open it, and, rather than seeing Picasa start to open, I get a warning message from Windows 7 that I'm trying to run an executable file downloaded from the internet (and probably that it wants to make changes to my PC, as well)?



DigitaL Scribe wrote:

<snip>

But I'd suggest just getting an antivirus; there are lots of great free ones out there if your pocket is empty, to name a few...

AVG, Comodo, avast, baidu


The Unicode Consortium actually has a published paper on this subject, Unicode Security Considerations.

 

I can't imagine any halfway reputable AV ignoring their recommendations in section 2.6 about syntax spoofing, especially when it's been around this long.

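The hex check (4D 5A / "MZ") from DigitaL Scribe's post, the right-to-left override demonstrated a few posts up, and the syntax-spoofing recommendations cited from Unicode Security Considerations all come down to the same defensive checks: does the name the user sees match the real extension, and does the real extension match the file's magic bytes? The following is an added example written for this thread, not code from any poster or from Skype; the list of executable extensions and the sample file names are assumptions constructed for the demonstration.

```python
# Bidi control characters that Unicode Security Considerations advises
# rejecting in identifiers such as file names (U+202E is the RLO shown above).
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
RLO = "\u202e"
# Windows extensions treated as executable; assumed list for this example.
EXECUTABLE_EXTS = frozenset({".exe", ".scr", ".com", ".pif", ".bat", ".cmd"})
MZ_MAGIC = b"MZ"                   # 4D 5A, the DOS/PE executable header
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"    # PNG file signature

def strip_bidi(name: str) -> str:
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)

def displayed_name(name: str) -> str:
    """Approximate what a user sees: text after an RLO renders reversed."""
    head, rlo, tail = name.partition(RLO)
    if rlo:
        name = head + tail[::-1]
    return strip_bidi(name)

def extension(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""

def assess(name: str, head: bytes) -> list:
    """Return a list of findings for a file name plus its first bytes."""
    findings = []
    real_ext = extension(strip_bidi(name))
    shown_ext = extension(displayed_name(name))
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi-control-in-filename")
    if shown_ext != real_ext:
        findings.append(f"displayed-extension-mismatch:{shown_ext}!={real_ext}")
    if real_ext in EXECUTABLE_EXTS:
        findings.append(f"executable-extension:{real_ext}")
    if head.startswith(MZ_MAGIC) and real_ext not in EXECUTABLE_EXTS:
        findings.append("mz-header-with-non-executable-extension")
    if real_ext == ".png" and not head.startswith(PNG_MAGIC):
        findings.append("png-extension-without-png-header")
    return findings

if __name__ == "__main__":
    # Constructed samples: a disguised .scr and a genuine .png header.
    disguised = "holiday-" + RLO + "gnp.scr"
    print(displayed_name(disguised), assess(disguised, b"MZ\x90\x00"))
    print(assess("holiday.png", PNG_MAGIC + b"\x00\x00\x00\rIHDR"))
```

The disguised sample renders as "holiday-rcs.png" while its real extension is .scr, which is exactly the mismatch a mail or chat client should refuse to display as a plain picture.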


Innula Zenovka wrote:

If I've properly understood this, shouldn't I start to smell a rat when I download this .png file, try to open it, and, rather than seeing Picasa start to open, I get a warning message from Windows 7 that I'm trying to run an executable file downloaded from the internet (and probably that it wants to make changes to my PC, as well)?

 

It is pretty well established how much the prospect of seeing naked pictures of Anna Kournikova overrode people's better sense.


Yes, the intended victims of this virii are Windows users, not Mac users, and .scr is a screensaver executable.

Mac OS X is basically Unix in a skirt, so it and Linux distros would not be susceptible to this infection.

However this would not stop them passing it on to their friends who are windows users.

Most antivirus scan engines have heuristic methods and smart sandbox functions for this very type of file manipulation.

The best method, however, is your own common sense: be weary of random strangers sending you pictures, be weary of avatars coming on strong with no pre-emptive motives, examine links sent, ask them to put the picture in their profile or on an image host, examine avatar creation dates, and scan file(s) if possible on multiple freely available multi-engine virus scan sites online, like the two below for example.

http://www.virustotal.com

http://virusscan.jotti.org/en


DigitaL Scribe wrote: be weary of random strangers sending you pictures, be weary of avatars coming on strong with no pre-emptive motives

I'm pretty tired of people who post hyperbolised scare messages about the same old online threats.

© The Judge



DigitaL Scribe wrote:

Skype warns all users of the dangers of accepting fails


Failure is NOT an option!

© The Judge


Indeed my typing failed me there; "Fail" should have been "File", pardon the pun.

"I'm pretty tired of people who post hyperbolised scare messages about the same old online threats."

Yeah, we should bury our heads in the sand instead, right?

The OP's message was clear and can be seen as just a fellow community member giving awareness to a particular threat; it's always good to know of an old or new threat while it's still active, being used on this platform, and relevant.
