NEWS FROM THE LAB - Wednesday, October 8, 2008

The Art of the Hidden File
Posted by Response @ 02:51 GMT

The art of hiding code via XOR is simple, easy and extremely ancient. Despite its antiquity, it is still in use today.

Here's a great example: Trojan-Downloader:W32/Tibs.VX. It performs a very simple operation to hide its executable components inside six JPEG files. Since the JPEG files also contain valid pictures, they are easily dismissed as harmless. The trojan downloads the JPEG files, saves them temporarily on the system, extracts the executables and installs them.

If any of the files are opened with an image viewer, this image is displayed:

[Image: innocent-looking JPEG image]

Perfectly innocent, right? But after performing the XOR operation, the executable file becomes evident:

[Image: hidden EXE in the JPEG]

This is not a very common tactic, though we've seen it before in Rogue:W32/AntivirusXP2008 variants. Still, even tricks as simple as a single assembly language opcode never really get old.

Response team post by — Christine
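An added example, not from the original post and not F-Secure's own tooling, of the check an analyst would run on a suspicious JPEG of this kind: it tries all 256 single-byte XOR keys, reports any key that exposes a PE header (an MZ signature with the DOS stub text close behind it), and notes whether the find sits after the image's EOI marker. The JPEG-shaped sample and the fake PE header are constructed here, and the key 0x5A is an arbitrary assumption.

```python
# Added example: find a single-byte-XOR-encoded Windows executable hidden in a JPEG.
# Every ordinary PE image carries this clear-text string in its DOS stub.
DOS_STUB = b"This program cannot be run in DOS mode"

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the operation described in the post)."""
    return data.translate(bytes(i ^ key for i in range(256)))

def jpeg_image_end(blob: bytes):
    """Offset just past the EOI marker, found by walking marker segments so an
    EXIF thumbnail (which carries its own EOI) is not mistaken for the end."""
    if blob[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 2 <= len(blob) and blob[pos] == 0xFF:
        marker = blob[pos + 1]
        if marker == 0xD9:                      # EOI reached
            return pos + 2
        if pos + 4 > len(blob):
            break
        pos += 2 + int.from_bytes(blob[pos + 2:pos + 4], "big")   # skip segment
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            while pos + 1 < len(blob) and not (blob[pos] == 0xFF and
                                               blob[pos + 1] not in (0x00, *range(0xD0, 0xD8))):
                pos += 1                        # FF00 and RSTn are not real markers
    return None

def find_hidden_pe(blob: bytes) -> list:
    """Try all 256 keys; report every key/offset where the decoded bytes look
    like a PE header: 'MZ' with the DOS stub text within the next 256 bytes."""
    hits = []
    for key in range(256):
        plain = xor_bytes(blob, key)
        off = plain.find(b"MZ")
        while off != -1:
            if DOS_STUB in plain[off:off + 256]:
                hits.append({"key": key, "offset": off})
            off = plain.find(b"MZ", off + 1)
    end = jpeg_image_end(blob)
    for h in hits:                              # data after EOI is the telltale sign
        h["after_image"] = end is not None and h["offset"] >= end
    return hits

# Constructed sample (not from the real trojan): a tiny JPEG-shaped file (SOI, APP0,
# SOS, a few scan bytes, EOI) followed by a fake PE header XOR-encoded with key 0x5A.
FAKE_PE = b"MZ" + b"\x90" * 62 + DOS_STUB + b"\x00" * 10 + b"PE\x00\x00"
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x04JF" + b"\xff\xda\x00\x02"
               + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")
SAMPLE = SAMPLE_JPEG + xor_bytes(FAKE_PE, 0x5A)
```

Calling `find_hidden_pe(SAMPLE)` returns one hit, key 90 (0x5A) at offset 19, flagged as lying after the image's EOI marker; a key of 0 would mean an executable was simply appended in the clear.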