RE: stego and executable files

["Tomas Wolf" <tomas () skip cz>]

I believe that JPG embended trojans must be put into an environment that executes the code no mather what. Yes, I would 
think that most of us know that MS Outlook (Express) is one of these environments.

So to embend an executable code within the picture, one would have to exchange some of the code for executable (or some 
script). The other question would be -- will the program pass the executable or just mallform the picture? How does the 
enviroment hanldes such situations seems to be entirely dependent on the environment (program).

For example if the environment will be "Exif Viewer", then it might just show garbage (if the graphic is destroyed) or 
normal picture. Since this program only reads the values in palette to know the values of colors... But for 
multi-executable environment, where it doesn't matter wheter it is picture or executable, there might be some sort of 
chance embending the code inside a picture. But why to go into such a trouble while one can embend just "invisible" VB 
script.

I hope that make sense :-)
Good luck -- Tomas


> I saw the speech at defcon10, guy's name was Mike, he was
> located in Baltimore, but now no longer works for the company
> that he was with (have already called). They were working on .jpg
> style trojans at the time...
>
> The .jpg file I found had a self extracting executable...
> stego embedded...
> (basically a "dial home script" that enabled modem)
> script was buggy...
>
> This really intriques me and I really would like to know if
> someone has finally made this work...it shines a new day on security exploits,
> as well as security precautions !
>
> Again, thanks for any and all info.
>
> Rockit
>
> --- Michael LaSalvia <mike () genxweb net> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > I be shocked if you did. The idea was getting thrown around about two
> > years ago at defcon 10 that one day it be possible to embed Trojans
> > in stego that  will auto execute when viewed or watched. That was the
> > first and last I heard of it. The speech was given by a guy from the
> > black hat community.
> >
> > Here is lead that might help do a google for defcon 10 and stego. See
> > who were the speakers that did a presentation then search for them. I
> > would tell you but I can't remember. There was two of them a guy and
> > some really famous women that dedicated her whole life to stego.
> >
> > Hopefully that helps.
> >
> > - -----Original Message-----
> > From: Rockit [mailto:speech_freedom2002 () yahoo com]
> > Sent: Friday, August 15, 2003 11:03 AM
> > To:
> > Subject: stego and executable files
> >
> > I have just had what I believe is my first encounter with
> > a .jpg stego embedded executable file.
> > I know that there has been success embedding stego executables
> > in .mp3 and .avi files, but was unawares that someone had developed
> > a way to do .jpgs......
> > Can someone please provide detailed info on this ??
> > (and yes, I've googled)
> > Thanks in advance.
> >
> > Rockit
> >
> > =====
> > www.interz0ne.com
> >
> > __________________________________
> > Do you Yahoo!?
> > The New Yahoo! Search - Faster. Easier. Bingo.
> > http://search.yahoo.com
> >
> > - ----------------------------------------------------------------------
> > - -----
> > - ----------------------------------------------------------------------
> > - ------
> >
> >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
> >
> > iQA/AwUBPz07unAnVb+gRdsVEQIqsACfe7afegDq1yks9ugq1aMno8HOtQ0AoP7g
> > Ger1X0k46U93vpgCWm8da2Hn
> > =V31L
> > -----END PGP SIGNATURE-----
>
>
> =====
> www.interz0ne.com
>
> __________________________________
> Do you Yahoo!?
> Yahoo! SiteBuilder - Free, easy-to-use web site design software
> http://sitebuilder.yahoo.com
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------