Malware Hidden Inside JPG EXIF Headers

Status
Not open for further replies.

NZRADAR

Level 3
Thread author
Verified
Well-known
Aug 8, 2013
145
Good Evening all

2 Questions

I would like to know how well ESET does in detection of malware hidden inside JPG EXIF headers.

I have had ESET SS in a Virtual Machine and I have tried some links from scumware with some New Zealand compromised sites, and found ESET did not have a response where a number of other products I have in VMs detect this sort of malware.

I would be interested to know if anyone here can verify the effectiveness of ESET in relation to this specific malware and inform me of their results.

I had put ESET on the highest of all the real-time protection settings I could find.

Please take this as just a simple question, as I have no doubt that ESET is a very capable product; it's just that over the testing time I had no detection of the type in the link posted in virus exchange.

I have posted a link on Virus Exchange for the sample.

Besides this, how does one go about getting an activation for the trial?
I had one activated recently with my email, and after a bit of testing in the Virtual Machine I deleted the VM before the activation had finished.

Now on a fresh VM ESET won't allow me to activate the trial with the same email.
Any pointers appreciated.

Kind regards

NZRADAR
 

Gnosis

Level 5
Apr 26, 2011
2,779
I cannot truly answer your question, but I rate ESET up there with Emsisoft, and F-Secure, as far as paid anti-malware products go.
I have always heard that ESET HIPS should be set to "policy based".
 
illumination

Can you be a little more specific please? Are you stating the web guard did not detect the malicious URLs, or did the malware actually install on the system, bypassing ESET?
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Here's a post by Sucuri Research on this subject.
http://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html
 

NZRADAR

Level 3
Thread author
Verified
Well-known
Aug 8, 2013
145
illumination said:
Can you be a little more specific please? Are you stating the web guard did not detect the malicious URLs, or did the malware actually install on the system, bypassing ESET?

Hi and thanks for your reply
 

NZRADAR

Level 3
Thread author
Verified
Well-known
Aug 8, 2013
145
illumination said:
Can you be a little more specific please? Are you stating the web guard did not detect the malicious URLs, or did the malware actually install on the system, bypassing ESET?

Hi illumination, sorry about my late reply. At the time I was testing different products in VMs and most of the links were on scumware, and I'm sorry I cannot find them again. The most specific info I can give you was that maybe 4 of the sites at the time led to just an image page, just a JPG in the screen centre, and I had no URL warning or AV detection going on in ESET where some other products identified risks: Avira, Avast and AVG. Now the link that I posted in virus exchange for me had no detection with ESET, but as I have seen in further replies to my question there, ESET did for them detect the malicious code on the sample page, so maybe my VM was infected, I cannot say for sure. I am likely to test again this type of malware with ESET and see what I get. Not greatly specific info for you, I'm afraid.

But I can say for sure after visiting the pages at the time with ESET I had no blocking happening, or in on-demand scans afterward no evidence of malware. I have concluded so far that I didn't conduct a proper test to evaluate the VM's infection status or not. I do recall now being infected in the VM with Trojan.Win32.Scar, as HitmanPro revealed at the time, and this was not picked up at the time by ESET.

Sorry for my long-winded answer

Kind Regards
NZRADAR
 
illumination

NZRADAR said:
illumination said:
Can you be a little more specific please? Are you stating the web guard did not detect the malicious URLs, or did the malware actually install on the system, bypassing ESET?

Hi illumination, sorry about my late reply. At the time I was testing different products in VMs and most of the links were on scumware, and I'm sorry I cannot find them again. The most specific info I can give you was that maybe 4 of the sites at the time led to just an image page, just a JPG in the screen centre, and I had no URL warning or AV detection going on in ESET where some other products identified risks: Avira, Avast and AVG. Now the link that I posted in virus exchange for me had no detection with ESET, but as I have seen in further replies to my question there, ESET did for them detect the malicious code on the sample page, so maybe my VM was infected, I cannot say for sure. I am likely to test again this type of malware with ESET and see what I get. Not greatly specific info for you, I'm afraid.

But I can say for sure after visiting the pages at the time with ESET I had no blocking happening, or in on-demand scans afterward no evidence of malware. I have concluded so far that I didn't conduct a proper test to evaluate the VM's infection status or not. I do recall now being infected in the VM with Trojan.Win32.Scar, as HitmanPro revealed at the time, and this was not picked up at the time by ESET.

Sorry for my long-winded answer

Kind Regards
NZRADAR

It is ok, thank you for responding, as I was curious about the process. After you run the test again, please respond with the results.
 

Neiltullio

Level 2
Verified
Dec 25, 2013
53
I'm not sure if you really understand this particular threat.
Such images are specially crafted to be part of a backdoor on the server side, not to attack people visiting the site or opening the image.
And I have seen on YouTube ESET detecting such images ;)
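
Added example, not part of any post in this thread: since these images matter on the server side, a site owner can check uploaded or stored JPEGs by walking the metadata segments (APPn, which includes EXIF, and COM) and flagging script-like text in them. The marker list, the function names and both sample files are assumptions constructed for illustration; the sample payload is not a valid TIFF/EXIF structure, only bytes for the scanner to read.

```python
import re
import struct

# Assumed, illustrative markers of script code that has no place in image metadata.
SUSPICIOUS = [rb"<\?php", rb"eval\s*\(", rb"base64_decode\s*\("]
PATTERN = re.compile(b"|".join(SUSPICIOUS), re.IGNORECASE)

def metadata_segments(data):
    """Yield (marker, payload) for each APPn/COM segment before the image data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            break  # lost sync: stop rather than guess
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS / EOI: metadata section is over
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            break  # truncated or malformed segment
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:
            yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def scan_jpeg(data):
    """Return a list of (segment marker, matched text) hits in file order."""
    hits = []
    for marker, payload in metadata_segments(data):
        for m in PATTERN.finditer(payload):
            hits.append((hex(marker), m.group(0).decode("latin-1")))
    return hits

def make_jpeg(exif_payload):
    """Build a minimal constructed file: SOI + one APP1 (Exif) segment + EOI."""
    body = b"Exif\x00\x00" + exif_payload
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"

# Constructed samples: one ordinary-looking, one with script text in a metadata field.
CLEAN = make_jpeg(b"Make=ExampleCam Model=X100")
TAINTED = make_jpeg(b"Model=eval(base64_decode('PLACEHOLDER'))")

if __name__ == "__main__":
    print("clean:", scan_jpeg(CLEAN))
    print("tainted:", scan_jpeg(TAINTED))
```

A hit means the file deserves a closer look, not that it is malicious; re-encoding uploads or stripping metadata on ingest removes the hiding place altogether.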
 