.gif Files Presenting a Not so Pretty Picture

SANS ISC InfoSec Forums

.gif Files Presenting a Not so Pretty Picture
A Storm Center subscriber has just submitted malware embedded in .gif image files, downloaded from the image site 4chan.org. For the sake of expediency, and because this person did such a good write up, here is the analysis provided: "The .gif files were found the "random" board of the image board site 4chan. The files contain a large picture with instructions to save the file with a .jse extension and run it. The .out files are the result of applying scrdec to the gifs to reveal the encoded script. It appears to: (1) copy itself somewhere as 'sys.jse' (2) add itself to a Run key in the registry (3) (a) fetch the index to 4chan's /b forum (b) download the first image (c) save it as 'j.jse' (d) attempt to run 'j.jse' (4) construct a POST request containing the image as payload (5) upload itself as a new post on 4chan (6) point an instance of IE at site it came from (3)-(6) are in an infinite loop." To the subscriber who did the legwork on tihs one, my thanx for the excellent work I will provide more data as it develops.......	Tony 150 Posts ISC Handler Feb 7th 2009
Thread locked Subscribe	Feb 7th 2009 1 decade ago