SANS ISC: .gif Files Presenting a Not so Pretty Picture - Internet Security | DShield

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

A Storm Center subscriber has just submitted malware embedded in .gif image files, downloaded from the image site 4chan.org.  For the sake of expediency, and because this person did such a good write up, here is the analysis provided:

"The *.gif files were found the "random" board of the image board site 4chan.  The files contain a large picture with instructions to save the file with a .jse extension and run it.

The *.out files are the result of applying scrdec to the gifs to reveal the encoded script.

It appears to:
 (1) copy itself somewhere as 'sys.jse'
 (2) add itself to a Run key in the registry
 (3) (a) fetch the index to 4chan's /b forum
    (b) download the first image
    (c) save it as 'j.jse'
    (d) attempt to run 'j.jse'
 (4) construct a POST request containing the image as payload
 (5) upload itself as a new post on 4chan
 (6) point an instance of IE at site it came from

(3)-(6) are in an infinite loop."

To the subscriber who did the legwork on tihs one, my thanx for the excellent work

I will provide more data as it develops.......