GIFAR's Magical Mimes Filed in 8 by 3 (2012)
outline and notes for 2012 file types brownbag
File types, identification technology, and their weaknesses
File types?
a few examples:
- live and raw bytes of common file types:
- html/xml/text, pl/py/rb/sh, png, swf, PDF, exe, doc, mp3, avi, jar/zip/docx
the basic schemes
- file name extensions (trust)
- file metadata (tag)
- resource forks and EAs
- MIME type tags and headers
- file(1) magic (check)
- icons?
How is all of this used?
Optimizations
- Apache modules may try to compress GIF, JPG, but not PNG, JAR
Exceptions to policy
- configured in HIDS/NIDS : eg MSSE exclude from scan "*.jar"
- WAF / IPS policy : Disallow requests to *.cgi, *.pl
- Email security : Gmail won't allow exes ...
In response and triage
- easy to prioritize/triage by file extension ...
- automated analysis may rely on file typing
- Fireeye/Damballa, FTK's Cerebus, ?
Basic Deceptions
lies
- change extension/name
- can simply hide files in windows or UNIX, eg ..
Simple mutation
- compression/packing/encoding to evade detection
- magic tricks: gif/php stego
Chimera
thing
Release the GIFAR!
other examples of multiple valid types
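Added example for the "basic schemes" and "Chimera / GIFAR" sections (this is my code for the brownbag, not from file(1) or any of the referenced papers): a small checker that types a file by leading magic bytes, flags an extension that disagrees with the magic, and then looks for a second valid container hiding in the same bytes. The GIFAR case is the one worth seeing: a GIF header is checked at offset 0, but a ZIP/JAR is located from its end-of-central-directory record near the tail, so one byte stream satisfies both readers. The signatures are the public ones from the file(1) magic database; the three sample inputs (a GIF stub, an EXE stub renamed to .gif, and a GIF stub with a ZIP appended) are constructed in memory and are not real images or programs.

```python
import io
import os
import zipfile

# A small subset of well-known leading signatures: (bytes, offset, type name).
MAGIC = [
    (b"GIF87a", 0, "gif"),
    (b"GIF89a", 0, "gif"),
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"\xff\xd8\xff", 0, "jpeg"),
    (b"%PDF-", 0, "pdf"),
    (b"MZ", 0, "exe"),
    (b"PK\x03\x04", 0, "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0, "doc"),
    (b"FWS", 0, "swf"),
    (b"CWS", 0, "swf"),
    (b"#!", 0, "script"),
]

# Extensions we accept for each magic-detected type (jar/docx are ZIP containers).
EXT_FOR_TYPE = {
    "gif": {"gif"}, "png": {"png"}, "jpeg": {"jpg", "jpeg"}, "pdf": {"pdf"},
    "exe": {"exe", "dll", "scr"}, "zip": {"zip", "jar", "docx", "xlsx", "apk"},
    "doc": {"doc", "xls", "ppt"}, "swf": {"swf"}, "script": {"sh", "pl", "py", "rb"},
}

ZIP_EOCD = b"PK\x05\x06"  # end-of-central-directory record; readers search for it from the tail


def magic_type(data: bytes) -> str:
    """Type named by the first matching leading signature, or 'unknown' (what file(1) does, roughly)."""
    for sig, off, name in MAGIC:
        if data[off:off + len(sig)] == sig:
            return name
    return "unknown"


def has_trailing_zip(data: bytes) -> bool:
    """True if an EOCD record sits in the last 64 KiB (22-byte record plus an optional comment)."""
    return ZIP_EOCD in data[-(65535 + 22):]


def zip_names(data: bytes) -> list:
    """Entry names if zipfile will open the bytes; it locates the archive from the EOCD,
    so bytes prepended before the first local header (a GIF, say) do not stop it."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def assess(filename: str, data: bytes) -> dict:
    """Combine the three checks: magic vs extension, and a second container behind the magic."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    kind = magic_type(data)
    findings = []
    if kind != "unknown" and ext not in EXT_FOR_TYPE.get(kind, set()):
        findings.append(f"extension .{ext} disagrees with magic ({kind})")
    names = zip_names(data)
    if kind not in ("zip", "unknown") and has_trailing_zip(data) and names:
        findings.append(f"trailing ZIP archive ({', '.join(names)}) inside a {kind}")
        if "META-INF/MANIFEST.MF" in names:
            findings.append("archive carries a Java manifest (JAR-style)")
    return {"ext": ext, "magic": kind, "findings": findings}


def build_samples() -> dict:
    """Constructed inputs (not real files): name -> (filename as presented, bytes)."""
    gif_stub = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + bytes(6) + b"\x3b"
    exe_stub = b"MZ" + bytes(62)  # DOS header magic only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("README.txt", "constructed sample entry\n")
    return {
        "plain": ("photo.gif", gif_stub),
        "renamed_exe": ("photo.gif", exe_stub),
        "gifar": ("photo.gif", gif_stub + buf.getvalue()),
    }


if __name__ == "__main__":
    for label, (fname, blob) in build_samples().items():
        print(label, assess(fname, blob))
```

The point for the talk: an extension check passes all three samples, a magic check passes two of them, and only the tail check notices that the "photo" also opens as an archive. A real gate would additionally refuse to serve a file whose magic and declared MIME type disagree, and would strip or re-encode uploaded images rather than storing the original bytes.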
Refs
bsk@bebo-bt5:~/anet/gsec$ file -v
file-5.03
magic file from /etc/magic:/usr/share/misc/magic
http://linux.die.net/man/1/file
http://www.garykessler.net/library/file_sigs.html
http://www.pkware.com/documents/casestudies/APPNOTE.TXT
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,7655.msg41049/
http://www.exploit-db.com/exploits/16181/
https://en.wikipedia.org/wiki/Executable_compression
https://en.wikipedia.org/wiki/GIFAR
http://googleonlinesecurity.blogspot.com/2012/08/content-hosting-for-modern-web.html
http://www.gnucitizen.org/blog/gifars-and-other-issues/
http://www.gnucitizen.org/blog/more-on-gifars-and-other-dangerous-attacks/
http://www.zdnet.com/blog/security/black-hat-sneak-preview/1619
/. thread: http://it.slashdot.org/story/08/08/01/184220/a-photo-that-can-steal-your-online-credentials
copy of original GIFAR presentation?:
http://files.sans.org/summit/pentest09/PDFs/Jeremiah%20Grossman%20-%20WebApp%20Vulnerabilty%20Analysis%20-%20SANS%20PenTest%20Summit09.pdf
R. Brandis. Exploring below the surface of the gifar iceberg. Whitepaper. 2009 http://www.infosecwriters.com/text_resources/pdf/RBrandis_GIFAR.pdf
Image Repurposing for Gifar-Based Attacks by Smitha Sundareswaran, Anna C Squicciarini : http://academic.research.microsoft.com/Paper/14046706.aspx
DeCore: Detecting Content Repurposing Attacks on Clients' Systems by Smitha Sundareswaran, Anna C Squicciarini http://www.personal.psu.edu/sus263/DecoRe.pdf
Dan Crowley of Trustwave.com: Jack of All Formats http://www.slideshare.net/BaronZor/jack-of-all-formats
Needs
- nil
Wants
- pic/details for compression / encoding?
- research on filetype usage in Cerebus, Fireeye, Sourcefire..
- ? anti virus screen snip of exception config - at work ?
- reorg this page and pretty up the links
New
Background books that don’t address file typing in any depth:
PMA
FSFS
MAC
Roel @ Kaspersky Lab's blog post about antivirus detection of scripts hiding as PEs, Nov 2005
Magic byte vulnerability
https://www.securelist.com/en/blog?weblogid=173180325
Malware Hidden Inside JPG EXIF Headers
http://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html
Newer info from Talos is on their blog here