Memory modification not detected?

[Guest]

[aigle]

When I run this spoofed jpg image, It starts a hidden window of InternetExplorer. Seems that spoofed jpg then modifies the memory of InternetExplorer( IE)  and IE then in turn creates more copies of malicious executabels.

CFP D plus does not give any warning about memory modification. Is it some thing missing?
Any explanation from the developers will be appreciated. I can send the file if asked.

 Thanks

[aigle]

Bump!

Anyone please?

[Blas]

Ok send it.
Im not a programmer neither a specialist but I can try it out.
Is it malicious or just a POC?

[aigle]

No, it,s a real malware. So are u willing to try it?

Thanks

[salmonela]

When I run this spoofed jpg image, It starts a hidden window of InternetExplorer. Seems that spoofed jpg then modifies the memory of InternetExplorer( IE)  and IE then in turn creates more copies of malicious executabels.

CFP D plus does not give any warning about memory modification. Is it some thing missing?
Any explanation from the developers will be appreciated. I can send the file if asked.

 Thanks

Just curiosity... Does that ".jpg" pulls the same trigger as a eq secure (mem. access/mod.) in CFP if you put *.jpg in groups  of executables  in "My Protected Files"?

[aigle]

Just curiosity... Does that ".jpg" pulls the same trigger as a eq secure (mem. access/mod.) in CFP if you put *.jpg in groups  of executables  in "My Protected Files"?

I don,t expect so but I did not try. I will try it later.

[aigle]

Another one. This is with virus W32/Jefoo.A.

Infact it seems that Defence Plus is missing too many memeory modifications. I don,t know what is the issue.

[salmonela]

Hmmm I dont see anything unsafe in third picture, If you wanna see prompt between two safe apps. you should run CFP in paranoid mode...

[Yuriy]

aigle,

As for third alert set d+ to paranoid mode (like salmonela suggested) and make sure iexplore.exe is not already allowed to access explorer.exe in memory and not allowed to execute explorer.exe.

[Blas]

The popup from defense+ asking if malware.exe can access iexplorer.exe in memory was allowed or blocked?
If you allowed it then it is normal behavior that you didn't received alert for the further actions of iexplorer.exe. This is because iexplorer.exe is considered safe. Try deleting the rules for iexplorer.exe and set defense+ to paranoid mode and disable 'learn automatically applications signed by comodo". In this case you should receive the second alert too..

Oh and the sample...if its malware, I cant test it right now. Im using my VM to test firewalls for testmypcsecurity.com and I haven't got cfp installed at the moment..Maybe later, but thanks.

[aigle]

Hi Salmonela, goodbrazer and Blas.

Thanks for the reply.

About third alert you are right. I missed that point.

My first post is still a question. Here Defence + is not ginving an alert.

[ at ] Blis

Sending you the file link via PM.

Thanks

[salmonela]

Please aigle, could you PM me with fake jpg (malware) link, also?
I would like to test it,
Tia

[panic]

Out of curiousity, how do you run a JPG?

It's not an executable extension and would merely call whatever app is registered to handle them.

Or do you mean that it is an EXE with a double extension of ".jpg.exe"?

Ewen :-)

[ggf31416]

Out of curiousity, how do you run a JPG?

It's not an executable extension and would merely call whatever app is registered to handle them.

I think you need an unpatched vulnerability or outdated software to run it in Internet explorer

Of course, you can always run a renamed executable in the command no matter the extension.

[panic]

Q.E.D.

You're not running the JPG, per se, you're loading it into another application that may or may not have vulnerabilities. The flaw lies in the application, not the data file.

Ewen :-)

[Tags:]