Bagle Does What?
Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: Bagle Does What?

  1. #1
    Banned
    Join Date
    Feb 2004
    Posts
    94

    Bagle Does What?

    Here is the article. Is it possible to detect words in image files? Are AV companies just blowing smoke and actually attempting to get the password? Why not just use normal pattern detection after partial/complete decryption?

    -Cheers-

  2. #2
    Senior Member
    Join Date
    Apr 2003
    Posts
    147
    Sure it's possible to detect words in images. That's what OCR is all about. I'm not sure I'd like my AV taking the time to do that scan, but life goes on.

  3. #3
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,836
    Steganography - The practice of hiding one piece of information inside of another.


    Reverse steganography or using the right decryption will show the words hidden inside an image. That might include passwords.

  4. #4
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    OCR is not very good, yet, about detecting words in images where there are varying contrasts close to the target. Not very good at all.

    Bagle Does What?
    what is - Taste good with Cream Cheese and coffee.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  5. #5
    Senior Member
    Join Date
    Apr 2003
    Posts
    147
    RoadClosed, you obviously haven't recieved one of those emails have you? The text is generally a primary color, with a white background, sharp edges. Ideal for OCR. As far as not being very good, about 4 years ago, I got a scanner and some trial software from a leading OCR company, and it could easily read book text and printed text. That's all it would be required to do here. Think how far they've probably come since then.

    Cyber1d, no, they're not talking about steganography. It's cool, but there talking about a literal picture of a password. See the attached, it's not the virus, just the pic that's in one of their emails, it's just a green pic of '02350'

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    UpperCell: I use OCR too for some tasks. It is very good at basic stuff... like books and such.

    Try to fead it forms and it'll crap all over the screen. The formatting gets all messed up and its faster to recreate the form than to try to fix a form scanned in.

    At least... the software I was using... I believe it is omniscan pro version 12?
    They are a couple of versions higher now... maybe I'll try the upgrade.

    Though, most of what I fed it, it scanned quite well.
    I only had to go back over and correct about 5 or so words that wern't in the dictionary.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    the reason they want the pwd is to be able to open the file to scan it to make it easier to detect. the virus writers are using multiple compression methods and file morphing to try and hide their virus
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  8. #8
    Here is what I'm pulling from it...

    It looks like a normal email, but one of the words in the email isn't actually text, its a .gif with a picture of what looks like normal text. So, you can read through it without noticing there is a picture there. When you search text with whatever programming language, you look at the actual characters. By having a picture of characters instead of actual characters, it puts a step between AV signatures and the virus.

    Most web hosts, email sites require you to type in a word as shown on a .gif image to prevent bots from opening numerous accounts. Usually the word has lines going though is a bunch or different colors to prevent those same bots from reading what word is on the .gif. Sort of like image recognition. Maybe AV will pick up this to prevent image text like that, and will be able to distinguish between legit images and fake text.

  9. #9
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Basic text on a single color background is easy to read, but draw a line through it or add additional data into the background and it will crap out, like contrasting greens or lines through the text. I am one of those who uses graphics to hide email adresses from automated bots or spiders. Until now, it would take a human eye to harvest the e-mail address and start spamming. Less likelely considering the are billions of web sites. So this virus writer takes that idea and uses it to disquise data that could otherwise be easily picked up by text scanners and tries to turn the book on them. But sophos picked up on it and wrote some code to pull it out of a graphic file. I wonder if it's traditional OCR technology or something along the lines of looking at the code in terms of binary not optical. To use traditional OCR definition in this case is wrong because the software isn't looking at it from a optical standpoint. It's not OCR they are using, is my point?
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  10. #10
    Senior Member
    Join Date
    Apr 2003
    Posts
    147
    I think I get your point. I agree with you RoadClosed, about OCR being easy to fool.

    What do you mean about binary instead of optical? to my knowledge computers interpret 'optical' as a string of bits with a specified width forming it into a rectangle. Much like text files are just strings of bytes with predetermined end lines and EOF's every once and a while. What's the difference between optical and binary in your analysis? The process of 'optically seeing' the password and 'digitally analysing for words' is the same to a computer. Unless I'm mistaken.

    Regardless, it's a cool, if not new trick. And the irony is undeniable.



    Jon

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides