adric.net

File types

outline for file types brownbag

Newer info, from Talos: http://blogs.cisco.com/security/talos/malicious-pngs

GIFAR's Magical Mimes Filed in 8 by 3

File types, identification technology, and their weaknesses

File types?

a few examples:

the basic schemes

How is all of this used?

Optimizations

Exceptions to policy

In response and triage

Basic Deceptions

lies

Chimera

thing

Release the GIFAR!

other examples of multiple valid types
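The identification schemes sketched under "the basic schemes" (extension, leading magic bytes, and the real parser) and the chimera behind "Release the GIFAR!" can be shown with one short script. This is an added example written for this outline; it is not code from the page, from the GIFAR authors, or from any of the papers in Refs. The GIF bytes and the ZIP member are constructed samples, and every name in it (`identify_by_magic`, `make_gifar`, `gif_payload_end`, `conflicting_types`) is an assumption of the example. The property it relies on is real: a GIF decoder reads from the first byte and stops at the 0x3b trailer, while a ZIP/JAR reader locates the end-of-central-directory record from the last bytes and tolerates anything prepended (self-extracting archives depend on this), so one byte string satisfies both.

```python
import io
import zipfile

# Constructed sample: a minimal valid 1x1 GIF89a (not from the original page).
MINIMAL_GIF = (
    b"GIF89a"                    # signature + version: the "magic bytes"
    b"\x01\x00\x01\x00"          # logical screen 1x1
    b"\x80\x00\x00"              # packed: global colour table, 2 entries
    b"\x00\x00\x00\xff\xff\xff"  # palette: black, white
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor 1x1
    b"\x02\x02\x44\x01\x00"      # LZW min code size 2, one data sub-block
    b"\x3b"                      # trailer: where an image decoder stops
)

# Scheme 1: leading signature, the way file(1)'s magic database does it.
MAGIC = [
    (b"GIF87a", "image/gif"), (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"), (b"\xff\xd8\xff", "image/jpeg"),
    (b"PK\x03\x04", "application/zip"), (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-dosexec"),
]

def identify_by_magic(data: bytes) -> str:
    for sig, mime in MAGIC:
        if data.startswith(sig):
            return mime
    return "application/octet-stream"

# Scheme 2: the extension, which the sender controls outright.
EXTENSIONS = {".gif": "image/gif", ".png": "image/png",
              ".zip": "application/zip", ".jar": "application/java-archive"}

def identify_by_extension(name: str) -> str:
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return EXTENSIONS.get(ext, "application/octet-stream")

# Scheme 3: ask the real parser. ZIP is parsed from the END of the file.
def zip_members(data: bytes) -> list:
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def make_gifar(gif: bytes, members: dict) -> bytes:
    """Concatenate a head-parsed GIF with a tail-parsed ZIP/JAR."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return gif + buf.getvalue()

def gif_payload_end(data: bytes) -> int:
    """Walk the GIF block structure; return the offset just past the trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos, packed = 13, data[10]
    if packed & 0x80:                          # global colour table
        pos += 3 * (2 << (packed & 0x07))
    def skip_subblocks(p):                     # length-prefixed, 0 ends
        while data[p] != 0:
            p += 1 + data[p]
        return p + 1
    while True:
        tag = data[pos]
        if tag == 0x3b:                        # trailer
            return pos + 1
        if tag == 0x21:                        # extension: label + sub-blocks
            pos = skip_subblocks(pos + 2)
        elif tag == 0x2c:                      # image descriptor
            lct = data[pos + 9]
            pos += 10
            if lct & 0x80:                     # local colour table
                pos += 3 * (2 << (lct & 0x07))
            pos = skip_subblocks(pos + 1)      # LZW min code size, then data
        else:
            raise ValueError("bad block tag 0x%02x at %d" % (tag, pos))

def conflicting_types(name: str, data: bytes) -> dict:
    """Triage check: report every identification that holds, not just the first."""
    report = {"extension": identify_by_extension(name),
              "magic": identify_by_magic(data),
              "zip_members": zip_members(data)}
    if report["magic"] == "image/gif":
        report["bytes_after_gif_trailer"] = len(data) - gif_payload_end(data)
    return report

if __name__ == "__main__":
    # Constructed member: class-file magic followed by filler, not a real class.
    chimera = make_gifar(MINIMAL_GIF, {"Applet.class": b"\xca\xfe\xba\xbe" + b"\x00" * 4})
    print(conflicting_types("avatar.gif", chimera))
```

The check a triage engineer wants is the last one: a valid image with bytes after its trailer is worth a second look whatever the extension and magic say, and `zip_members` confirms what those bytes are when they are a ZIP. The point for gateways and upload handlers is that a single scheme, and especially the first match, is not an identification; run the parser the consumer will actually use.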


Refs

bsk@bebo-bt5:~/anet/gsec$ file -v
file-5.03
magic file from /etc/magic:/usr/share/misc/magic

http://linux.die.net/man/1/file

http://www.garykessler.net/library/file_sigs.html

http://www.pkware.com/documents/casestudies/APPNOTE.TXT

http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,7655.msg41049/

http://www.exploit-db.com/exploits/16181/

https://en.wikipedia.org/wiki/Executable_compression

https://en.wikipedia.org/wiki/GIFAR

http://googleonlinesecurity.blogspot.com/2012/08/content-hosting-for-modern-web.html

http://www.gnucitizen.org/blog/gifars-and-other-issues/

http://www.gnucitizen.org/blog/more-on-gifars-and-other-dangerous-attacks/

http://www.zdnet.com/blog/security/black-hat-sneak-preview/1619

/. thread: http://it.slashdot.org/story/08/08/01/184220/a-photo-that-can-steal-your-online-credentials

copy of original GIFAR presentation?:

http://files.sans.org/summit/pentest09/PDFs/Jeremiah%20Grossman%20-%20WebApp%20Vulnerabilty%20Analysis%20-%20SANS%20PenTest%20Summit09.pdf

R. Brandis. Exploring below the surface of the gifar iceberg. Whitepaper. 2009 http://www.infosecwriters.com/text_resources/pdf/RBrandis_GIFAR.pdf

Image Repurposing for Gifar-Based Attacks by Smitha Sundareswaran, Anna C Squicciarini: http://academic.research.microsoft.com/Paper/14046706.aspx

DeCore: Detecting Content Repurposing Attacks on Clients' Systems by Smitha Sundareswaran, Anna C Squicciarini: http://www.personal.psu.edu/sus263/DecoRe.pdf

Dan Crowley of Trustwave.com: Jack of All Formats: http://www.slideshare.net/BaronZor/jack-of-all-formats

Needs

Wants

New

Background books that don't address file typing in any depth:

PMA

FSFS

MAC


Roel @ Kaspersky Lab's blog post about antivirus detection of scripts hiding as PEs, Nov 2005

Magic byte vulnerability

https://www.securelist.com/en/blog?weblogid=173180325

Malware Hidden Inside JPG EXIF Headers

http://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html