https://live.paloaltonetworks.com/t5/general-topics/can-pan-detect-this-kind-of-malware/m-p/37409#M27426 <HTML><HEAD></HEAD><BODY><P>Hopefully PA will add this as a general threat that a jpeg contains a malformed exif-header (or rather the exif-header contains data which shouldnt exist there in normal situations).</P><P></P><P>Such as the /.*/e^ or for that matter eval, base64_decode and the other stuff.</P><P></P><P>This would also be interresting to exploit regarding as a tunneling technique.</P><P></P><P>That is similar to how <A href="http://www.what2code.net/" title="http://www.what2code.net/">What2Code &amp;#8211; IT Security Blog</A> used ssh within web-browsing session (and later ssh within dns session) now you can take it a step further and use proper http etc but tunnel through jpegs which is being sent back and forth <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> (and this way you would be screwed as soon as you let the client use web-browsing as appid)</P></BODY></HTML> Wed, 17 Jul 2013 21:25:30 GMT mikand 2013-07-17T21:25:30Z https://live.paloaltonetworks.com/t5/general-topics/can-pan-detect-this-kind-of-malware/m-p/37408#M27425 <HTML><HEAD></HEAD><BODY><P>I found following article.</P><P><A class="active_link" href="http://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html" style="font-size: 10pt; line-height: 1.5em;" title="http://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html">Sucuri Research</A></P><P></P><P>This is pretty interesting technique, though if people hits this kind of malware, is Threat Prevention (or might be wildfire?) able to detect this malware?</P><P></P><P>Regards,</P></BODY></HTML> Wed, 17 Jul 2013 15:17:27 GMT https://live.paloaltonetworks.com/t5/general-topics/can-pan-detect-this-kind-of-malware/m-p/37408#M27425 emr_1 2013-07-17T15:17:27Z https://live.paloaltonetworks.com/t5/general-topics/can-pan-detect-this-kind-of-malware/m-p/37409#M27426 <HTML><HEAD></HEAD><BODY><P>Hopefully PA will add this as a general threat that a jpeg contains a malformed exif-header (or rather the exif-header contains data which shouldnt exist there in normal situations).</P><P></P><P>Such as the /.*/e^ or for that matter eval, base64_decode and the other stuff.</P><P></P><P>This would also be interresting to exploit regarding as a tunneling technique.</P><P></P><P>That is similar to how <A href="http://www.what2code.net/" title="http://www.what2code.net/">What2Code &amp;#8211; IT Security Blog</A> used ssh within web-browsing session (and later ssh within dns session) now you can take it a step further and use proper http etc but tunnel through jpegs which is being sent back and forth <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> (and this way you would be screwed as soon as you let the client use web-browsing as appid)</P></BODY></HTML> Wed, 17 Jul 2013 21:25:30 GMT https://live.paloaltonetworks.com/t5/general-topics/can-pan-detect-this-kind-of-malware/m-p/37409#M27426 mikand 2013-07-17T21:25:30Z