Solved

Bypass firewall using images

Posted on 2014-01-06
Last Modified: 2014-01-26
Hi,
I'm new to network administration. I have seen some files coming from the internet into our trusted company network as images. When I view these files, they display lots of dots, and they are also rendered as valid image files.

How can I detect and stop this without stopping the entire web site which hosts the particular images?

I think we use Checkpoint firewall.

Thanks.
Question by:rpgeegange
12 Comments
LVL 23

Expert Comment

by:Patrick Bogers
ID: 39761338
Hi,

Could you be a little more precise about what is happening?
Are there images being uploaded through a web application or ....?
Where are the images being stored, and in what format?

Author Comment

by:rpgeegange
ID: 39761361
Hi Patricksr1972,
Thanks for the reply.
These images are stored on free image hosting sites and downloaded by some program from inside the network.
These images are in PNG format. I'm not sure whether it is using stenography.
LVL 23

Expert Comment

by:Patrick Bogers
ID: 39761379
OK, and where are they stored? A share or someone's home directory?

What are you thinking? Is it some sort of malware?

Author Comment

by:rpgeegange
ID: 39761406
I'm not sure whether it is malware or not, because I can see some dotted image in it. They were stored in "My Documents".
It could be like this: malware converts its components to an image, gets them through the firewall, and then decodes them again.

If it is malware, how can I stop it?
LVL 23

Expert Comment

by:Patrick Bogers
ID: 39761412
Hi

You could download Malwarebytes and run a full scan; you will know soon enough.

Author Comment

by:rpgeegange
ID: 39761429
How can I block images like this? Are there such ways? I have read about image blocking mechanisms. How does this technology work? Will it help me?

Thanks.
LVL 46

Expert Comment

by:Craig Beck
ID: 39772677
You need a UTM device or firewall which can do AV scanning.
LVL 64

Expert Comment

by:btan
ID: 39772765
Besides the below, to check the machine that downloaded the potentially malicious content:
http://www.checkpoint.com/solutions/malware-portal/infected-machine.html

Indeed, some traditional firewalls do ICAP, meaning they send files such as images to an anti-virus server, which is supposed to offload this capability and its performance cost off-box. However, there can be limits on file size, delays, and false positives from corrupted files choking the entry check. Traditional firewalls cannot keep up, hence next-gen firewalls and UTM-based firewalls gained traction and a bigger appeal. There is application delivery content that does this. In all, you are looking at deep content inspection with anti-malware or bot checks, coupled with real-time threat feeds and content filtering to prevent users from reaching bad sites, where possible.

Checkpoint's software blades technology is their move into UTM. They are a keen competitor to Palo Alto, which seems to have started the NGFW "trend". Anti-APT is all said to be preventive for the hard sell... nonetheless, you can check this blade and other associated ones in the Checkpoint portfolio:

http://www.checkpoint.com/products/anti-bot-software-blade/

It also couples with a content filter or proxy like the Websense gateway... but as a whole, the endpoint serves as the next layer if the image bypasses and evades. Password-protected or obfuscated files easily avoid detection, hence breach detection devices came into the picture, like FireEye, XPS, Netwitness, Solera, etc. Layer the checks; there is no one size fits all... in simple takeaway.
LVL 70

Expert Comment

by:Merete
ID: 39772776
Hi, this kind of reminds me of  3D Stereograms
Stereograms are 3D images hidden within another picture.
http://en.wikipedia.org/wiki/Autostereogram

Is this what you are typically seeing?
Can you determine who is downloading them?
On Sep 15, 2004, Microsoft's monthly security update was highlighted by a JPEG-handling vulnerability that could allow pictures in that format to lead to remote code execution.
But that was patched way back then.
http://www.technewsworld.com/story/36629.html
Do you have Microsoft's Malicious Software Removal Tool  updated from windows updates?
http://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx
LVL 64

Expert Comment

by:btan
ID: 39773012
There is no one good foolproof solution, as eventually we are going beyond signature-based detection. You can catch this:

https://blog.damballa.com/archives/tag/sandbox

What can be done? I believe a key perspective to dealing with this evasion technique is to better understand the suspicious nature of the file transfer. Consider it "contextual awareness". Despite not being able to dissect and analyze the malicious binary directly, understanding the context of its transport will likely provide enough circumstantial evidence to arrive at a comfortable conclusion as to the maliciousness of the binary.
LVL 40

Accepted Solution

by:noci (earned 2000 total points)
ID: 39774745
This is hard to do, as "images" mean something to us humans, and the representation of that in data is massive, where small changes in images are hard to notice but can mean much info being "hidden".

You mentioned stenography, but that is a sign language, also named shorthand, used to note down real-time discussions on paper (like in courthouses etc.).
You probably meant stegano-graphy, or the hiding of info.
You can only prove steganography if you have a picture with and without the message.
Steganography uses, f.e., a text message converted to Morse, and then
uses the lowest bit of the blue channel in every 16th pixel to denote a dash or a dot.
You won't ever detect that without comparing to the original image.

And you mention PNG (which can actually be represented in ASCII-readable form, like a C declaration, if needed), but what about all the other formats: GIF, BMP, JPG, etc.?

You may need a proxy to have all your transfers checked for pictures containing executable images, whose presence is easier to prove: f.e., if part of the image contains "PE" and the info after it looks like it could be a program header, you can assume it is a Windows NT program, or if it contains "MZ" and some valid data, it may be a DOS executable, etc.
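The two techniques in the accepted answer, the Morse-in-blue-LSB scheme and the MZ/PE check a proxy could run, as an added worked example. This is not code from the thread or from any of the posters; it builds its own minimal PNG writer/reader from the standard library so it runs offline. Assumptions beyond what noci wrote: dot/dash alone cannot mark letter boundaries, so each carrier pixel holds one bit and every Morse symbol is a two-bit pair (dot = 10, dash = 11, letter gap = 01, 00 ends the message); the cover is a constructed 32x32 gradient; and FAKE_PE is a constructed, non-executable MZ/PE header stub appended after the IEND chunk, the usual place a payload hides because image decoders ignore trailing bytes.

```python
import struct
import zlib

PNG_SIG = b'\x89PNG\r\n\x1a\n'
MORSE = dict(zip('ABCDEFGHIJKLMNOPQRSTUVWXYZ', (
    '.- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- '
    '.--. --.- .-. ... - ..- ...- .-- -..- -.-- --..').split()))
# Assumption beyond noci's sketch: one bit per carrier pixel, two bits per Morse symbol,
# since dot/dash alone cannot mark letter boundaries; '00' terminates the message.
SYMBOL_BITS = {'.': '10', '-': '11', ' ': '01'}
CARRIER_STEP = 16   # the LSB of blue in every 16th pixel, as in the answer
# Constructed MZ/PE header stub (not runnable code): e_lfanew at 0x3C points at 'PE\0\0'.
FAKE_PE = b'MZ' + b'\x00' * 0x3A + struct.pack('<I', 0x40) + b'PE\x00\x00' + b'\x00' * 20

def _chunk(tag, body):
    return struct.pack('>I', len(body)) + tag + body + struct.pack('>I', zlib.crc32(tag + body) & 0xFFFFFFFF)

def png_encode(rows):
    """Write rows of (r, g, b) tuples as an 8-bit RGB PNG, filter type 0 on every scanline."""
    h, w = len(rows), len(rows[0])
    raw = b''.join(b'\x00' + bytes(c for px in row for c in px) for row in rows)
    ihdr = struct.pack('>IIBBBBB', w, h, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b'IHDR', ihdr) + _chunk(b'IDAT', zlib.compress(raw)) + _chunk(b'IEND', b'')

def png_chunks(data):
    """Yield (tag, body) per chunk, checking the signature and every CRC; bytes after IEND are ignored."""
    if data[:8] != PNG_SIG:
        raise ValueError('not a PNG')
    pos = 8
    while pos + 12 <= len(data):
        length, tag = struct.unpack('>I4s', data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack('>I', data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(tag + body) & 0xFFFFFFFF != crc:
            raise ValueError('bad CRC in %r chunk' % tag)
        yield tag, body
        if tag == b'IEND':
            break
        pos += 12 + length

def png_decode(data):
    """Decode an 8-bit, non-interlaced RGB PNG whose scanlines use filter 0 (all png_encode emits)."""
    w = h = None
    idat = b''
    for tag, body in png_chunks(data):
        if tag == b'IHDR':
            w, h, depth, ctype, _, _, interlace = struct.unpack('>IIBBBBB', body)
            if (depth, ctype, interlace) != (8, 2, 0):
                raise ValueError('this toy decoder handles 8-bit RGB, non-interlaced only')
        elif tag == b'IDAT':
            idat += body
    raw, stride, rows = zlib.decompress(idat), 1 + 3 * w, []
    for y in range(h):
        line = raw[y * stride:(y + 1) * stride]
        if line[0] != 0:
            raise ValueError('filtered scanline; only filter type 0 is handled')
        rows.append([tuple(line[1 + 3 * x:4 + 3 * x]) for x in range(w)])
    return rows

def embed_morse(cover_png, text):
    """Hide TEXT (letters only) as Morse in the blue LSB of every CARRIER_STEP-th pixel."""
    rows = png_decode(cover_png)
    w = len(rows[0])
    bits = ''.join(SYMBOL_BITS[s] for s in ' '.join(MORSE[c] for c in text.upper())) + '00'
    carriers = range(0, len(rows) * w, CARRIER_STEP)
    if len(bits) > len(carriers):
        raise ValueError('message too long for this cover image')
    for i, bit in zip(carriers, bits):
        r, g, b = rows[i // w][i % w]
        rows[i // w][i % w] = (r, g, (b & 0xFE) | int(bit))
    return png_encode(rows)

def extract_morse(stego_png):
    """Read the carrier bits back and translate bit pairs to Morse until the '00' terminator."""
    flat = [px for row in png_decode(stego_png) for px in row]
    bits = ''.join(str(flat[i][2] & 1) for i in range(0, len(flat), CARRIER_STEP))
    symbols = {v: k for k, v in SYMBOL_BITS.items()}
    out = ''
    for j in range(0, len(bits) - 1, 2):
        if bits[j:j + 2] == '00':
            break
        out += symbols[bits[j:j + 2]]
    return out

def find_embedded_pe(blob):
    """Offset of an 'MZ' header whose e_lfanew points at 'PE\\0\\0' (noci's MZ/PE test), or -1."""
    pos = blob.find(b'MZ')
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew, = struct.unpack_from('<I', blob, pos + 0x3C)
            if blob[pos + e_lfanew:pos + e_lfanew + 4] == b'PE\x00\x00':
                return pos
        pos = blob.find(b'MZ', pos + 1)
    return -1

def scan_image(data):
    """Run the MZ/PE check over the file bytes (payload after IEND) and the decompressed IDAT stream."""
    idat = b''.join(body for tag, body in png_chunks(data) if tag == b'IDAT')
    return {'file': find_embedded_pe(data), 'pixels': find_embedded_pe(zlib.decompress(idat))}

def demo():
    """Constructed 32x32 gradient cover, the 'SOS' stego image, and a PNG-with-PE-appended polyglot."""
    cover = png_encode([[(x * 8, y * 8, (x + y) * 4) for x in range(32)] for y in range(32)])
    stego = embed_morse(cover, 'SOS')
    return cover, stego, stego + FAKE_PE   # the polyglot still decodes to the same picture
```

Running `demo()` and decoding the cover and the stego image gives the same dimensions and a valid file either way; the only difference is one bit in the blue channel of fourteen pixels, which is noci's point that you cannot prove anything without the original. The scanner checks both the raw file bytes and the decompressed IDAT stream, because a payload can sit in either; a real gateway would also have to handle the filter types, bit depths and other image formats this toy decoder rejects.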