Didier Stevens

I helped a friend creating picture files to be detected by anti-virus. They are not malicious: they don’t execute code neither trigger a vulnerability.

The EICAR test file is detected by many anti-virus programs, except when it is appended to arbitrary files (this is according to specs).

Starting with a one-pixel JPEG and PNG file, I append the EICAR test file. And with a JPEG file, I can also insert the EICAR file as a comment:

The detection scores on VirusTotal show that these files are not detected by many anti-virus programs:

• JPEG + EICAR: 6/55
• PNG + EICAR: 7/58
• JPEG + EICAR comment: 2/57

That wasn’t good enough for my friend, she needed something with a higher detection score.

Since several years now, there is a Windows program that triggers many anti-virus programs: mimikatz.

When I try mimikatz with picture files, I get better detection scores than for the EICAR test file (as I expected):

• JPEG + MIMIMATZ.EXE: 19/58
• PNG + MIMIMATZ.EXE: 15/57
• JPEG + MIMIMATZ.DLL: 12/57

And I have a picture file with even higher detection scores, but you’ll have to wait until April Fools day for the details 😉 .