JPEG Virus Warning!!!



Fish boy
09-28-2004, 05:44 PM
On 14 September, Microsoft released Security Bulletin MS04-028, which warned that because of a problem with the way that Windows handles JPEG image files, malicious code could be executed on a user's machine if they simply viewed an ordinary image file. Because Microsoft's Internet Explorer browser is vulnerable, users could be attacked just by visiting a website that has affected images.

Within a week, malicious hackers had developed a proof of concept and software development kit (SDK) for others who wished to write a virus to exploit the vulnerability. A virus is now loose on the internet, having been posted to an adult content newsgroup with a JPEG extension.... read more here: JPEG Virus / Windows exploit (http://www.enn.ie/frontpage/news-9555765.html)

Plain English Version: Hackers have figured out a way to exploit Windows so that if you view a picture that a hacker has placed on the internet, sent in an email, disguised as a logo, etc., the hacker could take over your computer. This is a flaw in Windows. You can download the patch from Microsoft; this is highly recommended.

Microsoft Security Update and Patch (http://www.microsoft.com/security/bulletins/200409_jpeg.mspx)

JPEG Virus Info (http://www.easynews.com/virus.html)

Google search (http://news.google.com/news?q=jpeg+virus)

Hopefully some of the smarter computer gurus on this site (wes, tux, etc.) will chime in; I know just enough to make me dangerous.

txtaz
09-29-2004, 05:09 AM
Hey Fish,
Yeah, this type of stuff has been around for some time. It first started with the GIF file types back in the '90s. I have never looked into how the code works, but my best guess would be it is VB script. You can disable that in Internet Explorer and Outlook. I would recommend disabling VB scripts. Personally, I use Eudora as my email program and ACDSee as my picture viewing program. Both are isolated from Internet Explorer, and if a picture does not come up, I delete it and no harm has been done. If I view pictures with Internet Explorer it has to be from a trusted site that I know is good. As far as I know, thumbnail images in web pages with bad code will not affect your computer. If you click the larger version it could be a bad thing. If I want an image from the web, I right click the image and "save as" to save it to the hard drive. Then I open it with ACDSee. I have seen several images that would not display. Their header length did not match the file length. Kind of like saying it's a 16 when it's a hidden 22 and the extra 6 is bad stuff.
You would think with 48 BILLION dollars, ol' Mr. Gates could get it right. If you want some interesting reading, go to the local library and read "The Model Railroad Club". You would learn about the founding of M$. He basically stole everything that started Microsoft.
Hope this helps.
Wes

Fish boy
09-29-2004, 08:34 AM
Thanks Wes, like I said, I know just enough to make me dangerous. I spoke with my former CTO last night and tried to get him to explain this stuff in English to me (we were actually at Hooters) :)

He agreed that this has been around for a while, but until last week, the ability to exploit the buffer overrun to hide malcode in a JPG was theory. Last week, the road map to inserting malcode in JPGs was released on a Usenet group. JPGs with a trojan downloader also began showing up on Usenet groups.

What is ACDSee? If you save a thumbnail to your HD, will it still be thumbnail size or actual size on your HD? Can you explain a little more about how you determined the header length not matching the file length?

Again, I am a long way from an expert and will gladly defer to you and anyone else with conflicting or expanded opinions. Just trying to learn and also let folks know that if they have not downloaded the patch from Microsoft and updated their virus software, they should do so.

txtaz
09-29-2004, 03:51 PM
Fish, ACDSee is a picture viewing program. One of the better ones IMHO. They have a free trial version you can download and play with.
As far as the thumbnail pics, they are usually smaller versions of the large file and stored separately, so the code should not be in the thumbnail pic. All files have a header which describes what the file is and how long it is from the beginning of the file to the end of the file. This way programs know how much to read from the start without getting into some other file that is stored right next to it. When malcode is inserted into the file at the beginning, it makes the file bigger. Unless the hacker resets the header info to update the new size (which they won't, hackers are lazy) the header info will not match the actual size. This was one of the first methods to detect viruses in exe's.
Hope this helps.
Wes
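One way to automate the header-versus-file-length check Wes describes above, and to screen files for the malformed JPEG segments behind the MS04-028 bulletin in Fish boy's first post, as an added example that is not part of this thread or of any poster's own tooling: the script below (Python, my own) walks a JPEG's marker segments and reports a segment whose 2-byte length field is smaller than the field itself (the GDI+ comment-segment case MS04-028 fixed), a segment that runs past the end of the file, and any bytes trailing the end-of-image marker. The sample byte strings are constructed marker skeletons, not real images.

```python
import struct

# Constructed samples (not real images): the marker skeleton is all the check reads.
SOI, EOI, COM, SOS = b"\xff\xd8", b"\xff\xd9", b"\xff\xfe", b"\xff\xda"

def segment(marker: bytes, payload: bytes, declared_len=None) -> bytes:
    """Build a marker segment; the 2-byte length counts itself plus the payload."""
    length = len(payload) + 2 if declared_len is None else declared_len
    return marker + struct.pack(">H", length) + payload

CLEAN = SOI + segment(COM, b"hello") + EOI
UNDERFLOW = SOI + segment(COM, b"hello", declared_len=1) + EOI   # length < 2
OVERRUN = SOI + segment(COM, b"hello", declared_len=500) + EOI   # runs past EOF
TRAILING = SOI + segment(COM, b"hello") + EOI + b"extra6"        # bytes after EOI

def check_jpeg(data: bytes) -> list:
    """Walk the JPEG marker segments; return a list of findings (empty = consistent)."""
    if not data.startswith(SOI):
        return ["no SOI marker: not a JPEG"]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return [f"expected marker at offset {pos}, got 0x{data[pos]:02x}"]
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI: anything after it is not image data
            trailing = len(data) - pos - 2
            return [f"{trailing} byte(s) after EOI"] if trailing else []
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                  # TEM, SOI and RSTn carry no length field
            continue
        if pos + 4 > len(data):
            return [f"truncated segment header at offset {pos}"]
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:               # the length field cannot even cover itself
            return [f"segment 0xff{marker:02x} at offset {pos} declares length {seg_len} (< 2)"]
        end = pos + 2 + seg_len
        if end > len(data):
            return [f"segment 0xff{marker:02x} at offset {pos} runs {end - len(data)} byte(s) past EOF"]
        if marker == 0xDA:            # SOS: entropy-coded data follows and cannot contain FF D9
            eoi = data.find(EOI, end)
            if eoi < 0:
                return ["no EOI after scan data"]
            pos = eoi
            continue
        pos = end
    return ["file ends without EOI"]
```

Run it over a saved file with `check_jpeg(open(path, "rb").read())`; a non-empty list means the file is worth keeping out of any viewer that has not been patched.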

Fish boy
09-29-2004, 06:40 PM
Thanks Wes, as always good info. I appreciate you taking the time to explain that to me. Will give ACDSee a shot.

Thanks,

fish

Fish boy
09-30-2004, 10:45 AM
Not just for images anymore...

Someone combined it with a flaw in instant messaging.

http://www.nwfusion.com/news/2004/0929instamessa.html

Instant messaging worm exploits JPEG flaw

By Joris Evers
IDG News Service, 09/29/04

Security experts have spotted the first attempts to create an Internet worm that propagates using instant messages and exploits a recently disclosed flaw in Microsoft software.

Researchers at The SANS Institute's Internet Storm Center (ISC) have had two reports of users receiving messages on AOL Instant Messenger service that lured them to Web sites containing malicious code, said Johannes Ullrich, CTO at SANS ISC, in an interview on Wednesday. The messages told the users to "Check out my profile, click GET INFO!"

When visiting the Web sites, the malicious code would attempt to install "backdoor" software on the user's PC that gives remote attackers total control over the machine. Additionally, messages containing a link to the site would be sent out to all contacts on the victim's instant messenger contacts list, Ullrich said.

The malicious code is embedded in a JPEG image and exploits a security flaw in the way many Microsoft applications process such images. Microsoft identified and patched the flaw on Sept. 14, but users have complained that patching is onerous because several applications, including Office and Windows, require separate patches.

These first attempts to exploit the JPEG flaw using instant messaging appear to have failed. There have been no further reports of users getting the messages and the two AOL Instant Messenger user profile Web pages that contained the harmful images are no longer available, Ullrich said.

"People should be worried about the next attempt," Ullrich said. These first attempts show that people are actively working on this type of attack, he said.

FaceTime Communications, a provider of instant messaging security applications, also has not seen the attacks hit any of its customers, said Christopher Dean, senior vice president of marketing and business development at the company.

"We have not received reports from our customers, but we are alerting them about the threat at the moment," he said. "We think it is a pretty significant threat. You can basically completely take over the machine."

The warning about attempts to exploit the latest Microsoft vulnerability via instant messaging follows warnings earlier this week about hackers seeding pornography Usenet news groups with malicious JPEG images. Users who unwittingly downloaded the images could also have backdoor software installed on their computers.

The IDG News Service is a Network World affiliate.