Sijun Forums, Random Musings, page 2 of 2
Topic: "JPEG virus"
math
member, Joined: 07 Mar 2004, Posts: 254, Location: Gnarsemole
Posted: Mon Sep 20, 2004 2:33 pm
hello.jpg? hmmm reminds me of something....goatse...mmmmmmmm
_________________
quit pro quo
hew
member, Joined: 06 Jul 2000, Posts: 145
Posted: Tue Sep 21, 2004 1:39 pm
Don't execute your JPEGs, problem solved.

Rename notepad.exe to notepad.jpg and open it, this will illustrate the uselessness of a virus inside a .jpg.
Spooky
member, Joined: 18 Oct 2000, Posts: 217, Location: Banff, Alberta, Canada
Posted: Sun Sep 26, 2004 2:37 pm
What's amusing is that my Dad was just talking about this today. I had to remind him: 1. You now have a Mac Powerbook, so there is less chance of any virus affecting your computer, and 2. JPEGs are mostly as described above. If you've got your Windows computer protected and do regular updates for Norton / Symantec / Zone Alarm, one should be fine.

Still, I've always been highly suspicious of the antivirus companies myself.
_________________
http://www.digitaldreammachine.com/
Pat
member, Joined: 06 Feb 2001, Posts: 947, Location: San Antonio
Posted: Fri Oct 01, 2004 1:56 pm
A working version of the exploit (including infected .jpg) is now circulating on Usenet. I took a look at the code and, despite what the pundits claim, found it to be a tepid implementation --as in it could be a lot worse. The process of infecting a .jpg can be automated, thus the exploit can be made to "replicate" itself. The efficacy of the code will only be harmful from here on in.

Updated information can be seen here

------

For those of you who are too lazy to read back into this thread, I wrote this TWO years ago:

Pat wrote:
Here's an interesting scenario: You open Internet Explorer and visit a respectable site like Sijun. Unbeknownst to you or the site owner, the site has been hacked and the titlebar graphic is now the exact same JPEG you expect, but is now 4k larger. It also contains code to erase your hard drive.

Because of Internet Explorer's numerous vulnerabilities, scripted HTML code can be run locally on your machine by spoofing privileges. Or, alternately, code of the hacker's choice can be executed by flooding IE or tricking it into thinking certain file types need to be decompressed. Most of IE's vulnerabilities require hackers to know exactly where on the hard drive the code they wish to execute is. How convenient for them that your browsed JPEG files are stored in a cache file, uniformly located on all machines running Windows.

Properly executed, merely visiting a web site can set in motion a series of events that can infect and trigger viral code. In our example, as you're reading this message your hard drive could be rapidly disappearing.


This is exactly what is happening now. Exactly. It's depressing that I've been called a "rumor-monger", "hysterical" or just plain "ignorant" of how these things work. I'm none of those things. I feel like that guy in the science-fiction movie who knows the aliens are coming, but when I warn the townspeople, they just laugh.

Next time I won't bother.

hew wrote:
Don't execute your JPEGs, problem solved.

Rename notepad.exe to notepad.jpg and open it, this will illustrate the uselessness of a virus inside a .jpg.


I don't think you understand the vector of attack. Simply browsing a website with a .jpg which is infected will run the malicious code because images are decompressed/executed on display.

-Pat
sweetums
member, Joined: 10 Aug 2004, Posts: 236
Posted: Mon Oct 04, 2004 6:17 am
This article was #7 from the top of the Google link. I can't testify for the author, but agree with some of his statements. All emphasis formatting mine.
Quote:
Here are the simple details of this incident:

It's not a virus. The posted JPEG is actually a trojan downloader. It has no ability to spread on its own.
It only affects users with Windows XP Service Pack 1.
It does not automatically execute on reading the message. The JPEG must be saved into a local folder, then the mouse pointer must be moved over the JPEG file's icon.
The file is detected by all major antivirus engines with current virus definition files. Because of the nature of the JPEG format, it is impossible to disguise an infected JPEG file. So current signatures should detect ALL future attempts to exploit this vulnerability.
Usenet newsgroups have a long history of virus/trojan postings. Malware authors have used many tricks over the years to entice readers of newsgroups to click on malicious files. This is just an extension of those attacks, and does not pose any greater risk (it's actually less effective than some other methods, such as the double-extension-with-spaces filename trick). Usenet is a specialized service on the Internet, and tends to cater to long-time users who are wary of these things. The majority of your Internet users today probably don't even know how to utilize Usenet groups - making the total risk even smaller. A larger risk might be JPEG files found on P2P networks.

Even though this particular incident is fairly insignificant, there may be future improvements on the MS04-028 exploits which may allow JPEGs to be executed directly upon viewing a website.

More detailed information is available through the LURHQ Threat Intelligence release. This advisory is brought to you by LURHQ's Threat Intelligence Group. Threat Intelligence provides security teams with vulnerability alerts and early warnings to emerging threats tailored to your environment. This enables faster remediation of critical vulnerabilities and better protection against outbreaks. For more information on this service, please visit http://www.lurhq.com/threat_intelligence.html or contact us to learn more at http://www.lurhq.com/contact.html.

About LURHQ Corporation
LURHQ Corporation is the trusted provider of Managed Security Services. Founded in 1996, LURHQ has built a strong business protecting the critical information assets of more than 400 customers by offering managed intrusion prevention and protection services. LURHQ's 24X7 Incident Handling capabilities enable customers to enhance their security posture while reducing the costs of managing their security environments. LURHQ's OPEN Service Delivery methodology facilitates a true partnership with customers by providing a real time view of the organization's security status via the Sherlock Enterprise Security Portal. For more information visit http://www.lurhq.com.
It must be specifically executed, which viewing (at present) on the Web does not accomplish.
_________________
Life is short. Expect nothing, enjoy everything.
That which does not kill you should make you wiser...
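Pat's point that an image is processed the moment it is displayed, and the quoted advisory's point that the rigid JPEG layout makes a malformed file hard to disguise from a scanner, both come down to the same thing: the decoder's marker parser. The block below is an added example for this thread, not code from any poster, from LURHQ, or from Microsoft. It walks the marker segments of a JPEG and reports a file whose declared segment length is shorter than the 2-byte length field itself or runs past the end of the data, which is the kind of structural check a defender-side scanner or a hardened decoder would apply before trusting the length. That the MS04-028 GDI+ flaw was triggered by a comment (COM) segment with such an undersized length is stated here as a fact about the long-patched bug and is not taken from the thread; the sample byte strings are constructed for the example.

```python
"""Walk JPEG marker segments and flag structurally invalid length fields.

Added example for this thread; not code from any poster or from LURHQ.
Assumption stated as fact about the patched bug (not from the thread):
MS04-028 involved a COM (0xFFFE) segment whose declared length was below
the 2 bytes the length field itself occupies.
"""
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
RST = set(range(0xD0, 0xD8))
STANDALONE = {SOI, EOI, 0x01} | RST  # markers that carry no length field


def walk_segments(data: bytes):
    """Yield (marker, offset, declared_length) for each segment.

    Raises ValueError on the first structural problem found.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    yield SOI, 0, 0
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker at end of data")
        marker = data[pos]
        start = pos - 1
        pos += 1
        if marker == 0x00:
            raise ValueError(f"stuffed 0xFF00 outside entropy-coded data at {start}")
        if marker in STANDALONE:
            yield marker, start, 0
            if marker == EOI:
                return
            continue
        if pos + 2 > len(data):
            raise ValueError(f"marker 0x{marker:02x} at {start}: truncated length field")
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        # The length counts its own two bytes, so anything below 2 is an
        # underflow trap for a decoder that computes (length - 2).
        if length < 2:
            raise ValueError(f"marker 0x{marker:02x} at {start}: declared length {length} < 2")
        if pos + length > len(data):
            raise ValueError(f"marker 0x{marker:02x} at {start}: segment runs past end of data")
        yield marker, start, length
        pos += length
        if marker == SOS:
            # Skip entropy-coded data: stop at 0xFF followed by anything other
            # than a stuffed 0x00 or a restart marker.
            while pos < len(data):
                if data[pos] == 0xFF and pos + 1 < len(data) and data[pos + 1] not in RST | {0x00}:
                    break
                pos += 1
    raise ValueError("missing EOI marker")


def check_jpeg(data: bytes) -> dict:
    """Return {'ok': bool, 'markers': [...], 'reason': str | None}."""
    markers = []
    try:
        for marker, _offset, _length in walk_segments(data):
            markers.append(marker)
    except ValueError as err:
        return {"ok": False, "markers": markers, "reason": str(err)}
    return {"ok": True, "markers": markers, "reason": None}


def seg(marker: int, payload: bytes) -> bytes:
    """Build one marker segment with a correct length field (constructed sample helper)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples: a structurally sound minimal file, a file whose COM
# segment declares a length of 1, and a file cut off inside a segment.
GOOD = (
    b"\xff\xd8"
    + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + seg(COM, b"made with care")
    + seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\xff\x00\x34\xff\xd0\x56"  # entropy data with a stuffed 0xFF00 and RST0
    + b"\xff\xd9"
)
BAD_COM = b"\xff\xd8" + b"\xff\xfe\x00\x01" + b"\xff\xd9"
TRUNCATED = b"\xff\xd8" + seg(COM, b"abc")[:-2]

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bad_com", BAD_COM), ("truncated", TRUNCATED)):
        print(name, check_jpeg(sample))
```

The walker deliberately refuses to "fix up" a bad length and continue, because that is exactly the guess a vulnerable decoder makes; a scanner that stops at the first inconsistency gives a clean signal, and a decoder that does the same never reaches the buffer the advisory is about.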
All times are GMT - 8 Hours