First JPEG Virus Posted To Usenet
Shawn writes "This could possibly be the worst virus yet! Earlier this month Microsoft announced a problem in their GDI driver that processes the way JPEG images are displayed. Someone has finally posted an exploit to Usenet. Easynews, a premium Usenet provider, found the virus Sunday afternoon. Up-to-date information about how we found it and what it does is located at www.easynews.com/virus.txt. When this picture is viewed it installs remote management software (winvnc and radmin) and will connect to irc."
In the article the virus.txt has a jpeg sample in code.
_JS
Update your systems now! The patch has been out for several weeks. I have already applied it to my corporation via SUS (which is free) and am rolling out the office patch now, as well. There is no reason other than laziness or sysadmin ignorance for this to be another massive virus attack.
This is the guy who published the "proof of concept" exploit, not the virus that is in the wild. He is as likely to be sued as "DVD Jon" would be sued for breaking CSS. Oh, wait.....
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
Any recent version certainly does so.
The World Wide Web is dying. Soon, we shall have only the Internet.
clamscan possibleVirus.jpg
possibleVirus.jpg: Exploit.JPEG.Comment FOUND
----------- SCAN SUMMARY -----------
Known viruses: 24607
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 0.501 sec (0 m 0 s)
Also updated NAV Corp 8 with latest defs (9/27/04) and it found it. AVG free edition doesn't as of yet.
Lawyers, MBA's, RIAA? A jedi fears not these things!
http://easynews.com/test/possiblevirus.jpg.gz
Got the link from bugtraq a few hours ago.
Well, Apple's Preview (as of 10.3.5 with all the latest updates as of 6:00 PM PDT, 9/27/04) says it's not a supported file type.
Graphic Converter complains that "Some parts of the file may be missing."
Safari displays a blank page, with no errors.
In all cases, I can't find any file-system goofiness. (And the free-with-DotMac Virex doesn't detect it as a virus.)
(The offending "virus" is available as a linked-to zip file in the linked virus.txt page.)
Why is it a problem? Because people do run with admin privileges.
I hate to break it to you but normal people don't know or care about things like that.
world was created 5 seconds before this post as it is.
Heh, Norton Antivirus wouldn't even let me try it. The heuristics grabbed it before it was even on my desktop. Now *that* is impressive.
yes, if you haven't updated to the latest version.
See this Slashdot thread.
- Leo
You don't use science to show that you're right, you use science to become right.
Hopefully mozilla decodes the jpgs itself before rendering them on windows.
It does. But Mozilla had almost the exact same problem with both BMP and PNG in the last week or two. So it's not just Microsoft who has vulnerable image decoders.
Now i can go exploiting people! Thx for the virus easynews! http://easynews.com/virus/virus-jpeg.zip
There's no Freedom like UFP-dom
Are you serious? Of course Slashdot covered those stories too.
Critical Mozilla, Thunderbird Vulnerabilities
CERT Warns Of Multiple Vulnerabilities In Libpng
Google finds a whole lot of exploits for this guy. Ranging from Apache to AIM away message buffer overruns.
who | grep -i blond | date cd ~; unzip; touch; strip; finger; mount; gasp; yes; uptime; umount; sleep
FYI, here's the fix from M$ for this exploit: Security Bulletin
It is very hard to get in right now. I've set FlashFXP to retry 1,000 times every 15 seconds. We'll see how that goes.
The more of us that keep this connection tied up doing innocent things for the next 48 hours, the better.
There really needs to be a distributed DDOS for spammer sites, virus sites, etc. Use The Force for good, I say.
Lose Weight and Feel Great with Isagenix
The campus Resnet I'm on right now is just as bad if not worse, and we're sitting on an OC-3 here (though it's only 10Mbps and what seems to be Cat3 to most dorms. Yes, you heard me - we need special cables that are RJ-11 on one end and RJ-45 on the other).
Once 3 years ago as a freshman, I left my XP share open to those default Shared folders for 10 minutes and had about 30-50 copies of Nimda flood in. Norton went berserk with warnings before I closed the sharing.
And 2 years ago the fiber switches literally got overloaded from traffic from Sasser et al. It still happens from time to time. It's a wonder we've got continuous connections for more than a few hours.
Policy changed after Sasser, requiring all machines to be patched to a certain point before registering into the resnet system. It's still at WinXP SP1 right now with no signs of requiring SP2 or updating once your MAC's registered.
The only amusing part to this long story is that we knock our network down long before anyone can use our pipe to knock someone else off.
It can still do anything the user can do, including installing itself in the user's account space, setting itself to run every time the user logs on, uploading all of the files the user can access, logging the user's keystrokes, sending email, pinging for other systems, etc. Running as a non-administrator is not a panacea.
Microsoft Security Bulletin MS04-028
Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
Issued: September 14, 2004
Updated: September 21, 2004
Version: 1.2
Summary
Who should read this document: Customers who use any of the affected operating systems, affected software programs, or affected components.
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should apply the update immediately.
Security Update Replacement: None
Caveats: If you have installed any of the affected programs or affected components listed in this bulletin, you should install the required security update for each of the affected programs or affected components. This may require the installation of multiple security updates. See the FAQ section of this bulletin for more information.
Tested Software and Security Update Download Locations:
Affected Software:
Microsoft Windows XP and Microsoft Windows XP Service Pack 1 - Download the update (KB833987)
Microsoft Windows XP 64-Bit Edition Service Pack 1 - Download the update (KB833987)
Microsoft Windows XP 64-Bit Edition Version 2003 - Download the update (KB833987)
Microsoft Windows Server(TM) 2003 - Download the update (KB833987)
Microsoft Windows Server 2003 64-Bit Edition - Download the update (KB833987)
Microsoft Office XP Service Pack 3 - Download the update (KB832332)
Microsoft Office XP Service Pack 2 - Download the administrative update (KB832332)
Microsoft Office XP Software: Outlook® 2002, Word 2002, Excel 2002, PowerPoint® 2002, FrontPage® 2002, Publisher 2002, Access 2002
Microsoft Office 2003 Software: Outlook® 2003, Word 2003, Excel 2003, PowerPoint® 2003, FrontPage® 2003, Publisher 2003, Access 2003, InfoPath(TM) 2003, OneNote(TM) 2003
Microsoft Project 2002 (all versions) and Microsoft Project 2002 Service Pack 1 (all versions) - Download the update (KB831931)
Microsoft Project 2003 (all versions) - Download the update (KB838344)
Microsoft Visio 2002 Service Pack 1 (all versions) and Microsoft Visio 2002 Service Pack 2 (all versions) - Download the update (KB831932)
Microsoft Visio 2003 (all versions) - Download the update (KB838345)
Microsoft Visual Studio .NET 2002 - Download the update (KB830348)
Microsoft Visual Studio .NET 2002 Software:
Visual Basic .NET Standard 2002
Visual C# .NET Standard 2002
Visual C++ .NET Standard 2002
Microsoft Visual Studio .NET 2003 - Download the update (KB830348)
Microsoft Visual Studio .NET 2003 Software:
Visual Basic .NET Standard 2003
Visual C# .NET Standard 2003
Visual C++ .NET Standard 2003
Visual J# .NET Standard 2003
The Microsoft .NET Framework version 1.0 SDK Service Pack 2 - Download the update (KB867461)
Microsoft Picture It!® 2002 (all versions) - Download the update
Microsoft Greetings 2002 - Download the update
Microsoft Picture It! version 7.0 (all versions) - Download the update
Microsoft Digital Image Pro version 7.0 - Download the update
Microsoft Picture It! version 9 (all versions, including Picture It! Library) - Download the update
Microsoft Digital Image Pro version 9 - Download the update
Microsoft Digital Image Suite version 9 - Download the update
Microsoft Producer for Microsoft Office PowerPoint (all versions)
Microsoft Platform SDK Redistributable: GDI+ - Download the update
Office Users Note Office XP Service Pack 2 and Office XP Service Pack 3 are both vulnerable to this issue. However the security update for Office XP Service Pack 2 is only provided as part of the Office XP administrative security update. For more information, see the Security Update Information section. Office
At our university, you simply get blocked if the campus servers notice you're infected with a virus (or if you're port scanning someone else). The only webpages you can visit are the pages of the university helpdesk (that contain several anti-virus programs, amongst other things).
You can only get unblocked if you contact the guys from the IT department and tell them you successfully removed the virus.
This scheme works very well; most computers are virus-free on our campuses. Perhaps you should use a similar system on your campus.
From the sound of things, the exploit will be triggered, but this particular piece of code won't be able to do much, since it tries to install software that requires an Admin level account. Having a limited account won't prevent the user from running the exploit code, but it does prevent the exploit from leading to a system-level breach, unless some sort of privilege-escalation exploit is included as well.
If I understood the article correctly, you have to actually save the virus file, and then try to view it. Only then will it infect. From what I read, it would seem just opening a webpage with the "image" on it would not infect a computer.
You'd be breaking several laws in the process. So I wouldn't suggest it ;)
http://www.archive.org/details/ThePowerOfNightmares
As of writing the latest clamAV (windows ver) with latest virus DB does NOT find this.
GIMP under Win32 gives error "Improper call to JPEG library in state 201".
...just trying to be informative
I'm not going to try it under internet exploiter or mspaint.
main(0)
Technically, this is a Trojan Horse, not a virus.
Sorry to be nitpicky here, but this is a trojan horse, not a virus. A virus propagates through replication.
LS
There is a fine line between being a cultivated citizen and being someone else's crop. - A. J. Patrick Liszkie
Known vulnerabilities in Mozilla.
These would be numbers 83 and 89 on that list.
First time you hear a joke, it might be funny. Second time you might laugh because you are so polite. But do you have to tell that stupid joke on every damn story? It's not funny anymore!
Bleeping Computer has a tutorial on how to use GDI Scan, offered by ISC, to find apps with the vulnerable gdiplus.dll. The tutorial can be found here:
GDI Scan Tutorial and how to fix the GDI+ JPEG Vulnerability
Either update those apps so they don't have the problem anymore, or do not use the app.
"I have to ask, what has MS done that is actually useful since Windows 2000?"
The image viewer that comes with XP is very nice. (Especially for us pr0n freaks.) You can log in as another user without logging out the previous user. (We use that at work fairly frequently.) CD burning is built in to explorer. Startup and shutdown are considerably faster. You can actually lock the taskbar, although MS should have added that when they first put it in. I've noticed fewer restarts after installing some stuff, but it's been a long time since I've done that so I can't be more specific. Etc etc etc.
To sum it up: I have a 2k workstation at home and an XP workstation at work, and boy do I feel the difference. I can still do my work just fine on 2K (i.e. I'm not exactly running out and buying the upgrade) but I am glad I have it at work and on my laptop. XP isn't total garbage compared to 2K.
"Derp de derp."
...at isc.sans.org (internet storm center). Do not use the one from microsoft. It *sucks*.
Watch dshield (like a hawk). Read www.cert.org.
read "comp.risks" (usenet).
and still lose too much time..
Returning with the same stuff they have now, but with little or no security issues
Sorry, that won't work.
Some of the stuff is insecure by design! Not "designed to be insecure", just "impossible to secure given the design".
Take ActiveX: running binary code downloaded from anywhere without a JVM-like sandbox is insecure. No matter how many digital signatures, OK dialog boxes and warning messages you add, some (most?) users WILL simply click through all the warnings and have their boxes 0wn3d.
Design has tradeoffs between security, performance, usability etc. etc. Some of this stuff you can't fix without changing the basic design (i.e. starting from scratch).
In all seriousness, I downloaded an example of an Evil JPEG to my Linux computer and tried opening it up in various programs.
So, after five minutes of extremely unprofessional research and wild conjectures, I'd say it looks like the stories are true: some Linux programs may be vulnerable too. Yikes!
mind you, who would ever write an exploit that would only spread to five percent of the computers in the world? ;-)
Standing at the very edge of my imagination, I peered into the inky void and realised -- I couldn't think up a new sig.
From a usability point of view, it was a pretty good improvement, especially the spam handling, but with a fairly large message store, it took at least an order of magnitude longer to access folders, etc, in O2k3 than OE.
The first time you open the folder, it takes time to index it. After it completes indexing, it's much faster. If you don't allow the system to complete indexing before navigating away from a folder, it'll need to do it again next time you open the folder.
If you don't want to take the time, instead of opening existing PST files in Outlook, create a new one and import the contents of the older one into it - which will do the indexing for you.
After it has finished indexing, it's as fast - or sometimes even faster - as previous versions.
Coming soon - pyrogyra
TIFF supports using different compressions including jpeg (not all programs accept unusual choices though). That could be the reason.
I found this on SecurityFocus: Microsoft Windows XP Explorer.EXE TIFF Image Denial of Service Vulnerability. Looks like Symantec is proactive, but then that is what their Bloodhound stuff is for.
You're a goddamn idiot. A suitably constructed JPEG will cause an overflow in the GDI+ library which IE and most MSFT programs use to render JPEGs; when that happens, the JPEG can be made such that the overflow will cause virus code to be loaded. God, you're an idiot.
Jesus, an obvious end user asks a perfectly legitimate question and you call him an idiot for being surprised by the notion of a hostile JPEG, something that should rightfully amaze everybody. I doubt he understood your high level description. To the grandparent: here is a meandering crappy description of how a buffer overflow attack works:
A function call, in C, pushes the current program counter on the stack. Then it pushes the arguments onto the stack, and control jumps to the function which pops the arguments off the stack and does whatever with them. At the end it invokes a RET instruction that pops the program counter back off the stack and control jumps to the address there (to the point right after the CALL). These are just normal C calling conventions.
Variables defined in the function are stored on the stack. If a string like a URL (for example) needs to be defined, a buffer is allocated for it there. When the function returns, the space is automatically deallocated, the RET pops the program counter off the stack, and the function call returns. By default no bounds checking is done on data stored in these buffers. Some library functions, like gets(), don't do bounds checking. They can't, since they don't know the buffer size and would need to have it provided as an argument. Newer, safer versions exist that do take buffer size arguments, but that means these aren't the same library functions anymore. (FWIW the gets() call takes a pointer to a buffer of unknown size as an argument, reads a newlined string from stdin into the buffer, and returns the buffer pointer that was passed to it.)
It's up to the programmer to do bounds checking if he uses library calls vulnerable in this way. But this is extra work, and people are lazy. It's easier to just allocate a big, big buffer that's probably larger than you'll ever need, that "no reasonable URL" will ever exceed. So the programmer allocates a fixed 10K buffer on the stack and passes its address to a library function like gets().
The attacker gains control in these situations by creating a program input like a long, carefully crafted URL, slightly longer than 10K, that overflows the buffer inside the library function. The goal is to overwrite the return address on the stack with an address that's within the buffer. In the case of the Code Red worm, someone meticulously put together a URL that attacked an obscure ISAPI routine, and not only overwrote the return address, but also had machine code instructions waiting at the replacement address within the buffer, encoded right into the damn URL! (The buffer has been deallocated at this point, but hasn't been zeroed, so it's still there.)
It's harder to explain with a JPEG than with a URL. But a JPEG contains variable length data structures that are read into buffers on the stack. Someone writing the JPEG decoder forgot to do a bounds check, and so a mundane function for decoding JPEGs never returns. Instead it jumps into an endless loop that's been placed within the image buffer by the attacker.
So yes it is a bit like running an .EXE file, except for the fact that the code is hiding inside what is supposed to be data, not code, and it gains control of the CPU by smashing the stack.
Older versions of Notepad gagged on files larger than 64K, which seems suspicious. It's theoretically possible that a vulnerability could exist even in a text editor like Notepad allowing a carefully constructed .TXT file to execute arbitrary code. Who knows?
So you see what happened. The unchecked library call in this case was memcpy(). The decoder trusts its input and sends a small signed integer (-2) off to memcpy() without checking the sign bit, and memcpy() thinks -2 is a huge unsigned integer (4294967294). What's the difference? Any reasonable number is going to be positive anyway, right? Who would give a comment a negative length!
I saw someone make this kind of goof even in Java, where you have signed-only types forced on you. Someone forgot that InputStream.read() returns an unsigned byte as an int (between 0-255), and they cast it to a signed byte and back without the &0xFF to zero out the 24 high bits. That got caught right before our product release. The consequence in that case would have been a hash algorithm with inconsistent output between stream and byte array inputs, not a security nightmare like this, but a long lasting migraine nevertheless.
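As an added example (not code from the thread, and not Microsoft's decoder), here is a small C checker that walks a JPEG's marker segments and flags a COM segment whose length field is less than 2, the case described above where subtracting the two length bytes underflows before the size reaches memcpy(). The sample images are constructed inline; the faulty arithmetic is shown only to compute the wrapped size, nothing is copied.

```c
/* Added example, not the thread's or Microsoft's code: walk a JPEG's marker
 * segments and flag a COM (0xFFFE) segment whose length field is < 2.  A
 * decoder that computes "length - 2" without that check, as described
 * above, hands a wrapped huge size to memcpy().  Samples are constructed. */
#include <stddef.h>
#include <stdint.h>

enum jpeg_check {
    JPEG_OK = 0,
    JPEG_TRUNCATED,        /* a segment runs past the end of the data */
    JPEG_BAD_COMMENT_LEN,  /* COM length field < 2: the underflow case */
    JPEG_NOT_JPEG          /* no SOI, or a malformed marker */
};

/* The faulty arithmetic: subtract the 2 length bytes in a signed int, then
 * use the result as an unsigned size.  Field 0 gives (size_t)-2, which is
 * 4294967294 on a 32-bit system.  Nothing is copied here. */
size_t unsafe_comment_payload_len(uint16_t field) {
    int payload = (int)field - 2;
    return (size_t)payload;
}

/* Hardened form: a length that cannot even cover itself is rejected. */
int safe_comment_payload_len(uint16_t field, size_t *out) {
    if (field < 2)
        return -1;
    *out = (size_t)field - 2;
    return 0;
}

/* Scan segments from SOI up to SOS/EOI and report the first problem. */
enum jpeg_check check_jpeg_comments(const uint8_t *buf, size_t n) {
    size_t pos = 2;
    if (n < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return JPEG_NOT_JPEG;                       /* no SOI */
    while (pos + 2 <= n) {
        uint8_t marker;
        uint16_t len;
        size_t payload;
        if (buf[pos] != 0xFF)
            return JPEG_NOT_JPEG;
        marker = buf[pos + 1];
        if (marker == 0xD9 || marker == 0xDA)
            return JPEG_OK;                         /* EOI, or SOS (scan data follows) */
        if (marker == 0xFF) { pos += 1; continue; }                   /* fill byte */
        if (marker >= 0xD0 && marker <= 0xD7) { pos += 2; continue; } /* RSTn: no length */
        if (pos + 4 > n)
            return JPEG_TRUNCATED;
        len = (uint16_t)((buf[pos + 2] << 8) | buf[pos + 3]);
        if (marker == 0xFE && safe_comment_payload_len(len, &payload) != 0)
            return JPEG_BAD_COMMENT_LEN;
        if (len < 2)
            return JPEG_NOT_JPEG;                   /* other segment with impossible length */
        if (pos + 2 + len > n)
            return JPEG_TRUNCATED;
        pos += 2 + len;                             /* marker (2) + length field and payload */
    }
    return JPEG_TRUNCATED;                          /* no EOI/SOS before the data ended */
}

/* Constructed samples: 0 = JFIF APP0 then a COM with length 0 (malformed),
 * 1 = benign COM "hello", 2 = COM claiming 64 bytes but the data ends early. */
enum jpeg_check check_sample(int which) {
    static const uint8_t malformed[] = {
        0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00, 0x01,
        0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0xFF, 0xFE, 0x00, 0x00,
        0xFF, 0xD9 };
    static const uint8_t benign[] = {
        0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o', 0xFF, 0xD9 };
    static const uint8_t truncated[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x40, 'a', 'b' };
    switch (which) {
    case 0:  return check_jpeg_comments(malformed, sizeof malformed);
    case 1:  return check_jpeg_comments(benign, sizeof benign);
    default: return check_jpeg_comments(truncated, sizeof truncated);
    }
}
```

check_sample(0) returns JPEG_BAD_COMMENT_LEN, which is the same condition a signature such as the Exploit.JPEG.Comment hit shown earlier in the thread looks for.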
The GDI Scan tool from ISC reveals that after all of the latest patches for Windows and Office, I am still left with vulnerable .dll files within Office.
.dll dated May 2004.
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 -- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.1360_x-ww_24a2ed47\GdiPlus.dll
Further... the version of the GDI redistributable on the MSDN site still includes a vulnerable version of the GDI
On this fully patched Windows XP system GDI Scan reveals the following information:
Scanning Drive C:...
C:\Program Files\Common Files\Microsoft Shared\Office10\MSO.DLL
Version: 10.0.3501.0 -- Possibly vulnerable (Under OfficeXP only)
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL
Version: 11.0.6360.0
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version: 6.0.2800.1106 -- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\Program Files\Microsoft Office\OFFICE11\GDIPLUS.DLL
Version: 6.0.3264.0
C:\Program Files\Microsoft Works\GDIPLUS.DLL
Version: 5.1.3102.1360
C:\WINDOWS\$NtUninstallKB833998$\s
Version: 5.1.2600.1106 -- Possibly vulnerable (Backup for uninstall purposes)
C:\WINDOWS\$NtUninstallKB839645$\sxs.d
Version: 5.1.2600.1336 -- Possibly vulnerable (Backup for uninstall purposes)
C:\WINDOWS\system32\dllcache\sxs.dll
Version: 5.1.2600.1515
C:\WINDOWS\system32\dllcache\vgx.d
Version: 6.0.2800.1106 -- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.1515
C:\WINDOWS\WinSxS\x86_Microsoft.Wi
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Gdi
Version: 5.1.3101.0 -- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Gdi
Version: 5.1.3102.1360
Scan Complete.
What you can do now to limit the spread:
* Update all of your virus checkers and make sure that they are fully active (auto, not just on-demand).
* Disable images in your email applications, just use text only.
* Switch your primary browser to Firefox or another browser whose latest version is immune from this specific attack. If you have to still use IE, then do so only for sites you truly trust.
We generally run Linux in my house, but my six year old daughter has a couple of computer games, and one of our machines is dual-boot; pretty much all that that copy of Windows is used for is her games. Guess what? The games only work if I make my six year old an administrator.
As a producer of children's computer games, I have encountered those problems. Most are solved by a couple of registry/security policy edits. Try enabling 'Restrict CD-ROM Access to locally logged-on user only' in Local Security Policy (found in administrative tools). That should cure a lot of them.
Careful assignment of permissions to certain files/directories would probably take care of others. Check out www.sysinternals.com for tools which can help you track down what the program is trying to open and what it fails to do.
Be quick.
Sample squid code:
Or, more reasonable:
and stick 209.171.43.27 into that file (and all following IPs that will use that code).
Then use ClamAV to scan your squid-cache the next couple of days and remove infected files.
Hmmm... Perhaps you need to update your Virex.
Mine, v7.5, did find it and offer to clean it.
$0.02
Windows features a "Run As..." dialog which can be used to execute a program as a different user than the one logged in. Unfortunately, it's quite hidden. To access it, one must hold down shift and right-click on the icon for the executable (or a shortcut to it) and choose "Run As...". You can then enter the username/password you wish to use and hit OK to start the program.
Of course, it'd be better if it'd just happen automatically when you run something that requires admin privs, such as System control panel or an installer, but in the installer case there are so many different kinds of installer out there that it'd be impossible for Windows to know what's an installer and what isn't. Allowing applications to say "Hey Windows, I need to run as Administrator!" might be a solution, but then most of the worms around masquerade as things the user might want to run anyway, so they'd probably just go ahead and throw in the Administrator password much like they just click "Yes" when Internet Explorer offers to install BonziBuddy.
ANSI.SYS was a device driver that implemented a basic "terminal protocol" on IBM PC screens back in the MS-DOS days. It could manipulate the cursor, show text in colors, and it had a few other features like key redefinition.
An ANSI bomb was a sequence of commands to the ANSI driver. If the commands were somehow written to the terminal, they would redefine the Enter key to do something like "echo y | format c:". Thus, the next time the victim pressed Enter, the C: would be formatted.
There were a few ways to trick your target into displaying the ANSI codes. One way was to embed them in the comment section of a pkzip archive, so that when the file was extracted the codes would be printed to the screen.
Much like on a Linux system, a limited user can just shove executables in his or her "home directory" and run them from there. The main thing making this hard right now is that it's very hard to get most applications not wrapped in an "installer" which tries to write DLLs all over the filesystem regardless of what directory you choose to install.
Windows XP "logo-compliant" installers will offer admin users the choice to install for "All Users" (put it in a publicly-readable directory) or "Just Me", in which case much of it should end up in the admin's home directory. Limited users can install for "Just Me" only. This is much like me downloading a source tarball on a UNIX system and running ./configure --prefix=/home/nurgled/appdir.
I don't know about you, but I don't want to have to use the Run As command every 15 minutes just to do something simple like burn a CD (need Admin privs) or run a game. This is my PC, I administrate it, so I run with Admin privileges. As such, it then becomes MY responsibility to make sure that bullshit stuff doesn't find its way over. This is why I bother to run an AV program, have Spybot tell me whenever something is trying to write to the registry, and so on.
At work, however, is a different story. I do have domain access, but I never log in as the domain admin unless I need to do some administration. I did, however, grant myself local admin rights on my machine for the same reasons above. I don't have a problem with spyware, adware, viruses, or anything.