Slashdot Mirror
First JPEG Virus Posted To Usenet
Shawn writes "This could possibly be the worst viruses yet! Earlier this month Microsoft announced a problem in their GDI driver that processes the way JPEG images are displayed. Someone has finally posted an exploit to Usenet. Easynews, a premium Usenet provider, found the virus Sunday afternoon. Up-to-date information about how we found it and what it does is located at www.easynews.com/virus.txt. When this picture is viewed it installs remote management software (winvnc and radmin) and will connect to irc."
In the article the virus.txt has a jpeg sample in code.
_JS
Update your systems now! The patch has been out for several weeks. I have already applied it to my corporation via SUS (which is free) and am rolling out the office patch now, as well. There is no reason other than laziness or sysadmin ignorance for this to be another massive virus attack.
This is the guy who published the "proof of concept" exploit, not the virus that is in the wild. He is as likely to be sued as "DVD Jon" would be sued for breaking CSS. Oh, wait.....
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
clamscan possibleVirus.jpg
possibleVirus.jpg: Exploit.JPEG.Comment FOUND
----------- SCAN SUMMARY -----------
Known viruses: 24607
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 0.501 sec (0 m 0 s)
also updated nav corp 8 with latest defs (9/27/04) and it found it. AVG free edition doesnt as of yet.
Lawyers, MBA's, RIAA? A jedi fears not these things!
http://easynews.com/test/possiblevirus.jpg.gz
Got the link from bugtraq a few hours ago.
Well, Apple's Preview (as of 10.3.5 with all the latest updates as of 6:00 PM PDT, 9/27/04,) says it's not a supported file type.
Graphic Converter complains that "Some parts of the file may be missing."
Safari displays a blank page, with no errors.
In all cases, I can't find any file-system goofiness. (And the free-with-DotMac Virex doesn't detect it as a virus.)
(The offending "virus" is available as a linked-to zip file in the linked virus.txt page.)
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
why it's a problem? because people do run with admin priviledges.
I hate to break it to you but normal people don't know or care about things like that.
.
world was created 5 seconds before this post as it is.
Heh, Norton Antivirus wouldn't even let me try it. The heuristics grabbed it before it was even on my desktop. Now [i]that[/i] is impressive.
yes, if you haven't updated to the latest version.
See this Slashdot thread.
- Leo
You don't use science to show that you're right, you use science to become right.
Hopefully mozilla decodes the jpgs itself before rendering them on windows.
It does. But Mozilla had almost the exact same problem with both BMP and PNG in the last week or two. So it's not just Microsoft who has vulnerable image decoders.
Are you serious? Of course Slashdot covered those stories too.
Critical Mozilla, Thunderbird Vulnerabilities
CERT Warns Of Multiple Vulnerabilities In Libpng
Google finds a whole lot of exploids for this guy. Ranging from apache to AIM away message buffer over runs.
who | grep -i blond | date cd ~; unzip; touch; strip; finger; mount; gasp; yes; uptime; umount; sleep
FYI, here's the fix from M$ for this exploit: Security Bulletin
It can still do anything the user can do, including installing itself in the user's account space, setting itself to run every time the user logs on, uploading all of the files the user can access, logging the user's keystrokes, sending email, pinging for other systems, etc. Running as a non-administrator is not a panacea.
Returning with the same stuff they have now, but with little or no security issues
Sorry, that won't work.
Some of the stuff is insecure by design!. Not "designed to be insecure", just "impossible to secure given the design".
Take ActiveX: running binary code downloaded from a anywhere without a JVM-like sandbox is insecure. Not matter how many digital signatures, OK dialog boxes and warnig messages you add, some (most?) users WILL simply click through all the warnings and have their boxes 0wn3d.
Design has tradeoffs between security, performance, usability etc. etc. Some of this stuff you can't fix without changing the basic design (i.e. starting from scratch)
In all seriousness, I downloaded an example of an Evil JPEG to my Linux computer and tried opening it up in various programs.
So, after five minutes of extremely unprofessional research and wild conjectures, I'd say it looks like the stories are true: some Linux programs may be vulnerable too. Yikes!
mind you, who would ever write an exploit that would only spread to five percent of the computers in the world? ;-)
Standing at the very edge of my imagination, I peered into the inky void and realised -- I couldn't think up a new sig.
you're a goddamn idiot. a suitably constructed jpeg will cause an overflow in the gdi+ library which ie and most msft programs use to render jpegs, when that happens the jpeg can be made such that the overflow will cause virus code to be loaded. god you're an idiot.
.EXE file, except for the fact that the code is hiding inside what is supposed to be data, not code, and it gains control of the CPU by smashing the stack.
.TXT file to execute arbitrary code. Who knows?
Jesus, an obvious end user asks a perfectly legitimate question and you call him an idiot for being surprised by the notion of a hostile JPEG- something that should rightfully amaze everybody. I doubt he understood your high level description. To the grandparent: here is a meandering crappy description of how a buffer overflow attack works:
A function call, in C, pushes the current program counter on the stack. Then it pushes the arguments onto the stack, and control jumps to the function which pops the arguments off the stack and does whatever with them. At the end it invokes a RET instruction that pops the program counter back off the stack and control jumps to the address there (to the point right after the CALL). These are just normal C calling conventions.
Variables defined in the function are stored on the stack. If a string like a URL (for example) needs to be defined, a buffer is allocated for it there. When the function returns, the space is automatically deallocated, the RET pops the program counter off the stack, and the function call returns. By default no bounds checking is done on data stored in these buffers. Some library functions, like gets(), don't do bounds checking. They can't, since they don't know the buffer size and would need to have it provided as an argument. Newer, safer versions exist that do take buffer size arguments, but that means these aren't the same library functions anymore. (FWIW the gets() call takes a pointer to a buffer of unknown size as an argument, reads a newlined string from stdin into the buffer, and returns the buffer pointer that was passed to it.)
It's up to the programmer to do bounds checking if he uses library calls vulnerable in this way. But this is extra work, and people are lazy. It's easier to just allocate a big, big buffer that's probably larger than you'll ever need, that "no reasonable URL" will ever exceed. So the programmer allocates a fixed 10K buffer on the stack and passes its address to a library function like gets().
The attacker gains control in these situations by creating a program input like a long, carefully crafted URL, slightly longer than 10K, that overflows the buffer inside the library function. The goal is to overwrite the return address on the stack with an address that's within the buffer. In the case of the Code Red worm, someone meticulously put together a URL that attacked an obscure ISAPI routine, and not only overwrote the return address, but also had machine code instructions waiting at the replacement address within the buffer- encoded right into the damn URL! (The buffer has been deallocated at this point, but hasn't been zeroed, so it's still there.)
It's harder to explain with a JPEG than with a URL. But a JPEG contains variable length data structures that are read into buffers on the stack. Someone writing the JPEG decoder forgot to do a bounds check- and so a mundane function for decoding JPEGs never returns. Instead it jumps into an endless loop that's been placed within the image buffer by the attacker.
So yes it is a bit like running an
Older versions of Notepad gagged on files larger than 64K, which seems suspicious. It's theoretically possible that a vulnerability could exist even in a text editor like Notepad allowing a carefully constructed
So you see what happened. The unchecked library call in this case was memcpy(). The decoder trusts its input and sends a small signed integer (-2) off to memcpy() without checking the sign bit- and memcpy() thinks -2 is a huge unsigned integer (4294967294). What's the difference? Any reasonable number is going to be positive anyway, right? Who would give a comment a negative length!
I saw someone make this kind of goof even in Java, where you have signed-only types forced on you. Someone forgot that InputStream.read() returns an unsigned byte as an int (between 0-255), and they cast it to a signed byte and back without the &0xFF to zero out the 24 high bits. That got caught right before our product release. The consequence in that case would have been a hash algorithm with inconsistent output between stream and byte array inputs- not a security nightmare like this, but a long lasting migraine nevertheless.
I don't know about you, but I don't want to have to use the Run As command every 15 minutes just to do something simple like burn a CD (need Admin privs) or run a game. This is my PC, I administrate it, so I run with Admin privledges. As such, it then becomes MY responsibility to make sure that bullshit stuff doesn't find it's way over. This is why I bother to run an AV program, have Spybot tell me whenever something is trying to write to the registry, and so on.
At work, however, is a different story. I do have domain access, but I never log in as the domain admin unless I need to do some administration. I did, however, grant myself local admin rights on my machine for the same reasons above. I don't have a problem with spyware, adware, viruses, or anything.