Slashdot Mirror


First JPEG Virus Posted To Usenet

Shawn writes "This could possibly be the worst virus yet! Earlier this month Microsoft announced a problem in their GDI driver that processes the way JPEG images are displayed. Someone has finally posted an exploit to Usenet. Easynews, a premium Usenet provider, found the virus Sunday afternoon. Up-to-date information about how we found it and what it does is located at www.easynews.com/virus.txt. When this picture is viewed it installs remote management software (winvnc and radmin) and will connect to IRC."

41 of 694 comments

  1. Anyone have a working copy? by tuxedobob · · Score: 2, Interesting

    I want to see what GraphicConverter does with this.

    1. Re:Anyone have a working copy? by Ariane+6 · · Score: 2, Interesting

      I just downloaded the sample from easynews.

      Quit all internet apps, and watched my network traffic with Activity Monitor.

      Graphic Converter gave its standard "An error occurred while decoding the image. Some parts of the picture may be missing." message, then displayed a blank white image (555x857).

      No spike in network activity at all, as one would expect.

      (I love my Mac)

    2. Re:Anyone have a working copy? by Yaztromo · · Score: 4, Interesting
      I want to see what GraphicConverter does with this.

      Absolutely nothing. The file is only 8KB in size, and doesn't appear to contain any actual image data. Loading it up in GraphicConverter v4.9 over here (and Preview, and a number of other tools) just reports that the image file is corrupt.

      Yaz.

    3. Re:Anyone have a working copy? by Ariane+6 · · Score: 2, Interesting

      If you think you are safe you are misleading yourself

      I am well aware that I am not ENTIRELY safe, however, one of the upsides to using a platform with low marketshare is that the authors of malware (as exemplified by this and the vast majority of other virii) tend to pay it little attention.

      Matter of fact, most macs that you can gain local access to are easily rooted through apple tools.

      You mean single-user mode? I've used that before. I don't think anyone with local access to my machine gives a shit, though; it's in my bedroom. I suppose that if a cracker is enterprising enough to break into my house and root my machine locally, well...fair play to them :)

    4. Re:Anyone have a working copy? by Gogo+Dodo · · Score: 2, Interesting
      Did NAV detect it as Bloodhound.Exploit.13?

      What I find interesting is the next one in sequence, Bloodhound.Exploit.14. Looks like IE has problems parsing TIFFs, too. First time I've heard of this. Apparently, Microsoft hasn't acknowledged this one as there's no link on the Symantec site for further details like they do with all the previous ones in the Bloodhound.Exploit series.

    5. Re:Anyone have a working copy? by famebait · · Score: 3, Interesting

      So, after five minutes of extremely unprofessional research and wild conjectures, I'd say it looks like the stories are true: some Linux programs may be vulnerable too. Yikes!

      I don't know much of Linux internals, but I don't think it is obvious that it is vulnerable just because programs can get confused by unexpected data.

      UNIX generally has separate code and data segments, and with modern CPUs with memory management the OS should be able to enforce the separation very strictly. Doesn't Linux do this?

      It has long been a mystery to me why Windows did not (up until XP SP2). Whole classes of overflow exploits and system threats from bugs are just not possible if you can't execute code that's not explicitly loaded into executable segments, and if normal data-writes simply don't have write access to executable memory.

      --
      sudo ergo sum
    6. Re:Anyone have a working copy? by ajs · · Score: 3, Interesting

      I don't know much of Linux internals, but I don't think it is obvious that it is vulnerable just because programs can get confused by unexpected data.

      Simple answer: no, and that's why buffer overflow attacks work.

      Yeah, I've been waiting for years to hear about the first image-based attacks for Linux. I was kind of surprised that the first exploits arrived for Windows instead of Linux, just because we've known about several holes in Linux over the years (look at the changelog for any image processing library). The down-side is that you can't always "root the box" based on an image attack because a user will be running the browser, but I would think that access to the machine is enough for most zombification and you can always go after local exploits to get root at that point.

      Linux needs a good suite of exploitive data (that doesn't do anything) for projects to test against. Perhaps I'll work on that in my spare time (every format and protocol has many spots where it would be easy for a lazy programmer to do static allocation and then fail to bounds-check, so you just write code/generate data that exploits each one of these places). I've done this for specific proprietary applications before.

  2. Just begging to be sued by TheSpoom · · Score: 4, Interesting
    printf(" | JpegOfDeath - Remote GDI+ JPEG Remote Exploit |\n");
    printf(" | Exploit by John Bissell A.K.A. HighT1mes |\n");
    printf(" | September, 23, 2004 |\n");
    Geez, this guy really wants to be sued and/or arrested.
    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  3. A new era of exploitation by SlashdotMirrorer · · Score: 2, Interesting

    This sort of thing ushers in a new era of exploitation in which the warnings of security professionals in the past have been proven dreadfully wrong. Only the bearded terminal hackers are invulnerable to this one, typing away at their command lines being all, "What JPGS?". No longer can we simply give advice on security based on our assumptions as to what is possible and what is not. We must pay the piper and actually consider attack vectors that have formerly not been feasible.

  4. The real question... by comwiz56 · · Score: 3, Interesting

    Does this affect Firefox?

  5. Imagine for a moment.... by Hardwyred · · Score: 4, Interesting

    your neighbor's open access point, a copy of Airpwn and a suitably infected JPEG. Sounds like a pretty nasty situation in the making to me.

    --
    www.linux-skunkworks.com
  6. Not particularly well coded by crazyray · · Score: 4, Interesting

    If you read through the actual posting, it is apparent that while this may be the first GDI/JPEG-based worm, it is certainly not going to be the worst. First of all, unless I missed it, this code does not even self-replicate (i.e. it doesn't mail itself to others, or post itself to Usenet, or otherwise exploit vulnerable systems). I would expect to see some script kiddies combine this proof-of-concept trojan with some social-engineering-type email worms, and then THAT will be a nasty worm.

    1. Re:Not particularly well coded by Leomania · · Score: 2, Interesting

      Considering how many people are affected by malware loaded by visiting/loading code from a malicious (or hacked) website, I would expect this to spread relatively quickly once the exploit is propagated around all over the net.

      I saw one post indicating that the anti-virus tools can pick it up, but can they do so when you visit a website? My guess is no, and as such the majority of people who don't update their systems regularly (most people) have a pretty high likelihood of coming across such a site sooner rather than later as a result.

      - Leo

      --
      You don't use science to show that you're right, you use science to become right.
  7. WAV files by mosel-saar-ruwer · · Score: 3, Interesting
    Last weekend, I was messing around with writing my own WAV files [in conjunction with a LabVIEW project], and, oddly enough, M$FT's wmplayer.exe was the ONLY media player that checked the file for integrity.

    Real Player and that piece of crap spyware that Dell calls a media player just blithely tried to open the file without performing any integrity checks whatsoever, and damn near crashed the system.

    I bet this sort of thing is a helluva lot more endemic than people realize.

  8. DOS it now? by real_smiff · · Score: 2, Interesting
    it connects to ftp://209.171.43.27/www/system/ u/p bawz/pagdba

    apparently, the text indicates, that's the only source for the installed files.

    if say, 500 of us were to log into that and stay connected, would we stop the virus? would there be any risk to ourselves? (giving your IP away for a start).

    --

    This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.

  9. The joys of keeping a campus virus-free by iamlucky13 · · Score: 5, Interesting

    Our university campus has a huge problem with viruses and this is another exciting addition to our collection. I'm sure I'll start seeing plenty of guys asking for help getting this removed, after finding out pornstars aren't virus free after all.

    Thankfully, though, this shouldn't cause as much trouble as our current crop of worms. I'm shocked at how dumb our users are, as a whole. We're still having people infected with Blaster, over a year after Microsoft patched that vulnerability! Sasser is absolutely rampant. The school even purchased a blanket license of Norton, but I would bet less than half of the students have installed it. We have a T3 line providing our outside connection, and it's currently averaging about 7 Mbps combined up/down, because the internal network, which is mostly linked from building to building by gigabit fiber, is saturated by virus crap. Although this virus may have a really effective way of spreading, it scares me very little.

    1. Re:The joys of keeping a campus virus-free by pigscanfly.ca · · Score: 2, Interesting

      I know what you mean. I'm an RCC (resnet computer consultant) at Waterloo and we provided everyone with simple step-by-step guides to install Norton and turn their firewall on, yet we disconnected over 10% of people for getting infected with a worm which the default Windows firewall stops.
      Add to our luck that Norton doesn't detect the worm and we have a computing experience which reminds people of the old BBS days.
      Let's just say I don't wear my nametag except when required to :-)

    2. Re:The joys of keeping a campus virus-free by DannyiMac · · Score: 3, Interesting

      I work for the University of Kentucky ResNet and when a student's computer appears to exhibit viral activity they will be blocked by their IP address by the Communications department. Then the student calls and we check if the IP is blocked or not. If they are, we send them to the anti-virus web page--the only web page the student can access from their computer. Once they install the virus software the university supplies, remove the virus(es), and upgrade to the latest service pack for their version of Windows 2000/XP, we unblock them. If they lie to us and don't do this they simply get blocked again. This is how UK controls its virus problem and I think it's a good method. Students also get blocked for other reasons as well, such as port scanning for its possible virus behavior. Lastly, a DMCA complaint, where the student gets caught sharing copyrighted materials by organizations outside of UK (I don't think the RIAA has gotten anyone on campus yet, however).

      --
      - Danny
  10. Self fulfilling prophecy anyone? by PoderOmega · · Score: 2, Interesting

    Come on... admit it, you've all been dying for this Slashdot posting. You didn't think all this hype about the Microsoft GDI thing wasn't going to pay off? Well there you go.... feast on Microsoft's pain....

  11. Limited Accounts? by WoTG · · Score: 3, Interesting

    Anyone know if this exploit can be done when the user is using a Windows Limited account?

  12. Re:I don't see why this is a problem by real_smiff · · Score: 2, Interesting
    she must have had Admin access to make herself an admin, no?

    i manage systems with limited user accounts perfectly fine. just about all software works as well, office apps, multimedia, games, communications - it's not as bad as people make out. stuff that doesn't work - people don't get to play! (evil grin ;) also be sure to complain to the makers, it's the only way to improve this.

    --

    This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.

  13. And how is this a virus? by Anonymous Coward · · Score: 1, Interesting

    I don't see any indication that it's a virus at all. Just that the jpeg installs remote admin tools, connects to IRC and other typical things.

    How does it propagate?

  14. Re:I don't see why this is a problem by Etcetera · · Score: 4, Interesting

    At the risk of being kicked off Slashdot for being a devil's advocate... ;)

    If you aren't running as an administrator, which you shouldn't be, it can't install itself. It's the same as Linux or any other OS with a basic user system.

    Why shouldn't I be able to run as an administrator on my own machine? It's my computer... I paid for it... I'm the only one using it. If the system is insecure, isn't that the system's fault? Am I to be blamed for operating my computer in a fashion that (*gasp*) allows me to make changes to it when I want without it bitching to me any further?

    Think bigger. Think to the future. "Don't log in as root/Don't be an administrator." is NOT an answer. Mac OS 9 and below operated by default in a single-user mode without *any* authentication necessary to make changes and I can list the successful viruses/exploits (especially remote exploits) by hand on a single sheet of paper.

    Artificial permission models (where "artificial" means "not needed by the environment") are not panaceas and aren't excuses for poor OS design.
  15. Re:RUN ZONEALARM! by AndrewStephens · · Score: 2, Interesting

    That will help in this case, because the malicious code downloads other programs, but what if the code just looks for JPGs on your local drive to modify? Pictures get emailed around so often these days that the virus would still spread at a decent rate.
    The code could also contain its own backdoor software, IRC client, etc. Remember with a buffer overflow the code is executing in another program that already has rights to the network, so personal firewalls don't help.

    --
    sheep.horse - does not contain information on sheep or horses.
  16. Re:Can be prevented... by EnronHaliburton2004 · · Score: 3, Interesting

    Since this virus also affects MS Office, I bet it may be propagated that way.

    Most people update their system via windowsupdate.microsoft.com . However, despite the rumors, Windowsupdate does NOT update your MS Office suite.

    Very few people go the extra step to use the MS Office updater.

  17. NX Protection? by rsmith-mac · · Score: 5, Interesting

    Just out of curiosity, does anyone know if x86 no-execute protection (the NX bit, aka the XD bit, aka Data Execution Protection) prevents against this? With the release of SP2 and DEP support, it would seem that this would be a good test to see if DEP is all it's cracked up to be.

  18. Lament from an old-timer by bigberk · · Score: 4, Interesting

    In my day, an article like this would have been a downright joke. Seriously, this is such a milestone that I'm filing the article in my permanent news archives.

    In retrospect I don't know why we thought such a thing was impossible for so long. After all, buffer overflows or other coding problems can result in malicious code executing. I guess what we didn't expect "back then" was that computers primarily engaged in networking activities would be running vital parsers - HTML, ActiveX, images etc - within the operating system itself, with administrator level privileges.

    Wouldn't it make sense to limit the scope of any kind of modular parser/crypto using privilege isolation, so that even if malicious code starts running it is utterly incapable of affecting anything else?

    i.e. shouldn't all such modules - crypto, image, parser run within some kind of privilege jails and communicate with the involved application using something like a socket? Hell, couldn't Windows do just that and wrap it up so API users don't notice? What am I missing here? I'm not picking on Windows here, same thing could be done on *NIX.

    1. Re:Lament from an old-timer by bastard42 · · Score: 2, Interesting

      i.e. shouldn't all such modules - crypto, image, parser run within some kind of privilege jails and communicate with the involved application using something like a socket?

      No. It's slow.
      You have to copy the data back and forth. Not only that, you double your memory for that "operation" (sender has a copy and receiver has a copy).

      OTOH, it's a cool abstraction, and it's called pipes. All programs should pass data as file. Your file can be a pipe. Sockets are named pipes. GUI and speed be damned.


      P.S. I still think plan9 is supercool.
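An added example (Python; an editor's illustration, not the Usenet file, not GDI+ or the IJG library, and not code from any poster above) that ties together two threads here: Yaztromo's observation in comment 1 that the 8KB file is rejected as corrupt by GraphicConverter and Preview rather than rendered, and bigberk's question in comment 18 about running parsers in a privilege jail behind a pipe, with bastard42's reply that the price is a copy across that pipe. `parse_jpeg` walks a JPEG's marker segments without decoding pixels and refuses any segment whose length field is below its own 2-byte minimum or runs past the end of the buffer; `run_isolated` runs such a parser in a forked child under CPU and address-space caps, so a crash, hang or memory blow-up stays in the child and the caller only ever sees JSON coming back over a pipe. The JPEG byte strings are constructed for this example, `crash_worker` and `spin_worker` are stand-ins for a faulty decoder, and the whole thing is POSIX-only because it uses os.fork().

```python
import json, os, resource, select

# Added example (not the posted file, GDI+ or the IJG library); POSIX-only (os.fork).
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))  # markers with no length field
IN_SCAN = {0x00} | set(range(0xD0, 0xD8))  # byte after 0xFF that does not end scan data
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7, 0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}

# Constructed samples: a minimal well-formed skeleton and two malformed files.
GOOD_JPEG = bytes.fromhex(
    "FFD8"                                  # SOI
    "FFE000104A46494600010100000100010000"  # APP0 "JFIF", length 16
    "FFC0000B080001000101011100"            # SOF0, length 11: 8-bit, 1x1, 1 component
    "FFDA0008010100003F00"                  # SOS, length 8
    "12FF0034"                              # scan data with a stuffed 0xFF00
    "FFD9"                                  # EOI
)
BAD_LENGTH_JPEG = bytes.fromhex("FFD8FFFE0001")       # COM segment claiming length 1
OVERRUN_JPEG = bytes.fromhex("FFD8FFE000FF4A464946")  # APP0 claims 255 bytes, 6 present

def parse_jpeg(data):
    """Walk marker segments; every length is checked against its 2-byte minimum and the buffer end."""
    r = {"ok": False, "markers": [], "has_sof": False, "has_sos": False, "error": None}
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        r["error"] = "missing SOI marker"
        return r
    pos = 2
    while True:
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes precede a marker
            pos += 1
        if pos >= len(data):
            r["error"] = "truncated before EOI"
            return r
        marker, pos = data[pos], pos + 1
        r["markers"].append(marker)
        if marker == EOI:
            r["ok"] = True
            return r
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            r["error"] = "marker 0x%02X: truncated length field" % marker
            return r
        length = int.from_bytes(data[pos:pos + 2], "big")
        if length < 2:  # the field counts itself, so anything smaller is bogus
            r["error"] = "marker 0x%02X: length %d below minimum of 2" % (marker, length)
            return r
        if pos + length > len(data):
            r["error"] = "marker 0x%02X: length %d runs past end of file" % (marker, length)
            return r
        r["has_sof"] = r["has_sof"] or marker in SOF_MARKERS
        pos += length
        if marker == SOS:  # entropy-coded data follows; skip to the next real marker
            r["has_sos"] = True
            while pos + 1 < len(data) and (data[pos] != 0xFF or data[pos + 1] in IN_SCAN):
                pos += 1

def _cap(kind, value):  # lower a soft limit in the child, never above the inherited hard limit
    _, hard = resource.getrlimit(kind)
    value = value if hard == resource.RLIM_INFINITY else min(value, hard)
    resource.setrlimit(kind, (value, hard))

def run_isolated(fn, data, timeout=5.0, cpu_seconds=2, mem_bytes=1 << 30):
    """Run fn(data) in a forked child under CPU/address-space caps; only JSON on a pipe comes back."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: the jailed parser
        try:
            os.close(rfd)
            _cap(resource.RLIMIT_CPU, cpu_seconds)
            _cap(resource.RLIMIT_AS, mem_bytes)
            os.write(wfd, json.dumps(fn(data)).encode())
            os._exit(0)
        except BaseException:
            os._exit(1)
    os.close(wfd)
    chunks = []
    while True:
        ready, _, _ = select.select([rfd], [], [], timeout)
        if not ready:  # wall-clock backstop if the CPU cap has not fired yet
            os.kill(pid, 9)
            break
        chunk = os.read(rfd, 65536)
        if not chunk:  # EOF: the child has exited (or been killed)
            break
        chunks.append(chunk)
    os.close(rfd)
    _, status = os.waitpid(pid, 0)
    if status != 0 or not chunks:
        return {"ok": False, "error": "worker died or was killed (wait status %d)" % status}
    return json.loads(b"".join(chunks))

def crash_worker(_data):  # stand-in for a parser with a memory bug
    os.abort()

def spin_worker(_data):  # stand-in for a parser stuck in a loop; the CPU cap ends it
    while True:
        pass
```

Calling `run_isolated(parse_jpeg, GOOD_JPEG)` returns the parser's result dict; `run_isolated(parse_jpeg, BAD_LENGTH_JPEG)` returns a rejection with the offending marker and length; `run_isolated(crash_worker, b"")` and `run_isolated(spin_worker, b"")` come back as error dicts while the calling process keeps running. The copy cost bastard42 mentions is real and visible here: the result crosses the pipe as serialized bytes, and for a real decoder the pixel buffer would have to cross the same way.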

  19. Re:Can be prevented... by Zocalo · · Score: 1, Interesting
    It means that you still have a Microsoft application that needs patching; "Ink" is something to do with either Tablet PC or frp, one of their dev kits. Lucky you; that sounds like you can isolate a patch fairly easily. My vulnerable files are in the SP2 uninstall directory and, more critically, "\Windows\WinSxS". The former is easy enough to deal with, but the latter means I have almost no way of knowing which application stuck them there or what might break if I simply delete them.

    I'm guessing that only the application that installed them there can actually call them since there appears to be a serial number in the folder name. Certainly that *specific* version of the DLL would need to be in use to be exploited, but I'm not sure whether it is possible for a malicious web app to seek out and deliberately call a vulnerable version of a DLL stored under WinSxS.

    At the moment, I see two options to resolve this issue, other than simply relying on my virus scanner.

    1. Find out which applications "own" the vulnerable DLLs by starting every third-party application on my systems and watching which files get opened.
    2. Delete the vulnerable files and see what breaks as and when. Then hope that I can resolve all of the issues with Windows' system file integrity function that this appears to create.

    I don't consider either of these a satisfactory solution to the problem, quite frankly, and I think that Microsoft needs to address this issue PFQ.

    --
    UNIX? They're not even circumcised! Savages!
  20. Crappy MS "GDI Detection Tool" by whoever57 · · Score: 3, Interesting

    I just ran the updates on an XP machine. It claimed that there was vulnerable GDI code on the machine and I should go to the Office update page. Guess what: the Office update page said there were no updates. So, apparently the system is vulnerable, but there is no way to fix it. Wonderful!

    --
    The real "Libtards" are the Libertarians!
  21. This'll be good for catching downloaders . . . by base3 · · Score: 3, Interesting

    . . . of kiddy porn. The pervs grab the jpeg, load it, and it quietly calls home to the FBI, where a dot matrix printer prints out another warrant for a judge's signature . . .

    --
    One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
    1. Re:This'll be good for catching downloaders . . . by base3 · · Score: 2, Interesting
      2. The infected JPEG is a legal photo, in which case the "alleged perv" has broken no law, and there is no basis for the warrant.

      What if it's titled as kiddy porn, but it's not--just bait to see who's viewing it? Sure, then the "alleged perv" hasn't committed a crime by downloading and viewing it, but the fact that s/he has might just be enough probable cause for a sealed Grand Jury indictment, followed by a warrant for an unannounced full search of the downloader's PC . . . (IANAL, especially NA criminal L).

      --
      One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
  22. Re:SP2 Firewall by BubbleNOP · · Score: 2, Interesting

    Furthermore, you would not need a firewall if you were not running services that bound to things other than localhost. Since Windows firewall (prior to SP2, not sure whether SP2 has this functionality) doesn't let you pick who gets through to your ports, users should have the choice to shut down all ports exposed to the net. Keeping ports open and firewalled to everybody seems stupidly inefficient.

  23. Re:That's pretty amazing. by ConceptJunkie · · Score: 4, Interesting

    The real kicker was when I switched to Outlook 2003 from Outlook Express. From a usability point of view, it was a pretty good improvement, especially the spam handling, but with a fairly large message store, it took at least an order of magnitude longer to access folders, etc, in O2k3 than OE. It was absurd. Oh, yeah, and the fact that an O2k3 data store can't be bigger than about 1GB to 1.5GB before it starts losing messages (I couldn't believe this at first but it was confirmed by two people with much more MS experience than me). I switched to Thunderbird around 0.5 and haven't given it a second thought.

    Now here's a case where the MS software really was well-designed and easy to use (from a UI standpoint), but the grotesque slowness of the app killed it for me.

    In 1994, I had a 50MHz 486SX... I didn't buy a Pentium 100 until '96, so you're right. Clock speed is more like 40 - 60 times faster (and thanks to wonders of CISC, performance is more than that). And disk space has increased for me by 3 orders of magnitude.

    I seem to recall MicroCenter or CompUSA having a "Buck-a-Meg" sale and I bought a 340MB drive for $340, bringing my total to a whopping 580MB. Now I've got about 600GB over about 4 machines, maybe more since each box is crammed full of old drives ranging from 7GB to 250GB etc in addition to a few bigger drives.

    I used to hate how my Amiga took like 3 minutes to boot back in the late 80's. Windows 2000 on a machine that was 100 times faster took around the same time. XP is much better, but still, there are times when I have a lot of apps loaded and it just seems to go out to lunch for several seconds before anything responds. And don't get me started on the launch time for Word 2003...

    --
    You are in a maze of twisty little passages, all alike.
  24. ANSI Bombs by hpavc · · Score: 2, Interesting

    Does anyone remember those ANSI bombs of old? I remember BBS's had all sorts of elaborate protections against them, zipfile comments etc.

    --
    members are seeing something, you're seeing an ad
  25. Anyone think it's interesting... by JohnsonWax · · Score: 3, Interesting

    That /.ers can reference generic sounding apps like GraphicConverter and Preview without mention of the operating system?

    Apple really has come a long way around here, eh?

    1. Re:Anyone think it's interesting... by Yaztromo · · Score: 4, Interesting
      Apple really has come a long way around here, eh?

      For the record, I bought my first Mac (a 12" PowerBook G4) this past spring based in significant part on all the good things I had read about Apple's latest offerings here on /. .

      Yaz.

  26. I wish Windows was like the Mac in this area... by Chordonblue · · Score: 2, Interesting

    It's all pretty simple there. To install something you have to put in the admin password. Unix made easy.

    The way Apple does it (by app) is FAR more intelligent than having to make a user an admin or log out of the system entirely to log in as an admin.

    I have a few applications here at the school that demand admin privs. I've all but given up trying to restrict them. But as anyone who has seen the proliferation of unwanted toolbars can attest - the cost is high.

    --
    "...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
  27. How do they reencode? by SuperKendall · · Score: 3, Interesting

    MSN reencodes all images to PNG

    That brings to mind the question of whether the reader on the server is using a standard library that might have buffer exploits, so that you could alter the server to start feeding out PNGs with viruses (assuming a similar attack could be found in the PNG reader in Windows, not sure if that's true or not).

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  28. Re:Tutorial on GDI Scan to find vulnerable apps by pe1chl · · Score: 2, Interesting

    This page refers to a download location for an updated gdiplus.dll, but the extracted file is dated 04-05-2004.
    Is that really the fixed version? Did Microsoft know about this problem for so long?

  29. Is this based on the Independent JPEG Group lib? by fraktus · · Score: 2, Interesting

    From www.ijg.org. This library is very popular.
    And if yes, are all applications linking this library subject to the vulnerability?

    If yes this will be a lot of work to update all applications.

    --
    In cyberspace nobody knows you're a cat!