Slashdot Mirror
First JPEG Virus Posted To Usenet
Shawn writes "This could possibly be the worst viruses yet! Earlier this month Microsoft announced a problem in their GDI driver that processes the way JPEG images are displayed. Someone has finally posted an exploit to Usenet. Easynews, a premium Usenet provider, found the virus Sunday afternoon. Up-to-date information about how we found it and what it does is located at www.easynews.com/virus.txt. When this picture is viewed it installs remote management software (winvnc and radmin) and will connect to irc."
In the article the virus.txt has a jpeg sample in code.
_JS
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Update your systems now! The patch has been out for several weeks. I have already applied it to my corporation via SUS (which is free) and am rolling out the office patch now, as well. There is no reason other than laziness or sysadmin ignorance for this to be another massive virus attack.
It was only a matter of time. Now we wait for a dozen variants to pop up.
"This could possibly be the worst viruses yet!"
Hm...maybe when he started typing there was only one and it spread during the sentence?
I guess those nude pictures of Anna Kournikova could indeed be a virus.
If you aren't running as an administrator, which you shouldn't be, it can't install itself. It's the same as Linux or any other OS with a basic user system.
Interested in open source engine management for your Subaru?
clamscan possibleVirus.jpg
possibleVirus.jpg: Exploit.JPEG.Comment FOUND
----------- SCAN SUMMARY -----------
Known viruses: 24607
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 0.501 sec (0 m 0 s)
also updated nav corp 8 with latest defs (9/27/04) and it found it. AVG free edition doesnt as of yet.
Lawyers, MBA's, RIAA? A jedi fears not these things!
http://easynews.com/test/possiblevirus.jpg.gz
Got the link from bugtraq a few hours ago.
your neighbors open accesspoint, a copy of Airpwn and a suitably infected jpeg. Sounds like a pretty nasty situation in the making to me.
www.linux-skunkworks.com
No Screenshots, please!
Tell the truth and you won't have so much to remember.
Well, Apple's Preview (as of 10.3.5 with all the latest updates as of 6:00 PM PDT, 9/27/04,) says it's not a supported file type.
Graphic Converter complains that "Some parts of the file may be missing."
Safari displays a blank page, with no errors.
In all cases, I can't find any file-system goofiness. (And the free-with-DotMac Virex doesn't detect it as a virus.)
(The offending "virus" is available as a linked-to zip file in the linked virus.txt page.)
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
Ok, no offense, but beanie-babies and erotica? There are some newsgroups that just shouldn't exist.
These could be the worst grammar too!!!
If you read through the actual posting, it is apparent that this while may be the first GDI/JPEG-based worm, but it is certainly not going to be the worst. First of all, unless I missed it- this code does not even self-replicate (i.e.- it doesnt mail itself to others, or post itself to usenet, or otherwise exploit vulnerable systems) I would expect to see some script kiddies combine this proof of concept trojan with some social engineering type email worms, and then t**THAT** will be a nasty worm.
Heh, Norton Antivirus wouldn't even let me try it. The heuristics grabbed it before it was even on my desktop. Now [i]that[/i] is impressive.
yes, if you haven't updated to the latest version.
See this Slashdot thread.
- Leo
You don't use science to show that you're right, you use science to become right.
Hopefully mozilla decodes the jpgs itself before rendering them on windows.
It does. But Mozilla had almost the exact same problem with both BMP and PNG in the last week or two. So it's not just Microsoft who has vulnerable image decoders.
put the image on doubleclick.net
Absolutely nothing. The file is only 8KB in size, and doesn't appear to contain any actual image data. Loading it up in GraphicConverter v4.9 over here (and Preview, and a number of other tools) just reports that the image file is corrupt.
Yaz.
This reminds me of my first thought when I saw Windows 95 message "It is now safe to turn off your computer."
Which was, "However it is no longer safe to turn on your computer."
Quality freefall.
Really, how much new useful functionality has MS provided in the last 5 years? It takes just as long to load apps now as it did 10 years ago, even though machines are 10 times faster with 100 times more memory. Functionality increases at best in a linear fashion, while system requirements increase at a geometric rate. Software eats more of your computer and offers less in return.
Remember when MS supposedly shut down for a month to work on security issues? That was about 4 years ago. Not only did the problems not go away, but the occurance of gaping new exploits increased significantly.
Maybe they should shut down for a year. Take all the gigabyte-gobbling shit they've written for the last 10 years and turn it into useful code with no new functionality. Returning with the same stuff they have now, but with little or no security issues would win them more customers than their current monopolistic policies and FUD spreading ever will.
Really, what else could they possibly do besides introduce a bunch of bloated new technologies for doing the same damn thing we all wrote for ourselves years ago, but without all the MS lock in and huge learning curve?
I have to ask, what has MS done that is actually useful since Windows 2000?
You are in a maze of twisty little passages, all alike.
Our university campus has a huge problem with viruses and this is another exciting addition to our collection. I'm sure I'll start seeing on plenty of guy's asking for help getting this removed, after finding out pornstars aren't virus free after all.
Thankfully, though, this shouldn't cause as much trouble as our current crop of worms. I'm shocked at how dumb our users are, as a whole. We're still having people infected with blaster, over a year after Microsoft patched that vulnerability! Sasser is absolutely rampant. The school even purchased a blanket liscence of Norton, but I would bet less than half of the students have installed it. We have a T3 line providing our outside connection, and it's currently averaging about 7 Mbps combined up/down, because the internal network, which is mostly linked from buidling to building by gigabit fiber, is saturated by virus crap. Although this virus may have a really effective way of spreading, it scares me very little.
Are you serious? Of course Slashdot covered those stories too.
Critical Mozilla, Thunderbird Vulnerabilities
CERT Warns Of Multiple Vulnerabilities In Libpng
Mine too... Totall impressive. What's even more impressive is the ability to use standard html tags on slashdot :)
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
FYI, here's the fix from M$ for this exploit: Security Bulletin
Why doesn't slashdot allow you to post images! :)
Stop being a tease and saying we can't have pr0n and then using language like "patches the hole." Thank you.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
Just out of curiosity, does anyone know if x86 no-execute protection(the NX bit, aka the XD bit, aka Data Execution Protection) prevents against this? With the release of SP2 and DEP support, it would seem that this would be a good test to see if DEP is all its cracked up to be.
What, now you can't even WATCH sex without protection?
In my day, an article like this would have been a downright joke. Seriously, this is such a milestone that I'm filing the article in my permanent news archives.
In retrospect I don't know why we thought such a thing was impossible for so long? After all, buffer overflows or other coding problems can result in malicious code executing. I guess what we didn't expect "back then" was that computers primarily engaged in networking activities would be running vital parsers - HTML, ActiveX, images etc - within the operating system itself, with administrator level privileges.
Wouldn't it make sense to limit the scope of any kind of modular parser/crypto using privilege isolation, so that even if malicious code starts running it is utterly incapable of affecting anything else?
i.e. shouldn't all such modules - crypto, image, parser run within some kind of privilege jails and communicate with the involved application using something like a socket? Hell, couldn't Windows do just that and wrap it up so API users don't notice? What am I missing here? I'm not picking on Windows here, same thing could be done on *NIX.
I extracted the bad code, but I'm having trouble getting it to run in WINE.
Just one more reason Linux isn't ready for the desktop.
I'm probably at the karma cap. Mod up a funny troll instead, it lightens the mood
I'm glad I'm not the only one who noticed this. btw cpu's are way faster than 10x faster. In 1994 I could only afford a 386sx at 16Mhz. Not only is the clock speed faster but the chip has gone through several major revisions. Yet I think that 386sx booted up faster and ran Lotus and Wordperfect under DOS just as fast as anything out there on Windows today. Of course there are some advantages to windows but speed sure isn't one of them!
Liberals call everyone Nazis yet they are the closest thing to it.
So what happens when someone hacks the ad server that cnn or google uses, and puts this jpeg up?
Millions of instant zombies.
Thats f*cking scarry....
The real kicker was when I switched to Outlook 2003 from Outlook Express. From a usability point of view, it was a pretty good improvement, especially the spam handling, but with a fairly large message store, it took at least an order of magnitude longer to access folders, etc, in O2k3 than OE. It was absurd. Oh, yeah, and the fact that an O2k3 data store can't be bigger than about 1GB to 1.5GB before it starts losing messages (I couldn't believe this at first but it was confirmed by two people with much more MS experience than me). I switched to Thunderbird around 0.5 and haven't given it a second thought.
Now here's a case where the MS software really was well-designed and easy to use (from a UI standpoint), but the grotesque slowness of the app killed it for me.
In 1994, I had a 50MHz 486SX... I didn't buy a Pentium 100 until '96, so you're right. Clock speed is more like 40 - 60 times faster (and thanks to wonders of CISC, performance is more than that). And disk space has increased for me by 3 orders of magnitude.
I seem to recall MicroCenter or CompUSA having a "Buck-a-Meg" sale and I bought a 340MB drive for $340, bringing my total to a whopping 580MB. Now I've got about 600GB over about 4 machines, maybe more since each box is crammed full of old drives ranging from 7GB to 250GB etc in addition to a few bigger drives.
I used to hate how my Amiga took like 3 minutes to boot back in the late 80's. Windows 2000 on a machine that was 100 times faster took around the same time. XP is much better, but still, there are times when I have a lot of apps loaded and it just seems to go out to lunch for several seconds before anything responds. And don't get me started on the launch time for Word 2003...
You are in a maze of twisty little passages, all alike.
"Quality freefall"? Not really. They've always produced third tier code.
I dunno. NT 3.51 always seemed to be rock-frickin'-solid, but then I didn't use it for long before NT 4 came out.
Of course, Windows 95 was stillborn and they kept pumping the corpse full of formaldehyde for 5 years for they finally let it rot in peace, but the NT branch was really good until they started making every app they wrote effectively part of the core OS.
Remember when NT ran on 4 different processor architectures and Win32 was just one API on top of the kernel in addition to Posix and OS/2? Now that IE and WMP are practically part of the kernel it seems so long ago, and yet, in a sense, it was far more advanced because it was modular enough and clean enough to be ported.
You are in a maze of twisty little passages, all alike.
I have to ask, what has MS done that is actually useful since Windows 2000?
:P
You mean, apart from the sanitation, the medicine, education, wine, public order, irrigation, roads, a fresh water system, and public health?
Oh, wait - that was the Romans
Windows Users have all the fun!
Oh well, what the hell...
For the record, I bought my first Mac (a 12" PowerBook G4) this past spring based in significant part on all the good things I had read about Apple's latest offerings here on /. .
Yaz.
Returning with the same stuff they have now, but with little or no security issues
Sorry, that won't work.
Some of the stuff is insecure by design!. Not "designed to be insecure", just "impossible to secure given the design".
Take ActiveX: running binary code downloaded from a anywhere without a JVM-like sandbox is insecure. Not matter how many digital signatures, OK dialog boxes and warnig messages you add, some (most?) users WILL simply click through all the warnings and have their boxes 0wn3d.
Design has tradeoffs between security, performance, usability etc. etc. Some of this stuff you can't fix without changing the basic design (i.e. starting from scratch)
In all seriousness, I downloaded an example of an Evil JPEG to my Linux computer and tried opening it up in various programs.
So, after five minutes of extremely unprofessional research and wild conjectures, I'd say it looks like the stories are true: some Linux programs may be vulnerable too. Yikes!
mind you, who would ever write an exploit that would only spread to five percent of the computers in the world? ;-)
Standing at the very edge of my imagination, I peered into the inky void and realised -- I couldn't think up a new sig.
"It is now safe to turn off your computer." ... Quality freefall.
It's related.
There is an arrogance that Microsoft knows best that is implicit in that statement. Whether or not it is actually safe to turn off the computer is very much outside of Microsoft's knowledge. In fact the safest thing to do when a system is acting bonkers is to hit reset or the power switch on old computers or pulling the power plug or removing the battery on new compouter where the power switch is no longer functional. The reasoning goes that when the system has its brains scrambled it desperately wants to write those scrambled brains to disk and thus perpetuate the scramble.
Remember when MS supposedly shut down for a month to work on security issues? That was about 4 years ago. Not only did the problems not go away, but the occurance of gaping new exploits increased significantly.
One whole month, Well golly gee! Actually one month would be enough to stop hiding stuff and never under any circumstance use or require scripts or ActiveX controls for anything remotely related to security.
[x] Hide files extension for known file types.
That by itself is enough to wreck any attempts at achieving security. The message is loud and clear. Linux worms never seem to get anywhere. People see them and react violently to anything sneaking around trying to be invisible.
Task Manager doesn't show everything. Microsoft Windows comes with a pre-installed root kit!
Yeah but Linux users make up 90% of the porn-downloading population; therefore, there is an elevated risk.
you're a goddamn idiot. a suitably constructed jpeg will cause an overflow in the gdi+ library which ie and most msft programs use to render jpegs, when that happens the jpeg can be made such that the overflow will cause virus code to be loaded. god you're an idiot.
.EXE file, except for the fact that the code is hiding inside what is supposed to be data, not code, and it gains control of the CPU by smashing the stack.
.TXT file to execute arbitrary code. Who knows?
Jesus, an obvious end user asks a perfectly legitimate question and you call him an idiot for being surprised by the notion of a hostile JPEG- something that should rightfully amaze everybody. I doubt he understood your high level description. To the grandparent: here is a meandering crappy description of how a buffer overflow attack works:
A function call, in C, pushes the current program counter on the stack. Then it pushes the arguments onto the stack, and control jumps to the function which pops the arguments off the stack and does whatever with them. At the end it invokes a RET instruction that pops the program counter back off the stack and control jumps to the address there (to the point right after the CALL). These are just normal C calling conventions.
Variables defined in the function are stored on the stack. If a string like a URL (for example) needs to be defined, a buffer is allocated for it there. When the function returns, the space is automatically deallocated, the RET pops the program counter off the stack, and the function call returns. By default no bounds checking is done on data stored in these buffers. Some library functions, like gets(), don't do bounds checking. They can't, since they don't know the buffer size and would need to have it provided as an argument. Newer, safer versions exist that do take buffer size arguments, but that means these aren't the same library functions anymore. (FWIW the gets() call takes a pointer to a buffer of unknown size as an argument, reads a newlined string from stdin into the buffer, and returns the buffer pointer that was passed to it.)
It's up to the programmer to do bounds checking if he uses library calls vulnerable in this way. But this is extra work, and people are lazy. It's easier to just allocate a big, big buffer that's probably larger than you'll ever need, that "no reasonable URL" will ever exceed. So the programmer allocates a fixed 10K buffer on the stack and passes its address to a library function like gets().
The attacker gains control in these situations by creating a program input like a long, carefully crafted URL, slightly longer than 10K, that overflows the buffer inside the library function. The goal is to overwrite the return address on the stack with an address that's within the buffer. In the case of the Code Red worm, someone meticulously put together a URL that attacked an obscure ISAPI routine, and not only overwrote the return address, but also had machine code instructions waiting at the replacement address within the buffer- encoded right into the damn URL! (The buffer has been deallocated at this point, but hasn't been zeroed, so it's still there.)
It's harder to explain with a JPEG than with a URL. But a JPEG contains variable length data structures that are read into buffers on the stack. Someone writing the JPEG decoder forgot to do a bounds check- and so a mundane function for decoding JPEGs never returns. Instead it jumps into an endless loop that's been placed within the image buffer by the attacker.
So yes it is a bit like running an
Older versions of Notepad gagged on files larger than 64K, which seems suspicious. It's theoretically possible that a vulnerability could exist even in a text editor like Notepad allowing a carefully constructed
So you see what happened. The unchecked library call in this case was memcpy(). The decoder trusts its input and sends a small signed integer (-2) off to memcpy() without checking the sign bit- and memcpy() thinks -2 is a huge unsigned integer (4294967294). What's the difference? Any reasonable number is going to be positive anyway, right? Who would give a comment a negative length!
I saw someone make this kind of goof even in Java, where you have signed-only types forced on you. Someone forgot that InputStream.read() returns an unsigned byte as an int (between 0-255), and they cast it to a signed byte and back without the &0xFF to zero out the 24 high bits. That got caught right before our product release. The consequence in that case would have been a hash algorithm with inconsistent output between stream and byte array inputs- not a security nightmare like this, but a long lasting migraine nevertheless.
* Eye of Gnome seemed to work okay, but I got all sorts of weird redraw problems when I tried to resize the window.
* Gimp (2.1) says the JPEG is unsupported and couldn't be imported by the filter, then segfaults.
* Konqueror seems to work okay, but just shows a tall black rectangle, and its spinner is still chugging away, as if it's still busy loading something.
* Firefox 0.9.3 has no troubles at all; it just shows a nice white rectangle on a white background
These programs are not vulnerable to the the exploit in the same way that Windows machines are vulnerable. In fact, the issues you saw appear to be in no way related to the intended result of the virus. GIMP's segfault seems to be the most serious of these, and it is still a minor problem. I believe all of your results can be achieved by opening a mangled/corrupted
Nutshell: One cannot conclude that graphics-related processes/apps on Linux machines are vulnerable to this virus.
PS Conclusions posited based on "unprofessional research and wild conjectures" are likely to cause much more harm than good. Is this really necessary? (not a flame - just an observation)
I want to drag this out as long as possible. Bring me my protractor.