JPG Virus Blocker

Versy Tyle said:
What's the name of the JPG virus blocker that Microsoft offers?
Thanks,
Versy

If you are referring to the vulnerability described in this bulletin:
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx Microsoft
offers a tool to scan your system for the vulnerable .dll files, but a
more comprehensive scanning tool is offered here:
http://isc.sans.org/gdiscan.php

Neither tool blocks the vulnerability; they only identify vulnerable
versions of the several .dll files which may be on your system.

Regards,
Ian.
 
Ionizer said:
If you are referring to the vulnerability described in this bulletin:
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx Microsoft
offers a tool to scan your system for the vulnerable .dll files, but a
more comprehensive scanning tool is offered here:
http://isc.sans.org/gdiscan.php

Neither tool blocks the vulnerability; they only identify vulnerable
versions of the several .dll files which may be on your system.

Regards,
Ian.

Hi Ian.
How does a .jpg virus work? What can it, or does it, do?
 
Sanjaya said:
How does a .jpg virus work? What can it, or does it, do?

There is no such thing as a jpg virus. There is a vulnerability in the implementation of GDI Plus that allows arbitrary code
execution IIRC. A jpg can be crafted to exploit this vulnerability so you may eventually find a virus (or worm) that uses
it (maybe as a downloader trojan), but it is an exploit itself (and a "trojaned" JPG). For there to be a jpg virus, JPEGs
would have had to be designed to have executable content as a matter of course. That won't stop peeps from calling these
"jpg viruses" though.
 
Roger Wilco said:
There is no such thing as a jpg virus. There is a vulnerability in the implementation of GDI Plus that allows arbitrary code
execution IIRC. A jpg can be crafted to exploit this vulnerability so you may eventually find a virus (or worm) that uses
it (maybe as a downloader trojan), but it is an exploit itself (and a "trojaned" JPG). For there to be a jpg virus, JPEGs
would have had to be designed to have executable content as a matter of course. That won't stop peeps from calling these
"jpg viruses" though.

Thanks.
 
Roger Wilco said:
There is no such thing as a jpg virus. There is a vulnerability in the
implementation of GDI Plus that allows arbitrary code
execution IIRC. A jpg can be crafted to exploit this vulnerability so you
may eventually find a virus (or worm) that uses
it (maybe as a downloader trojan), but it is an exploit itself (and a
"trojaned" JPG). For there to be a jpg virus, JPEGs
would have had to be designed to have executable content as a matter of
course. That won't stop peeps from calling these
"jpg viruses" though.

I'm sorry but I have to disagree. If you can add the exploit into a jpeg,
you can also have executable content that the exploit calls, which would
classify it as a legitimate infector file. If the executable routine in the
jpeg then looks for other jpegs and alters their files to do the same thing,
then this is no different than viruses that infect other EXE files that act
as the virus (like Chernobyl or Nimda).

I have already come across some websites that triggered the GDI+ exploit IDS
signature in my firewall, and I don't think the images on the pages were
intentionally altered to use this exploit. So I think we're already seeing
signs of what I described above.

More info about this can be found at:

http://www.antisource.com/article.php?story=20040921030750393

So far this year we have found that JPG, BMP, and PNGs are all possible
methods of malware propagation. :-(

Rick
 
Richard S. Westmoreland said:
implementation of GDI Plus that allows arbitrary code
may eventually find a virus (or worm) that uses
"trojaned" JPG). For there to be a jpg virus, JPEGs
course. That won't stop peeps from calling these

I'm sorry but I have to disagree. If you can add the exploit into a jpeg,
you can also have executable content that the exploit calls, which would
classify it as a legitimate infector file. If the executable routine in the
jpeg then looks for other jpegs and alters their files to do the same thing,
then this is no different than viruses that infect other EXE files that act
as the virus (like Chernobyl or Nimda).

I have already come across some websites that triggered the GDI+ exploit IDS
signature in my firewall, and I don't think the images on the pages were
intentionally altered to use this exploit. So I think we're already seeing
signs of what I described above.

More info about this can be found at:

http://www.antisource.com/article.php?story=20040921030750393

So far this year we have found that JPG, BMP, and PNGs are all possible
methods of malware propagation. :-(

Rick

Thanks for the information and link.
 
Richard S. Westmoreland said:
implementation of GDI Plus that allows arbitrary code
may eventually find a virus (or worm) that uses
"trojaned" JPG). For there to be a jpg virus, JPEGs
course. That won't stop peeps from calling these

I'm sorry but I have to disagree. If you can add the exploit into a jpeg,
you can also have executable content that the exploit calls, which would
classify it as a legitimate infector file.

The replication is hosted by the broken application or feature using the JPG file's data and not the JPG file's executable
image. If it were a modern file infector virus it would be hosted by the "program" file it has infected. Text (.txt) files aren't
infectable, and yet it is not beyond reason that there could be a vulnerability that allows execution of their contents by feeding
them to the command interpreter, a worm, virus, or other malware could make use of the exploit - but that is not the same
as it being a txt virus.
If the executable routine in the
jpeg then looks for other jpegs and alters their files to do the same thing,

Yes, then it is an exploit based worm - just not a jpg virus because JPEG is a data format filetype and is not expected to be
executable. The code does not modify a program by adding itself to it, it corrupts the data input that a program uses in such
a way that it allows execution and recursion through exploit.
then this is no different than viruses that infect other EXE files that act
as the virus (like Chernobyl or Nimda).

Except for the fact that the JPGs aren't normally expected to execute and the EXEs are. You require an already compromised machine
(vulnerability) to have this work - like "Perrin" does.
I have already come across some websites that triggered the GDI+ exploit IDS
signature in my firewall, and I don't think the images on the pages were
intentionally altered to use this exploit. So I think we're already seeing
signs of what I described above.
More info about this can be found at:

http://www.antisource.com/article.php?story=20040921030750393

So far this year we have found that JPG, BMP, and PNGs are all possible
methods of malware propagation. :-(

If BMP for older version of IE, then why not add RLE to that list?
 
Roger Wilco said:
Yes, then it is an exploit based worm - just not a jpg virus because JPEG
is a data format filetype and is not expected to be
executable. The code does not modify a program by adding itself to it, it
corrupts the data input that a program uses in such
a way that it allows execution and recursion through exploit.

How would you classify Code Red? Or Volga?

I understand what you're pointing out, just picking your brain a little.

Rick
 
Richard said:
I'm sorry but I have to disagree. If you can add the exploit into a jpeg,
you can also have executable content that the exploit calls, which would
classify it as a legitimate infector file. If the executable routine in the
jpeg then looks for other jpegs and alters their files to do the same thing,
then this is no different than viruses that infect other EXE files that act
as the virus (like Chernobyl or Nimda).

while that may indeed be a virus (by some definition), it is not a jpeg
virus... it is not a jpeg virus anymore than a virus that uses outlook
vulnerabilities to autoexecute itself and send itself by email is an
email virus...

the jpeg format, like the email format, is not infectable because it is
not executable... viral infection requires that the host be an
executable or interpretable program - the jpeg format doesn't include
any notion of instructions in the jpeg file that the jpeg viewer is
supposed to execute and thus a virus cannot insert itself into that
execution chain...

however jpegs, like email, can act as containers for executable content
(self-replicating or otherwise) and so could be a viable medium through
which *worms* could spread...

the convention generally goes something like: viruses are classified by
(among other things) the type of object they infect while worms are
classified by (among other things) the medium by which they spread... a
self-replicator that spreads in jpegs would be a jpeg worm... there can
never be jpeg infecting viruses (until the jpeg format is changed)
because the format doesn't support the requirements for infectability
but jpeg worms are conceivable (though probably not that viable since
they would rely on vulnerabilities in the jpeg viewer in order to get
executed)...
 
Richard S. Westmoreland said:
is a data format filetype and is not expected to be
corrupts the data input that a program uses in such

How would you classify Code Red? Or Volga?

The same way, Code Red used an exploit so that packet data was executed as code (it is not a "packet" virus). Volga
copies itself to a place that is expected to run code, infecting a program. Back to jpgs we could see how that is a data
filetype, it used to be that .doc files were data files but now we come to expect scripting in them so macro viruses are
real yet it is the macro that is "infected" not the document itself which is only a container - same for e-mail as containers
of executable content yet not themselves executable.
I understand what you're pointing out, just picking your brain a little.

Consider a DOS batch virus (where "virus" means that its execution results in another copy being created) that names its
children either ???.txt or ???.bat. There is no discernible difference between the two except the names, yet the ???.bat
file is a virus because it is routinely expected to be executed - and the ???.txt file is not a virus (although it contains the
same information as one). If some popular software mistreated the text file and resulted in its contents being executed
it would be another spread vector (maybe BAT_TXT.exploit or somethin') but they should not call it a .txt virus because
as text it won't create the copy.
 
Versy said:
What's the name of the JPG virus blocker that Microsoft offers?
Thanks,
Versy

Hi Versy,

A couple of notes on the GDI+/JPG exploit.

1. The Microsoft scanner only checks for bad DLLs on their latest
products and directs you to an update site if you have a vulnerable DLL.
But it doesn't tell you where the problem is, scan old products, or scan
third party products.

2. You might want to see Microsoft's explanation for technical
information, but there is a lot of information in the forums at
Bleepingcomputer. Bleepingcomputer also have good tutorials on many, if
not most, security related tools.
[http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx]
[Bleepingcomputer.com]

3. The SANS institute has a scanner that looks for any bad DLL no matter
what the software it (GDISCAN.EXE). It comes in both a GUI version and a
command line version.
[isc.sans.org/gdiscan.php]

4. If you want to just check a JPG to see if it is contaminated, use
JPGSCAN.EXE from Diamondcs.
[www.diamondcs.com.au]
 
Sanjaya said:
How does a .jpg virus work? What can it, or does it, do?

Whether or not it is a virus (read above), it works by using bad/old
code libraries (DLLs) on a specially crafted JPG file.

It uses DLLs (code libraries) with a bug in them which doesn't handle
bad JPG files well.

The DLLs (there are four of them) are what MS calls a "distributable"
library. In other words, a third party program can include their own
version. Programs (games or picture editors especially) might do this
because they need a feature that the MS library doesn't have.

The bad JPG file is using an "illegal" header with overlapping offsets.
This causes the program to hiccup with a problem called an "integer
overflow".

When the news first came out, all it did was crash the browser. It
didn't take long (2 weeks I think) for someone to figure out how to run
a virus with it. I've seen a POC (proof of concept) program that creates
a bad JPG and has several exploit capabilities.

1. opens a command prompt so another program can be run
2. binds a command prompt to a network interface which is used to create
a back-door so that another person can run programs from the Internet
3. downloads and runs a program from the Internet which could be another
exploit
4. creates an administrative user with no password so that another can
log onto your computer with administrative rights

If I got anything wrong here, please chime in and let me know.
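The two posts above describe the malformed JPG ("illegal" header, integer overflow) and point at JPGSCAN.EXE as a way to check a single file. The following is an added example, not code from this thread or from any of the tools it mentions: a small Python walker over the marker segments of a JPEG that flags the structural defect behind MS04-028. The known fact it relies on is that the GDI+ flaw was in the handling of the JPEG comment (COM, 0xFFFE) segment, whose 16-bit length field includes the two length bytes themselves; a value of 0 or 1 makes the "remaining bytes" computation wrap around (the integer underflow the post calls an overflow). The sample JPEGs are constructed inline, and the function name `scan_jpeg` is this example's own.

```python
"""Walk JPEG marker segments and report length fields that cannot be valid.

Every non-standalone JPEG marker (COM, APPn, DQT, SOF, ...) is followed by a
big-endian 16-bit length that counts itself, so a value below 2 is always
malformed.  Decoders that subtract 2 without checking underflow; this check
catches that condition before the data reaches any image library.
"""
import struct

SOI, EOI, SOS, COM = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFFE
# Markers with no length field: SOI, EOI, TEM and the restart markers RST0-7.
STANDALONE = {SOI, EOI, 0xFF01} | set(range(0xFFD0, 0xFFD8))


def scan_jpeg(data: bytes) -> list:
    """Return a list of human-readable findings; an empty list means no
    malformed segment was seen in the header section of the file."""
    findings = []
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return ["not a JPEG: missing SOI marker"]
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"offset {pos}: expected marker prefix 0xFF")
            break
        marker = (data[pos] << 8) | data[pos + 1]
        if marker == 0xFFFF:          # fill byte between segments, skip it
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == EOI:
                break
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            kind = "COM" if marker == COM else f"0x{marker:04X}"
            findings.append(
                f"offset {pos}: {kind} segment length field {length} < 2 "
                "(would underflow; MS04-028 pattern)")
            break                     # no sane way to resume parsing
        if pos + 2 + length > len(data):
            findings.append(
                f"offset {pos}: segment length {length} runs past end of file")
            break
        if marker == SOS:
            break                     # entropy-coded data follows the header
        pos += 2 + length
    return findings


# Constructed samples: a minimal well-formed header, and the same header with
# a COM segment whose length field is 1.
GOOD_JPEG = (b"\xff\xd8"                               # SOI
             + b"\xff\xfe" + struct.pack(">H", 7) + b"hello"  # COM, len 2+5
             + b"\xff\xd9")                            # EOI
BAD_JPEG = b"\xff\xd8" + b"\xff\xfe" + struct.pack(">H", 1) + b"\xff\xd9"


def is_suspicious(data: bytes) -> bool:
    """Convenience wrapper: True when any finding was produced."""
    return bool(scan_jpeg(data))


if __name__ == "__main__":
    for name, blob in (("good", GOOD_JPEG), ("bad", BAD_JPEG)):
        print(name, scan_jpeg(blob) or "clean")
```

The walker stops at the first start-of-scan marker, since the problem segments live in the header area; it does not decode image data and is not a substitute for patching the vulnerable DLLs that the scanners in this thread look for.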
 
fluidly said:
Hi Versy,

A couple of notes on the GDI+/JPG exploit.

I forgot to mention a few things:

5. Norton and many AVs will catch the problem. When the news came out, I
would get a warning from Norton's heuristic engine (Bloodhound) whenever
I opened a directory (sub-folder) with a bad JPG in it. It did this even
though my signatures were out-of-date. But I was trying to figure out
this mess and Norton kept deleting the file!
 
fluidly said:
Whether or not it is a virus (read above), it works by using bad/old
code libraries (DLLs) on a specially crafted JPG file.
....

I missed a couple more notes about how the exploit works. I assume that
includes what will keep it from happening.

While SP2 has this fix built in, it is still vulnerable to 3rd party
software. But I think a program built with .NET would not have this
problem at all.

BTW, Netscape/Mozilla had the same problem about four years ago, but
solved it without the press's pressure.

Once again, I'm being kind of speculative here so feel free to correct me.
 