Viruses now in jpg files? Gif files?

Gabriele Neukam

On that special day, Hoosier Daddy, ([email protected]) said...
My Win98 registry shows an entry for .wmf files associated with a classid
and the classid shows data of "TridentImageExtractor".

Trident? A video card manufacturer had this name. Maybe they shipped
their products with some graphic utilities?


Gabriele Neukam


Ant

Tim Smith said:
Ant said:
[...] the address of the "abortproc"
code in the WMF is passed to the GDI, but why is it being run? In
the exploit code I've seen, there's no subsequent call to trigger it.

It's called on errors, not just print cancels.

I didn't realise that. It's not clear from the SDK documentation, but
that's no surprise.

If you examine the calls in the file, you should find something
wrong that would cause an error, and hence execute the abort proc.

Ah-ha! I corrected the escape(setabortproc) record size value in a POC
WMF exploit which triggers when opened with Irfanview. The escape call
and code is still in place, but it no longer runs.
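
The check this exchange points at, as an added example that is not part of the original thread: a defender-side scanner that walks a WMF record list and reports any META_ESCAPE record carrying the SETABORTPROC escape function, plus any record whose declared size does not fit the file. The record layout and constants follow the published WMF format; the function names and the sample byte strings are constructed for this illustration and contain no payload.

```python
import struct

META_ESCAPE = 0x0626          # WMF record function META_ESCAPE
SETABORTPROC = 0x0009         # escape function carried in the record's first parameter
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte placeable header

def scan_wmf(data: bytes) -> list:
    """Walk the record list of a WMF byte string and return a list of findings."""
    off = 22 if data[:4] == struct.pack("<I", PLACEABLE_MAGIC) else 0
    if len(data) < off + 18:
        return ["truncated header"]
    mtype, header_words = struct.unpack_from("<HH", data, off)
    if mtype not in (1, 2) or header_words != 9:
        return ["not a WMF header"]
    off += 18
    findings = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        # Inspect the escape function before trusting the declared size, so a
        # record with an inconsistent size is still reported.
        if func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                findings.append(f"META_ESCAPE/SETABORTPROC at offset {off}")
        if func == 0:                                   # META_EOF ends the list
            break
        if size_words < 3 or off + size_words * 2 > len(data):
            findings.append(f"inconsistent record size at offset {off}")
            break
        off += size_words * 2
    return findings

# --- constructed samples (no payload bytes), for demonstration only ---
def _record(func, params=b"", size_words=None):
    words = (6 + len(params)) // 2 if size_words is None else size_words
    return struct.pack("<IH", words, func) + params

def _wmf(*records):
    body = b"".join(records) + _record(0)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0)
    return header + body

ESCAPE_PARAMS = struct.pack("<HH", SETABORTPROC, 0)       # function, ByteCount=0
CLEAN = _wmf(_record(0x0103, struct.pack("<H", 8)))       # META_SETMAPMODE only
FLAGGED = _wmf(_record(META_ESCAPE, ESCAPE_PARAMS))
BAD_SIZE = _wmf(_record(META_ESCAPE, ESCAPE_PARAMS, size_words=0x100))

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("flagged", FLAGGED), ("bad size", BAD_SIZE)):
        print(name, scan_wmf(blob))
```

A legitimate metafile has no reason to carry SETABORTPROC, so either finding is grounds to quarantine the file rather than render it.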
 
Hoosier Daddy

Jim said:
It has been known for a long time that people put malware in images. This
is especially true for compressed formats like jpg or gif.
I suppose that it would be possible to imbed malware in almost any type of
image if a person were determined enough.
It has also been known that one should never open an image from anybody
unless some friend tells you that the image is coming.
There is nothing new about the potential for getting infected via image
files.
Jim

The problem is that while the rest of the computing world is trying to draw
(and respect) a line between code and data, Microsoft is trying to do the
opposite. Most image files are data files and must rely on an application
to create a display bitmap. Generally the image files you mention are not
designed to execute code and any execution of the data they contain is
the result of a flaw or bug in the application's code. This time it is the WMF
filetype itself that is not a pure data type. Just as the .doc file was once
considered a data filetype, thanks to Microsoft we must now treat it as an
executable.
 
Ant

Gabriele Neukam said:
On that special day, Hoosier Daddy, ([email protected]) said...


Trident? A video card manufacturer had this name. Maybe they shipped
their products with some graphic utilities?

Trident is the name of Microsoft's HTML rendering engine as used by
IE, OE and Explorer.
 
Jim

Hoosier Daddy said:
The problem is that while the rest of the computing world is trying to draw
(and respect) a line between code and data, Microsoft is trying to do the
opposite. Most image files are data files and must rely on an application
to create a display bitmap. Generally the image files you mention are not
designed to execute code and any execution of the data they contain is
the result of a flaw or bug in the application's code. This time it is the WMF
filetype itself that is not a pure data type. Just as the .doc file was once
considered a data filetype, thanks to Microsoft we must now treat it as an
executable.

No, what I am talking about is that someone can imbed extraneous material in
an image file because the low bits tend not to be used. Hence, through
creative programming, a person can write a small program which extracts the
extraneous information to create a virus. This technique predates what
Microsoft has tried to do, and it is not necessarily dependent in any way on
the functionality that Microsoft provides.
Jim
 
kurt wismer

Jim said:
No, what I am talking about is that someone can imbed extraneous material in
an image file because the low bits tend not to be used. Hence, through
creative programming, a person can write a small program which extracts the
extraneous information to create a virus. This technique predates what
Microsoft has tried to do, and it is not necessarily dependent in any way on
the functionality that Microsoft provides.

unfortunately, what you're talking about now (lsb steganography) does
*not* allow for getting infected from images as you implied
previously... the scenario you're suggesting would require the target
system to already be compromised by a trojanized image viewer that would
extract the 'virus' from the image and execute it...

wmf is the first image format i'm aware of that actually contains code
as part of its specification and is therefore the first truly unsafe
image format...
 
Hoosier Daddy

Jim said:
No, what I am talking about is that someone can imbed extraneous material in
an image file because the low bits tend not to be used.

Steganography.

Hence, through
creative programming, a person can write a small program which extracts the
extraneous information to create a virus.

Yes, data files can be containers for malware. Yes, programs can be written
to extract and execute malware contained in data files. This does not however
make all those data files "infectable" or "executable" files.

This technique predates what
Microsoft has tried to do, and it is not necessarily dependent in any way on
the functionality that Microsoft provides.

Where the malicious code hides (as data) is not the issue, the issue is how
the "data" comes to be executed as code. The image files you refer to are
not intended to carry code (they carry data), but the WMF format actually
carries code intended by design to be executed by the system.
 
Offbreed

kurt said:
wmf is the first image format i'm aware of that actually contains code
as part of its specification and is therefore the first truly unsafe
image format...

Didn't someone come up with a way to use fonts the same way?
 
kurt wismer

Offbreed said:
Didn't someone come up with a way to use fonts the same way?

closest thing i could come up with in google was a corrupted font
connected to a symbian-os trojan... do you have anything more specific
to search on?
 
Frazer Jolly Goodfellow

wmf is the first image format i'm aware of that actually
contains code as part of its specification and is therefore the
first truly unsafe image format...

There are many formats that include code and predate WMF - Postscript
being the most well-known.
 
Hoosier Daddy

Offbreed said:
Didn't someone come up with a way to use fonts the same way?

Yes, some font files are special forms of the dll format. Windows has the
annoying habit of recognizing some file formats regardless of extension.
 
Geoff

Yes, some font files are special forms of the dll format. Windows has the
annoying habit of recognizing some file formats regardless of extension.

Just like Linux and Mac OS/X.

In Linux, all files are passed through the shell first. If the shell
determines it can be executed by a specific program, it opens it with
that program. This is why shell scripts have those famous shebang
lines and this is what is meant by magic.

http://en.wikipedia.org/wiki/Shebang
 
kurt wismer

Frazer said:
Which is why I mentioned Postscript, an image format relevant to the
context of this discussion.

sorry - i was under the impression that postscript was a document
format, seeing as how i only ever see it used for documents instead of
straight graphics... (and the fact that the name itself implies writing,
not drawing)

my googling seems to support that impression... ghostscript, adobe, and
wikipedia all say it's for printing *documents*...
 
Virus Guy

kurt said:
sorry - i was under the impression that postscript was a
document format, seeing as how i only ever see it used
for documents instead of straight graphics...

There was once a computer that (I think) ran some form of unix (back
in the late 80's or early 90's). It was called "Next". We had a few
of those in our lab.

Anyways, as I understand it, the graphic display was actually
implemented in postscript.

Postscript is actually quite a complicated document description
language. If IE or an OS-linked thumbnail or document preview
mechanism could handle .ps or .eps files then you might very well see
postscript malware.
 
Frazer Jolly Goodfellow

sorry - i was under the impression that postscript was a
document format, seeing as how i only ever see it used for
documents instead of straight graphics... (and the fact that the
name itself implies writing, not drawing)

my googling seems to support that impression... ghostscript,
adobe, and wikipedia all say it's for printing *documents*...

I think we're disappearing down a rathole of semantic minutiae :)

In its final-form representation, a document *is* a graphics image.

WMF is a vector graphics representation language, as is Postscript.
The "Postscript" bit referred to its (at that time) innovative use
of vector graphics to represent characters and symbols - giving
stepless text scalability and output device independence.

Embedded Postscript (EPS) was in common use as graphics image
format e.g. for company logos etc.
 
Befunge Sudoku

For now. Now the idea is out, we can expect malware writers to start
sifting through 98 for similar flaws.

<G> I wonder if 3.11 is vulnerable?
I was on holiday so didn't bother keeping up to date on the wmf
exploit, but I did see one piece that said it went right back
to Windows3
 
