Mad Mardigan Posted October 11, 2004

It was only a matter of time before someone unleashed malware that exploits the JPEG GDI+ vulnerability. Over the last two weeks various people have released proof-of-concept code in stages. The first code base consisted of a corrupted JPG image file that caused an application to crash. The second code base was a JPG image that spawned a local command shell with no remote access. Within hours of the second code base being released, another person claimed to have made the command shell bind to a port for remote access.

Now someone has taken matters to a greater extreme by unleashing a JPEG file that causes a buffer overrun where shell code is run on the affected system. The shell code connects to a remote FTP site and downloads approximately 2MB of data, installs a Trojan service, and also installs a copy of radmin.com, which supposedly allows a remote user to interact with a system as if they were sitting at the local console. The Trojan also downloads several other tools, including fport, netcat, peek, rcrypt, and more.

According to Easynews, the JPEG exploit first appeared on several Usenet newsgroups that commonly contain erotic images. A possible way of detecting whether a system is infected is to look for a directory called c:\windows\system32\system\ which might contain files named nvsvc.exe and winrun.exe. The Trojan might also open port 10002. Easynews also made packet captures available that were taken as the JPEG infected a Windows XP system.

This is probably only the beginning of several future exploits that might take advantage of the JPEG GDI+ vulnerability. As always, you are advised to be sure you have the latest virus signature updates on your systems, and to be sure that you've loaded the patch if necessary.
You can learn more about the patch and tools that can help you identify systems that need the patch in our Security Matters blog and in our related news story, "New Tools Help with JPEG GDI+ Updates".

Source: http://www.freerepublic.com/focus/f-news/1229010/posts
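The post above describes the payload but not the file-format defect it rides on. The GDI+ bug patched by MS04-028 is in the handling of the JPEG COM (comment, marker 0xFFFE) segment: every JPEG segment length field counts its own two bytes, so a legal value is at least 2, but GDI+ computed `length - 2` without checking that, so a length of 0 or 1 underflowed into a huge copy and overran the heap. The scanner below is an added example for this thread, not code from the original post, from Easynews or from Microsoft; it walks the marker structure of a JPEG and reports any COM segment whose declared length is below 2. The two sample files are constructed inline (a minimal SOI/APP0/COM/EOI skeleton), not real captures.

```python
"""Scan a JPEG byte stream for the malformed COM-marker length behind MS04-028.

Added example for this thread; not code from the original post or from
Microsoft. After the SOI marker, each JPEG segment is a 2-byte marker
(0xFF xx) followed, for most markers, by a 2-byte big-endian length that
includes itself, so a valid length is >= 2. GDI+ computed `length - 2` for
the COM (0xFFFE) segment without that check; a length of 0 or 1 underflowed
into a huge copy size. The sample blobs below are constructed, not captured.
"""
import struct

SOI = 0xD8
EOI = 0xD9
SOS = 0xDA
COM = 0xFE
# TEM (0x01) and RST0..RST7 (0xD0..0xD7) carry no length field.
STANDALONE = {0x01} | set(range(0xD0, 0xD8))


def parse_segments(data: bytes):
    """Yield (marker, declared_length, payload_offset) for each segment.

    declared_length is None for standalone markers. Stops at SOS (entropy
    coded data follows) or EOI. Raises ValueError on structural problems
    other than the length-underflow condition itself.
    """
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill bytes may precede a marker
            pos += 1
            continue
        pos += 2
        if marker in STANDALONE or marker == EOI:
            yield marker, None, pos
            if marker == EOI:
                return
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        yield marker, length, pos + 2
        if marker == SOS:
            return
        # length < 2 is exactly the MS04-028 condition (length - 2 underflows).
        # Clamp so this scanner itself cannot step backwards or loop.
        pos += max(length, 2)


def find_ms04_028_triggers(data: bytes):
    """Return byte offsets of COM markers whose length field is < 2."""
    hits = []
    for marker, length, payload_off in parse_segments(data):
        if marker == COM and length is not None and length < 2:
            hits.append(payload_off - 4)   # offset of the 0xFF 0xFE marker
    return hits


def _com(text: bytes) -> bytes:
    """Build a well-formed COM segment around `text`."""
    return b"\xFF\xFE" + struct.pack(">H", len(text) + 2) + text


# Constructed samples: SOI, a 16-byte JFIF APP0, a COM segment, EOI.
APP0 = b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
BENIGN_JPEG = b"\xFF\xD8" + APP0 + _com(b"hello") + b"\xFF\xD9"
# Same layout, but the COM length field is 0x0001: the value GDI+ mishandled.
MALFORMED_JPEG = b"\xFF\xD8" + APP0 + b"\xFF\xFE\x00\x01" + b"\xFF\xD9"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_JPEG), ("malformed", MALFORMED_JPEG)):
        print(name, "suspect COM markers at offsets:", find_ms04_028_triggers(blob))
```

Run it over files pulled from a mail spool or proxy cache and anything that reports an offset is worth quarantining; the check costs nothing because the scanner only reads marker headers and never decodes image data. It does not detect the downloader the post describes, only the malformed file that would reach GDI+.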
5614 Posted October 11, 2004

JPEG, JPG or both? The article kinda swaps; whichever, they are both very popular and this could be a big one. Maybe GIF will become popular :S Nice 'safe' names as normal. Does this affect SP1? Presumably so, however it mentions SP2 only.
Sayonara Posted October 11, 2004

There is no difference between jpg and jpeg. JPEG is an acronym for Joint Photographic Experts Group. The 3-character .jpg extension exists due to the 8.3 file naming convention.
5614 Posted October 11, 2004

The difference is in the name! (OK, could never tell the difference... just found out why though! Thanks.)
Dave Posted October 11, 2004

Doesn't surprise me that this has gotten exploited quite a lot; it was crying out for it, after all. Hopefully most people will have updated their system by now. Ha ha.
Kedas Posted October 11, 2004

You can also use PNG instead of GIF or JPG. http://www.webopedia.com/DidYouKnow/Internet/2002/JPG_GIF_PNG.asp http://www.webcolors.freeserve.co.uk/png/
Cap'n Refsmmat Posted October 11, 2004

Now just how does this work? Is it a browser thing that lets it execute, or do you have to download the picture in the first place? If it's browser, then I'm glad I'm on FF.
5614 Posted October 11, 2004

The original article: http://www.freerepublic.com/focus/f-news/1229010/posts touches on this subject... Windows XP SP2 is not affected.... SP2 has fixed something!

Security patches for this are available at: http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx. Select the operating system you have and follow the links/instructions...

NOTE: on install it recommends that you back up your computer or data or something like that. I'm not quite sure what this is on about, a bit worrying; I currently have downloaded but not installed the update due to this warning. You'll see it when the auto-install thing starts, just don't click next and you'll see it safely!

Seemingly (in reply to Cap'n) you only have to view the image, as that will 'download' it to your computer... how else do you see images? Not literal downloading, but the loading of the image includes loading of the 'virus'. I'm not sure if you are safe behind Firefox, though I doubt it, as it is a Windows exploit NOT a program exploit, so (I'm assuming) FF will not save you, though I'm not sure.
Cap'n Refsmmat Posted October 11, 2004

Well, isn't it how the browser allows the image to execute script?
5614 Posted October 11, 2004

Images don't normally execute scripts though, so this might not be a standard Firefox (FF) security issue. This isn't an IE attack, so it's not an 'IE bad, FF good' thingy; it's a Windows attack. I'm not 100% with FF security where this is involved, neither is anyone, as nothing like this has happened until now. I would expect all users are under risk (those without the update, see post #8; update included in XP's SP2) and are using all browsers, as they all 'load' the image in the same way. I say this using knowledge of other such 'programs' and security things; I don't know the answer, however I'm saying what I think!