Free Republic
New computer virus is the first ever to infect picture files
Dow Jones

Posted on 06/13/2002 9:59:53 AM PDT by Sub-Driver

13 Jun 2002 12:42 ET DJ McAfee Expresses Concern Over New Picture Data Virus

Copyright © 2002, Dow Jones Newswires

WASHINGTON (AP)--A new computer virus is the first ever to infect picture files, an anti-virus firm reported Thursday, making sharing family photos on the Internet a potentially dangerous activity.

The virus, dubbed Perrun, is not currently infecting computers but worries anti-virus experts because it is the first to cross from program infection into data files, long considered safe from malicious data.

"Our concern is more for what might be coming," said Vincent Gullotto, head anti-virus researcher at McAfee Security (MCAF). "Potentially, no file type could be safe."

Until now, viruses infected program files - files that can be run on their own. Data files, like movies, music, text and pictures, were safe from infection. While earlier viruses deleted or modified data files, Perrun is the first to infect them.

Perrun still needs some tweaking to become dangerous. The virus arrives via e-mail or a floppy disk as an executable file. Security experts always warn against opening programs sent as e-mail attachments.

Once run, the file drops an "extractor" component onto the victim's hard drive. When a computer user clicks on a picture file with the extension .JPG - a common picture file found on the Web - it is infected before it appears. Because the picture displays normally, Gullotto said, the victim may not know there's anything wrong.

In its current form, an infected JPG file sent to a friend or placed on a Web site isn't dangerous without the extractor file. But Gullotto said there's no reason a virus writer couldn't stuff the entire virus code into the JPG, making the picture file a virus itself.

That evolution should make computer users think twice about sending pictures - or any other media - over the Internet, Gullotto said.

"I think there's a possibility that this could change the playing field," he said. "Going forward, we may have to rethink about distributing JPGs."

McAfee researchers received the virus from its creator. Gullotto declined to identify the author, and McAfee anti-virus software can detect and remove Perrun.

Perrun is known as a proof-of-concept virus, and does not cause damage. Gullotto said he fears that virus writers may use Perrun as a template to create a more destructive version.


TOPICS: Front Page News; News/Current Events; Technical

1 posted on 06/13/2002 9:59:53 AM PDT by Sub-Driver

To: Sub-Driver
Wow, that's a new one! Who'd have thought you could infect image files? There's a full description of the virus at NAI
2 posted on 06/13/2002 10:04:28 AM PDT by WindMinstrel

To: Sub-Driver
In its current form, an infected JPG file sent to a friend or placed on a Web site isn't dangerous without the extractor file. But Gullotto said there's no reason a virus writer couldn't stuff the entire virus code into the JPG, making the picture file a virus itself.

Guess all those Internet porn fanatics better be careful! 8^)

3 posted on 06/13/2002 10:07:59 AM PDT by Constitution Day

To: WindMinstrel
I disagree, the statement "New computer virus is the first ever to infect picture files" is just hype to sell anti-virus software.

The virus is the extractor program. The fact that this program gets information on what nasty things to do from specially encoded jpg files is not the same thing as saying that jpegs are, by themselves, capable of carrying viruses.

Regards, AL

4 posted on 06/13/2002 10:14:48 AM PDT by ahariail

To: WindMinstrel
I once heard that hackers and those who create computer viruses are mostly made up of radicals who have a strong hatred of the Internet being used for commerce. They think it should be used more for educational purposes. I think I also heard that they think the Internet ought to be free.
5 posted on 06/13/2002 10:15:31 AM PDT by Paul Atreides

To: Sub-Driver
But Gullotto said there's no reason a virus writer couldn't stuff the entire virus code into the JPG, making the picture file a virus itself.

That sounds bogus to me - the virus code is only harmful if it is executed, and programs that open jpegs for display do not execute the contents of these files.

There might be more to this story, but I suspect somebody has been misinformed.

6 posted on 06/13/2002 10:18:28 AM PDT by MikeJ

To: Sub-Driver
McAfee researchers are the probable creators! Tryin' to drum-up more business. Had them once...updates were impossible...Now Norton AV opens all my e-mails and auto-updates CONSTANTLY.

(I do NOT work for Symantec.)
7 posted on 06/13/2002 10:28:05 AM PDT by CaptSkip

To: Paul Atreides
Actually, a lot of virus writers do what they do simply to show the world how pathetic security is. Especially when it comes to the Microsoft world of computing products. I wouldn't be surprised tho if a lot of employees at McAfee and Network Solutions write viruses in their off time for job security purposes. :) This picture thing is not a virus. The extractor is a trojan. Specifically designed to input some extra junk into an image file. I don't think it's possible to put malicious code into the image itself since most images are standard formats and you would have to put something into the image that caused the image reader/viewer to do something messed up like write to the hard drive or execute programs.
8 posted on 06/13/2002 10:31:01 AM PDT by Orblivion

SUPPORT FREE REPUBLIC

Donate Here By Secure Server

Or mail checks to
FreeRepublic , LLC
PO BOX 9771
FRESNO, CA 93794

or you can use

PayPal at Jimrob@psnw.com

Thank you Registered!


9 posted on 06/13/2002 10:32:18 AM PDT by Mo1

To: Sub-Driver
Oops....also, Norton AV has caught two or three virus/worms trying to get into my computer via E-mail that were NOT attachments. They were imbedded in the e-mail.

Is VIRI the plural of virus as campi is for campus????
10 posted on 06/13/2002 10:34:37 AM PDT by CaptSkip

To: Paul Atreides
Malicious hacking is the modern day equivalent of lighting a bag of dog poop on fire, ringing the bell and running away. Unfortunately a lot of times the bag catches the house on fire before anyone answers the door.
11 posted on 06/13/2002 10:43:40 AM PDT by Rebelbase

To: ahariail
The virus is the extractor program. The fact that this program gets information on what nasty things to do from specially encoded jpg files is not the same thing as saying that jpegs are, by themselves, capable of carrying viruses.

Worth repeating.

12 posted on 06/13/2002 10:50:29 AM PDT by balrog666

To: Sub-Driver
In its current form, an infected JPG file sent to a friend or placed on a Web site isn't dangerous without the extractor file. But Gullotto said there's no reason a virus writer couldn't stuff the entire virus code into the JPG, making the picture file a virus itself.

If someone could stuff the extractor executable into the JPG, there would be no need to have an extractor executable. They would just stuff the VIRUS executable in the JPG.

13 posted on 06/13/2002 11:03:13 AM PDT by weegee

To: CaptSkip
It's possible that they were javascripts. You may try to disable HTML display for email.

The more "tricks" friendly senders needlessly use, the more opportunities hackers get to screw with your computer.

Text I understand. Attachments I understand. If the font and layout mean that much to you, send the file as a DOC. Want popups from opening an email? I'd be willing to bet that your recipient doesn't.

14 posted on 06/13/2002 11:07:46 AM PDT by weegee

To: Paul Atreides
That's not true, hackers/virus coders are nothing but lonely teenagers with no friends who cause mischief on the internet because they have nothing better to do. They need help.
15 posted on 06/13/2002 11:23:36 AM PDT by ZaDomSpremni

To: weegee
I think a much bigger problem than viruses are trojan horses. I had my entire hard drive deleted that way about 2 years ago. It took me many hours to re-install all my software. Now I have a firewall.
16 posted on 06/13/2002 11:28:58 AM PDT by ZaDomSpremni

To: weegee
Hey weegee, (and others that know),

Why do I get a prompt from Netscape, when sending e-mail, if I want to send it text, HTML, or both? And what is your advice?
17 posted on 06/13/2002 11:42:06 AM PDT by CaptSkip

To: weegee
It doesn't work that way. Image data is never executed by the processor.
18 posted on 06/13/2002 12:22:27 PM PDT by dinodino

To: ahariail
Yup, you're correct. The problem is with the executable, not the jpg.

It is a simple matter to write a program that can use jpg's to transfer data into a user's PC. You can easily add data to many types of file though... not just images.

You can add data to exe and dll files easily by stuffing it into data 'caves' that the compilers created... this won't change the file's length but it WILL change its checksum.

You can defeat a firewall by having an executable running on the target machine. The firewall will detect any attempt by the exe to communicate using the net BUT if the exe simply sends a request to the default web browser to fetch a web page the browser will do so (shellexecute) because the browser generally has the user's permission to access the net. If you tell the browser to fetch a url that is on the hacker's server his server will have access to anything that the exe has added to the url, i.e. http://www.mysite.com/this is added data that could contain your pgp passphrase/ the server will get the added text and thus the hacker has defeated your firewall.

The hacker's server can then send a modified jpg back to your browser that contains data that the exe will then use to further compromise your system...or place a file on your HD :-(

all of this is incredibly simple to do :-(

19 posted on 06/13/2002 12:58:43 PM PDT by Bobalu

To: Bobalu
In addition to helping sneak through firewalls, another advantage that this technique has to the virus author is that it gives him some additional cover.
If he wishes to program his "zombie" computers to, say, attack microsoft.com next Tuesday, he doesn't have to do anything to contact them, and risk being traced.
All he has to do is put some encoded pictures into various news groups, perhaps using stolen AOL accounts, etc.
Porn sites asking you to download special "viewer" programs are fairly common. Anybody dumb enough to run one of these from a web site in Romania, probably deserves what he gets.
20 posted on 06/13/2002 1:35:51 PM PDT by ahariail



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
