Posted on 09/28/2004 2:15:28 AM PDT by HAL9000
It was only a matter of time before someone unleashed malware that exploits the JPEG GDI+ vulnerability. Over the last two weeks various people have released proof of concept code in stages. The first code base consisted of a corrupted JPG image file that caused an application to crash. The second code base was a JPG image that spawned a local command shell with no remote access. Within hours of the second code base being released, another person claimed to have made the command shell bind to a port for remote access. Now someone has taken matters to a greater extreme by unleashing a JPEG file that causes a buffer overrun where shell code is run on the affected system. The shell code connects to a remote FTP site and downloads approximately 2MB of data, installs a Trojan service, and also installs a copy of radmin.com, which supposedly allows a remote user to interact with a system as if they were sitting at the local console. The Trojan also downloads several other tools, including fport, netcat, peek, rcrypt, and more.
According to Easynews, the JPEG exploit first appeared on several Usenet newsgroups that commonly contain erotic images. A possible way of detecting whether a system is infected is to look for a directory called c:\windows\system32\system\, which might contain files named nvsvc.exe and winrun.exe. The Trojan might also open port 10002. Easynews also made packet captures available that were taken as the JPEG infected a Windows XP system.
This is probably only the beginning of several future exploits that might take advantage of the JPEG GDI+ vulnerability. As always, you are advised to be sure you have the latest virus signature updates on your systems, and to be sure that you've loaded the patch if necessary. You can learn more about the patch and tools that can help you identify systems that need the patch in our Security Matters blog and in our related news story, "New Tools Help with JPEG GDI+ Updates".
How long until our enemies start posting infected JPEGS here? As the article says - it's only a matter of time.
As usual, it only affects Windows computers, including XP computers with SP2.
Uh oh.
Bttt
The virus could just as easily be contained in a JPEG image of President Bush, or the U.S. flag.
Is there a free virus checker/remover that covers this?
It's impossible to upload a gif or jpg to Free Republic.
You link a jpg or gif from another site.
So, don't save any jpgs or gifs from this or any other site.
I thought there was a fix for this in SP2?
This is the "feature" where data appended to a corrupt image gets executed, right?
My guess is that there are more "erotic images" being passed around, than pictures of President Bush.
I suppose they're the same thing, to some people.
I like my Macs.
LOL, noticed something funny with your compy? ;D
I don't believe you have to save it locally (even though it is saved in your browser's cache).
Simply viewing the picture regardless of where it is hosted does the job.
Very confusing because I've always thought only executables can be infected.
Dumb programmers.
No, it's not impossible. It's quite easy and it requires no special skills.
But it doesn't matter. It's simple enough to embed an image in an FR page that's hosted on another site.
Rephrasing for clarity - It's simple enough to embed an image hosted on another site in an FR page.
Can changing my browser keep these things out of my computers? What are some other browsers besides Explorer? I have been a week trying to get a dataminer in the form of ads called lop.com off my other computer. SpySweeper and AdWare take it off but it comes right back. I can't find where it is embedded. What I really would like to do is find a way to get in touch with the company that is doing this and give them a piece of my mind. Anyone know anything on this?
Windows, we have a problem. Get my technogeek on the ameche!
Microsoft programmers are typically too lazy to check for memory buffer overflows. For example, if a buffer contains space for 100 bytes of data, the programmer should not try to copy 101 bytes of data into it. That 101st byte exceeds the capacity of the buffer - and overflows into the executable code of the program you're running. The excess data overwrites the program code, and then you're executing virus code.
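The length-check failure the post above describes, shown on this thread's own file format as an added example that is not from the article or any poster: every JPEG marker segment carries a 16-bit length that counts its own two bytes, so a parser that computes "len - 2" without checking for values below 2 underflows and copies far more than the buffer holds (the GDI+ flaw was a length-handling error of this kind). The walker below is the hardened form: it validates each segment's length against the file before anything is copied, and the sample byte strings are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes from the segment walk. */
enum jpeg_check { JPEG_OK = 0, JPEG_NOT_JPEG = -1, JPEG_BAD_LENGTH = -2, JPEG_TRUNCATED = -3 };

/* Walk the marker segments from SOI (FF D8) to the first SOS (FF DA) or EOI (FF D9).
 * Each segment's 16-bit big-endian length counts the two length bytes themselves,
 * so any value below 2 is malformed: computing "payload = len - 2" on it underflows
 * and a naive parser then copies far more than the buffer holds. This walker
 * refuses such files instead of copying anything. */
enum jpeg_check jpeg_check_segments(const uint8_t *buf, size_t n)
{
    size_t pos = 2;
    if (n < 4 || buf[0] != 0xFF || buf[1] != 0xD8)
        return JPEG_NOT_JPEG;
    for (;;) {
        size_t len;
        uint8_t marker;
        if (pos + 2 > n)
            return JPEG_TRUNCATED;               /* file ends before a marker */
        if (buf[pos] != 0xFF)
            return JPEG_NOT_JPEG;                /* markers always start with FF */
        marker = buf[pos + 1];
        if (marker == 0xD9 || marker == 0xDA)
            return JPEG_OK;                      /* EOI, or SOS: headers are done */
        if (marker >= 0xD0 && marker <= 0xD7) {  /* RSTn markers carry no length */
            pos += 2;
            continue;
        }
        if (pos + 4 > n)
            return JPEG_TRUNCATED;               /* no room for the length field */
        len = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (len < 2)
            return JPEG_BAD_LENGTH;              /* would underflow in "len - 2" */
        if (len > n - (pos + 2))
            return JPEG_TRUNCATED;               /* claims more bytes than exist */
        pos += 2 + len;
    }
}

/* Constructed samples: a well-formed COM segment, one with length 1, one cut short. */
static const uint8_t good_jpeg[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x10, 'h', 'e', 'l', 'l',
                                     'o', ' ', 'w', 'o', 'r', 'l', 'd', '!', '!', '!', 0xFF, 0xD9 };
static const uint8_t bad_len_jpeg[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x01, 0xFF, 0xD9 };
static const uint8_t truncated_jpeg[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x40, 'a', 'b' };
```

A mail gateway or AV scanner applying this check would quarantine the second and third samples before any image decoder touches them.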
Well, the less standard a browser, generally the safer it is going to be. A lot of people suggest Firefox for that reason.
As for your particular problem, google "lop.com". You should be able to find all that is known about it pretty quickly.
One of the features of SP2 was a "no execute" flag that prevents some of this, but if the overflow occurred into an area that is supposed to contain executable code, it won't help.
I haven't looked at any of the infected JPEGS, but my impression is that they do not give a visual indication of being corrupted - they just contain an unseen virus.
Another method is to do a "WhoIs" search on that URL. That will give you the registrant's name and contact info, as well as the ISP of any parent company (if applicable). Then after you write to those people and the ads/spam don't stop, just contact the FBI's Internet Fraud and Complaint Center. They'll stop it if all else fails.
Alternative browsers: http://www.mozilla.org/ http://www.opera.com/
Free anti-viral protection: http://www.grisoft.com/us/us_dwnl_free.php
Popup ad killers: http://www.bayden.com/popper/
Close that friggin' Messenger in Windows XP: http://grc.com/stm/ShootTheMessenger.htm
Spyware removers: http://www.safer-networking.org/index.php?lang=en&page=download http://www.lavasoftusa.com/ http://www.wilderssecurity.net/spywareblaster.html
Good for pre-screening & bouncing SPAM: http://mailwasher.net/
Script Defender (stop that nonsense from running unwelcome scripts): http://www.analogx.com/welcome.htm
Please tell us that you have disabled "Instant Messaging" on your browser - or any of the other similar programs.
I use mozilla and like it.
But, I use MS ME for an OS. I am not sure if Mozilla will help in this instance.
"What are some other browsers besides Explorer? I have been a week trying to get a dataminer in the form of ads called lop.com off my other computer."
First off, I've been very pleased by changing to Firefox... and to get rid of lop, you need to look at SWI forums-- links and details about this and a lot more are here:
http://www.freerepublic.com/focus/f-news/1168134/posts
Hijacked! New Browser Exploits Plague Web
This might be a stupid question, but I'm going to ask it anyway.
If I use a screen capture tool, like Screenhunter, that's not the same as downloading the jpg, is it? I thought it was like making a new picture, so even if there was an infected picture posted or "linked" as is the case on this site, its code can't be transferred via screen capture.
I seldom if ever "download" a picture, via the right click method.
Anything I post here is a screencapture, which I then modify to make a corny joke, then upload to photo bucket.
Your information looks accurate. Thank you for the correction. I apologize for the error.
However, there is a long list of XP applications that are affected, notably Internet Explorer and MS Office. So, if I understand correctly, XP users can still be affected and should apply the patches.
BTW, I have used "hijack this" for a long time for getting rid of spyware. It works well, but you do have to be careful with it. If you use yahoo email, don't download the yahoo program; it sticks spyware on, and is hard to clean out.
Screenhunter...I am not familiar with it. My concern would be pictures I have posted that I find through FR or google or yahoo.
If they are infected, and I repost the URL into FR, do I set up a bunch of Freepers with a bug, if they save the pic to their hard-drive?
I don't know.
Forget free - you can easily find Norton Anti-virus for next to nothing.
I just bought a friend a Norton Systemworks 2003 (w/NAV), on Ebay for $3.95. Even with shipping, I didn't even have $10 bucks in it.
It may say 2003, but it will still automatically download the new defs for the next year or so. If he listens to me, gets rid of "Live Update", and downloads them manually instead, his "subscription" will never expire.
Thanks for the info. I will use my wife's Norton program.
If you are hot-linking them, then yes, anyone who wants to save it via right-click (that downloads it) can potentially get an infected JPEG.
Screen capture doesn't download the picture; it takes a snapshot, or saves what you highlight.
My thinking is that you can't possibly "download" an infected JPEG because you aren't downloading with Screenhunter.
I can't even tell if the pic is degraded with screen capture programs; maybe, but you can't tell on a PC screen anyway.
You can choose how you save the screen capture: JPG, BMP or GIF.
It's free here:
http://www.wisdom-soft.com/products/screenhunter.htm
It just might be a good thing to have if you're playing with a lot of pictures; better to capture them rather than download.
Not that simple... as a Win32 programmer, I can tell you that it is quite possible to change the text limits on a window handle! For example, you can send an EM_SETTEXTLIMIT message to a data entry box and change the size limit to infinity. You don't even have to be the "owner" of the window. The control you have over ANY other windows and apps is amazing.
Convenience/ease-of-use and security are 2 trade-offs. That's why Linux GUI desktops will never reach the level of Windows; it's just too darn secure and thus just too darn hard to use/program!
You can use the AVG (Grisoft) anti-virus system for free. It works just as well as Norton as far as virus detection goes. It updates every week automatically.
AVG Free Edition
It's available here:
http://www.grisoft.com/us/us_index.php
Thanks!
It is fully compatible with SP2, it says. I've used it for years; it integrates with your Outlook email as well.
And thanks!
.JPG files are not just images of pictures. They contain lots of information regarding the file, not just the pixel data to represent the image. Go inform yourself.
P.S. JPG was not designed by MS.
Ditto!!
That's the exact article I linked to. XP SP2 is listed as "not affected." The "patch" you're referring to is a download from Windows Update to check if your PC is vulnerable. If you have SP2, the program will report that you aren't vulnerable.
I went to the MS site and downloaded the GDI+ vulnerability. It installed fine. It sent me to the MS Office patch. I gotta get the freaking Office CDs before I can protect my PC. I've got six sets of these things somewhere. I'll have to figure out which ones go with each PC in the house. They turned a 3 minute security fix into a several hour project keying impossible-to-read key codes from the CDs and trying to match them to the PCs.
Internet Explorer and Office are vulnerable to just about everything these days. I just wanted to make the point that SP2, the OS itself, is not vulnerable, and the patches out are for WinXP, XP SP1, and various versions of Office. This is an odd problem, because Win98 and ME aren't affected. Neither is 2000 SP4. I have to wonder what Microsoft changed in its JPG rendering, especially since XP is based on 2000.
Bump!
Yeah, Microsoft is paranoid about Office piracy. I have a basic version of Office 2000 pre-installed on my PC, and I don't have the CDs, so... no service packs or patches for me.
This is really funny, because I was working on an MS Access database project for a class, and actually ran into a problem where the wizard I needed wasn't installed, and it prompted me for the CDs... extremely inconvenient.