Free Republic

JPEG GDI+ Trojan Unleashed
winnetmag.com ^ | September 28, 2004

Posted on 09/28/2004 2:15:28 AM PDT by HAL9000

It was only a matter of time before someone unleashed malware that exploits the JPEG GDI+ vulnerability. Over the last two weeks, various people have released proof of concept code in stages. The first code base consisted of a corrupted JPG image file that caused an application to crash. The second code base was a JPG image that spawned a local command shell with no remote access. Within hours of the second code base being released, another person claimed to have made the command shell bind to a port for remote access.

Now someone has taken matters to a greater extreme by unleashing a JPEG file that causes a buffer overrun where shell code is run on the affected system. The shell code connects to a remote FTP site and downloads approximately 2MB of data, installs a Trojan service, and also installs a copy of radmin.com, which supposedly allows a remote user to interact with a system as if they were sitting at the local console. The Trojan also downloads several other tools, including fport, netcat, peek, rcrypt, and more.  

According to Easynews, the JPEG exploit first appeared on several Usenet newsgroups that commonly contain erotic images. A possible way of detecting whether a system is infected is to look for a directory called c:\windows\system32\system\, which might contain files named nvsvc.exe and winrun.exe. The Trojan might also open port 10002. Easynews also made packet captures available that were taken as the JPEG infected a Windows XP system.

This is probably only the beginning of several future exploits that might take advantage of the JPEG GDI+ vulnerability. As always, you are advised to be sure you have the latest virus signature updates on your systems, and to be sure that you've loaded the patch if necessary. You can learn more about the patch and tools that can help you identify systems that need the patch in our Security Matters blog and in our related news story, "New Tools Help with JPEG GDI+ Updates".



TOPICS: News/Current Events; Technical
KEYWORDS: exploit; gdi; getamac; hijack; internetexploiter; jpeg; lowqualitycrap; microsoft; patch; securityflaw; trojan; virus; windows; worm
It's in the wild now - the first virus that can be embedded in and spread from a Free Republic page.

How long until our enemies start posting infected JPEGS here? As the article says - it's only a matter of time.

As usual, it only affects Windows computers, including XP computers with SP2.

1 posted on 09/28/2004 2:15:28 AM PDT by HAL9000

To: HAL9000
According to Easynews, the JPEG exploit first appeared on several Usenet newsgroups that commonly contain erotic images.

Uh oh.

2 posted on 09/28/2004 2:18:08 AM PDT by spodefly (A bunny-slippered operative in the Vast Right-Wing Pajama Party.)

To: HAL9000

Bttt


3 posted on 09/28/2004 2:20:53 AM PDT by Jet Jaguar (Who would the terrorists vote for?)

To: spodefly

The virus could just as easily be contained in a JPEG image of President Bush, or the U.S. flag.


4 posted on 09/28/2004 2:21:06 AM PDT by HAL9000

To: HAL9000

Is there a free virus checker/remover that covers this?


5 posted on 09/28/2004 2:23:55 AM PDT by Jet Jaguar (Who would the terrorists vote for?)

To: HAL9000

It's impossible to upload a gif or jpg to Free Republic.

You link a jpg or gif from another site.

So, don't save any jpgs or gifs from this or any other site.


6 posted on 09/28/2004 2:24:34 AM PDT by xtinct (I was the kid next door's imaginary friend. Doing my best to piss the liberal heathen off.)

To: HAL9000

I thought there was a fix for this in SP2?

This is the "feature" where data appended to a corrupt image gets executed, right?


7 posted on 09/28/2004 2:27:03 AM PDT by swilhelm73 ("I think you can be an honest person and lie about any number of things" -- Dan Rather)

To: HAL9000
The virus could just as easily be contained in a JPEG image of President Bush

My guess is that there are more "erotic images" being passed around, than pictures of President Bush.
I suppose they're the same thing, to some people.

I like my Macs.

8 posted on 09/28/2004 2:27:14 AM PDT by Izzy Dunne (Hello, I'm a TAGLINE virus. Please help me spread by copying me into YOUR tag line.)

To: spodefly

LOL, noticed something funny with your compy? ;D


9 posted on 09/28/2004 2:27:29 AM PDT by Constantine XIII

To: xtinct

I don't believe you have to save it locally (even though it is saved in your browser's cache).

Simply viewing the picture regardless of where it is hosted does the job.


10 posted on 09/28/2004 2:28:34 AM PDT by DB (©)

To: HAL9000
I think Microsoft already has a patch out for it. I downloaded it a couple of days ago. Quite an involved and complicated download, too. Hope I got it right!

Very confusing because I've always thought only executables can be infected.

11 posted on 09/28/2004 2:28:53 AM PDT by LibWhacker (It is the black heart of Islam, not its black face, to which millions object)

To: LibWhacker
Very confusing because I've always thought only executables can be infected.

For quite a long time you could only get infected via executables/zip files. Then Nimda, I think, found a way to download an exe file to your computer and run it just by visiting a website. And now you can get infected by looking at an image file. I don't normally jump on the MS-bashing bandwagon...but executing code contained in a JPG file??? How the heck do you explain that one???
12 posted on 09/28/2004 2:34:03 AM PDT by swilhelm73 ("I think you can be an honest person and lie about any number of things" -- Dan Rather)

To: swilhelm73

Dumb programmers.


13 posted on 09/28/2004 2:36:22 AM PDT by DB (©)

To: xtinct
It's impossible to upload a gif or jpg to Free Republic.

No, it's not impossible. It's quite easy and it requires no special skills.

But it doesn't matter. It's simple enough to embed an image in an FR page that's hosted on another site.

14 posted on 09/28/2004 2:37:07 AM PDT by HAL9000

To: HAL9000
It's simple enough to embed an image in an FR page that's hosted on another site.

Rephrasing for clarity - It's simple enough to embed an image hosted on another site in an FR page.

15 posted on 09/28/2004 2:38:40 AM PDT by HAL9000

To: HAL9000
WinXP SP2 is not affected, according to Microsoft's security bulletin.

Non-Affected Software

• Microsoft Windows NT Server 4.0 Service Pack 6a

• Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6

• Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4

• Microsoft Windows XP Service Pack 2

• Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (Me)

• Microsoft Office 2003 Service Pack 1

• Microsoft Office 2000

• Microsoft Visio 2003 Service Pack 1

• Microsoft Visio 2000

• Microsoft Project 2003 Service Pack 1

• Microsoft Project 2000

• Microsoft Digital Image Suite 10, Microsoft Digital Image Pro 10, Picture It! Premium 10

• The Microsoft .NET Framework version 1.1 SDK

• Microsoft Works (all versions)

Non-Affected Components:

• Internet Explorer 5.01 Service Pack 3 on Windows 2000 Service Pack 3

• Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4

• Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition

• The Microsoft .NET Framework version 1.0 Service Pack 3

• The Microsoft .NET Framework version 1.1 Service Pack 1

• The Microsoft .NET Framework version 1.1 Service Pack 1 for Windows Server 2003

16 posted on 09/28/2004 2:41:50 AM PDT by Terpfen (Wanted: Laura Ingraham's leopard miniskirt picture. Links welcomed!)

To: swilhelm73

Can changing my browser keep these things out of my computers? What are some other browsers besides Explorer? I have been a week trying to get a dataminer in the form of ads called lop.com off my other computer. SpySweeper and AdWare take it off but it comes right back. I can't find where it is embedded. What I really would like to do is find a way to get in touch with the company that is doing this and give them a piece of my mind. Anyone know anything on this?


17 posted on 09/28/2004 2:43:55 AM PDT by Conservative Kay

To: HAL9000
pingerino/vo do de oh doh/hey nonny nonny/ha cha cha/'ods bodkins!

Windows, we have a problem. Get my technogeek on the ameche!

18 posted on 09/28/2004 2:44:25 AM PDT by Graymatter (Reload Bush/Cheney 2004)

To: swilhelm73
How the heck do you explain that one???

Microsoft programmers are typically too lazy to check for memory buffer overflows. For example, if a buffer contains space for 100 bytes of data, the programmer should not try to copy 101 bytes of data into it. That 101st byte exceeds the capacity of the buffer - and overflows into the executable code of the program you're running. The excess data overwrites the program code, and then you're executing virus code.

19 posted on 09/28/2004 2:47:28 AM PDT by HAL9000
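Added illustration (not code from the article, from Microsoft, or from any poster) of the unchecked copy HAL9000 describes, using the 100-byte buffer from his post and a JPEG marker segment as the input: every JPEG segment carries a 16-bit big-endian length that counts the two length bytes plus the payload, so a decoder that trusts that field decides the copy size from attacker-supplied data. The segment bytes are constructed; this is not the GDI+ code itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEG_BUF 100  /* fixed-size destination, as in the post's example */

/* Vulnerable pattern: the file's own length field decides how many bytes
 * land in a 100-byte buffer. A length above 102 overruns out[]; a length
 * below 2 wraps len - 2 into a huge value. Shown for contrast only. */
void copy_segment_unchecked(const uint8_t *seg, uint8_t out[SEG_BUF])
{
    unsigned len = ((unsigned)seg[0] << 8) | seg[1];
    memcpy(out, seg + 2, len - 2);
}

/* Hardened version: every quantity is validated before memcpy runs.
 * Returns the number of payload bytes copied, or -1 for a malformed segment. */
int copy_segment_checked(const uint8_t *seg, size_t avail, uint8_t out[SEG_BUF])
{
    if (avail < 2)
        return -1;                       /* not even a complete length field */
    unsigned len = ((unsigned)seg[0] << 8) | seg[1];
    if (len < 2)
        return -1;                       /* len - 2 would underflow */
    size_t payload = len - 2;
    if (len > avail)
        return -1;                       /* segment runs past the input */
    if (payload > SEG_BUF)
        return -1;                       /* payload does not fit the buffer */
    memcpy(out, seg + 2, payload);
    return (int)payload;
}

int main(void)
{
    uint8_t out[SEG_BUF];
    /* Constructed well-formed COM segment: length 0x0007, payload "hello". */
    const uint8_t good[] = { 0x00, 0x07, 'h', 'e', 'l', 'l', 'o' };
    /* Constructed corrupt segment: claims 0x01FF bytes inside a 7-byte input. */
    const uint8_t bad[]  = { 0x01, 0xFF, 'h', 'e', 'l', 'l', 'o' };
    printf("good: %d\n", copy_segment_checked(good, sizeof good, out));
    printf("bad:  %d\n", copy_segment_checked(bad, sizeof bad, out));
    return 0;
}
```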

To: HAL9000
the program your you're running
20 posted on 09/28/2004 2:48:37 AM PDT by HAL9000

