JPEG Virus in the wild?
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: JPEG Virus in the wild?

  1. #1
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324

    JPEG Virus in the wild?

    Just got this link from Full Disclosure. Apparently it was released in the newsgroups (interesting choices me thinks):

    jpeg virus in the wild?!

    If you don't know what a jpeg virus is, check out:
    http://news.google.com/news?q=jpeg+virus

    Swany and I wrote a quick and nasty script to scan every jpeg that comes into Easynews.com.. It paged
    my cell phone at 6:47pm PDT on 9/26/2004 for the first hit, and 7:52pm PDT on 9/26/2004 for
    the second hit.

    Not sure what this jpeg is exactly.. if it's malicious or not.. any experts want to weigh in?

    Here is the data:

    The isolated file is here (BE CAREFUL - DON'T SUE ME FOR DAMAGE, I'LL COUNTER-SUE!):

    http://easynews.com/test/possiblevirus.jpg.gz

    md5: b7e7a5703a722558b6a170be5c43b90d
    crc32:a3e0f71e
    size: 4098 bytes

    Here is the first message header:

    Path: news.easynews.com!core-easynews!newsfeed2.easynews.com!newsfeed1.easynews.com!easynews.com!
    easynews!cyclone1.gnilink.net!gnilink.net!wn14feed!worldnet.att.net!204.71.34.3!newsfeed.cwix.com!newsfeed.icl.net!newsfeed.wirehub.nl!
    news.cambrium.nl!news.cambrium.nl!news2.euro.net!62.253.162.219.MISMATCH!news-in.ntli.net!newsrout1-win.ntli.net!ntli.net!
    newspeer1-win.ntli.net!newsfe3-win.ntli.net.POSTED!53ab2750!not-for-mail
    From: Power-Poster@power-post.org (Power-Post 2000)
    Sender: Power-Poster@power-post.org
    Newsgroups: alt.binaries.multimedia.erotica.transsexuals,alt.binaries.pictures.erotica.transexual,alt.binaries.pictures.erotica.transexual.action,alt.binaries.pictures.erotica.transsexual
    Subject: (Shemale-loves it up the ass.jpg (1/1)] [1/1] - Shemale loves it up the ass
    X-Newsposter: NNTP POWER-POST 2000 (Build 24c) - net-toys.8k.com
    Lines: 96
    Message-ID: <A_J5d.105$24.101@newsfe3-win.ntli.net>
    Date: Mon, 27 Sep 2004 01:25:52 GMT
    NNTP-Posting-Host: 82.1.163.241
    X-Trace: newsfe3-win.ntli.net 1096248352 82.1.163.241 (Mon, 27 Sep 2004 02:25:52 BST)
    NNTP-Posting-Date: Mon, 27 Sep 2004 02:25:52 BST
    Organization: NTL
    Xref: core-easynews alt.binaries.multimedia.erotica.transsexuals:1756301 alt.binaries.pictures.erotica.transexual:393069 alt.binaries.pictures.erotica.transexual.action:2666691 alt.binaries.pictures.erotica.transsexual:207823
    X-Received-Date: Sun, 26 Sep 2004 19:19:51 MST (news.easynews.com)

    And here is the second header:

    Path: news.easynews.com!core-easynews!newsfeed2.easynews.com!newsfeed1.easynews.com!
    easynews.com!easynews!bigfeed2.bellsouth.net!bigfeed.bellsouth.net!news.bellsouth.net!news-in.ntli.net!newsrout1-win.ntli.net!
    ntli.net!newspeer1-win.ntli.net!newsfe2-win.ntli.net.POSTED!53ab2750!not-for-mail
    From: Power-Poster@power-post.org (Power-Post 2000)
    Sender: Power-Poster@power-post.org
    Newsgroups: alt.binaries.erotica.beanie-babies,alt.binaries.erotica.breasts,alt.binaries.erotica.christy-canyon,alt.binaries.erotica.fetish,alt.binaries.erotica.original.sin,alt.binaries.erotica.pornstar
    Subject: (Beautiful 20yr old - double penetration.jpg (1/1)] [1/1] - 20yr old double penetration
    X-Newsposter: NNTP POWER-POST 2000 (Build 24c) - net-toys.8k.com
    Lines: 96
    Message-ID: <S2L5d.341$wW2.317@newsfe2-win.ntli.net>
    Date: Mon, 27 Sep 2004 02:38:42 GMT
    NNTP-Posting-Host: 82.1.163.241
    X-Trace: newsfe2-win.ntli.net 1096252722 82.1.163.241 (Mon, 27 Sep 2004 03:38:42 BST)
    NNTP-Posting-Date: Mon, 27 Sep 2004 03:38:42 BST
    Organization: NTL
    Xref: core-easynews alt.binaries.erotica.beanie-babies:884786 alt.binaries.erotica.breasts:1112072 alt.binaries.erotica.christy-canyon:368690 alt.binaries.erotica.fetish:1386267 alt.binaries.erotica.original.sin:1793 alt.binaries.erotica.pornstar:831729
    X-Received-Date: Sun, 26 Sep 2004 20:12:42 MST (news.easynews.com)
    (click on the above link for the full listing)
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #2
    I attached the clam sig for it, if it is. I used the area after what looks like the buffer overflow in hex to determine the signature, but someone should test it before using it. I will be able to test the sig more after class.

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I'm not going to mess with it but I would suggest that a jpeg of a shemale doing..... whatever.... is probably pretty damn boring or low resolution if the file size is only 4k....

    [Edit]

    Soda:

    In terms of signature writing I'm not sure that taking that piece as the signature will be of value. It's my understanding that the region after the buffer overflow will be the "arbitrary code" we all fear so much.... The problem is just that.... It's arbitrary and therefore your sig will most likely only catch this specific version. The silightest change to the code may make your sig irrelevant.

    I don't know about Clam sigs but can you negate a pattern for a specific file type? If so then I understand that the header of the JPEG is pretty much fixed in stone and anything that deviates from that pattern would be considered malformed and thus a threat. You might want to look at the header ans see if you can run a negate on it so that it is functional over a broader range of code.

    [/Edit]
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  4. #4
    Kwiep
    Join Date
    Aug 2001
    Posts
    924
    with them dgi+ library thing there's like a zillion jpeg "virusses" made every day it seems
    Double Dutch

  5. #5
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    for an AV sig..all you need to do is match the overflow string within the jpeg.
    If this exists in the JFIF header, then it's most likely using the overflow. You could also use the k-otik information for creating your sig soda.

    0xFF 0xFE 0x00 0x00 or 0xFF 0xFE 0x00 0x01
    or: FFFE0000 FFFE0001
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  6. #6
    Symantec has a heuristic signature released.

    http://www.sarc.com/avcenter/venc/da...jpegshell.html

    That tool mentioned generates jpeg trojans.

    Tiger: My goal was to get something definite to key on immediately, I figured some ******* would upload that exact file as an avatar or something. I'm going to take hog's advice and look at the k-otik code for something more broad.

  7. #7
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    FYI, the good folks at SANS (www.incidents.org) have been tracking this as well and there is at least a name now:
    Most popular anti-virus scanners are able to detect these exploitative JPG's including BitDefender, Kaspersky, McAfee, Symantec and TrendMicro, identifying them as "Exploit-MS04-028" or "Bloodhound.Exploit.13" (Symantec).
    For SNG here are a few links:

    http://securityresponse.symantec.com...gdownload.html
    http://securityresponse.symantec.com...jpegshell.html
    http://securityresponse.symantec.com...xploit.13.html
    http://xforce.iss.net/xforce/alerts/id/182 (vulnerability and sensor info)
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  8. #8
    Member
    Join Date
    Sep 2004
    Posts
    32
    http://isc.sans.org/gdiscan.php


    GDI Scan
    gdiscan.exe was written for Windows 2000 and higher. It scans the drive containing the Windows %system% directory and Looks for vulnerable versions of gdiplus.dll, sxs.dll, wsxs.dll, mso.dll.

  9. #9
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019
    Caught this little snippet from a thread at SFDC:
    [quote]
    Quote Originally Posted by gossi
    Spreading fast? Where'd that come from?

    Myself, CERT, Godzilla from Easynews and John LaCour from ZoneLabs monitored the worm's botnet as soon as it appeared 'in the wild'. 2 machines were infected. Of those 2, 1 was mine, and 1 was from a staff member of Easynews. Both were deliberate infections.

    Shortly after it appeared, the host of the FTP server the worm used was phoned, and the account used was locked. Therefore, it no longer could work.

    The posts on Slashdot and here are pure, complete and utter hype that it was 'spreading fast'.

    Having said that, it is *TRIVIAL* to make a mass mailing worm from this. In practice, all we've had so far are trojans.

    Regards,

    g
    And then:
    [quote]
    Quote Originally Posted by gossi
    Trust me, you won't turn it up. I spoke to the person who wrote the 'exploit' myself at the time, it failed in a bad way since it depended on the FTP server (wm.netfirms.com) being online, and it wasn't after a very short amount of time due to intervention by various forces.

    ..

    <Epoch> ive rooted over 2000 boxes
    <Epoch> inmexico
    <Epoch> brazil
    <Epoch> china
    <gossi> well done
    <Epoch> onlogout
    <Epoch> it wipes logging
    <Epoch> therefore
    <Epoch> i can't be held accountable for sh*t
    <Epoch> im a programmer dude
    <gossi> have you not heard of firewall logs, forensic recovery?
    <Epoch> and i know how to be safe
    <Epoch> dude
    <Epoch> i know what im doing haha

    ..

    Heh.
    So now I am curious. Can anybody confirm that they have this, or have actually seen a machine with it?

    Cheers!!

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Groove:

    Haven't seen it yet but it demonstrates what I said in the original thread about the vulnerability, specifically regarding the attack vector.

    This isn't going to "go" if it depends on specific "choke points", (infected web servers etc.), because they can be closed or blocked so easily and unless thay are huge hit per day sites they will not infect many machines before closedown.

    The most likely attack vector to make this vulnerability effective remains email and unpatched user machines. Bearing in mind that a simple OS patch doesn't make the machine immune and the likelihood that the OS is being patched is higher than the Office product is why I still say look for an office type document to be exploited in the form of an email.... It's been a long time since Word was exploited specifically.... people have forgotten..... It's more likely to hit the corporate systems than the home because Office isn't common on the home user machines but there's more than enough corporate boxes that will be vulnerable.... Mine will be - to be honest.... Simply because patching office hasn't been automatic in the past and still isn't for my OS so patching Office all the time is a burden on an IT department..... Work from there as a virus author and you have the answer.....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides