JPEG Virus in the wild?

[MrLinus]

Just got this link from Full Disclosure. Apparently it was released in the newsgroups (interesting choices me thinks):

jpeg virus in the wild?!

If you don't know what a jpeg virus is, check out:
http://news.google.com/news?q=jpeg+virus

Swany and I wrote a quick and nasty script to scan every jpeg that comes into Easynews.com.. It paged
my cell phone at 6:47pm PDT on 9/26/2004 for the first hit, and 7:52pm PDT on 9/26/2004 for
the second hit.

Not sure what this jpeg is exactly.. if it's malicious or not.. any experts want to weigh in?

Here is the data:

The isolated file is here (BE CAREFUL - DON'T SUE ME FOR DAMAGE, I'LL COUNTER-SUE!):

http://easynews.com/test/possiblevirus.jpg.gz

md5: b7e7a5703a722558b6a170be5c43b90d
crc32:a3e0f71e
size: 4098 bytes

Here is the first message header:

Path: news.easynews.com!core-easynews!newsfeed2.easynews.com!newsfeed1.easynews.com!easynews.com!
easynews!cyclone1.gnilink.net!gnilink.net!wn14feed!worldnet.att.net!204.71.34.3!newsfeed.cwix.com!newsfeed.icl.net!newsfeed.wirehub.nl!
news.cambrium.nl!news.cambrium.nl!news2.euro.net!62.253.162.219.MISMATCH!news-in.ntli.net!newsrout1-win.ntli.net!ntli.net!
newspeer1-win.ntli.net!newsfe3-win.ntli.net.POSTED!53ab2750!not-for-mail
From: Power-Poster@power-post.org (Power-Post 2000)
Sender: Power-Poster@power-post.org
Newsgroups: alt.binaries.multimedia.erotica.transsexuals,alt.binaries.pictures.erotica.transexual,alt.binaries.pictures.erotica.transexual.action,alt.binaries.pictures.erotica.transsexual
Subject: (Shemale-loves it up the ass.jpg (1/1)] [1/1] - Shemale loves it up the ass
X-Newsposter: NNTP POWER-POST 2000 (Build 24c) - net-toys.8k.com
Lines: 96
Message-ID: <A_J5d.105$24.101@newsfe3-win.ntli.net>
Date: Mon, 27 Sep 2004 01:25:52 GMT
NNTP-Posting-Host: 82.1.163.241
X-Trace: newsfe3-win.ntli.net 1096248352 82.1.163.241 (Mon, 27 Sep 2004 02:25:52 BST)
NNTP-Posting-Date: Mon, 27 Sep 2004 02:25:52 BST
Organization: NTL
Xref: core-easynews alt.binaries.multimedia.erotica.transsexuals:1756301 alt.binaries.pictures.erotica.transexual:393069 alt.binaries.pictures.erotica.transexual.action:2666691 alt.binaries.pictures.erotica.transsexual:207823
X-Received-Date: Sun, 26 Sep 2004 19:19:51 MST (news.easynews.com)

And here is the second header:

Path: news.easynews.com!core-easynews!newsfeed2.easynews.com!newsfeed1.easynews.com!
easynews.com!easynews!bigfeed2.bellsouth.net!bigfeed.bellsouth.net!news.bellsouth.net!news-in.ntli.net!newsrout1-win.ntli.net!
ntli.net!newspeer1-win.ntli.net!newsfe2-win.ntli.net.POSTED!53ab2750!not-for-mail
From: Power-Poster@power-post.org (Power-Post 2000)
Sender: Power-Poster@power-post.org
Newsgroups: alt.binaries.erotica.beanie-babies,alt.binaries.erotica.breasts,alt.binaries.erotica.christy-canyon,alt.binaries.erotica.fetish,alt.binaries.erotica.original.sin,alt.binaries.erotica.pornstar
Subject: (Beautiful 20yr old - double penetration.jpg (1/1)] [1/1] - 20yr old double penetration
X-Newsposter: NNTP POWER-POST 2000 (Build 24c) - net-toys.8k.com
Lines: 96
Message-ID: <S2L5d.341$wW2.317@newsfe2-win.ntli.net>
Date: Mon, 27 Sep 2004 02:38:42 GMT
NNTP-Posting-Host: 82.1.163.241
X-Trace: newsfe2-win.ntli.net 1096252722 82.1.163.241 (Mon, 27 Sep 2004 03:38:42 BST)
NNTP-Posting-Date: Mon, 27 Sep 2004 03:38:42 BST
Organization: NTL
Xref: core-easynews alt.binaries.erotica.beanie-babies:884786 alt.binaries.erotica.breasts:1112072 alt.binaries.erotica.christy-canyon:368690 alt.binaries.erotica.fetish:1386267 alt.binaries.erotica.original.sin:1793 alt.binaries.erotica.pornstar:831729
X-Received-Date: Sun, 26 Sep 2004 20:12:42 MST (news.easynews.com)

(click on the above link for the full listing)

[Soda_Popinsky]

I attached the clam sig for it, if it is. I used the area after what looks like the buffer overflow in hex to determine the signature, but someone should test it before using it. I will be able to test the sig more after class.

[Tiger Shark]

I'm not going to mess with it but I would suggest that a jpeg of a shemale doing..... whatever.... is probably pretty damn boring or low resolution if the file size is only 4k....

[Edit]

Soda:

In terms of signature writing I'm not sure that taking that piece as the signature will be of value. It's my understanding that the region after the buffer overflow will be the "arbitrary code" we all fear so much.... The problem is just that.... It's arbitrary and therefore your sig will most likely only catch this specific version. The silightest change to the code may make your sig irrelevant.

I don't know about Clam sigs but can you negate a pattern for a specific file type? If so then I understand that the header of the JPEG is pretty much fixed in stone and anything that deviates from that pattern would be considered malformed and thus a threat. You might want to look at the header ans see if you can run a negate on it so that it is functional over a broader range of code.

[/Edit]

[neel]

with them dgi+ library thing there's like a zillion jpeg "virusses" made every day it seems

[hogfly]

for an AV sig..all you need to do is match the overflow string within the jpeg.
If this exists in the JFIF header, then it's most likely using the overflow. You could also use the k-otik information for creating your sig soda.

0xFF 0xFE 0x00 0x00 or 0xFF 0xFE 0x00 0x01
or: FFFE0000 FFFE0001

[Soda_Popinsky]

Symantec has a heuristic signature released.

http://www.sarc.com/avcenter/venc/da...jpegshell.html

That tool mentioned generates jpeg trojans.

Tiger: My goal was to get something definite to key on immediately, I figured some ******* would upload that exact file as an avatar or something. I'm going to take hog's advice and look at the k-otik code for something more broad.

[nebulus200]

FYI, the good folks at SANS (www.incidents.org) have been tracking this as well and there is at least a name now:

Most popular anti-virus scanners are able to detect these exploitative JPG's including BitDefender, Kaspersky, McAfee, Symantec and TrendMicro, identifying them as "Exploit-MS04-028" or "Bloodhound.Exploit.13" (Symantec).

For SNG here are a few links:

http://securityresponse.symantec.com...gdownload.html
http://securityresponse.symantec.com...jpegshell.html
http://securityresponse.symantec.com...xploit.13.html
http://xforce.iss.net/xforce/alerts/id/182 (vulnerability and sensor info)

[HotSpot]

http://isc.sans.org/gdiscan.php


GDI Scan
gdiscan.exe was written for Windows 2000 and higher. It scans the drive containing the Windows %system% directory and Looks for vulnerable versions of gdiplus.dll, sxs.dll, wsxs.dll, mso.dll.

[groovicus]

Caught this little snippet from a thread at SFDC:
[quote]

Spreading fast? Where'd that come from?

Myself, CERT, Godzilla from Easynews and John LaCour from ZoneLabs monitored the worm's botnet as soon as it appeared 'in the wild'. 2 machines were infected. Of those 2, 1 was mine, and 1 was from a staff member of Easynews. Both were deliberate infections.

Shortly after it appeared, the host of the FTP server the worm used was phoned, and the account used was locked. Therefore, it no longer could work.

The posts on Slashdot and here are pure, complete and utter hype that it was 'spreading fast'.

Having said that, it is *TRIVIAL* to make a mass mailing worm from this. In practice, all we've had so far are trojans.

Regards,

g

And then:
[quote]

Trust me, you won't turn it up. I spoke to the person who wrote the 'exploit' myself at the time, it failed in a bad way since it depended on the FTP server (wm.netfirms.com) being online, and it wasn't after a very short amount of time due to intervention by various forces.

..

<Epoch> ive rooted over 2000 boxes
<Epoch> inmexico
<Epoch> brazil
<Epoch> china
<gossi> well done
<Epoch> onlogout
<Epoch> it wipes logging
<Epoch> therefore
<Epoch> i can't be held accountable for sh*t
<Epoch> im a programmer dude
<gossi> have you not heard of firewall logs, forensic recovery?
<Epoch> and i know how to be safe
<Epoch> dude
<Epoch> i know what im doing haha

..

Heh.

So now I am curious. Can anybody confirm that they have this, or have actually seen a machine with it?

Cheers!!

[Tiger Shark]

Groove:

Haven't seen it yet but it demonstrates what I said in the original thread about the vulnerability, specifically regarding the attack vector.

This isn't going to "go" if it depends on specific "choke points", (infected web servers etc.), because they can be closed or blocked so easily and unless thay are huge hit per day sites they will not infect many machines before closedown.

The most likely attack vector to make this vulnerability effective remains email and unpatched user machines. Bearing in mind that a simple OS patch doesn't make the machine immune and the likelihood that the OS is being patched is higher than the Office product is why I still say look for an office type document to be exploited in the form of an email.... It's been a long time since Word was exploited specifically.... people have forgotten..... It's more likely to hit the corporate systems than the home because Office isn't common on the home user machines but there's more than enough corporate boxes that will be vulnerable.... Mine will be - to be honest.... Simply because patching office hasn't been automatic in the past and still isn't for my OS so patching Office all the time is a burden on an IT department..... Work from there as a virus author and you have the answer.....