Virus in JPG still not found correctly.

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    Virus in JPG still not found correctly.

    I lack time to translate the french story in English but take a look at this page.

    http://www.hiddenbit.org/jpeg.htm

    A guy scanning a jpg file who was infected by a few AV and only one got it (Symantec). If anyone found the complete story, can he post it? I was unable to find and I have to leave the office.
    -Simon "SDK"

  2. #2
    Senior Member
    Join Date
    Mar 2005
    Posts
    400

    Not sure where you are going with this.

    There is no indication on the page you noted about some guy opening a .jpg which was infected by a virus that only Symantec could find. Not on the webpage you noted, not even in the "You can read my paper with explanations" instructions found on the same page you noted.

    Also the sparse page you noted contained a link that supplied the full story. How did you miss that?

    Someone went to great lengths to create this GDI+ exploit, to document it and publish it and then someone as stupid as myself simply previously downloads the latest MS patches which simply decimates all the work this poor guy has done. So what's the point?

    I have file and registry monitors that tell me *everything* happening in my system at hundredths of a second and NOTHING happened when I double clicked on the bulzano2.jpg file, except I saw a picture of some vegetable stands, probably in Europe. The monitor logs were simply normal, no buffer overflows, no wicked port hiding under the name of "Explorer", etc., no nothing. Actually it wasn't even a good picture.

    Not to be rude, but wherever you are going with this, Symantec is still a lousy excuse for an antivirus.
    ZT3000
    Beta tester of "0"s and "1"s"

  3. #3
    There is no indication on the page you noted about some guy opening a .jpg which was infected by a virus that only Symantec could find.
    Look at the chart, the author states the file he has exploits GDI+ but avoids AV's, and the chart he provided only shows Symantec with a detection. I just ran it through myself, and the results are almost the same:

    AntiVir 6.30.0.5 03.08.2005 no virus found
    AVG 718 03.08.2005 no virus found
    BitDefender 7.0 03.09.2005 Exploit.Win32.MS04-028.Gen
    ClamAV devel-20050130 03.09.2005 no virus found
    DrWeb 4.32b 03.08.2005 no virus found
    eTrust-Iris 7.1.194.0 03.08.2005 no virus found
    eTrust-Vet 11.7.0.0 03.08.2005 no virus found
    Fortinet 2.51 03.08.2005 no virus found
    F-Prot 3.16a 03.08.2005 no virus found
    Ikarus 2.32 03.08.2005 no virus found
    Kaspersky 4.0.2.24 03.09.2005 Backdoor.Win32.Roxe.a
    McAfee 4442 03.08.2005 BackDoor-Roxe
    NOD32v2 1.1021 03.07.2005 no virus found
    Norman 5.70.10 03.07.2005 no virus found
    Panda 8.02.00 03.08.2005 no virus found
    Sybari 7.5.1314 03.09.2005 no virus found
    Symantec 8.0 03.08.2005 Backdoor.Roxe
    Someone went to great lengths to create this GDI+ exploit, to document it and publish it and then someone as stupid as myself simply previously downloads the latest MS patches which simply decimates all the work this poor guy has done. So what's the point?
    If only it were that simple... you obviously aren't an admin of a network any larger than your own house.

    I have file and registry monitors that tell me *everything* happening in my system at hundredths of a second and NOTHING happened when I double clicked on the bulzano2.jpg file, except I saw a picture of some vegetable stands, probably in Europe. The monitor logs were simply normal, no buffer overflows, no wicked port hiding under the name of "Explorer", etc., no nothing.
    You are updated, of course it wouldn't. SP2 compiled GDI+ with better memory management. And good luck maintaining that level of HIDS on more than one box.
    Not to be rude, but wherever you are going with this, Symantec is still a lousy excuse for an antivirus.
    I think you are missing the point, the AV's (should be) detecting the exploit, not the payload. If they can't detect the exploit (which is quite static in this case) then it could mean it's being exploited in a new way or it's a new exploit.

  4. #4
    Senior Member
    Join Date
    Mar 2005
    Posts
    400

    Soda,
    1) When is a GDI+ exploit in a .jpg, a virus?? Even trojan/backdoors are not considered virii.

    2) It IS that simple, Soda. Simply download the GDI+ update off MS website and you can use your monitoring software and see for yourself... NOTHING.

    3) I think the point stands, download the MS updates and you are not affected by this guy's work. You even said so yourself, "You are updated, of course it wouldn't".

    4) I respectfully disagree with your last statement. AV's aren't detecting the exploit (prolly cause they aren't scanning .jpgs) and it's not their main job to pick up a GDI+ buffer overflow.
    I ran Panda Platinum (a respectable AV), renamed the .jpg to .exe and it still didn't find it.
    Did anyone test this on a system which is vulnerable to the GDI+ effects which are noted in the instructional link? (in other words, does this thing do what it really says it does?)

    An AV's primary job is not to ensure that it picks up any file that would contain an exploit of the OS. An exploit is a piece of software that attacks a particular security vulnerability. Exploits are not necessarily malicious in intent; they are often devised by security researchers as a way of demonstrating that a vulnerability exists. However, they are a common component of malicious programs such as network worms.

    I would suggest that, in today's exploitable and changing world, the job lies with the manufacturer (MS). I also do know that certain IDS products pick this stuff (exploits) up handily. Which is why I run an Antivirus and an IDS.

    You having a bad day today or something?

    Your move.
    ZT3000
    Beta tester of "0"s and "1"s"

  5. #5
    1) When is a GDI+ exploit in a .jpg, a virus?? Even trojan/backdoors are not considered virii.
    I don't feel like playing the definition game, it's beside the point. When the GDI+ exploit appears, it's malicious, end of story.

    2) It IS that simple, Soda. Simply download the GDI+ update off MS website and you can use your monitoring software and see for yourself... NOTHING.
    The point is not that it exploits SP2. The point is that it avoids Anti-Virus. Besides, it's only simple to update windows on a personal computer or SOHO network. Most large networks didn't run SP2 immediately until it was tested, leaving them wide open for a bit. And if they did deploy it immediately, they risked bigger problems. If this page came out earlier, it would have been much more popular.

    3) I think the point stands, download the MS updates and you are not affected by this guy's work. You even said so yourself, "You are updated, of course it wouldn't".
    Exactly, the whole point of this article is that it is avoiding AntiVirus, not SP2, which seems to be the point you are missing.

    4) I respectfully disagree with your last statement. AV's aren't detecting the exploit (prolly cause they aren't scanning .jpgs) and it's not their main job to pick up a GDI+ buffer overflow.
    I ran Panda Platinum (a respectable AV), renamed the .jpg to .exe and it still didn't find it.
    Did anyone test this on a system which is vulnerable to the GDI+ effects which are noted in the instructional link? (in other words, does this thing do what it really says it does?)

    An AV's primary job is not to ensure that it picks up any file that would contain an exploit of the OS. An exploit is a piece of software that attacks a particular security vulnerability. Exploits are not necessarily malicious in intent; they are often devised by security researchers as a way of demonstrating that a vulnerability exists. However, they are a common component of malicious programs such as network worms.
    A database containing every single payload ever developed instead of just detecting the exploit would be a horrible design. Especially because the GDI+ exploit (and nearly all others) is very easy to pick out and shouldn't show up in any typical jpg. Most every AV will detect exploitive code, plus common payloads for instances where exploitation isn't necessary. And yes, I consider exploitive code to be malicious.

    You having a bad day today or something?

    Your move.
    Not that I'm aware of... are we playing chess or something?
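    One way to implement the "detect the exploit, not the payload" check argued for in post #5, added here as an example and not code from the thread or the linked page: the MS04-028 GDI+ flaw is triggered by a JPEG marker segment whose 16-bit length field is smaller than the 2 bytes the field itself occupies (GDI+ subtracted 2 and underflowed), which never occurs in a well-formed file, so a scanner can flag it with no knowledge of the payload. The two JPEG samples below are constructed inline for the demonstration.

```python
import struct

SOI = b"\xff\xd8"


def walk_jpeg_segments(data: bytes):
    """Yield (marker, length_field, offset) for each length-bearing marker
    segment between SOI and the first SOS/EOI marker."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker prefix 0xFF at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte, skip it
            pos += 1
            continue
        if marker in (0xDA, 0xD9):               # SOS (scan data follows) or EOI
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # TEM, RSTn, SOI: no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, length, pos
        if length < 2:
            break     # a length below 2 would move the cursor backwards; stop here
        pos += 2 + length                        # length counts its own two bytes


def find_malformed_segments(data: bytes):
    """Return [(offset, marker, length)] for every segment whose length field is < 2,
    the MS04-028 trigger condition. Empty list means the structure looks sane."""
    return [(off, m, ln) for m, ln, off in walk_jpeg_segments(data) if ln < 2]


def _jfif_app0() -> bytes:
    # constructed minimal JFIF APP0 segment: length 16, version 1.1, no thumbnail
    return b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"


# constructed samples: a benign 7-byte COM segment versus a COM segment claiming length 1
BENIGN_JPEG = SOI + _jfif_app0() + b"\xff\xfe" + struct.pack(">H", 7) + b"hello" + b"\xff\xd9"
MALFORMED_JPEG = SOI + _jfif_app0() + b"\xff\xfe" + struct.pack(">H", 1) + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_JPEG), ("malformed", MALFORMED_JPEG)):
        print(name, find_malformed_segments(blob))
```

    Renaming the file to .exe, as post #4 tried, does not help a signature scanner that never parses segment headers; this check works on the structure regardless of extension.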

  6. #6
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    -Simon "SDK"
