-
Well, I'm not going to get into a childish pissing contest with some self-proclaimed professional know-it-all who has managed to get themselves banned as a noob. You can flame me as much as you like, but you're not as up to date and on top of things as you think, Specialist.
-
First of all,
You seem to have examples of the "JPG viruses", yes? I asked if you could send a copy. Yes, send it out so we can examine the toy. Please.
When the news of this type of virus broke there were discussions about it on many forums, including here. I have given up looking for it here. But to date I haven't seen an example of either an "infected picture" or the decoder/extractor program, and I have examined pictures from suspect sites in extreme detail, searching for examples. But someone else has had better luck.
A news article from the time of the announcement:
The decoder/extractor/binder HAS to be running on the victim's computer when the image file is opened.
(this is for anyone else who is watching)
If you think that it is impossible to place code in a JPG file, then just go and read about steganography.
My original reply to GR was that his post gave the impression that the picture files contained "active" viruses: that is, when the image is viewed, regardless of the viewing program, it will execute the viral code without the binding/decoder/extractor program.
Don't confuse this with the double extension trick (Picture.jpg.pif), and don't forget that there is also a triple extension trick as well, or the one that came with a version of Netsky.Q: Important.TXT .pif
Cheers
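Added example, not from this thread or from any of the posters: a short Python script showing the distinction the post draws. A payload is hidden in a JPEG COM (comment, marker 0xFFFE) segment, which every JPEG decoder is required to skip by its length field, so the picture still displays and the hidden bytes are inert data to any viewer; only the separate extractor function turns them back into a payload. The same script includes a check for the double- and triple-extension tricks mentioned above. The minimal JPEG bytes, the `STG1` tag, the extension lists and all function names are constructed for this example.

```python
"""Steganographic 'picture virus' versus an 'active' one, as an added example.
The JPEG stand-in, the STG1 tag and the extension lists are constructed here."""
import struct
from typing import Iterator, Optional, Tuple

SOI, EOI, APP0, COM, SOS = 0xFFD8, 0xFFD9, 0xFFE0, 0xFFFE, 0xFFDA
MAGIC = b"STG1"  # assumed tag so the extractor can recognise its own segment


def minimal_jpeg() -> bytes:
    """Constructed stand-in for a real picture: SOI, an APP0 (JFIF) header,
    a start-of-scan header, a few fake entropy-coded bytes, then EOI."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    return (struct.pack(">H", SOI)
            + struct.pack(">HH", APP0, len(jfif) + 2) + jfif
            + struct.pack(">HH", SOS, len(sos) + 2) + sos
            + b"\x12\x34\x56"
            + struct.pack(">H", EOI))


def embed(jpeg: bytes, payload: bytes) -> bytes:
    """Hide payload in a COM segment directly after SOI. Decoders must skip COM
    by its length field, so the image renders unchanged and nothing executes."""
    if jpeg[:2] != struct.pack(">H", SOI):
        raise ValueError("not a JPEG file")
    body = MAGIC + payload
    if len(body) + 2 > 0xFFFF:
        raise ValueError("payload exceeds one segment (65533 bytes incl. tag)")
    return jpeg[:2] + struct.pack(">HH", COM, len(body) + 2) + body + jpeg[2:]


def segments(jpeg: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk marker segments up to SOS the way a viewer's parser does.
    The length comparison is the bounds check a careless viewer might omit."""
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker >> 8 != 0xFF or length < 2:
            raise ValueError("bad marker at offset %d" % pos)
        data = jpeg[pos + 4:pos + 2 + length]
        if len(data) != length - 2:
            raise ValueError("segment at offset %d runs past end of file" % pos)
        yield marker, data
        if marker == SOS:
            return
        pos += 2 + length


def extract(jpeg: bytes) -> Optional[bytes]:
    """The separate extractor program: only this code recovers the payload.
    A viewer that merely displays the file never gets here."""
    for marker, data in segments(jpeg):
        if marker == COM and data.startswith(MAGIC):
            return data[len(MAGIC):]
    return None


# Double/triple extension trick: the real (last) extension is executable while
# an earlier, visible one looks harmless, or whitespace pushes the real one out
# of view (as in "Important.TXT .pif").
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "js", "lnk"}
BENIGN_EXTS = {"jpg", "jpeg", "gif", "bmp", "txt", "doc", "pdf", "zip"}


def deceptive_extension(filename: str) -> Optional[str]:
    """Return a reason string if the name looks like an extension trick, else None."""
    name = filename.strip()
    parts = [p.strip().lower() for p in name.split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    decoys = [p for p in parts[1:-1] if p in BENIGN_EXTS]
    padded = any(ch.isspace() for ch in name)
    if decoys or padded:
        shown = ", ".join("." + d for d in decoys) or "whitespace padding"
        return "executable .%s disguised by %s" % (parts[-1], shown)
    return None


if __name__ == "__main__":
    pic = embed(minimal_jpeg(), b"<pretend this is an executable>")
    print([hex(m) for m, _ in segments(pic)])   # viewer walks COM, APP0, SOS
    print(extract(pic))                           # only the extractor sees this
    for n in ("Picture.jpg.pif", "Important.TXT .pif", "holiday.jpg", "setup.exe"):
        print(n, "->", deceptive_extension(n))
```

The point the script makes is the one in the post: the payload travels as a comment that every spec-following decoder steps over, so opening the picture does nothing, while `extract()` stands in for the extractor/binder that must already be running on the machine. The length check in `segments()` is what separates "inert data" from the program-specific overflow case discussed later in the thread.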
-
I can imagine a .exe writing a .jpeg in the same location, and opening a default viewer to view that .jpeg, but as for code embedded in the jpeg through steganography (or any other method) triggering buffer overflows in any software that it is opened by, that is "impossible". A buffer overflow is program specific... it can't be universal like you described. (Unless it's smart, but it will start to get pretty large, and the picture would get ugly :p)
Stick around and defend your case, post the name and author of this program if possible... If you post one of these viruses with HUGE BOLD letters for warning I'm sure you won't get in trouble. If you bring an underground virus public I'm sure that can only help your reputation.
-
Quote:
Originally posted here by TheSpecialist
It's the boost in network traffic... if a company gets a worm and it starts scanning, sending, & stuff then things could eventually lead down to a form of a DDoS. If a company is down for even an hour then the big wig company types go crazy about it. Not to mention this means they get one hour's worth less of pay from sponsors. Also, if you're doing business online, who is going to bother arguing or trying to prove how many would-be customers they lost anyway.
Also most people just send their computer off to some place for repairs... even for minor stuff. So they also lose money while AVers, tech-supporters, and repair dudes gain from it.
I agree with this except you forgot to mention that one major reason why businesses lose so much money is also because the internal IT staff of any particular company that's got more than 20 people has to immediately go into overtime cleaning everything, issuing verified patches (some of which have to go through strenuous checks to make sure the business won't lose their ass by installing something wrong or have conflicts) as well as make visits to every machine because every person's calling for IT help at that time.
All because some idiot decided to clicky-clicky on a new_screensaver.scr or whatever and immediately, the business' email server is trenched because of the address book abuse.
Common sense and education about what is good to do and what is not good to do are invaluable, but there lies the problem. People want to learn...a little bit. It takes quite a bit to become a fairly savvy and educated "end user" and most don't want to do that at all. They want it to work now, not later, now...and if they have to double-click the same icon for program X to open, they will. Even if it results in 19 windows opening up when the processor finally gets around to processing the requests.
Spyware is less than virii, in my opinion, because you can easily get rid of it with scheduled runs of updated progs like Ad-Aware, and while it can do some things that are annoying, viruses like the latest Netsky.V are downright scary because it doesn't even have an attachment! Anything like that, which will launch DoS attacks at a list of known sites through ports 5556 and 5557, is way worse than some dropped-off cookie that I got from surfing through www.lotsofpornogfraphy.com or whatever.
-
Vorlin, that's exactly what I was talking about, except you explained it in more detail ;).
For the rest of you: so basically everyone is saying that an infected picture will only run the virus if you have the binder program running at the same time, or whatever. And you guys are sticking to this conclusion unless GR can prove it otherwise by giving you an example picture that will cause a virus to run right when you view the picture??
Until they come out with a report stating the damage that the new Netsky.V virus has done (which I'm sure will be huge damage), I am sticking to spyware being more of a hassle than virii, especially for computer savvy people.
-
Duck: Yup... the picture can only execute code if it is embedded in a way that will cause a buffer overflow in the program that opens it. A .txt file can be a virus in this way, given a program like Notepad can be exploited through this overflow. Let's say that overflow exists... you make a gigantic text file, and at the end of it you write a bit of code. The overflow disregards the huge amount of text, and runs the code because of poor programming in Notepad. Same idea with a .jpeg, but GR is saying it can be executed without this overflow, on ANY program. This is hard to believe, because all programs are written differently. It would be new.
-
OK ppl, I have sent Undertaker two examples about 5 hours ago. When he returns, he can update you on the status. Again, I will not make this readily available in the forum, online, etc...that is not how discovery is done. This entire example has already been submitted to the ICSA, who are the proper authorities on virus dissection. From there, this will be distributed to all the major AV vendors so they can adapt their AV scanning engines to detect the threat. Until then, let's hear what Undertaker says upon his return.
-
Quote:
Originally posted here by grim_reaper1
who has managed to get themselves banned as a noob. You can flame me as much as you like, but you're not as up to date and on top of things as you think specialist.
Once again the things coming out of your mouth are either not very detailed, inaccurate, or something you clearly know absolutely nothing about. Most members, including a few seniors, never even got the full story as to what happened.
Up to date and on top of things? Oh, and let me guess, you are? Every time you open your mouth I or someone else finds a need to correct what you said or ask you to go further into detail on things, but instead of doing that you just take an attitude and make a bigger ass out of yourself. I mean **** how else do you expect people to respond to this or take you seriously. Oh yeah sure... and I'm "flaming" you. Dude... you haven't seen me flame people yet. Ask around.
-
OK, 5 hours ago GR posted that the examples had been sent 5 hours before that. I was at work at that time, so I hope the email address wasn't mistyped. I have sent you a direct message from that account. I hope you follow my instructions and zip and password-protect the file(s).
cheers
-
Und3ertak3r is quite right, the subject of "picture viruses" has been discussed here before, most recently I believe in the context of what is a "safe" file/extension.
I seem to recall reading about picture viruses about 3 years ago and I think it was called "one off", "run once" or something like that. The actual virus code was embedded in a picture, in a type of steganography approach, and there was an extractor program.
I never saw a detailed analysis, as I believe it was a "proof of concept" virus that someone had sent to McAfee or one of the other AV houses (from whom I remember I was getting bulletins at the time; that would be either Symantec or Panda).
The points I recall thinking at the time were that:
1. it was really only standard malware disguised by steganography
2. it required a specific program to extract and run it, which meant that a separate executable was required.
3. it would not run if the picture was opened in regular picture viewing/manipulating applications.
The only reason I vaguely remember it is because it was unusual. :)
Cheers