Thread: Viruses in profile pictures

  1. #1
    Senior Member
    Join Date
    May 2002
    Posts
    256

    Viruses in profile pictures

    Just looking at Yahoo pictures and the like, is it possible, and if not why hasn't anyone thought of it, to embed a virus in a jpg file so that when someone views your profile, you get infected? Might be a stupid question, but it's just something on my mind....

  2. #2
    Junior Member
    Join Date
    Mar 2003
    Posts
    16
    It would be next to impossible to do.

    Basically to embed a virus in a .jpg or .gif file, you'd have to change the file extension or add on to it. The servers that handle these pictures 1) scan for viruses on a regular basis (if they are any good) and 2) they check the file integrity (extension, any known virus extensions, etc) before they allow an upload to remain on the server.

    D'elTarra

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    I remember someone posting some time ago, a link to an article/interview of people who were trying to do it.

    More of a proof of concept thing.

    I have been unable to locate this nor can I find it on google... yet.

    I know I read it though...

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401

    Re: Viruses in profile pictures

    Originally posted here by wildred
    Just looking at Yahoo pictures and the like, is it possible, and if not why hasn't anyone thought of it, to embed a virus in a jpg file so that when someone views your profile, you get infected? Might be a stupid question, but it's just something on my mind....
    There's quite a simple explanation for it. Jpg cannot contain any active content.

    The only way to embed a virus (or some kind of code) in a jpg would be to find a flaw in the implementation of the compression algorithm and abuse this flaw in the program that's used to view the jpg. Not impossible but highly unlikely.

    They (the bad guys) did this not too long ago with mp3 files. Windows Media Player contained a flaw in the decompression algorithm of mp3's. By cleverly abusing this they were able to get code of their choice executed.

    edit: If you viewed the bad jpg in another program that didn't have the flaw you would just see a garbled picture. Same with the mp3.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    There is apparently a "proof-of-concept" virus already out there.

    Sophos, a world leader in corporate anti-virus protection, today called for the anti-virus industry to act responsibly in light of the discovery of the first virus capable of infecting JPEG graphic files.

    The virus, known as W32/Perrun-A, was sent directly to the anti-virus community by its author and is considered to be a "proof of concept".

    It spreads in the form of a traditional Win32 executable virus (usually called proof.exe), making changes to the Registry to mean that JPEG (.JPG) graphic files are examined by an extractor (called EXTRK.EXE) before they can be viewed. If the extractor finds viral code inside the graphic file it is executed.
    So, in short, it appears it can be done.

    Full story HERE

    Cheers:
    DjM

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Phish: Yeah, you're right, I read about it too..... There was a big hullabaloo about no-one being safe any more and the proof of concept code was published except, if my memory serves, it was something of a cheat. There was a dropper that actually carries the "infected" jpg and I believe it then executed the instructions held within the .jpg so the picture was really harmless without the dropper and was pooh-poohed by most.

    As to embedding malicious code within a .jpg. Yes, you could but it would be useless without another program to read, interpret and execute the instructions. Under normal circumstances a .jpg file will be ignored by the OS since it does not carry what it recognizes to be an executable extension. When you open a .jpg you really open Explorer for example due to the file associations on your machine. Explorer then looks and thinks "oh... .jpg" and uses a routine to read the picture info into itself and display the picture...... Note, I did not say execute anything.... it simply reads the data and interprets it as pixels on a screen.

    [EDIT]

    As a slow typer I really hate spending all that time typing only to find that someone else beat me to the punch.......

    [/EDIT]
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    Just to clarify my mind:
    This "virus" requires some sort of trojan (exec) already installed on the PC, then it will scan all *.JPG files for detecting some embedded instructions?

    Why should that be a Virus, I mean commercial applications of this concept are wide!
    For instance M$ could embed such progz on their OS to detect licence abuse, ....
    SHARING KNOWLEDGE

  8. #8
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by Networker
    Just to clarify my mind:
    This "virus" requires some sort of trojan (exec) already installed on the PC, then it will scan all *.JPG files for detecting some embedded instructions?

    Why should that be a Virus, I mean commercial applications of this concept are wide!
    For instance M$ could embed such progz on their OS to detect licence abuse, ....

    If the embedded instructions were damaging in nature, would that not be, by definition, a virus?

    Cheers:
    DjM

  9. #9
    Banned
    Join Date
    Jul 2001
    Posts
    264
    WOW, I have never read so much disinformation in my life. First off, *if* you were going to embed viral code into an image it would be through the use of steganography. But the fact still remains it would be completely benign until it was extracted and compiled or run if it was some uber lame VB script. Which is not likely since the entire purpose of steganography is to HIDE the existence of data within the image. *sighs*

  10. #10
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Yes Quad,

    That is in fact what has been said by a couple of others..

    The embedded code is useless without the decoding program.. so while it was a nice try at a proof of concept Virus.. it in fact needed a conventional program, read another virii/trojan to decode it.. best to re-read Tiger Shark's comments... I think his description was the closest..

    I was sure we had a thread on this board regarding this type of "vulnerability" but search as I may I can't find it, certainly the info from DJM is as I remembered it..

    And to add to the information on this subject..

    found at Symantec

    W32.Perrun is a virus that appends itself to .jpeg or .txt files. The malicious content of files that it alters will not spread to other computers. Indications of infection are that .jpg or .txt files will have increased in size by approximately 11KB, and the presence of the file Extrk.exe or Textrk.exe.

    The original data will not successfully extract from .jpeg files if the file C:\Windows\System\Shimgvw.dll does not exist on an infected computer.
    The original data will not successfully extract from .txt files if the file C:\Windows\Notepad.exe does not exist on an infected computer.



    Also Known As: W32/Perrun-A, PE_PERRUN.A, Win32.Perrun, W32/Perrun, Perrun, W32/Perrun.A

    If a .jpg or .txt file that has been altered by W32.Perrun is opened on another, uninfected computer, it will not execute malicious actions on that computer because the virus requires the presence of the Extrk.exe or Textrk.exe file for it to execute and append its malicious content to other files.

    Upon execution of the viral executable which is detected as W32.Perrun.dr, the virus does the following:

    It drops the files:

    Reg.mp3. This is a registry file that the virus uses to modify the registry.
    Extrk.exe or Textrk.exe. This is the executable that will be configured in the registry to open all JPEG or TXT files.

    Depending upon which variant of W32.Perrun, the virus will perform one of the following actions:

    For the variant that appends to JPEG files

    Extrk.exe is then configured to open all JPEG files by changing the (Default) value of the registry key

    HKEY_LOCAL_MACHINE\Software\Classes\jpegfile\shell\open\command

    to

    extrk.exe %1

    For the variant that appends to TXT files

    Textrk.exe is then configured to open all TXT files by changing the (Default) value of the registry key

    HKEY_LOCAL_MACHINE\Software\Classes\txtfile\shell\open\command

    to

    textrk.exe %1
    cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
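
The file-association change described in the Symantec text quoted in post #10 can be checked for in a regedit text export. The following is an added example, not code from the thread or from Symantec; it assumes the export stores the handler as a plain `@="..."` string value, and the sample export is constructed.

```python
import re

# Keys and handler names are the ones named in the Symantec write-up above.
WATCHED_KEYS = {
    r"hkey_local_machine\software\classes\jpegfile\shell\open\command",
    r"hkey_local_machine\software\classes\txtfile\shell\open\command",
}
PERRUN_HANDLERS = {"extrk.exe", "textrk.exe"}

# Constructed sample export (not taken from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\jpegfile\shell\open\command]
@="extrk.exe %1"

[HKEY_LOCAL_MACHINE\Software\Classes\txtfile\shell\open\command]
@="C:\\Windows\\Notepad.exe %1"
'''

def default_values(reg_text):
    """Yield (key, default string value) pairs from a regedit text export."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            # Exports escape backslash and double quote with a backslash.
            yield key, re.sub(r'\\(["\\])', r"\1", line[3:-1])

def handler_name(command):
    """Lower-cased file name of the program a shell open command starts."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    if not m:
        return ""
    return re.split(r"[\\/]", m.group(1) or m.group(2))[-1].lower()

def find_perrun_associations(reg_text):
    """Return watched keys whose default handler is Extrk.exe or Textrk.exe."""
    return [(key, value) for key, value in default_values(reg_text)
            if key.lower() in WATCHED_KEYS
            and handler_name(value) in PERRUN_HANDLERS]

if __name__ == "__main__":
    for key, value in find_perrun_associations(SAMPLE_EXPORT):
        print(f"suspicious handler: [{key}] -> {value}")
```

The match is on the handler's file name only, so a quoted or fully qualified path to the same executable is still reported.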
