Infected JPEG not detected by NOD
Howard
September 24th, 2004, 07:37 PM
As those who read slashdot or grc.security will know, AP4.jpg has been posted on the web (I am withholding a non-clickable link to this file from this post) supposedly to demonstrate the exploitation of the recent security alert/patch from Microsoft, specifically "MS04-028 - Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution". Whether it does, in fact, exploit this particular problem, I will leave to those far more knowledgeable about such matters than me. What it does do is crash IE6 on all flavours of XP (patched or unpatched, irrespective of service packs).
NOD32 detects nothing peculiar about this file, which I opened untroubled in Mozilla 1.7.3 and then downloaded to one of my hard drives. However, eScan AntiVirus Toolkit Utility with current updates identifies AP4.jpg as infected by "Exploit.IE.Crashsos" Virus.
My understanding of the discussions about this matter is that it is a question of when, not if, infected JPEGs are produced that will fully exploit MS04-028 (McAfee already has been scanning for this http://vil.nai.com/vil/content/v_128461.htm). It is not clear to me that NOD is currently affording me protection from this. Before, rather than after the event would be preferable, I think :)
flyrfan111
September 24th, 2004, 07:49 PM
It's hard to argue with that logic. Before would be nice.
ronjor
September 24th, 2004, 07:57 PM
Send samples to samples@nod32.com. It would be a help to us all.
Blackspear
September 24th, 2004, 09:16 PM
As Ron said, please send an email to support@nod32.com and place a link to this thread.
If you do not hear from Eset within 3 days (allows for weekends), please advise us here...
Let us know how you go… we are all interested to hear what the answer is...
Cheers ;D
rumpstah
September 24th, 2004, 09:17 PM
NOD32 - v.1.876 (20040924)
Win32/JPEGexploit.A
ronjor
September 24th, 2004, 09:26 PM
Thanks rumpstah
Sure wish we could have a naming party and get them all the same.
Blackspear
September 24th, 2004, 09:27 PM
{QUOTE-> …NOD32 detects nothing peculiar about this file, which I opened untroubled in Mozilla 1.7.3 and then downloaded to one of my hard drives. However, eScan AntiVirus Toolkit Utility with current updates identifies AP4.jpg as infected by "Exploit.IE.Crashsos" Virus… <-QUOTE}
It’s this part that worries me Rumpstah, which is dependent on when Howard scanned the file and what update he was using…
Cheers ;D
Howard
September 24th, 2004, 09:30 PM
{QUOTE-> NOD32 - v.1.876 (20040924)
Win32/JPEGexploit.A <-QUOTE}
Excellent! It still does not detect the infection in the AP4.jpg that I mentioned, but I think that is because it is a quite different exploit. I will send the latter to support@nod32.com and place a link to this thread as has been suggested, but the more important impending threat, via MS04-028, is addressed by Win32/JPEGexploit.A.
ronjor
September 24th, 2004, 09:31 PM
Thanks Howard.
Hum....
September 24th, 2004, 09:59 PM
So, the "advanced" heuristics are not detecting it?
puff-m-d
September 24th, 2004, 10:12 PM
This might be a stupid observation, but I do not think NOD scans JPEGs by default.... Do you have NOD set to scan all files?
Howard
September 24th, 2004, 10:14 PM
{QUOTE-> So, the "advanced" heuristics are not detecting it? <-QUOTE}
No, I have scanned it with everything switched on and with the latest definitions - 1.877. However, from what I can gather this particular file is not exploiting the MS04-028 - Buffer Overrun in JPEG Processing (GDI+) flaw. While it was posted as though it might be doing so, it appears to be exploiting an older flaw, as the affected module when IE crashes is mshtml.dll.
For those of you who may wish to examine this file, the original link was posted in the following message on slashdot:
http://slashdot.org/comments.pl?sid=122855&cid=10327905
Howard
September 24th, 2004, 10:15 PM
{QUOTE-> This might be a stupid observation, but I do not think NOD scans JPEGs by default.... Do you have NOD set to scan all files? <-QUOTE}
I have NOD set to scan everything including the kitchen sink :)
Stan999
September 24th, 2004, 10:30 PM
From http://virusscan.jotti.dhs.org/
---------------------------------------------------------
Service load: 0% 100%
File: AP4.jpg
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: None
AntiVir No viruses found (3.70 seconds taken)
Avast No viruses found (9.42 seconds taken)
BitDefender No viruses found (7.69 seconds taken)
ClamAV No viruses found (26.36 seconds taken)
Dr.Web No viruses found (12.44 seconds taken)
F-Prot Antivirus No viruses found (0.75 seconds taken)
F-Secure Anti-Virus No viruses found (9.64 seconds taken)
Kaspersky Anti-Virus Exploit.IE.Crashsos (7.67 seconds taken)
mks_vir No viruses found (2.68 seconds taken)
NOD32 No viruses found (4.73 seconds taken)
Norman Virus Control No viruses found (1.83 seconds taken)
-------------------------------------------------------------
From:
http://www.virustotal.com/flash/index_en.html
Results of a file scan
This is the report of the scanning done over "AP4.jpg" file that VirusTotal processed on 09/25/2004 at 04:34:13.
Antivirus Version Update Result
BitDefender 7.0 09.24.2004 -
ClamWin devel-20040822 09.23.2004 -
Kaspersky 4.0.2.24 09.25.2004 Exploit.IE.Crashsos
McAfee 4394 09.22.2004 -
NOD32v2 1.877 09.25.2004 -
Norman 5.70.10 09.24.2004 -
Panda 7.02.00 09.24.2004 -
Sybari 7.5.1314 09.25.2004 -
Symantec 8.0 09.24.2004 -
TrendMicro 7.000 09.23.2004 -
VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about availability and continuity of this service. Do not reply to this message, it has been sent by an automated process that will not handle such responses. Even when the detection rate given by the use of multiple antivirus engines is far superior to the one offered by only one product, these results DON'T guarantee the harmlessness of a file. There is no such solution that can offer a 100% rate of effectiveness recognizing viruses and malware.
-----------------------------------
Howard
September 24th, 2004, 10:41 PM
{QUOTE-> From http://virusscan.jotti.dhs.org/
---------------------------------------------------------
Service load: 0% 100%
File: AP4.jpg
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: None
AntiVir No viruses found (3.70 seconds taken)
Avast No viruses found (9.42 seconds taken)
BitDefender No viruses found (7.69 seconds taken)
ClamAV No viruses found (26.36 seconds taken)
Dr.Web No viruses found (12.44 seconds taken)
F-Prot Antivirus No viruses found (0.75 seconds taken)
F-Secure Anti-Virus No viruses found (9.64 seconds taken)
Kaspersky Anti-Virus Exploit.IE.Crashsos (7.67 seconds taken)
mks_vir No viruses found (2.68 seconds taken)
NOD32 No viruses found (4.73 seconds taken)
Norman Virus Control No viruses found (1.83 seconds taken)
------------------------------------------------------------- <-QUOTE}
And, of course, the eScan AntiVirus Toolkit Utility - which I used to identify AP4.jpg as infected by "Exploit.IE.Crashsos" Virus - is based on the KAV scan engine and updates.
Blackspear
September 24th, 2004, 10:41 PM
{QUOTE-> I have NOD set to scan everything including the kitchen sink :) <-QUOTE}
ROFLMAO, damn where can I get your version of Nod? ;D ;D ;D
Howard
September 24th, 2004, 10:42 PM
{QUOTE-> ROFLMAO, damn where can I get your version of Nod? ;D ;D ;D <-QUOTE}
Dunno, but it is based on your settings :)
rumpstah
September 24th, 2004, 10:59 PM
Do not save the ap4.jpg file to the desktop. It makes a machine unbootable to the desktop (at least after about 5 minutes of waiting; glad I have test machines laying around ;) ). That was kind of fun. Of course if you go into safe mode and delete the file, it boots fine after that.
Howard
September 25th, 2004, 04:27 AM
I have come across an interesting discussion on the file in question AP4.jpg, with the following being the most significant observation:
"I just built the 6a JPEG library from the IJG sources and ran it on the AP4.jpg image through a debugger. The offending code writes data to a non-allocated buffer. I.e. it writes to a pointer pointing out in space. That is NOT a buffer overrun issue.
Moreover, what is written is the output from the inverse DCT. That is NOT executable code from an untrusted source. Hence it is not a security issue."
The following link is to the message from which I have quoted.
AP4.jpg discussion (http://groups.google.com/groups?q=g:thl1158007720d&dq=&hl=en&lr=&ie=UTF-8&selm=KBv4d.417219%24OB3.353512%40bgtnsc05-news.ops.worldnet.att.net)
john smith
September 25th, 2004, 09:58 AM
{QUOTE-> Excellent! It still does not detect the infection in the AP4.jpg that I mentioned, but I think that is because it is a quite different exploit. I will send the latter to support@nod32.com and place a link to this thread as has been suggested, but the more important impending threat, via MS04-028, is addressed by Win32/JPEGexploit.A. <-QUOTE}
It still vexes me a bit that ESET's response to threats depends on whether it's a weekend or not. I understand staffing problems, but it seems that a worldwide-used AV program may need to ramp up its response ability.
The offending jpg seems a relatively minor bit of malware, but this business of writing offending code into such a common file type is alarming.
John
Q Section
September 25th, 2004, 10:21 AM
{QUOTE-> So, the "advanced" heuristics are not detecting it? <-QUOTE}
Another zoo virus. NOD32 stops malware infections. Remember that having a piece of malware on one's computer does not automatically mean it has executed. If a virus or other malware has not executed then no harm has happened. Sure we all do not want any malware, executed or non-executed, on our computers but the problem happens if a piece of malware executes. NOD32 stops in-the-wild virii from executing. Right?
Best wishes
Blackspear
September 25th, 2004, 05:20 PM
{QUOTE-> It still vexes me a bit that ESET's response to threats depends on whether it's a weekend or not. I understand staffing problems, but it seems that a worldwide-used AV program may need to ramp up its response ability... <-QUOTE}
From what I understand, staffing levels are being looked at...
It would be nice to see 24/7 support, in time I think this will have to happen, though it does take time to train staff...
Cheers ;D
Howard
September 27th, 2004, 05:58 PM
Just a brief update. Apparently there is now a GDI+ jpeg exploiting virus in the wild. An analysis of where and how is given here: http://www.easynews.com/virus.txt "THIS VIRUS IS NASTY!" I downloaded the zipped virus and checked it out with NOD32. Pleased to say AMON and NOD32 identify the contents of this file - possibleVirus.jpg - as Win32/Exploit.MS04-028 trojan. Good to see NOD32 is on the ball, because it looks like this could be the first of many.
Stan999
September 27th, 2004, 06:44 PM
{QUOTE-> Just a brief update. Apparently there is now a GDI+ jpeg exploiting virus in the wild. An analysis of where and how is given here: http://www.easynews.com/virus.txt "THIS VIRUS IS NASTY!" I downloaded the zipped virus and checked it out with NOD32. Pleased to say AMON and NOD32 identify the contents of this file - possibleVirus.jpg - as Win32/Exploit.MS04-028 trojan. Good to see NOD32 is on the ball, because it looks like this could be the first of many. <-QUOTE}
Good to see the IMON HTTP scanner stops this before downloading!
9/27/2004 17:42:08 PM IMON archive Win32/Exploit.MS04-028 trojan connection terminated
MNKid
September 27th, 2004, 11:07 PM
{QUOTE-> It still vexes me a bit that ESET's response to threats depends on whether it's a weekend or not. I understand staffing problems, but it seems that a worldwide-used AV program may need to ramp up its response ability.
John <-QUOTE}
In other words, 104 days each year they are not available. For an antivirus proggy, I really have to wonder if that's acceptable.
NOD rocks and is getting more much-deserved recognition every day. But with that, there comes more scrutiny. Time for Eset to step up and join the big leagues. They are right on the cusp of making it big in the US, so hopefully they won't be a victim of their own success.
Marcos
September 28th, 2004, 01:58 AM
I'm sorry to hear that - Eset's response to threats is immediate - in the case of a fast spreading worm it's not a problem for us to make an update in the middle of the night even on Saturday or Sunday.
Blackspear
September 28th, 2004, 02:12 AM
{QUOTE-> I'm sorry to hear that - Eset's response to threats is immediate - in the case of a fast spreading worm it's not a problem for us to make an update in the middle of the night even on Saturday or Sunday. <-QUOTE}
Thanks Marcos, I think it is understood that the response to threats is immediate; I think the discussion was more towards 7 day, 24hr support, like the big players already have... It's the weekend siesta that is the concern ;) And no, I'm not volunteering to do the weekend shift ;)
Cheers ;D
jan
September 28th, 2004, 03:19 AM
Hi Blackspear,
>I think it is understood that the response to threats is immediate; I think the discussion was more towards 7 day, 24hr support,
The new staff is coming, so it's close.
Thanks,
jan
Blackspear
September 28th, 2004, 04:53 AM
{QUOTE-> ...The new staff is coming, so it's close... <-QUOTE}
Hi Jan, thanks for your reply, are you indicating that Eset are about to launch 7 day/ 24 hour Tech Support?
Cheers ;D
jan
September 28th, 2004, 06:20 AM
Hi Blackspear,
>are you indicating that Eset are about to launch 7 day/ 24 hour Tech Support?
Yes - it can take some time to get more people and set it up - we'll do our best to make it as short as possible.
Rgds.,
jan
Blackspear
September 28th, 2004, 06:35 AM
{QUOTE-> ...Yes - it can take some time to get more people and set it up - we'll do our best to make it as short as possible... <-QUOTE}
Thanks Jan, and it is understood regarding training people up...
Cheers ;D
rumpstah
September 28th, 2004, 04:54 PM
AP4 now detected! ;)
NOD32 - v.1.880 (20040928)
Virus signature database updates:
Exploit.IE.Crashsos
{QUOTE-> As those who read slashdot or grc.security will know, AP4.jpg has been posted on the web (I am withholding a non-clickable link to this file from this post) supposedly to demonstrate the exploitation of the recent security alert/patch from Microsoft, specifically "MS04-028 - Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution". Whether it does, in fact, exploit this particular problem, I will leave to those far more knowledgeable about such matters than me. What it does do is crash IE6 on all flavours of XP (patched or unpatched, irrespective of service packs).
NOD32 detects nothing peculiar about this file, which I opened untroubled in Mozilla 1.7.3 and then downloaded to one of my hard drives. However, eScan AntiVirus Toolkit Utility with current updates identifies AP4.jpg as infected by "Exploit.IE.Crashsos" Virus.
My understanding of the discussions about this matter is that it is a question of when, not if, infected JPEGs are produced that will fully exploit MS04-028 (McAfee already has been scanning for this http://vil.nai.com/vil/content/v_128461.htm). It is not clear to me that NOD is currently affording me protection from this. Before, rather than after the event would be preferable, I think :) <-QUOTE}
Stan999
September 28th, 2004, 05:30 PM
{QUOTE-> AP4 now detected! ;)
NOD32 - v.1.880 (20040928)
Virus signature database updates:
Exploit.IE.Crashsos <-QUOTE}
http://www.virustotal.com/flash/index_en.html
BitDefender 7 09.28.2004 -
ClamWin devel-20040822 09.28.2004 -
F-Prot 3.15a 09.28.2004 -
Kaspersky 4.0.2.24 09.28.2004 Exploit.IE.Crashsos
McAfee 4395 09.28.2004 -
NOD32v2 1.88 09.28.2004 Exploit.IE.Crashsos
Norman 5.70.10 09.28.2004 -
Panda 7.02.00 09.28.2004 -
Sybari 7.5.1314 09.28.2004 -
Symantec 8 09.27.2004 -
TrendMicro 7.1 09.26.2004 -
flyrfan111
September 28th, 2004, 06:34 PM
{QUOTE-> http://www.virustotal.com/flash/index_en.html
BitDefender 7 09.28.2004 -
ClamWin devel-20040822 09.28.2004 -
F-Prot 3.15a 09.28.2004 -
Kaspersky 4.0.2.24 09.28.2004 Exploit.IE.Crashsos
McAfee 4395 09.28.2004 -
NOD32v2 1.88 09.28.2004 Exploit.IE.Crashsos
Norman 5.70.10 09.28.2004 -
Panda 7.02.00 09.28.2004 -
Sybari 7.5.1314 09.28.2004 -
Symantec 8 09.27.2004 -
TrendMicro 7.1 09.26.2004 - <-QUOTE}
NOD and KAV lead the way!!
john smith
September 28th, 2004, 09:03 PM
{QUOTE-> http://www.virustotal.com/flash/index_en.html
[snippage]
Kaspersky 09.28.2004 Exploit.IE.Crashsos
NOD32v2 1.88 09.28.2004 Exploit.IE.Crashsos
Symantec 09.27.2004 <-QUOTE}
This seems a little odd, since KAV's online scanner detected the A4.jpg as an exploit trojan on 25SEP05 (and possibly earlier... I don't know), though I don't recall the name they gave it. Symantec, with all its resources, wasn't all that speedy either.
Is it reasonable to assume that the response time was a bit slow because this particular trojan represented more of a nuisance than a major threat? It does make sense to prioritize viruses/trojans/whatever based on the damage they might cause.
John Smith, happy NOD32 user
Blackspear
September 29th, 2004, 02:15 AM
{QUOTE-> This seems a little odd, since KAV's online scanner detected the A4.jpg as an exploit trojan on 25SEP05 (and possibly earlier... I don't know), though I don't recall the name they gave it... <-QUOTE}
Hey John Smith, if you are talking about the dates you are seeing in Stan999's posting, i.e. Kaspersky 4.0.2.24 09.28.2004 and NOD32v2 1.88 09.28.2004, I think you will find this is the latest virus signature update date that they are using...
Hope this helps...
Cheers ;D
john smith
September 29th, 2004, 09:12 AM
{QUOTE-> Hey John Smith, if you are talking about the dates you are seeing in Stan999's posting, i.e. Kaspersky 4.0.2.24 09.28.2004 and NOD32v2 1.88 09.28.2004, I think you will find this is the latest virus signature update date that they are using...
Hope this helps...
Cheers ;D <-QUOTE}
D'oh! It helps. Sorry I misunderstood the posting.
j.s.
Blackspear
September 29th, 2004, 09:34 AM
{QUOTE-> ...Sorry I misunderstood the posting... <-QUOTE}
No problem, it happens to us all ;)
Cheers ;D
Jari
September 29th, 2004, 10:37 AM
Now Nod detects the file (tested with the original ap4.jpg site), but even if I push "Terminate" IE shuts down. NOT a satisfactory solution.
Stan999
September 29th, 2004, 10:51 AM
{QUOTE-> Now Nod detects the file (tested with the original ap4.jpg site), but even if I push "Terminate" IE shuts down. NOT a satisfactory solution. <-QUOTE}
That happens in the "Higher compatibility" setting but IE will stay open if you choose the "Higher efficiency" setting.
Jari
September 29th, 2004, 03:55 PM
Yes, it helps. Nod seems to forget my settings. Everything was on higher compatibility, even though I had changed them before.
Stan999
September 29th, 2004, 04:19 PM
{QUOTE-> Yes, it helps. Nod seems to forget my settings. Everything was on higher compatibility, even though I had changed them before. <-QUOTE}
I believe when they pushed the 2.12.2 version it reset everything to "higher compatibility".
Blackspear
September 29th, 2004, 05:56 PM
{QUOTE-> I believe when they pushed the 2.12.2 version it reset everything to "higher compatibility". <-QUOTE}
The new release about to come out, 2.12.3 will have "Higher Efficiency" as a default setting...
Hope this helps...
Cheers ;D
ronjor
September 29th, 2004, 06:35 PM
Any other changes?
Blackspear
September 29th, 2004, 06:43 PM
{QUOTE-> Any other changes? <-QUOTE}
I'm not sure on that Ron, Rumpstah is one that manages to ferret out the new features, I can’t see any major differences, other than "Higher Efficiency" as a default setting. Will have to wait for Marcos, Jan or Rumpstah to come along…
Cheers ;D
ronjor
September 29th, 2004, 06:46 PM
Thanks. I'm waiting. *puppy* *puppy* :)
rseiler
October 7th, 2004, 01:04 AM
Since JPGs are now apparently carriers, shouldn't the JPG extension now be included by default in AMON, perhaps with the next version?
Jaska
October 7th, 2004, 02:23 PM
The experts say these jpg-exploits can have 12 different extensions including bmp, gif, jpeg etc. So almost all graphic formats should be checked. :-\
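The last two posts make the practical point: an extension list cannot keep up when the same malformed image can arrive as .jpg, .gif, .bmp and so on, so a scanner has to look at content. As an added illustration (not code from this thread, from NOD32 or from any scanner named here), the following Python checker identifies a JPEG by its leading bytes regardless of file name and walks its marker segments, flagging a segment length field smaller than 2, the sort of malformed header that trips a decoder which trusts it. File names and sample bytes are constructed for the example.

```python
import struct

JPEG_SOI = b"\xff\xd8\xff"   # every JPEG starts with the SOI marker FF D8, then another FF


def looks_like_jpeg(data: bytes) -> bool:
    """Identify a JPEG by its leading bytes, not by the file extension."""
    return data.startswith(JPEG_SOI)


def _at_real_marker(data: bytes, pos: int) -> bool:
    # Inside entropy-coded data FF 00 is a stuffed byte and FF D0..D7 are restart markers.
    nxt = data[pos + 1]
    return data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7


def check_jpeg_segments(data: bytes) -> list:
    """Walk the marker segments; return structural findings (empty list = sane)."""
    if not looks_like_jpeg(data):
        return ["no SOI marker: not a JPEG, whatever the extension says"]
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return [f"offset {pos}: expected a marker, found 0x{data[pos]:02X}"]
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte ahead of a marker
            pos += 1
            continue
        if marker == 0xD9:                              # EOI: clean end of image
            return []
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > n:
            return [f"offset {pos}: marker 0xFF{marker:02X} truncated before its length field"]
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:   # the field counts its own two bytes, so < 2 is never valid
            return [f"offset {pos}: marker 0xFF{marker:02X} has length {seg_len} < 2 "
                    "(a parser that subtracts the 2 header bytes under-flows)"]
        end = pos + 2 + seg_len
        if end > n:
            return [f"offset {pos}: marker 0xFF{marker:02X} claims {seg_len} bytes, past end of file"]
        pos = end
        if marker == 0xDA:                              # SOS: skip entropy-coded data
            while pos + 1 < n and not _at_real_marker(data, pos):
                pos += 1
    return ["ran out of data before an EOI marker"]


def scan(name: str, data: bytes) -> dict:
    """Combine content sniffing with structural checks, which an extension list cannot do."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    is_jpeg = looks_like_jpeg(data)
    return {"name": name, "content_is_jpeg": is_jpeg,
            "ext_mismatch": is_jpeg and ext not in ("jpg", "jpeg"),
            "findings": check_jpeg_segments(data) if is_jpeg else []}


# Constructed samples (no real image data): a minimal JFIF APP0 header plus a COM segment.
_APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
def _jpeg_with_comment_len(length: int) -> bytes:
    return b"\xff\xd8" + _APP0 + b"\xff\xfe" + struct.pack(">H", length) + b"hello" + b"\xff\xd9"
GOOD_JPEG = _jpeg_with_comment_len(7)        # 2 length bytes + 5 bytes of comment
BAD_LENGTH_JPEG = _jpeg_with_comment_len(1)  # impossible length field in the COM segment
```

Running `scan("holiday.gif", GOOD_JPEG)` reports the extension mismatch, and `scan("comment.jpg", BAD_LENGTH_JPEG)` reports the bad length field, whereas a scanner keyed on the .jpg/.jpeg extension alone sees nothing unusual in the first case.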
Copyright ©2002 - 2009, Wilders Security Forums