Wilders Security Forums  

#1
September 29th, 2004, 01:23 PM
ronjor (Global Moderator; Join Date: Jul 2003; Location: Texas; Posts: 46,364)
JPEG exploit could beat antivirus software

ZDNet

Antivirus software could be ill-prepared to protect corporate networks from the latest Windows vulnerability--innocent-looking JPEG files that contain security attacks.
#2
September 29th, 2004, 02:46 PM
Mr.Blaze (The Newbie Welcome Wagon; Join Date: Feb 2003; Location: on the sofa; Posts: 2,842)
Re: JPEG exploit could beat antivirus software

nooooooooooooooooooooooooooooooooooooooooooooooooooo!

Those mofo bastards. Now when I go to adult sites and get my jpgs I might be getting viruses. This is unacceptable. The people that do this should be publicly executed, in my opinion.

Maybe the rest will fall back in line.

There's an unspoken line you don't cross.

They just crossed it. grrrrrrrrrrrrrrrrrrr grrrrrrrrrrrrrrr

Is there anything to stop these?

I know your PC downloads any pics it sees on websites.

This sucks.

All of cyberspace can be affected in minutes, not days or a few hours.

All a hacker has to do is hack a few high-traffic sites, replace picture content with his infected content, leave as if nothing ever happened, and no one would be the wiser.

Joe Blow goes to the site as usual, no changes, but his PC automatically downloads infected jpgs to his PC's temporary folder.

yucccckkkkkkkk

So not cool.
__________________
I am Blaze's raging fur ball of fury; don't let the small paws fool you, my claws retract like Wolverine's, err, when I'm not babysitting Jooske's mouse.
#3
September 29th, 2004, 02:58 PM
ronjor (Global Moderator; Join Date: Jul 2003; Location: Texas; Posts: 46,364)
Re: JPEG exploit could beat antivirus software

The usenet is covered up with this newest jpg trojan. Be careful what you download.

Win32/Exploit.MS04-028 trojan
#4
September 29th, 2004, 03:06 PM
Devinco (Very Frequent Poster; Join Date: Jul 2004; Posts: 2,524)
Re: JPEG exploit could beat antivirus software

Could a malicious member replace their avatar with this jpeg virus here at Wilders?
Or they could just post in a thread and embed the pic.

Hang em all!!
#5
September 29th, 2004, 03:13 PM
nick s (Very Frequent Poster; Join Date: Nov 2002; Posts: 1,427)
Re: JPEG exploit could beat antivirus software

Spreading via AIM as well: The handlers have received several reports that AIM messages are being used to entice users to download and view jpegs that match current signatures for the GDIplus.dll exploit.

Nick
#6
September 29th, 2004, 03:15 PM
ronjor (Global Moderator; Join Date: Jul 2003; Location: Texas; Posts: 46,364)
Re: JPEG exploit could beat antivirus software

Quote:
Originally Posted by Devinco
Could a malicious member replace their avatar with this jpeg virus here at Wilders?
Or they could just post in a thread and embed the pic.

Hang em all!!



http://www.wilderssecurity.com/showthread.php?t=49458
#7
September 29th, 2004, 03:37 PM
Devinco (Very Frequent Poster; Join Date: Jul 2004; Posts: 2,524)
Re: JPEG exploit could beat antivirus software

Good point Ronjor.

With so many security experts here, an infected picture would have a very short life on this forum!
#8
September 29th, 2004, 04:00 PM
TheSnowGuy (Posts: n/a)
Re: JPEG exploit could beat antivirus software

Devinco said: "an infected picture would have a very short life on this forum!"

******************

The moment this exploit was made known....it was being blocked on my pc.......all avatars....jpg images...etc.....are no longer able to be downloaded.........sorry guys, some of you had very nice ones.....
So what is everyone doing...waiting for the anti-virus vendors to come up with a way to "clean" this exploit.........uh uh....best get rid of the jpg yourself and block.....before infected........those nice pictures may cost you a re-format otherwise.......just my always humble thought.

TheSnowGuy/ Snowman
#9
September 29th, 2004, 04:28 PM
Devinco (Very Frequent Poster; Join Date: Jul 2004; Posts: 2,524)
Re: JPEG exploit could beat antivirus software

Hi SnowGuy,

I'm all patched up, so no problems here. Not even using IE.
It is now just those 3rd party apps that have the vulnerable gdiplus.dll lying around. Turning off all pictures is a little too drastic for me. I need to see nice pictures on the web. Antivirus like NOD32 and others that have an HTTP scanner will have an advantage in picking these things up.
#10
September 29th, 2004, 04:49 PM
TheSnowGuy (Posts: n/a)
Re: JPEG exploit could beat antivirus software

DEV

That's good to hear. Nope, I didn't turn off "seeing pictures", just blocked jpg......but actually I normally do block most gif......my computers are mostly for business. Another nice thing is that older WIN systems are immune..(so I am led to understand). Whenever possible I try not to rely on vendors alone........just a habit of mine.

Seeya DEV....you did a nice job..
#11
September 29th, 2004, 05:32 PM
rerun2 (Frequent Poster; Join Date: Aug 2003; Posts: 338)
Re: JPEG exploit could beat antivirus software

To my understanding the jpeg exploit in itself is much like a downloader, much like those annoying JavaScript downloaders we have seen so much of. The real concern is what the exploit downloads/installs. What it downloads/installs will determine the seriousness of the payload.

If the jpeg exploit decides to try to download/install an already known virus/trojan, your AV/AT should pick it up without necessarily having to detect the jpeg exploit, thus stopping the payload. If the trojan is unknown along with the jpeg exploit, it will likely have more success in spreading. But detection should be added very quickly. So the importance of keeping your OS, AV, and AT up to date once again comes into play (as well as some common sense and not visiting untrusted sites). I wonder if generic signatures by AV/ATs for the jpeg exploit will be developed (if not already). And another very good point made by Link Logger regarding detection of this exploit by AVs is that ...
Quote:
First off you can't pack the file as it has to be in a jpg format otherwise the software vulnerable will likely abort reading it before being exploited and this means that the Anti Virus guys are going to have an easy time picking this malware off.

Thread can be found here http://www.dslreports.com/forum/rema...3651~mode=flat

A very good read IMO.

And ever since this exploit broke and was classified as a buffer overrun by MS, I wonder if this is the type of exploit that can be handled by a program like PrevX or by WinXP SP2's data execution protection feature.
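The point rerun2 and the quoted Link Logger post make, that the file has to stay a parseable JPEG so the malformed part is visible to anyone who reads the marker structure, can be checked directly. The following is an added example, not code from the thread or from any antivirus product: it walks the marker segments of a JPEG and flags a segment whose declared length is smaller than the two length bytes themselves (the malformed-length condition that the public MS04-028 advisories describe) or that runs past the end of the file. The marker constants come from the JPEG standard; the sample byte strings are constructed for the example and are not real exploit files, only the smallest inputs that exercise each branch.

```python
"""Structural check for JPEG files: walk the marker segments and flag any
segment whose declared length is shorter than the two bytes that hold the
length itself, or that runs past the end of the file.

Added example, not from the thread. The constructed samples at the bottom
are not real exploit files; they only exercise each branch of the check.
"""
import struct
import sys

# Marker codes from the JPEG standard (the byte that follows 0xFF).
SOI = 0xD8          # start of image
EOI = 0xD9          # end of image
SOS = 0xDA          # start of scan; entropy-coded data follows
COM = 0xFE          # comment segment
TEM = 0x01
RST0, RST7 = 0xD0, 0xD7


def _standalone(marker):
    # Markers that carry no two-byte length field.
    return marker in (SOI, EOI, TEM) or RST0 <= marker <= RST7


def check_jpeg(data: bytes):
    """Return a list of findings; an empty list means the header structure
    is well-formed. Each finding is (offset, marker, message)."""
    findings = []
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        return [(0, None, "missing SOI marker; not a JPEG")]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            findings.append((pos, None, "expected marker prefix 0xFF"))
            break
        # Skip 0xFF fill bytes that may precede a marker.
        while pos < len(data) and data[pos] == 0xFF:
            pos += 1
        if pos >= len(data):
            findings.append((pos, None, "truncated marker"))
            break
        marker = data[pos]
        pos += 1
        if marker == EOI:
            break
        if _standalone(marker):
            continue
        if pos + 2 > len(data):
            findings.append((pos, marker, "length field truncated"))
            break
        # The length field counts itself, so any legal value is >= 2.
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        if length < 2:
            findings.append((pos, marker,
                             f"segment length {length} < 2 (length underflow condition)"))
            break
        if pos + length > len(data):
            findings.append((pos, marker,
                             f"segment length {length} runs past end of file"))
            break
        if marker == SOS:
            # Only the header segments are validated; scan data is not parsed.
            break
        pos += length
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when the file should be rejected before a decoder sees it."""
    return bool(check_jpeg(data))


# Constructed samples (not real image data).
# Well-formed: SOI, an APP0 segment with a 14-byte body (length 16), EOI.
GOOD = (bytes([0xFF, SOI, 0xFF, 0xE0]) + struct.pack(">H", 16)
        + b"JFIF\x00" + b"\x00" * 9 + bytes([0xFF, EOI]))
# A COM segment declaring length 0.
BAD_LEN = bytes([0xFF, SOI, 0xFF, COM, 0x00, 0x00, 0xFF, EOI])
# A COM segment claiming 1000 bytes inside an 8-byte file.
BAD_OVERRUN = bytes([0xFF, SOI, 0xFF, COM]) + struct.pack(">H", 1000) + b"hi"

if __name__ == "__main__":
    # Usage: python jpeg_check.py file1.jpg file2.jpg ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for offset, marker, msg in check_jpeg(fh.read()):
                tag = f"0x{marker:02X}" if marker is not None else "--"
                print(f"{path}: offset {offset} marker {tag}: {msg}")
```

A check like this belongs at a trust boundary (mail gateway, upload handler, proxy) where a malformed file can be rejected before any image decoder touches it. It says nothing about the payload such a file would fetch, which is the part rerun2 notes the AV still has to catch on its own.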
#12
September 29th, 2004, 11:08 PM
Mele20 (Former Poster; Join Date: Apr 2002; Location: Hilo, Hawaii; Posts: 2,495)
Re: JPEG exploit could beat antivirus software

I am more concerned with the results I got from the SANS GDI tool AFTER I had patched XP Pro SP1a, IE6 and MS Office. Microsoft says I'm all patched and just hunky-dory now. On the other hand, the SANS tool shows a whole bunch of vulnerabilities! I don't know what the OS patch patched after reading the list of vulnerabilities I still have.

How do I patch Microsoft Picture 7 and Microsoft Works Suite 2003? When I click on the download from the Microsoft site, I get put in an endless loop and can't download the patches. I have read others with SP1 saying the same thing. Then I have Sonic RecordNow version 6.5 as being vulnerable. This came on my Dell so I can't ask Sonic for a newer version of the file. Is Dell going to provide me with a later version? It is questions like these that are bothering me. As for my AV, I am trialing F-Prot, and Frisk had a new version out on Sept 24 which protects against the exploit. That was faster than some other major AVs which did not add protection until the 28th.
#13
September 30th, 2004, 04:05 PM
Ballzo (Infrequent Poster; Join Date: Sep 2004; Posts: 36)
Re: JPEG exploit could beat antivirus software

Your post raises some very telling and significant points that need to be addressed and emphasized.

The potential for this .jpeg vulnerability to inflict harm is enormous.

Like yourself, and many other users I'd guess, I applied the appropriate patches to both Windows XP and Office.

I ran GDI Scan prior to updating and also post updating.

I was shocked to find out that I had numerous gdiplus.dll files that were STILL VULNERABLE. These are all 3rd party apps that were still operating with older and vulnerable versions of the MS gdiplus.dll file.

I'm not sure whose responsibility it is to provide updates. I guess it's the responsibility of the vendor, but I'm not sure I really care… We're still vulnerable. MS replaced their versions on their software, washed their hands and walked away…

There are no doubt different solutions to this problem.

Many folks that I know did the laborious process of locating and identifying other vulnerable versions of this file.

I went through my system and MANUALLY replaced each vulnerable gdiplus.dll file with a known good version. And it works… It takes time and patience, but this method works… Running a GDI Scan after doing this procedure shows my system has no vulnerable versions of this file..

I'm safe… I think.. I hope..

Best,

B
#14
September 30th, 2004, 09:06 PM
Mele20 (Former Poster; Join Date: Apr 2002; Location: Hilo, Hawaii; Posts: 2,495)
Re: JPEG exploit could beat antivirus software

I commend you for your patience and tenacity in replacing the individual files. However, I suspect you didn't need to do that. I now recommend that anyone running the SANS GDI tool also run Process Viewer from Sysinternals.

I was concerned about the MS Picture It version 7 GDIPlus.dll which the GDI tool reported was using an old vulnerable version. I was also concerned about Sonic RecordNow which the tool also reported as using a vulnerable version of GDIPlus.dll. That tool reported a number of vulnerabilities. Today, I downloaded Process Viewer and it showed me that Sonic RecordNow and MS Picture It and MS Works are all using the XP Pro SP1 GDIPlus.dll which was created on September 14 when I applied the OS patch. This is what MS stated would happen in their Microsoft Security Bulletin MS04-028. The only time there is reason for concern after patching the XP OS (and the Office patch if you have any Office products, and the .NET Framework upgrade if you have that) is if you have a non-Microsoft application (such as my Sonic RecordNow) which uses a specialized vendor version of the GDIPlus.dll. Process Viewer lets you see what version of GDIPlus.dll is called for your application. In the case of my Sonic RecordNow, Process Viewer reports that the XP patched version of this dll is being used, NOT the GDIPlus.dll which is in the Sonic RecordNow program folder. That version is old and vulnerable.

It appears that the SANS GDI Tool is flagging possibilities as it saw that old vulnerable version in the Sonic RecordNow folder and old, vulnerable versions in Picture It and MS Works, etc. and dutifully reported those. What is crucial though is to determine if the application actually uses those vulnerable dlls. This is where Process Viewer is invaluable. Microsoft did state that for MS applications applying the OS patch was all that was needed. The MS applications will use the OS version of GDIPlus.dll. So, the possible problems lie only with third party applications which may have made a specialized version of the dll that the application will use and is vulnerable. In the case of Sonic RecordNow, Process Viewer reports that the application is using the XP patched version of the dll.

So, I suspect that you probably did not need to do the individual patching, plus if you patched a vendor specialized version of the dll with the MS generic version you may have problems with that application. In cases like this, it is up to the vendor to issue a new version. However, it is rather rare for a vendor to use a specialized version of the dll. If all you did was replace the MS vulnerable version in your application's folder with the new version then that is fine but was unnecessary. I was about to do what you did and then someone during the night posted in one of the threads at dslr where we are discussing this and recommended Process Viewer because it would show the version of the GDIPlus.dll in use for a particular application.

http://www.sysinternals.com/ntw2k/fr.../procexp.shtml
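Ballzo's manual hunt for stray copies and Mele20's point that an on-disk copy matters only if an application actually loads it both start from the same inventory step. The following is an added example, not the SANS GDI scanner or any tool named in the thread: it walks a directory tree, finds every gdiplus.dll, and reads the file version out of the VS_FIXEDFILEINFO block of the PE version resource, the same number Explorer shows as the File Version. It locates that block by its documented signature instead of walking the resource directory, which is a simplification, and PATCHED_VERSION is a placeholder that must be taken from the MS04-028 bulletin for the platform in question. The sample bytes in the test are constructed, not taken from a real DLL.

```python
"""Inventory every gdiplus.dll under a directory tree and read each copy's
file version straight from the PE version resource, so the check runs from
any OS without Windows APIs.

Added example, not the SANS GDI scanner or any tool from the thread.

VS_FIXEDFILEINFO (documented in the Windows SDK) starts with:
  dwSignature      0xFEEF04BD
  dwStrucVersion
  dwFileVersionMS  (major << 16) | minor
  dwFileVersionLS  (build << 16) | revision
"""
import os
import struct
import sys

FIXEDFILEINFO_SIG = struct.pack("<I", 0xFEEF04BD)

# PLACEHOLDER: the first non-vulnerable file version for your platform must
# be taken from Microsoft Security Bulletin MS04-028; this tuple is only an
# assumption made for the example.
PATCHED_VERSION = (5, 1, 3102, 1360)


def file_version(data: bytes):
    """Return (major, minor, build, revision) or None if no version block
    is present. Looks for the VS_FIXEDFILEINFO signature rather than
    walking the .rsrc directory (simplification)."""
    idx = data.find(FIXEDFILEINFO_SIG)
    if idx < 0 or idx + 16 > len(data):
        return None
    _sig, _struc, ms, ls = struct.unpack_from("<IIII", data, idx)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def is_vulnerable(version, patched=PATCHED_VERSION) -> bool:
    """Tuple comparison orders 4-part versions correctly; an unreadable
    version is reported separately rather than counted as vulnerable."""
    return version is not None and tuple(version) < tuple(patched)


def classify(path, data: bytes):
    """One inventory row: (path, version-or-None, vulnerable?)."""
    ver = file_version(data)
    return (path, ver, is_vulnerable(ver))


def inventory(root, name="gdiplus.dll"):
    """Walk `root` and classify every file whose name matches `name`."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name:
                path = os.path.join(dirpath, fn)
                try:
                    with open(path, "rb") as fh:
                        rows.append(classify(path, fh.read()))
                except OSError as exc:
                    rows.append((path, None, False))
                    print(f"could not read {path}: {exc}", file=sys.stderr)
    return rows


def build_fixed_file_info(major, minor, build, revision) -> bytes:
    """Constructed VS_FIXEDFILEINFO block (52 bytes) for tests and demos."""
    head = struct.pack("<IIII", 0xFEEF04BD, 0x00010000,
                       (major << 16) | minor, (build << 16) | revision)
    return head + b"\x00" * 36   # remaining fields zeroed


if __name__ == "__main__":
    # Usage: python gdi_inventory.py <root directory>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, ver, vuln in inventory(root):
        shown = ".".join(map(str, ver)) if ver else "unknown"
        flag = "VULNERABLE" if vuln else ("unreadable" if ver is None else "ok")
        print(f"{flag:10} {shown:18} {path}")
```

Run against the system drive this produces the list the thread's GDI scan produces: copies on disk with their versions. Whether a given program loads the copy in its own folder or the patched one from the system directory is a separate question that needs a view of loaded modules, which is exactly what Mele20's Process Explorer check adds.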
#15
October 1st, 2004, 03:16 PM
steve1955 (Very Frequent Poster; Join Date: Feb 2004; Location: Sunny(in my dreams)Manchester,England; Posts: 1,237)
Re: JPEG exploit could beat antivirus software

I don't know why this has caused such a stir: the communication between Bin Laden's groups was supposedly carried out by embedding codes within image files, so similar exploits have been known about and used in the past. There is not a great leap from sending hidden info to an accomplice to sending hidden malicious code to unsuspecting internet users.
__________________
The part of a computer that causes most problems is the bit that holds the mouse!
#16
October 1st, 2004, 04:46 PM
Devinco (Very Frequent Poster; Join Date: Jul 2004; Posts: 2,524)
Re: JPEG exploit could beat antivirus software

Hi Steve,

Actually, it's a huge leap. The first is merely a form of communication. The second is an attack meant to take over complete control of another computer.
#17
October 2nd, 2004, 03:44 AM
steve1955 (Very Frequent Poster; Join Date: Feb 2004; Location: Sunny(in my dreams)Manchester,England; Posts: 1,237)
Re: JPEG exploit could beat antivirus software

Hi Devinco
My point was the possible use of code hidden within images, either for communication or malicious use, has been known about for ages; just because it has not been exploited (or used that much as far as we know!) didn't mean the problem shouldn't have been addressed.
Makes me wonder if it was deliberately avoided because it was of use to certain government agencies.
__________________
The part of a computer that causes most problems is the bit that holds the mouse!
#18
October 2nd, 2004, 11:48 AM
Devinco (Very Frequent Poster; Join Date: Jul 2004; Posts: 2,524)
Re: JPEG exploit could beat antivirus software

Interesting point and very possible, although there would be no way to prove it unless there was a whistle blower.
#19
October 2nd, 2004, 11:36 PM
Peaches4U (Massive Poster; Join Date: Nov 2002; Location: At my computer; Posts: 5,069)
Re: JPEG exploit could beat antivirus software

Avast anti-virus detects the JPEG exploit. Test was done by a friend.
#20
October 2nd, 2004, 11:58 PM
nadirah (Massive Poster; Join Date: Oct 2003; Posts: 3,647)
Re: JPEG exploit could beat antivirus software

Quote:
Originally Posted by Peaches4U
Avast anti-virus detects the JPEG exploit. Test was done by a friend.

Excellent job done by avast anti-virus.
#21
October 3rd, 2004, 03:08 AM
googleguy (Posts: n/a)
Re: JPEG exploit could beat antivirus software

Quote:
Originally Posted by steve1955
Hi Devinco
My point was the possible use of code hidden within images, either for communication or malicious use, has been known about for ages; just because it has not been exploited (or used that much as far as we know!) didn't mean the problem shouldn't have been addressed.
Makes me wonder if it was deliberately avoided because it was of use to certain government agencies.

It's unknown if the patch was deliberately held back by MS, but for sure it was known by certain entities.

A lot of huge security firms specialise in learning (by paying large sums of money to hackers) about such exploits and they then keep quiet about it. They will then quietly protect the big corporations that pay them huge sums monthly to be protected against such tricks.

They certainly won't go out of their way to announce it to MS or the world, since it would mean the value of their knowledge becomes zero.
#22
October 3rd, 2004, 06:02 PM
James Benson (Posts: n/a)
Re: JPEG exploit could beat antivirus software

Get this, I've just been reading all this and did a search on my PC for gdi and came up with about 40 results, all with gdi in the file name or gdi as the file name. Quite worrying, no?
Most of them are in the Windows directory, 1 relating to MS Works, 1 relating to my HP DeskJet's print screen program.
I've updated from Microshaft, but what about the rest?
What about my printer?
What about RecordNow DX? I read this could be the same and be exploited.
Seems the only way to stay safe online is to not go online in the first place.
These arzewipes who find these things out and use the exploits should have the death penalty brought back for them, as well as pedos.
#23
October 3rd, 2004, 06:20 PM
Devinco (Very Frequent Poster; Join Date: Jul 2004; Posts: 2,524)
Re: JPEG exploit could beat antivirus software

Staying offline isn't fool proof either. You may block malware from phoning home, but it could still destroy your data. Better to practice safe hex and keep things up to date.
#24
October 4th, 2004, 08:25 AM
gkweb (Expert Firewall Tester; Join Date: Aug 2003; Location: FRANCE, Rouen (76); Posts: 1,917)
Re: JPEG exploit could beat antivirus software

Hi,

Don't forget to update your MS Office applications; their updates are split from the Windows updates:
http://office.microsoft.com/en-us/of...e/default.aspx

Click on "check for updates".
I don't know if it has GDI related updates, but scanning my computer with the SANS GDI scan returns 0 vulnerable files.
Also you might find the MBSA MS tool useful to find unpatched vulnerabilities on your computer:
http://www.microsoft.com/technet/sec.../mbsahome.mspx

You probably already know both of these tools, but maybe it can help someone.

regards,

gkweb.
__________________
Network Filter Blog : http://networkfilter.blogspot.fr