Infected JPEG not detected by NOD

As those who read slashdot or grc.security will know, AP4.jpg has been posted on the web (I am withholding a non-clickable link to this file from this post) supposedly to demonstrate the exploitation of the recent security alert/patch from Microsoft, specifically "MS04-028 - Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution" . Whether it does, in fact, exploit this particular problem, I will leave to those far more knowledgeable about such matters than me. What it does do, is crash IE6 on all flavours of XP (patched or unpatched, irrespective of service packs).

NOD32 detects nothing peculiar about this file, which I opened untroubled in Mozilla 1.7.3 and then downloaded to one of my hard drives. However, eScan AntiVirus Toolkit Utility with current updates identifies AP4.jpg as infected by "Exploit.IE.Crashsos" Virus.

My understanding of the discussions about this matter is that it is a question of when, not if, infected JPEGs are produced that will fully exploit MS04-028 (McAfee already has been scanning for this http://vil.nai.com/vil/content/v_128461.htm). It is not clear to me that NOD is currently affording me protection from this. Before, rather than after the event would be preferable, I think

 

It's hard to argue with that logic. Before would be nice.

 

As Ron said, please send an email to support@nod32.com and place a link to this thread.

If you do not hear from Eset within 3 days (allows for weekends), please advise us here...

Let us know how you go… we are all interested to hear what the answer is...

Cheers

 

NOD32 - v.1.876 (20040924)

Win32/JPEGexploit.A

 

It’s this part that worries me Rumpstah, which is dependant on when Howard scanned the file and what update he was using…

Cheers

 

Excellent! It still does not detect the infection in the AP4.jpg that I mentioned, but I think that is because it is a quite different exploit. I will send the latter to support@nod32.com and place a link to this thread as has been suggested, but the more important impending threat, via MS04-028, is addressed by Win32/JPEGexploit.A

 

So, the "advanced" heuristics are not detecting it?

 

This might be a stupid observation, but I do not think NOD scans jpeg's by default.... Do you have NOD set to scan all files?

 

No, I have scanned it with everything switched on and with the latest definitions - 1.877 However, from what I can gather this particular file is not exploiting the MS04-028- Buffer Overrun in JPEG Processing (GDI+) flaw. While it was posted as though it might be doing so, it appears to be exploiting an older flaw as the affected module when IE crashes is mshtml.dll

For those of you who may wish to examine this file, the original link was posted in the following message on slashdot:

http://slashdot.org/comments.pl?sid=122855&cid=10327905

 

I have NOD set to scan everything including the kitchen sink

 

From http://virusscan.jotti.dhs.org/

---------------------------------------------------------
Service load: 0% 100%

File: AP4.jpg
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: None

AntiVir No viruses found (3.70 seconds taken)
Avast No viruses found (9.42 seconds taken)
BitDefender No viruses found (7.69 seconds taken)
ClamAV No viruses found (26.36 seconds taken)
Dr.Web No viruses found (12.44 seconds taken)
F-Prot Antivirus No viruses found (0.75 seconds taken)
F-Secure Anti-Virus No viruses found (9.64 seconds taken)
Kaspersky Anti-Virus Exploit.IE.Crashsos (7.67 seconds taken)
mks_vir No viruses found (2.68 seconds taken)
NOD32 No viruses found (4.73 seconds taken)
Norman Virus Control No viruses found (1.83 seconds taken)
-------------------------------------------------------------

From:
http://www.virustotal.com/flash/index_en.html

Results of a file scan
This is the report of the scanning done over "AP4.jpg" file that VirusTotal processed on 09/25/2004 at 04:34:13.
Antivirus Version Update Result
BitDefender 7.0 09.24.2004 -
ClamWin devel-20040822 09.23.2004 -
Kaspersky 4.0.2.24 09.25.2004 Exploit.IE.Crashsos
McAfee 4394 09.22.2004 -
NOD32v2 1.877 09.25.2004 -
Norman 5.70.10 09.24.2004 -
Panda 7.02.00 09.24.2004 -
Sybari 7.5.1314 09.25.2004 -
Symantec 8.0 09.24.2004 -
TrendMicro 7.000 09.23.2004 -



VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about abailability and continuity of this service. Do not reply this message, it has been sent by an automated process that will not handle such responses. Even wh! en the detection rate given by the use of multiple antivirus engines is far superior to the one offered by only one product, this results DONT guarantee the harmlessness of a file. There is no such a solution that can offer a 100% rate of efectiveness recognizing virus and malware.

-----------------------------------

 

And, of course, the eScan AntiVirus Toolkit Utility - which I used to identify
AP4.jpg as infected by "Exploit.IE.Crashsos" Virus - is based on the KAV scan engine and updates.

 

ROFLMAO, damn where can I get your version of Nod?

 

Dunno, but it is based on your settings

 

Do not save the ap4.jpg file to the desktop. It makes a machine unbootable to the desktop (at least after about 5 minutes of waiting; glad I have test machines laying around ). That was kind of fun. Of course if you go into safe mode and delete the file, it boots fine after that.

 

I have come across an interesting discussion on the file in question AP4.jpg, with the following being the most significant observation:

"I just build the 6a JPEG library from the IJG sources and ran it on the
AP4.jpg image through a debugger. The offending code writes data to a
non-allocated buffer. I.e it writes to a pointer pointing out in space. That
is NOT a buffer overrun issue.
Moreover, what is written is the output from the inverse DCT. That is NOT
executable code from an untrusted source. Hence it is not a security issue."

The following link is to the message from which I have quoted.

AP4.jpg discussion

 

It still vexes me a bit that ESET's response to threats depends on whether it's a weekend or not. I understand staffing problems, but it seems that a
worldwide-used AV program may need to ramp up its response ability.

The offending jpg seems a relatively minor bit of malware, but this business of writing offending code into such a common file type is alarming.

John

 

Another zoo virus. NOD32 stops malware infections. Remember that having a piece of malware on one's computer does not automatically mean it has executed. If a virus or other malware has not executed then no harm has happened. Sure we all do not want any malware, executed or non-executed, on our computers but the problem happens if a piece of malware executes. NOD32 stops in-the-wild virii from executing. Right?

Best wishes

 

From what I understand, staffing levels are being looked at...

It would be nice to see 24/7 support, in time I think this will have to happen, though it does take time to train staff...

Cheers

 

Just a brief update. Apparently there is now a GDI+ jpeg exploiting virus in the wild. An analysis of where and how is given here http://www.easynews.com/virus.txt "THIS VIRUS IS NASTY!" I downloaded the zipped virus and checked it out with NOD32. Pleased to say AMON and NOD32 identify the contents of this file - possibleVirus.jpg - as Win32/Exploit.MS04-028 trojan Good to see NOD32 is on the ball, because it looks like this could be the first of many.

 

Good to see the IMON HTTP scanner stops this before downloading!


9/27/2004 17:42:08 PM IMON archive Win32/Exploit.MS04-028 trojan connection terminated

 

In other words, 104 days each year they are not available. For an antivirus proggy, I really have to wonder if that's acceptable.

NOD rocks and is getting more much-deserved recogntion every day. But with that, there comes more scrutiny. Time for Eset to step up and join the big-leagues. They are right on the cusp of making it big in the US, so hopefully they won't be a victim of their own success.