Anyone see this? "I Love You" .jpg exploit

Discussion in 'malware problems & news' started by zopzop, Jun 5, 2008.

Thread Status:
Not open for further replies.
  1. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    i first saw it browsing a mac site, but apparently it's not only limited to macs ( i mean they are discussing it on a video game board) :
    http://forum.teamxbox.com/showpost.php?p=10982646&postcount=89

    the link to it is found on the page above, i know the there's rules against posting direct links to exploits and stuff on the forum.

    basically it's a jpg that opens up a new window with an error message and then opens up outlook express with an "i love you" message to george bush.

    anyone hear of this?
     
  2. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Saving it to the desktop (Debian), and opening it, i get this:
    jpghtml.png
     
  3. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    saving it to a desktop in windows xp opens up outlook express with the "i love you" message to george bush.

    also clicking on the link provided by the teamxbox member also opens up outlook express with the message (but not before getting a blank internet page with an error message in it).

    this is kind of scary, suppose next time someone uses this exploit to run other executables on your pc like format or something else potentially destructive.
     
  4. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    You're using SRP, don't sweat it too much:)
    The only possible problem, is an extension you didn't add to SRP. I don't know how the executable-extensions business works.

    Oh i forgot, clicking from IceWeasel (Firefox) does open Evolution, so i suppose there it's a browser thing. Which makes sense.
     
  5. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    Me confused.

    When I download it my firewall asks if I want to open outlook express (and I say no since I don't use it). But this only happens when I download it (without actually clicking on it). If my firewall is off my HIPS catches it.

    When I actually try to open it (once it's downloaded), nothing happens, even with my firewall turned off.

    I have to say. I've had it up to here (touching my forehead) with malware that doesn't work right on my system. I'm about to just give up and toss my computer in the garbage.
     
  6. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    As shown in the link in the first post, this is nothing more than an html file spoofed as a jpg,
    whose code is the mailto: tag set to trigger upon viewing the file.

    The mailto: tag opens the default mail program, inserts the TO, Subject, and message body.

    People with web pages use this feature all of the time - I do also - it's a shortcut for starting an email message
    from within a web page.

    This is done automatically unless the user has something in place to block the action,
    as malwaretesting indicated.


    ----
    rich
     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    Use Pop Peeper or Popcorn to peruse your email.

    Change your default mail client to accept plain text messages only.
     
  9. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    So, apparently this is an issue with browsers (not really a vulnerability since nothing is actually sent). Code is executed when the browser downloads the file. Apparently it's not an issue after it's actually downloaded.

    But, why does Firefox execute anything at all. I just asked it to download the file and save it on my computer. I never asked it to open the file or scan it in any way. It seems to me the browser should be totally neutral to the contents of a file you ask it to download. I would understand this scenario if I had actually asked Firefox to open the file.

    So, that's why it doesn't make sense to me. But it's not really a huge issue. I don't think it could actually do anything malicious, but I'm not certain.
     
  10. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    There was an element of tongue in cheek in my post. I guess it didn't come across like that. I'm sure if I disabled my security software, I would get the same result you showed in your screenshot.
     
  11. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    yes i understand this version is harmless. but what i was scared of is if there's a way someone could use this to launch format.com or something similar?
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You would have to ask someone who has all of the code to see if this would be possible in this case.


    ----
    rich
     
  13. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    This is a browser issue, isn't it? Can a browser launch any random program, or does it just launch your mail client? I'm not sure of this, but I don't think a browser can just launch any random program. E-mail is the obvious exception (due to the relationship between a browser and mail client), which is why I think this "exploit" was made like this.
     
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, many exploits have been set up as PoC to demonstrate launching of the calculator program - the .wmf exploit from a couple of years back, for example.

    Here is another one using the browser directly - the old MS06-014 MDAC exploit, now requiring an unpatched IE to run.

    The exploit downloaded an executable, renamed it to svchost.exe, then copied it to the tmp directory
    and launched it.

    I modified it to launch notepad.exe directly from the system. Partial code (won't work as is):

    Code:
    <html>
    <script language="VBScript">
    
    <snip>
    
    fname1="C:\WINNT\notepad.exe"
    
    <snip>
    
    ShellExecute fname1
    
    S.close
    </script>
    </html>
    
    I created the file script.html and ran it in the browser:

    browserlaunch_3.gif
    _________________________________________________________________

    So, scripts in html code can do many things.

    I never saw an instance in the wild where any of these exploits like .wmf launched a program already on the computer, or did damage to the computer.

    (I would like to know if anyone has seen such examples of attacks in the wild)

    Why trash the computer? The money to be made is in getting a rogue program on to the victim's computer.


    ----
    rich
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I've not seen an example myself, but I can imagine exploit code launching another instance of the browser and use it as the downloader for the payload.
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, this is a bit different, and you may remember the Google redirect exploit, where IE crashes, then a hidden instance of IE starts which then connects out to download stuff.

    The victim could restart IE and continue on, not realizing what is happening in the background.

    But again, the end result is to download malware.

    I'm thinking of exploits which do something besides that.


    ----
    rich
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Those exploits are nothing more than PoCs like the one you've just analyzed. As you said, destructive payloads aren't interesting right now. But the possibility is there: browser exploit > launch script engine (e.g., wscript.exe) > do nasty things (deleting files, etc)
     
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hi,

    You should disable the browser's ability to automatically launch an external mail client:

    In Firefox:

    about:config

    >> Completely disable:
    network.protocol-handler.external.mailto set to false

    Or at the very least:

    >> Warn before launching:
    network.protocol-handler.warn-external.mailto set to true

    Mrk


    P.S. I will even write a little article about this ...
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This brings to mind a pertinent question: in planning for security, how much weight should one give to possibilities?

    One's mind can think of endless possibilities, which, if left to imagine the worst, can lead to never turning on one's computer!

    In your example, one can disable the script engines. In considering more possibilities, one could end up crippling most of the functions of the computer, depending on what was disabled.

    Here is one possibility I discussed recently with a friend:

    Microsoft Security Bulletin MS08-021 – Critical
    http://www.microsoft.com/technet/security/bulletin/ms08-021.mspx

    If someone came to you (anyone here) having seen this security advisory, what would you advise? At this point, a patch has not yet been released. (I'll give my response later)

    (One could substitute this thread's example of the mailto: exploit -- what would you advise someone who is concerned about this? Mrk's suggestion is for FireFox users)


    ----
    rich
     
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,

    Similar for Opera, about:config, mail, set handler to 0.

    For IE users, this is a problem, because IE does not like mail handler being disabled. Best solution for IE seems to be:

    -LUA (+SRP).
    -DropMyRights if you use admin (with C or U token rather than N).
    -Disabling Outlook Express and using other mail clients, with messages set to text only; disabling Outlook Express and not just using a different mail client, because IE might decide to open the links in OE anyhow.
    - Not using IE ...

    You can all test this at home - this is a benign example:

    Here's html code, just copy-paste to a text editor, save as html, open in any of the browsers and see what happens:

    <html>
    <body>
    <a href="mailto:mailaddress@somedomain.com">Click here</a>
    </body>
    </html>

    If you set handler to 0 in Opera, Firefox, nothing happens.
    If you set to warn in Firefox, you are asked whether you want to launch an external application - and which.

    Mrk
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    What do you see as a potential threat in the use of the mailto: tag?


    ----
    rich
     
  23. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,
    Haven't really thought about it in depth.
    Gimme a few hours to ponder.
    Mrk
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    If no real threat, why disable a useful function of the browser?

    If the possibility of a threat exists, I would like to see where an attack used it.


    ----
    rich
     
  25. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    IMO, it depends on the user's risk exposure and his/her level of paranoia. For example, I'd call hardware/BIOS rootkits a no threat for everybody (at least for now). On the other hand, I'd call destructive payloads as a very low risk threat for almost everybody. The risk would be higher for an user who:
    - manages critical information (information that, if deleted/corrupted/hijacked, would bring great losses).
    - doesn't know the state (up-to-date, outdated) of his/her backups or has no backups at all.
    - has computer habits that make him/her prone to encounter malware-infested content (happy-clicking).
    For security-conscious users, destructive payloads aren't a threat.
     
Loading...
Thread Status:
Not open for further replies.