Can NOD32 detect malformed JPEGS?

Discussion in 'NOD32 version 2 Forum' started by asterisk, Oct 15, 2004.

Thread Status:
Not open for further replies.
  1. asterisk

    asterisk Registered Member

    Joined:
    Oct 15, 2004
    Posts:
    1
    As I understand it, the Microsoft JPEG vulnerability is exploited by a simple and detectable malforming of a JPEG file. The two bytes that specify the length of the comment field must be 2 (which is the size of the field when only these bytes are present) or more (depending on the size of the comment). If set to the illegal values of 0 or 1, then Microsoft JPEG processing malfunctions in a way that can give a hacker control of the computer.

    Microsoft's fix is to replace its flawed processing files with corrected versions. But this is not foolproof since the old versions may get reinstalled later, perhaps by some program the user installs. Some Microsoft programs make the situation worse with the 'feature' of ignoring extensions and processing misnamed JPEGs, offering hackers a way to hide the exploit.

    These image files are dangerous. It would be best to detect and exclude them. It seems simple to examine the value of the comment field variable in JPEGs. If the value is 0 or 1 then the JPEG is suspect. If 2 or more, fine. Further, all graphic files should be checked to see if they are really misnamed JPEGs.

    These corrupt image files are dangerous to have in a computer, even if it is currently patched. If the old JPEG software gets reinstalled, then the dormant files could act.

    This isn't a virus problem, true. But it is a unique and serious security issue. Does NOD32 detect malformed JPEGs? If so, great! If not, why not?
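    The structural check asterisk describes above (a COM segment whose two-byte length is 0 or 1, and sniffing files by content rather than extension) is small enough to show in full. The script below is an added example written for this thread; it is not NOD32's detection logic and was not posted by anyone in the discussion. The sample files it scans are constructed inline (a few bytes each, not real exploit files), and the verdict strings ('clean', 'ms04-028', 'malformed', 'not-jpeg') are names chosen here, not any product's naming.

```python
"""Check JPEG files for the MS04-028 comment-length trick.

Added example for this thread; it is not NOD32 code and not from any poster.
A JPEG is a chain of marker segments: 0xFF, a marker byte, then for most
markers a 2-byte big-endian length that includes the length field itself.
A COM (comment, 0xFFFE) segment can therefore never legally declare a length
of 0 or 1, which is exactly the value the vulnerable GDI+ parser mishandled.
"""
import struct
from typing import Optional

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: TEM and the RSTn restart markers.
STANDALONE = {0x01} | set(range(0xD0, 0xD8))


def is_jpeg(data: bytes) -> bool:
    """Identify a JPEG by its leading SOI marker, whatever the extension says."""
    return data[:2] == b"\xff\xd8"


def classify(data: bytes) -> str:
    """Return 'not-jpeg', 'clean', 'ms04-028' (COM length 0 or 1) or
    'malformed' (other structural breakage before the image data starts)."""
    if not is_jpeg(data):
        return "not-jpeg"
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return "malformed"            # marker expected, found data
        marker = data[pos + 1]
        if marker == 0xFF:                # optional fill byte
            pos += 1
            continue
        pos += 2
        if marker == EOI or marker == SOS:
            return "clean"                # header walk done; scan data or end
        if marker in STANDALONE:
            continue
        if pos + 2 > n:
            return "malformed"            # length field cut off
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            # Illegal: the length counts its own two bytes. In a COM segment
            # this is the MS04-028 trigger; anywhere else it is still corrupt.
            return "ms04-028" if marker == COM else "malformed"
        pos += length
    return "malformed"                    # ran off the end without EOI/SOS


def scan(files: dict) -> dict:
    """Classify a mapping of filename -> bytes. Files are sniffed by content,
    so a JPEG renamed to .gif is still checked (the misnamed-file case)."""
    return {name: classify(data) for name, data in files.items()}


def segment(marker: int, payload: bytes, declared: Optional[int] = None) -> bytes:
    """Build one marker segment; `declared` overrides the true length field."""
    length = len(payload) + 2 if declared is None else declared
    return b"\xff" + bytes([marker]) + struct.pack(">H", length) + payload


# Constructed sample files (not real malware): a well-formed comment, the two
# illegal comment lengths, the same bad file with a misleading extension, and
# a genuine non-JPEG for contrast.
SAMPLES = {
    "good.jpg":    b"\xff\xd8" + segment(COM, b"hello") + b"\xff\xd9",
    "len0.jpg":    b"\xff\xd8" + segment(COM, b"hello", declared=0) + b"\xff\xd9",
    "len1.jpg":    b"\xff\xd8" + segment(COM, b"hello", declared=1) + b"\xff\xd9",
    "renamed.gif": b"\xff\xd8" + segment(COM, b"hello", declared=0) + b"\xff\xd9",
    "real.gif":    b"GIF89a" + b"\x00" * 8,
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:12s} {verdict}")
```

    The walk stops at the first SOS marker because everything after it is entropy-coded image data, where 0xFF bytes are escaped differently and the segment rules no longer apply. Note that this flags the trigger structure, not any particular payload, so it will also catch a proof-of-concept file that only crashes the viewer; a signature-based scanner that keys on the shellcode, as the AV verdicts later in the thread suggest, can miss a variant with the same broken header and a different payload.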
     
  2. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Yes, NOD detects these JPEG files as Win32/Exploit.MS04-028 trojan
     
  3. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
  4. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    I have to agree with Mele. You can d/l that file and NOD doesn't say anything, with definitions 1.896 (20041015)
    My other box w/Panda refuses to allow the d/l...IMHO NOD doesn't detect malformed JPEGS.
    Cheers :)
     
  5. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    No, NOD32 is ***able*** to detect JPEG/JPG files that try to exploit the MS04-028 vulnerability (malformed JPEG/JPG files). Maybe your NOD32 isn't configured to scan all files.
    Look at the picture: I tried to copy a JPG file that is malformed and tries to download another backdoor.
     

    Attached Files:

  6. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Make sure your NOD is set to scan all files in AMON, IMON, NOD32 Scanner...
    If NOD isn't able to detect the JPEG/JPG file, maybe it can be a FP or a new vulnerability. I have at least 5 malformed JPEG files (a proof-of-concept, a downloader...) and all are detected as Win32/Exploit.MS04-028 trojan.

     
  7. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
  8. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    I tried it fredra and NOD doesn't pick up anything. SP2 DEP stops jpg1 from opening though on my system at least. Jpg2 opens as it should, no buffer overflow or system crash, so there is a possibility that the files are not malicious, although the author seems to feel they are and they demonstrate his point.
     
  9. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    As of today's update, they are now detected.
    NOD32 - v.1.897 (20041018)

    Time Module Object Name Virus Action User Info
    10/18/2004 15:43:41 PM AMON file C:\Documents and Settings\usernamehere\Desktop\jpeg\1.jpg Win32/Exploit.MS04-028 trojan

    C:\Documents and Settings\usernamehere\Desktop\jpeg\2.jpg - Win32/Exploit.MS04-028 trojan

     
  10. ?asterisk

    ?asterisk Guest

  11. ?asterisk

    ?asterisk Guest

    Slight correction to my last post . . . I failed to notice that rumpstah's computer NOD32 v.1.897 detects BOTH 1.jpg and 2.jpg. However, mine only detects 1.jpg. It does not detect a problem with 2.jpg.

    I am using the original version of NOD32, not version 2. So that presents another question. Is there any reason that detection should be different when scanning these files using the same v.1.897 database?
     
  12. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    You might upload the copy of your 2.jpg here to see if it may be corrupted or something?
    http://virusscan.jotti.dhs.org/


    File: 2.jpg
    Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    Packers detected: None

    AntiVir TR/Exploit.MS04-28 (1.22 seconds taken)
    Avast No viruses found (3.12 seconds taken)
    BitDefender Exploit.Win32.MS04-028.Gen (2.55 seconds taken)
    ClamAV No viruses found (2.77 seconds taken)
    Dr.Web Exploit.MS04-028 (4.19 seconds taken)
    F-Prot Antivirus No viruses found (0.39 seconds taken)
    Kaspersky Anti-Virus Exploit.Win32.MS04-028.b (4.12 seconds taken)
    mks_vir No viruses found (1.34 seconds taken)
    NOD32 Win32/Exploit.MS04-028 (2.25 seconds taken)
    Norman Virus Control No viruses found (1.01 seconds taken)
     
  13. ?asterisk

    ?asterisk Guest

    That service indeed shows NOD32 as detecting both 1.jpg and 2.jpg. Edited from the report:

    File: 1.jpg
    NOD32 Win32/Exploit.MS04-028 (2.44 seconds taken)

    File: 2.jpg
    NOD32 Win32/Exploit.MS04-028 (3.68 seconds taken)

    But NOD32 (Version 1), with the v.1.897 database on my computer definitely does NOT detect the same 2.jpg file. What could be the reason? Here is my log:

    Scanning log
    NOD32 1.897 (20041018) NT
    Command line: /all /quit- C:\Documents and Settings\User\Desktop\JPEG VULNERABILITY DEMO!\fulldisclosure\1.jpg
    Scanning memory for viruses: OK
    Checking NOD32.EXE
    date: 18.10.2004 time: 23:14:31
    Checking disks and directories: C:\Documents and Settings\User\Desktop\JPEG VULNERABILITY DEMO!\fulldisclosure\1.jpg
    C:\Documents and Settings\User\Desktop\JPEG VULNERABILITY DEMO!\fulldisclosure\1.jpg - Win32/Exploit.MS04-028 trojan
    number of diagnosed files: 1
    number of viruses found: 1
    number of active viruses: 1
    termination time: 23:14:31 total time: 0 sec (00:00:00)

    Scanning log
    NOD32 1.897 (20041018) NT
    Command line: /all /quit- C:\Documents and Settings\User\Desktop\JPEG VULNERABILITY DEMO!\fulldisclosure\2.jpg
    Scanning memory for viruses: OK
    Checking NOD32.EXE
    date: 18.10.2004 time: 23:14:38
    Checking disks and directories: C:\Documents and Settings\User\Desktop\JPEG VULNERABILITY DEMO!\fulldisclosure\2.jpg
    number of diagnosed files: 1
    number of viruses found: 0
    termination time: 23:14:38 total time: 0 sec (00:00:00)
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Have you got "Scan All Files" ticked?

    Cheers :D
     
  15. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Why not upgrade to Version 2? It is a free upgrade if your license is current. ;)

    The reason why your v1 does not detect the 2.jpg while scanning is because of the AH in Version 2. If you turn off AH in Version 2, 2.jpg goes undetected.

    I hope this helps.

     
  16. ?asterisk

    ?asterisk Guest

    Yes, your reply was helpful. The reason I haven't changed to Version 2 is that I generally like staying a bit behind the crest of the wave to avoid new problems when my computer is stable and working well. I had seen some comments about slow shutdown/bootup problems with Version 2 and didn't want to get into an install/uninstall mess. Since I have never had a single problem with Version 1, it seemed reasonable to keep using it. I knew I would be missing a nicer interface, but thought that detection would be identical with the same database. This episode shows that detection is improved in Version 2, so after my next backup I will install it. Thanks.
     
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Ahhhh of course ;) Doh! :D

    Cheers :D
     