Free scanner + repair for infected JPEGs (for MS04-028)

As many of you would know there is a critical vulnerability that allows attackers to gain control over a remote system simply by enticing the victim into viewing a specially-crafter JPEG file.

A free scanner has now been released to help with the detection and disinfection/repair of JPEG files infected with MS04-028 exploit code. The scanner is available in both console and GUI user interfaces, and at less than 30kbs in size it's a quick download and easy to use. More information and the direct download link can be found here:
http://www.diamondcs.com.au/jpegscan/

Please help us spread the word, and please share with your friends and colleagues to help reduce their chance of infection. Enjoy the program.

 

OOooo this is nice, Wayne!

I just did the scan.

Files: just over 63,000 (finished too fast for me to get the exact amount)
JPEGs: 10,559 exactly (I didn't know I had that many..whoops)
just about under 20 min. wow!

Thank you!

snap

Edit - oh, they are all clean.

 

nice tool !

 

Hi Wayne
thanks for link,downloaded and ran scan--no infections
Rita

 

Thank you.

 

Hi Wayne,

Many thanks. Diamondcs has saved me many a times. Always appreciate your service to your users and the community in general.

Regards,
Rich

 

Thanks a lot Wayne & team, clean again!
Nice one can choose the whole network to be scanned.

 

Thanks from me too, Wayne and the whole DCS-team !!!!!

Nice !

Just scanned with it over more than 2000 JPEG-files : clean

Thanks again.
Keep up the good work !!!

Warm regards, Jan.

 

Clean. No infections found.

 

can you tell me you've changed the MD5? thanks this is what i get
D9A58E98571E1C141A47B2F2ED6D47BD
this is from your download page
86DCD690942165F54D019FCE86BEE048

 

The MD5 is for the ZIP not the EXE, so your MD5 calculation is correct but your target isn't. That's an easy mistake to make though so I've just updated the webpage to read "ZIPfile MD5:" instead of just "MD5:" so hopefully that will prevent anyone else accidentally making that same mistake.
Thanks

 

thanks for the help and scanner, Wayne i'll try it out now.

 

your to nice to me i clearly dont deserve you

 

no infections .

 

Nice tool, no infections and best of all its free!!

Cheers

 

Now actually whats the purpose of a on-demand JPEG exploit scanner?
You are surely aware that the exploits gets executed before the browser
saves the JPEG to disk (cache), most likely because of the exception, the
JPEG file won't be saved at all to disk. So an on-demand scanner makes
no sense at all.

Furthermore, your scanner doesn't detect the two other known JPEG exploits. And all other antivirus companies added detection for MS04-28 like 2-3 weeks
ago.

And what good is it to "repair" a JPEG containing MS04-28? It's a trojan,
not a virus. Important fields are overwriten and you only can guess it's
content.

 

Stefan,

That statement is effectively the same as "what's the purpose of an on-demand virus scanner?".

Incorrect. It depends on the software used and how the images are downloaded. If I FTP into a site and download a bunch of JPEGs, none of them have been viewed. JPEGScan allows you to scan them before viewing. In some cases such as Internet Explorer then yes files are rendered and saved to disk at the same time, although if you have a link to an image you can right-click on it and choose "Save To Disk...", where you can then scan the image before viewing it.

Actually not all of them detect infected JPEGs, and of those that do, very few do it properly, as various public posts have shown. JPEGScan properly walks through each "block" in the JPEG file (as defined by the official JPEG structure), allowing it to analyse every block to check for the undersized buffer references which indicate the presence of MS04-028 infection. This is the most effective way to detect all possible variations of the exploit, regardless of where they're located in the file.

In many cases it's a real JPEG that has been modified. Repairing allows the image to be safely viewed again.

No, it's a buffer exploit. It is not a virus, it is not a trojan, although it does allow for a trojan to be downloaded and executed.

Smart analysis of blocks can determine their correct/original size, allowing the image to become correctly viewable again if the file was indeed based on a real image. (You can either manually hand-craft a MS04-028-infected JPEG or modify an existing image to become infected).

In regards to various advantages JPEGScan offers ...

- It allows you to scan images before you send them to your friends (you may have updated your system, but you have no control over others)

- It's free so you can give it to people who don't have an AV or can't even buy one as they don't have a credit card.

- It's tiny so it's easy to give to friends even on slow modems.

- It detects all known variants (including 00/01, FE/E1/E2/ED, etc). You've stated that it doesn't detect two variations, but haven't provided any evidence or links to examples, I'm assuming that you're just assuming it doesn't detect them? If you do have an undetected variant then please simply let us know.

- It allows network administrators to rapidly sweep their networks to find infected images.

- It offers a Repair capability where infected images can be restored so that they're a) no longer harmful and b) can become viewable again in most cases, assuming the file was based on a real image.

- It's a tool that compliments Microsoft's patch, especially seeing as the patch isn't 100% bulletproof. It's easy to install a 3rd-party application which uses its own potentially vulnerable version of gdiplus.dll, rendering you vulnerable all over again, so JPEGScan offers another line of defence.

Anyway, it's free - nobody is forcing you to use it, so what's the problem?

Best regards,
Wayne

 

Not at all. Regular malware (executables) must be stored on your hard disk before you can execute them. The JPEGs are parsed in RAM by the browser (IE), thus, both on-demand and on-access scanners totally fail to protect you from such exploit files.

Look at the way those JPEG exploit files are delivered, no one is downloading them from FTP or right-clicking & saving them to hard disk. They are placed on web places. The only way to catch them reliable is a HTTP scanning (LSP/proxy scanning module).

I needed less than 15 minutes to add propper detection of all variants of MS04-28 - it's a bad joke that so many antivirus companies did it wrong - or still don't have propper detection. I had more fun adding detection for the various Office exploits (MS03-37, 03-50, 04-33).

I was not talking about MS04-28 variants, I was talking about "new" exploits, they don't even have MSnn-nnn names yet. One is has a very well known sample floating around (AP4.JPG), the exploit is in the FF DA field. The other uses the FF C0 field (X/Y size fields of it). I did not assume, I actually test that your scanner doesn't detect those files. Information about those exploits is available on the various AV/security related mailing lists/pages which I assume you surely read.

The reason why I posted is because quite a few users responded to your initial posting and looked quite happy, thinking they are protected. Which they are not unless they using a HTTP stream scanner or use the MS patch.

 

This scanner, like the SANS scanner, and like Microsoft's gdiplus.dll scanner, is for MS04-028 (the most critical), and yes it does detect all variations of that. We've never said it detects other vulnerabilities - if you gave us a URL to your scanner (http://www.geocities.com/SiliconValley/Heights/7538/fwin2.htm no longer works) we'd be able to find vulnerabilities that your scanner doesn't detect either, but we've got better things to do.

PS.

A minute ago you were questioning the point of a scanner for MS04-028, yet you've written your own ... ?

 

Well, what's the purpose to release a standalone JPEG scanner when it cannot handle all known JPEG exploits?

We actually do gateway/proxy scannning so adding detection to our scan engine makes sense. The exploits are caught before they reach the users machine.

 

What's the purpose of your anti-virus scanner when it cannot handle all known viruses? As already stated dozens of times JPEGScan is for MS04-028 and yes it handles all known variants.

A password-protected zip file cannot be scanned inside by anti-virus software allowing it to get through to the end user. Also, gateway scanners only scan in common protocols on certain ports, ie. SMTP. They don't stop things like IRC, peer-to-peer protocols etc, so even with your proxy/gateway scanner your end-users would still find JPEGScan a valuable addition to their toolkit.

JPEGScan was released specifically for MS04-028 because of the scope and critical nature of this specific vulnerability. The vulnerabilities you're referring to are not anywhere near as well known or as critical or as documented and dont affect as much software, and if we start adding detection for those then we should add detection for every little vulnerability no matter how small, so where does it stop - when it becomes a full-borne anti-virus program? If other JPEG vulnerabilities become anywhere near as critical as MS04-028 (not likely) then we'll add detection, but at this stage it seems that those vulnerabilities will just be the type that regularly come and go, whereas MS04-028 is already causing a big impact, especially as there are already Do-It-Yourself JPEG construction kits out there (ie. the JPEG Downloader creator), so now any script kiddie can create MS04-028 JPEGs whereas for the vulnerabilities you're referring to their still nothing more than proof-of-concept, and aren't likely to be targetted very much considering the various other exploits that are available. Compared to what we could be doing it's a bit of a waste of time adding detection for something that virtually nobody will encounter, but obviously if they ever did become anywhere near as popular as MS04-028 then we'll add them.

 

This JPEG scanner is just to help people clean their computers of this JPEG problem.
Stefan Kurtzhals, from your posts I think you're about to turn this thread into an argument. I rather you stop posting in this thread, we guys on Wilders Security Forums have better things to do than to argue with you.

 

Nadirah

I don't think Stefan Kurtzhals was trying to create any nasty arguments eventhough he disagreed with the free scanner by DiamondCS

He was just asking some valid questions and I guess Wayne - DiamondCS answered all his questions.

Perhaps Stefan Kurtzhals is a competitor of DiamondCS? In that case I can understand where he is coming from. (you stealing my customers sort of thing ... )

If that is the case (competitor) then Stefan Kurtzhals should come up with something better than DiamondCS so that the public can test and evaluate it out. (it should be Free by the way).

Otherwise, Stefan Kurtzhals will be viewed as agressive "bad guy" because his unconstructive criticism. No point slagging people off unless you can come up with something better (especially when comes to business competition).

I still think Stefan Kurtzhals asked some valid questions and Wayne - DiamondCS handled the questions rather well so far. So no need to be agressive.

The public will be the judge.

 

I am interested in this discussion!
Regards,

Gerard