Free scanner + repair for infected JPEGs (for MS04-028)

Discussion in 'other anti-virus software' started by Wayne - DiamondCS, Oct 22, 2004.

Thread Status:
Not open for further replies.
  1. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    As many of you would know there is a critical vulnerability that allows attackers to gain control over a remote system simply by enticing the victim into viewing a specially-crafted JPEG file.

    A free scanner has now been released to help with the detection and disinfection/repair of JPEG files infected with MS04-028 exploit code. The scanner is available in both console and GUI user interfaces, and at less than 30kbs in size it's a quick download and easy to use. More information and the direct download link can be found here:
    http://www.diamondcs.com.au/jpegscan/

    Please help us spread the word, and please share with your friends and colleagues to help reduce their chance of infection. Enjoy the program. :)
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    OOooo this is nice, Wayne! :D

    I just did the scan.

    Files: just over 63,000 (finished too fast for me to get the exact amount)
    JPEGs: 10,559 exactly (I didn't know I had that many..whoops) :ninja:
    just about under 20 min. wow!

    Thank you! :D

    snap

    Edit - oh, they are all clean. *puppy*
     
  3. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    nice tool ! :)
     
  4. Rita

    Rita Infrequent Poster

    Joined:
    Jun 28, 2004
    Posts:
    6,863
    Location:
    wilds of wv
    Hi Wayne
    thanks for link, downloaded and ran scan -- no infections :D
    Rita
     
  5. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    Thank you.

    :D
     
  6. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Wayne,

    Many thanks. Diamondcs has saved me many a time. Always appreciate your service to your users and the community in general.

    Regards,
    Rich
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks a lot Wayne & team, clean again!
    Nice one can choose the whole network to be scanned.
     
  8. FanJ

    FanJ Guest

    Thanks from me too, Wayne and the whole DCS-team !!!!! :D

    Nice !

    Just scanned with it over more than 2000 JPEG-files : clean ;)

    Thanks again.
    Keep up the good work !!!

    Warm regards, Jan.
     
  9. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Clean. No infections found. ;)
     
  10. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    can you tell me if you've changed the MD5? thanks :) this is what i get
    D9A58E98571E1C141A47B2F2ED6D47BD
    this is from your download page
    86DCD690942165F54D019FCE86BEE048
     
  11. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    The MD5 is for the ZIP not the EXE, so your MD5 calculation is correct but your target isn't. That's an easy mistake to make though so I've just updated the webpage to read "ZIPfile MD5:" instead of just "MD5:" so hopefully that will prevent anyone else accidentally making that same mistake. :)
    Thanks
     
  12. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    thanks for the help and scanner, Wayne :) i'll try it out now.
     
  13. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    you're too nice to me, i clearly don't deserve you
     
  14. ninja_style

    ninja_style Registered Member

    Joined:
    Oct 12, 2004
    Posts:
    41
    no infections :) .
     
  15. darkmatter

    darkmatter Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    25
    Nice tool, no infections and best of all its free!! :D :D

    Cheers
     
  16. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Now actually what's the purpose of an on-demand JPEG exploit scanner? You are surely aware that the exploit gets executed before the browser saves the JPEG to disk (cache), most likely because of the exception, the JPEG file won't be saved at all to disk. So an on-demand scanner makes no sense at all.

    Furthermore, your scanner doesn't detect the two other known JPEG exploits. And all other antivirus companies added detection for MS04-28 like 2-3 weeks ago.

    And what good is it to "repair" a JPEG containing MS04-28? It's a trojan, not a virus. Important fields are overwritten and you only can guess its content.
     
  17. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Stefan,

    That statement is effectively the same as "what's the purpose of an on-demand virus scanner?".

    Incorrect. It depends on the software used and how the images are downloaded. If I FTP into a site and download a bunch of JPEGs, none of them have been viewed. JPEGScan allows you to scan them before viewing. In some cases such as Internet Explorer then yes files are rendered and saved to disk at the same time, although if you have a link to an image you can right-click on it and choose "Save To Disk...", where you can then scan the image before viewing it.

    Actually not all of them detect infected JPEGs, and of those that do, very few do it properly, as various public posts have shown. JPEGScan properly walks through each "block" in the JPEG file (as defined by the official JPEG structure), allowing it to analyse every block to check for the undersized buffer references which indicate the presence of MS04-028 infection. This is the most effective way to detect all possible variations of the exploit, regardless of where they're located in the file.

    In many cases it's a real JPEG that has been modified. Repairing allows the image to be safely viewed again.

    No, it's a buffer exploit. It is not a virus, it is not a trojan, although it does allow for a trojan to be downloaded and executed.

    Smart analysis of blocks can determine their correct/original size, allowing the image to become correctly viewable again if the file was indeed based on a real image. (You can either manually hand-craft a MS04-028-infected JPEG or modify an existing image to become infected).

    In regards to various advantages JPEGScan offers ...

    - It allows you to scan images before you send them to your friends (you may have updated your system, but you have no control over others)

    - It's free so you can give it to people who don't have an AV or can't even buy one as they don't have a credit card.

    - It's tiny so it's easy to give to friends even on slow modems.

    - It detects all known variants (including 00/01, FE/E1/E2/ED, etc). You've stated that it doesn't detect two variations, but haven't provided any evidence or links to examples, I'm assuming that you're just assuming it doesn't detect them? If you do have an undetected variant then please simply let us know.

    - It allows network administrators to rapidly sweep their networks to find infected images.

    - It offers a Repair capability where infected images can be restored so that they're a) no longer harmful and b) can become viewable again in most cases, assuming the file was based on a real image.

    - It's a tool that complements Microsoft's patch, especially seeing as the patch isn't 100% bulletproof. It's easy to install a 3rd-party application which uses its own potentially vulnerable version of gdiplus.dll, rendering you vulnerable all over again, so JPEGScan offers another line of defence.

    Anyway, it's free - nobody is forcing you to use it, so what's the problem?

    Best regards,
    Wayne
     
    Last edited: Oct 25, 2004
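As an added illustration of the block-walking approach described in the post above (example code written for this page, not DiamondCS's code and not how JPEGScan itself is implemented): the MS04-028 condition is a marker segment whose 16-bit length field, which by the JPEG specification counts its own two bytes, is declared as 0 or 1, so a parser that computes length-2 underflows. The walker below visits each segment up to SOS and flags any length-bearing segment (COM, APPn, and so on) with a length below 2; the two sample images are constructed inline.

```python
import struct

# Markers with no length field: SOI, EOI, TEM, RST0-RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))

def walk_segments(data):
    """Yield (offset, marker, declared_length) for each marker segment.

    The walk stops at SOS (0xDA), where entropy-coded data begins, at EOI,
    or at the first byte that is not a marker (a sign the structure is broken).
    """
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return                      # stray data where a marker should be
        marker = data[pos + 1]
        if marker == 0xFF:
            pos += 1                    # 0xFF fill byte before a marker
            continue
        if marker in STANDALONE:
            yield pos, marker, None
            if marker == 0xD9:
                return
            pos += 2
            continue
        if pos + 4 > len(data):
            return                      # truncated segment header
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield pos, marker, length
        if marker == 0xDA:
            return
        # A length below 2 cannot cover its own field; skip only the 4-byte header.
        pos += 2 + max(length, 2)

def find_ms04_028(data):
    """Return [(offset, marker, length)] for segments whose length field is < 2."""
    return [(off, m, ln) for off, m, ln in walk_segments(data)
            if ln is not None and ln < 2]

# Constructed samples: a JFIF APP0 header followed by a COM (0xFE) segment.
_APP0 = b"\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
CLEAN_JPEG = b"\xFF\xD8" + _APP0 + b"\xFF\xFE\x00\x07hello" + b"\xFF\xD9"
BAD_JPEG = b"\xFF\xD8" + _APP0 + b"\xFF\xFE\x00\x01" + b"A" * 8 + b"\xFF\xD9"

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_JPEG), ("bad", BAD_JPEG)):
        hits = find_ms04_028(img)
        print(name, "hits:", [(o, f"FF{m:02X}", ln) for o, m, ln in hits])
```

Because the check is on the length field rather than on a fixed marker, the same walk covers the 00/01 length values in COM as well as the E1/E2/ED application segments mentioned above.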
  18. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Not at all. Regular malware (executables) must be stored on your hard disk before you can execute them. The JPEGs are parsed in RAM by the browser (IE), thus, both on-demand and on-access scanners totally fail to protect you from such exploit files.

    Look at the way those JPEG exploit files are delivered, no one is downloading them from FTP or right-clicking & saving them to hard disk. They are placed on web places. The only way to catch them reliably is HTTP scanning (LSP/proxy scanning module).

    I needed less than 15 minutes to add proper detection of all variants of MS04-28 - it's a bad joke that so many antivirus companies did it wrong - or still don't have proper detection. I had more fun adding detection for the various Office exploits (MS03-37, 03-50, 04-33).

    I was not talking about MS04-28 variants, I was talking about "new" exploits, they don't even have MSnn-nnn names yet. One has a very well-known sample floating around (AP4.JPG), the exploit is in the FF DA field. The other uses the FF C0 field (X/Y size fields of it). I did not assume, I actually tested that your scanner doesn't detect those files. Information about those exploits is available on the various AV/security related mailing lists/pages which I assume you surely read.

    The reason why I posted is because quite a few users responded to your initial posting and looked quite happy, thinking they are protected. Which they are not unless they're using a HTTP stream scanner or use the MS patch.
     
  19. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    This scanner, like the SANS scanner, and like Microsoft's gdiplus.dll scanner, is for MS04-028 (the most critical), and yes it does detect all variations of that. We've never said it detects other vulnerabilities - if you gave us a URL to your scanner (http://www.geocities.com/SiliconValley/Heights/7538/fwin2.htm no longer works) we'd be able to find vulnerabilities that your scanner doesn't detect either, but we've got better things to do.

    PS.
    A minute ago you were questioning the point of a scanner for MS04-028, yet you've written your own ... ? ;)
     
    Last edited: Oct 25, 2004
  20. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    701
    Well, what's the purpose to release a standalone JPEG scanner when it cannot handle all known JPEG exploits?

    We actually do gateway/proxy scanning so adding detection to our scan engine makes sense. The exploits are caught before they reach the user's machine.
     
  21. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    What's the purpose of your anti-virus scanner when it cannot handle all known viruses? As already stated dozens of times JPEGScan is for MS04-028 and yes it handles all known variants.

    A password-protected zip file cannot be scanned inside by anti-virus software allowing it to get through to the end user. Also, gateway scanners only scan in common protocols on certain ports, ie. SMTP. They don't stop things like IRC, peer-to-peer protocols etc, so even with your proxy/gateway scanner your end-users would still find JPEGScan a valuable addition to their toolkit.

    JPEGScan was released specifically for MS04-028 because of the scope and critical nature of this specific vulnerability. The vulnerabilities you're referring to are not anywhere near as well known or as critical or as documented and don't affect as much software, and if we start adding detection for those then we should add detection for every little vulnerability no matter how small, so where does it stop - when it becomes a full-blown anti-virus program? If other JPEG vulnerabilities become anywhere near as critical as MS04-028 (not likely) then we'll add detection, but at this stage it seems that those vulnerabilities will just be the type that regularly come and go, whereas MS04-028 is already causing a big impact, especially as there are already Do-It-Yourself JPEG construction kits out there (ie. the JPEG Downloader creator), so now any script kiddie can create MS04-028 JPEGs whereas for the vulnerabilities you're referring to they're still nothing more than proof-of-concept, and aren't likely to be targeted very much considering the various other exploits that are available. Compared to what we could be doing it's a bit of a waste of time adding detection for something that virtually nobody will encounter, but obviously if they ever did become anywhere near as popular as MS04-028 then we'll add them.
     
    Last edited: Oct 25, 2004
  22. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Just one tip

    While scanning it is a good idea to turn off your antivirus, otherwise, especially if you have KAV, it will pop up every couple of seconds with a warning (I know I have some malware on my computer in a safe location for examination), and it also really slows down the scan with AV running.

    Make sure you are NOT connected to the net first though if you do turn off the AV.
     
  23. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    This JPEG scanner is just to help people clean their computers of this JPEG problem.
    Stefan Kurtzhals, from your posts I think you're about to turn this thread into an argument. I'd rather you stop posting in this thread, we guys on Wilders Security Forums have better things to do than to argue with you.
     
  24. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    Nadirah

    I don't think Stefan Kurtzhals was trying to create any nasty arguments even though he disagreed with the free scanner by DiamondCS.

    He was just asking some valid questions and I guess Wayne - DiamondCS answered all his questions.

    Perhaps Stefan Kurtzhals is a competitor of DiamondCS? In that case I can understand where he is coming from. (you stealing my customers sort of thing ... )

    If that is the case (competitor) then Stefan Kurtzhals should come up with something better than DiamondCS so that the public can test and evaluate it out. (it should be Free by the way).

    Otherwise, Stefan Kurtzhals will be viewed as an aggressive "bad guy" because of his unconstructive criticism. No point slagging people off unless you can come up with something better (especially when it comes to business competition).

    I still think Stefan Kurtzhals asked some valid questions and Wayne - DiamondCS handled the questions rather well so far. So no need to be aggressive.

    The public will be the judge.

    :D
     
  25. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    I am interested in this discussion!
    Regards,

    Gerard
     