New JPG exploit?

MrBrian · Sep 1, 2010

From 4 Image Viewers for Better Photo Viewing and Protection Against JPG Exploit:

Today my recommendation to every Windows user is to use a third party image viewer and STOP USING the default image viewer provided by Microsoft. Reason is I recently found out that there is a private JPG exploit (selling as much as $4000) that when you double click on the JPG file and you can instantly get infected by malware turning your computer into a bot. This is either done by binding the malware into the JPG file or the JPG file is able to secretly download and run the malware. This updated JPG exploit is similar to MS04-028 but still unknown by Microsoft.
Click to expand...

MrBrian · Sep 1, 2010

From same author in comments:

vdyll, I don’t know how it exactly works but I’ve seen it in action before. It’s an exploit and like i mentioned there are people selling it at $4,000 in underground forums.

This exploit only works on the default image viewer in Windows, hence using other image viewers protects the user from this exploit.
Click to expand...

Carbonyl · Sep 1, 2010

Hrm. I find this a tad bit peculiar, but without knowing more details there's really no way to judge what's going on here as anything but hearsay.

My gut instinct is to say that what the author in question observed was an iteration of the "DLL planting" issue we've seen surface recently. But, again, without more information, it's hard to say anything.

Rmus · Sep 1, 2010

This is either done by binding the malware into the JPG file or the JPG file is able to secretly download and run the malware. This updated JPG exploit is similar to MS04-028 but still unknown by Microsoft.
Click to expand...

Without more information, it's speculation as to how it is done.

The fact that this exploit is an update of MS04-028 and that it is triggered only by the MS viewers suggests that the malformed jpeg file triggers a vulnerability in a GDI DLL (buffer overflow) or something similar that only the MS viewers use.

At that time (2004) hackers were selling a tool to create the malformed jpeg files:

HTool/Exp-MS04-028
http://vil.nai.com/vil/content/v_128578.htm

A search didn't reveal any other analysis of the current exploit. However, I did find this video, but wasn't able to watch it. Someone else can watch it and see if it's related to this one under discussion.

hxxp://il.youtube.com/watch?v=Id-UYyqGxJY

----
rich

Carbonyl · Sep 1, 2010

Very interesting, Rmus! I was able to view the video with the same YouTube ID tag at hxxp://www.youtube.com/watch?v=Id-UYyqGxJY . The video shows the supposed exploit in operation, though I think it's different than the one linked in the Opening Post. The one in the YouTube video explicitly shows exploits of FireFox, Google Chrome, and IE8. The video author then claims the exploit will work in "Operah" [sic], and asks for $500. Validity of the exploit is unknown, as not much was shown beyond opening an image in the browser and then seeing a connection pop up in another window. Because the video seems to leverage more than just the Windows Image viewer, I'd say it's probably a different beast.

I'm not an expert, though, so I'm not sure how valid the "exploit" in the video was. There was a link shown to the (then live) JPG used to leverage the attack, so examining that file might be possible... but I know better than to post it here, even if it's fake!

Rilla927 · Sep 1, 2010

MrBrian said:

From same author in comments:
Click to expand...

Do you mean windows photo gallery to view pictures? Thanks for posting I d/l XnView.

Log in or Sign up

New JPG exploit?

MrBrian Registered Member

MrBrian Registered Member

Carbonyl Registered Member

Rmus Exploit Analyst

Carbonyl Registered Member

Rilla927 Registered Member

Log in or Sign up

New JPG exploit?

MrBrian Registered Member

MrBrian Registered Member

Carbonyl Registered Member

Rmus Exploit Analyst

Carbonyl Registered Member

Rilla927 Registered Member

Useful Searches