Wednesday, September 29, 2004

Security Watch Letter: Inside the JPEG Virus

Security Watch Letter: Inside the JPEG Virus:
"The end of summer lull for viruses and worms continues. We're still seeing new versions of RBots, and a new Bagle, but nothing with teeth. The big news appears to be the anticipation of a viral exploit of the JPEG vulnerability that Microsoft patched earlier this month. Within days of the release of the security bulletin, there was proof-of-concept code available on the web. As the exploit was analyzed by various security groups, it was found that it was similar to a four-year-old Netscape vulnerability reported by the Openwall project.

Shortly after the initial proof-of-concept code was posted, some C language code was posted that would create a JPG file that starts a command prompt shell in Windows and opens a port. A hacking tool also became available that would allow anyone to create exploitable JPG files. On Monday, Easynews, a newsgroup service company, reported getting the first JPG exploit virus."

Top Threat: JPEGS of Death

Executive Summary

Name: Windows GDI+ JPEG parsing vulnerability
Affects: Unpatched Windows 9x/Me/2000/XP systems, and other Microsoft software.

What it does: Currently there is no real viral threat. A malicious JPG reportedly found in porno newsgroups downloads and executes a Trojan, which opens a port on the victim's system, when the image is viewed on an unpatched system. It may also crash Explorer on some systems.

How to prevent it: Apply either the Windows XP SP2 update or the MS04-028 update. Avoid downloading JPEGs from newsgroups. Update your antivirus (most if not all vendors are detecting the exploit).

Details

While no worm currently exists that uses the JPEG vulnerability, security experts are saying it is only a matter of time. For worm authors, the vulnerability may be the holy grail of infection vectors, as it can be passed through e-mail, web sites, IM, or downloaded programs. Additionally, many, many kinds of applications (and OS versions) can view JPEGs, offering innumerable paths for the malicious files. A worm with this kind of infection power could make Blaster's epidemic pale in comparison.

The first truly malicious version of the JPEG exploit showed up as a pornographic image on a newsgroup. Usenet newsgroup service Easynews.com posted an alert claiming they had found several JPEG images that, when viewed, will download a Trojan via an external FTP site. The images were found in porn newsgroups under the user name "Power-Post 2000". The alert claims that the Trojan is downloaded and executed. Currently the code does not propagate, only infecting the one machine the JPEG is viewed on. However, the Trojan could allow the victim's machine to be controlled remotely, possibly for propagation or other purposes.

Sample C source code dubbed "JPEG of death", published on K-Otik and Easynews, can be compiled to create JPEG files that spawn a shell (execution environment) on the victim's system and bind it to an open port. Comments in the code indicate that the JPEG can also be named .BMP or .TIF and Windows will still execute the code. The comments also hint that a more dangerous worm may not be far behind.

As if the posting of C language source code isn't bad enough, iDefense reports that a utility is available to make it easier for anyone to create the files. The utility lets a hacker wannabe specify a web site and a file, which are built into a specially crafted JPEG file. If the JPEG is viewed on an unpatched system, it will download and execute the file.

The vulnerability itself is a buffer overflow flaw in the JPEG parsing engine contained in the GDIPlus.DLL file. The file is used by the operating system, as well as many applications [[link to application list]]. It can be exploited by a specially crafted JPEG image. The JPEG specification allows the embedding of comments in the JPEG file. A comment section starts with the two-byte marker 0xFFFE, followed by a two-byte length value. That value specifies the length of the comment plus 2 bytes (for the length field itself), so the field theoretically allows 65,533 bytes of comment data (invisible when the JPEG is viewed). If the comment is empty, the length value must still contain the minimum length of 2 (the 2 bytes of the field itself). A parser therefore subtracts 2 from the length to get the size of the comment data. If a specially crafted JPEG file sets this length to 0 or 1 (illegal values), that subtraction wraps around to a huge size, which causes a buffer overflow condition that overwrites memory structures in the DLL.
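The malformed comment field described above is easy to recognize before an image is ever handed to a decoder. The following scanner is an added example for this page, not code from the Security Watch Letter, Microsoft, or any of the tools it mentions: it walks the marker segments of a JPEG, checks every length field against the "minimum of 2" rule from the text, and flags a comment (or any other) segment whose declared length is 0 or 1, or which runs past the end of the file. The two sample files it checks are constructed inline; the function and variable names are the example's own.

```python
import struct

# JPEG marker values (big-endian two-byte words).
SOI = 0xFFD8   # start of image
EOI = 0xFFD9   # end of image
COM = 0xFFFE   # comment segment, the field discussed in the text
SOS = 0xFFDA   # start of scan; entropy-coded data follows with no length
TEM = 0xFF01   # standalone marker, no length field
RST0, RST7 = 0xFFD0, 0xFFD7   # restart markers, also standalone

MIN_SEGMENT_LENGTH = 2   # the length field counts its own two bytes


def scan_jpeg_segments(data: bytes):
    """Walk the marker segments of a JPEG and report each length field.

    Returns a list of (offset, marker, declared_length, verdict) tuples.
    verdict is 'ok', 'undersized' (length < 2, the MS04-028 trigger class)
    or 'truncated' (segment claims more bytes than the file contains).
    Scanning stops at the first bad segment: a naive parser would
    compute (length - 2) there and wrap around, so nothing after it
    can be trusted.
    """
    findings = []
    if len(data) < 2 or struct.unpack(">H", data[:2])[0] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker == EOI:
            break
        if marker >> 8 != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}, found 0x{marker:04X}")
        if marker == TEM or RST0 <= marker <= RST7:
            pos += 2          # standalone marker, nothing to validate
            continue
        if pos + 4 > len(data):
            findings.append((pos, marker, None, "truncated"))
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < MIN_SEGMENT_LENGTH:
            # 0 or 1 is illegal: length - 2 underflows in a parser that
            # trusts it, which is the overflow condition the text describes.
            findings.append((pos, marker, length, "undersized"))
            break
        if pos + 2 + length > len(data):
            findings.append((pos, marker, length, "truncated"))
            break
        findings.append((pos, marker, length, "ok"))
        if marker == SOS:
            break             # scan data has no length field; stop here
        pos += 2 + length
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if any segment carries an undersized or truncated length."""
    return any(verdict != "ok" for _, _, _, verdict in scan_jpeg_segments(data))


def build_jpeg_with_comment(comment: bytes, declared_length=None) -> bytes:
    """Construct a minimal SOI + COM + EOI file (constructed sample data).

    declared_length overrides the correct value so a malformed header can
    be built for testing the scanner; it is not a real image.
    """
    length = 2 + len(comment) if declared_length is None else declared_length
    return (struct.pack(">H", SOI)
            + struct.pack(">HH", COM, length) + comment
            + struct.pack(">H", EOI))


# Constructed samples: a well-formed comment and one with the illegal length 1.
GOOD_SAMPLE = build_jpeg_with_comment(b"harmless")
BAD_SAMPLE = build_jpeg_with_comment(b"", declared_length=1)

if __name__ == "__main__":
    for name, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(name, "suspicious" if is_suspicious(sample) else "clean",
              scan_jpeg_segments(sample))
```

To check a file on disk, pass `open(path, "rb").read()` to `is_suspicious`. The scanner deliberately stops at the first bad length instead of skipping over it: once a length field is illegal, every subsequent offset it would compute is meaningless, and the file should be quarantined and handed to an updated antivirus rather than opened.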

http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx

http://www.pcmag.com/print_article/0,1761,a=136159,00.asp
