
JPEG GDI+ Trojan Unleashed.


Mad Mardigan


It was only a matter of time before someone unleashed malware that exploits the JPEG GDI+ vulnerability. Over the last two weeks various people have released proof of concept code in stages. The first code base consisted of a corrupted JPG image file that caused an application to crash. The second code base was a JPG image that spawned a local command shell with no remote access. Within hours of the second code base being released, another person claimed to have made the command shell bind to a port for remote access.

Now someone has taken matters to a greater extreme by unleashing a JPEG file that causes a buffer overrun where shell code is run on the affected system. The shell code connects to a remote FTP site and downloads approximately 2MB of data, installs a Trojan service, and also installs a copy of radmin.com, which supposedly allows a remote user to interact with a system as if they were sitting at the local console. The Trojan also downloads several other tools, including fport, netcat, peek, rcrypt, and more.


According to Easynews, the JPEG exploit first appeared on several Usenet newsgroups that commonly contain erotic images. A possible way of detecting whether a system is infected is to look for a directory called c:\windows\system32\system\, which might contain files named nvsvc.exe and winrun.exe. The Trojan might also open port 10002. Easynews also made packet captures available that were taken as the JPEG infected a Windows XP system.


This is probably only the beginning of several future exploits that might take advantage of the JPEG GDI+ vulnerability. As always, you are advised to be sure you have the latest virus signature updates on your systems, and to be sure that you've loaded the patch if necessary. You can learn more about the patch and tools that can help you identify systems that need the patch in our Security Matters blog and in our related news story, "New Tools Help with JPEG GDI+ Updates".


source = http://www.freerepublic.com/focus/f-news/1229010/posts
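The quoted article mentions "tools that can help you identify systems that need the patch" but does not show how to recognise a hostile JPEG on the wire or on disk. The Python below is an added example, not code from the article, from Easynews or from the forum posters. Background the thread does not state: the MS04-028 bug is in how GDI+ handles the two-byte length field of a JPEG marker segment. A comment (COM, 0xFF 0xFE) segment that declares a length of 0 or 1 underflows when the decoder subtracts the two bytes of the length field itself, so it then copies far more data than its heap buffer holds. Scanning for that pattern is the check the JPEG-scanner tools of the period performed; this version walks every marker segment and flags any whose declared length is smaller than 2, which covers the COM case and any other marker. The sample JPEG headers are constructed inline so the block runs offline; function and constant names are this example's own.

```python
import struct

# JPEG marker codes (ITU T.81). A marker is 0xFF followed by one byte; every
# marker except the standalone ones is followed by a big-endian 16-bit length
# that counts the two length bytes plus the payload, so a legal length is >= 2.
SOI, EOI, SOS, COM, TEM = 0xD8, 0xD9, 0xDA, 0xFE, 0x01
MARKER_NAMES = {0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xDB: "DQT",
                0xDD: "DRI", SOS: "SOS", COM: "COM"}


def marker_name(marker):
    """Human-readable name for a marker byte, for reports."""
    if 0xE0 <= marker <= 0xEF:
        return f"APP{marker - 0xE0}"
    if 0xD0 <= marker <= 0xD7:
        return f"RST{marker - 0xD0}"
    return MARKER_NAMES.get(marker, f"0x{marker:02X}")


def iter_segments(data):
    """Yield (offset, marker, declared_length) for each length-carrying segment
    up to and including SOS. Stops at the first segment whose declared length
    is < 2: after such a segment the next marker cannot be located reliably,
    which is exactly the condition that tripped GDI+."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return
        if marker == TEM or 0xD0 <= marker <= SOI:   # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield pos, marker, length
        if length < 2 or marker == SOS:         # underflowing length, or image data follows
            return
        pos += 2 + length


def find_malformed_segments(data):
    """Return [(offset, marker, length)] for segments whose declared length does
    not even cover the length field itself (the MS04-028 trigger pattern)."""
    return [(off, m, ln) for off, m, ln in iter_segments(data) if ln < 2]


def is_suspicious_jpeg(data):
    """True when data parses as a JPEG and carries an underflowing segment length.
    Input that is not a parseable JPEG is reported as not suspicious here; a
    real scanner would log it separately rather than silently pass it."""
    try:
        return bool(find_malformed_segments(data))
    except ValueError:
        return False


def _app0_jfif():
    # Minimal JFIF APP0 segment: 14-byte payload, declared length 16.
    payload = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xe0" + struct.pack(">H", 2 + len(payload)) + payload


# Constructed samples (headers only, no entropy-coded image data).
BENIGN_JPEG = (b"\xff\xd8" + _app0_jfif()
               + b"\xff\xfe" + struct.pack(">H", 2 + 5) + b"hello"   # COM "hello"
               + b"\xff\xd9")
# COM segment declaring a length of 1: 1 - 2 underflows to a huge unsigned copy length.
LENGTH_ONE_COM_JPEG = (b"\xff\xd8" + _app0_jfif()
                       + b"\xff\xfe\x00\x01" + b"A" * 64 + b"\xff\xd9")
# Same with a declared length of 0, the other value the scanners looked for.
LENGTH_ZERO_COM_JPEG = (b"\xff\xd8" + _app0_jfif()
                        + b"\xff\xfe\x00\x00" + b"A" * 64 + b"\xff\xd9")


if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_JPEG),
                        ("COM length=1", LENGTH_ONE_COM_JPEG),
                        ("COM length=0", LENGTH_ZERO_COM_JPEG)]:
        hits = find_malformed_segments(blob)
        status = "SUSPICIOUS" if hits else "ok"
        detail = " ".join(f"{marker_name(m)}@{off} len={ln}" for off, m, ln in hits)
        print(f"{label:14s} {status} {detail}")
```

To check a real file, pass `open(path, "rb").read()` to `find_malformed_segments`. The network signatures published at the time matched the raw byte patterns FF FE 00 00 and FF FE 00 01; walking the segments instead avoids false hits on those bytes inside image data and catches the same underflow on any marker. A clean scan does not make a file safe, and this check says nothing about a host that has already been infected; the fix remains the MS04-028 patch.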


JPEG, JPG or both? The article kind of swaps between them; whichever, they are both very popular and this could be a big one.

Maybe GIF will become popular :S

Nice 'safe' names as normal. Does this affect SP1? Presumably so, however it mentions SP2 only.


The original article: http://www.freerepublic.com/focus/f-news/1229010/posts touches on this subject... Windows XP SP2 is not affected.... SP2 has fixed something! :D

Security patches for this are available at:

http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx

Select the operating system you have and follow the links/instructions...

NOTE: on install it recommends that you back up your computer or data or something like that. I'm not quite sure what this is on about, a bit worrying; I currently have downloaded but not installed the update due to this warning. You'll see it when the auto-install thing starts; just don't click next and you'll see it safely!

Seemingly (in reply to capn) you only have to view the image, as that will 'download' it to your computer... how else do you see images? Not literal downloading, but the loading of the image includes loading of the 'virus'. I'm not sure if you are safe behind Firefox, though I doubt it, as it is a Windows exploit NOT a program exploit, so (I'm assuming) FF will not save you, though I'm not sure.


Images don't normally execute scripts though, so this might not be a standard Firefox (FF) security issue. This isn't an IE attack, so it's not an "IE bad, FF good" thingy; it's a Windows attack. I'm not 100% on FF security where this is involved, and neither is anyone, as nothing like this has happened until now. I would expect all users are at risk (those without the update; see post #8, the update is included in XP's SP2) on all browsers, as they all 'load' the image in the same way.

I say this using knowledge of other such 'programs' and security things. I don't know the answer; however, I'm saying what I think!
