JPG virus now in the real world?

As some of you may recall, a couple of weeks ago Microsoft announced that there was a bug in its JPG handler library which actually would allow a properly-crafted virus, embedded in a JPG image, to infect a computer.

I just had a very bizarre thing happen to my computer at work. They insist on running Windows. I opened an email on my web-based email account, which had a picture attached to it.

I should note in passing that the image was from a trusted source (another Forumosan I know), and had a personalized message and image on a topic that we discuss (he knows I’m into old Gatling guns). I wasn’t opening porno or spam, and the filesize (43K) was reasonable for a small picture.

I opened the picture; instead of the picture being displayed in full size (the usual), IE showed the “open or save” dialog (as if I were downloading the image to my computer) and in addition to the picture being displayed, Windows Media Viewer opened up and showed the video clip of the Ford(?) car decapitating the cat that stuck its head into the sunroof.

I don’t have that video on my computer at work. I don’t have any such videos on my computer at work. A search of the hard drive also didn’t turn it up. And finally, the size of the email was too small to include the video in it; 43K would be one frame, not a 30-second MPG.

I am wondering if this was a proof-of-concept test of a virus exploiting the Microsoft JPG library hole, or what.

I’d say no, but here’s the closest thing I could find with a quick google search.

I’ve had mpegs run using Media Player open websites, which in turn could lead to viruses, but I never investigate that (I just stopped using Media Player).

Note to Squidy: Still getting Invalid_sessions

Note to the note: Did you look at any of the info I posted in the Feedback forum or do a search about Invalid_sessions on phpbb.com? You should. :wink:

I misread your question. I guess you already knew about that JPG virus thing. My answer is still no.

I believe one of the XP SP2 security features is to ask before opening JPGs attached to e-mails. In fact, you can prevent Outlook from displaying any images in e-mails. Also, the new Outlook Express as well as NAV and other programs, etc. scan attachments before they enter your Inbox. So, if indeed it’s possible to insert a virus into a JPG, I’m fairly confident Norton and the like will install patches etc. But hell this is just one in a long line of Net-aches!

I tell you what is bothering me more than anything - the HUGE number of legitimate e-mails being filtered out at some point from A to B’s Inbox. This is becoming a major problem, and as much as I hate to admit it, e-mail is becoming untrustworthy. I find myself making a lot of follow-up phone calls, often only to confirm suspicions that e-mails are getting lost on one end or the other (usually the other person’s since their IT person implemented an ultra-paranoid protocol).

Well certainly Windows updates is pretty much forcing you to install the patches to stop this problem. Running massive desktop updates in a corporate environment is like dropping the soap :eh:

One of the features of Outlook 2003 is that attachments are automatically blocked. You can define certain document extensions to come through but for most of the other types, it’s a pain in the butt to let through. I understand this but it’s incredibly annoying. I guess it’s MS’s way of erecting the Great Wall defense.

[quote=“Gubo”]
I tell you what is bothering me more than anything - the HUGE number of legitimate e-mails being filtered out at some point from A to B’s Inbox. This is becoming a major problem, and as much as I hate to admit it, e-mail is becoming untrustworthy. I find myself making a lot of follow-up phone calls, often only to confirm suspicions that e-mails are getting lost on one end or the other (usually the other person’s since their IT person implemented an ultra-paranoid protocol).[/quote]

I agree that email over time has become more like a crap shoot.

On the other hand, being on the IT corporate side of things, you have to see that if they aren’t extra, super paranoid about filtering, then the resulting headache of cleaning every desktop and server in the corporate environment is enough to make a grown man cry for his mommie.

One really annoying feature I’ve found which can make this a huge aspirin popping-fest is the liberal use of pict files in people’s .sig files. A number of corporate folks like to sprinkle these things which automatically gets rejected/flagged incoming and then people ask “I haven’t received email from ABC company, can you check?” The answer is that those emails with unnecessary pict files violated company’s email content filtering policies.

It’s ugly and it’s going to get a whole lot worse.

“Thank you Bill, sir, may I please have another.”

Yes, I think it will get worse, which is why I’ve started to wonder if it might be time for us to change the way we e-mail. Let me elaborate.

I suggest we number each e-mail we send someone, or at least number each e-mail in a ‘sequence,’ which usually lasts 3-5 days. In addition to “Re: this” and “Re: that” we could add a number to each subject heading. You send me e-mail #4 in a sequence, I respond with #5, and so on. Or, our software could remember the number of e-mails I’ve sent you, and just add a digit (automatically) to each subsequent e-mail.

As I understand it, G-mail’s answer is to group e-mails in a sort of conversation. This partially addresses the point but does not account for e-mails that didn’t get through.

Now, in addition to this numbering scheme, it might be wise for programs such as Outlook to automatically generate a response message notifying us that the other person has received our e-mail. As it currently stands, such requests for responses need to be made by the sender, with the recipient opting to send an acknowledgement. This is too bulky and troublesome.

Some may balk at these suggestions - especially those who use e-mail strictly for casual purposes. But I dare say that the majority of users who rely on e-mail in their profession see a critical need to get something sorted out, and I mean FAST. Otherwise, as more and more legitimate e-mails are dumped by stupid bots that think every .doc contains a virus, people are just going to turn off e-mail and go back to faxing and telephoning. Because it’s extremely dangerous to send an e-mail and not know if the other person has received it.

One way to get around email would be to upload files onto something like yahoo briefcase and allow others access to the briefcase. The receiver could confirm by instant messenger once they had received it.

Having said that, I was playing around with my yahoo briefcase just now but it didn’t allow me to change the setting to share the files with another of my yahoo IDs: I got an error message.

btw in another thread I mentioned the s5.yousendit.com/ website which allows you to upload a file to the site. A notification is then sent to the receiver to go to the site and pick up the file. The downside is that there’s no way to tell if the receiver has got the file or not.

The headers you need to do this are already in place. Few spam filtering solutions actually pay attention to it though. What you want to look at are the Message-ID and References headers. When I send out a message, my mail program tacks on a Message-ID header with a randomized string followed by an @ and my domain name. For example:

Message-ID: 4152665C.9060002@drivel.com

If you receive that message and reply to it, your mail program should copy this into the References header in your reply, so your reply will come back with the header:

References: 4152665C.9060002@drivel.com

Plus it will have a new Message-ID that you made. If I reply again, my mailer will add your Message-ID to the References line in addition to what was already there. After many back and forths, the References line will have many message ids listed for all the messages sent around.

It would be quite easy to keep track of Message-IDs sent out and References lines received and avoid filtering messages where you see a familiar ID on the References line.
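The bookkeeping described in the post above, sketched as an added example that is not part of the original thread: it records the Message-IDs of outgoing mail and recognises incoming mail whose References or In-Reply-To header names one of them. The class and function names, the sample messages and every ID except the one quoted in the post are constructed for illustration.

```python
import re
from email import message_from_string

# A msg-id is local@domain, usually wrapped in <>; accept both forms.
MSGID_RE = re.compile(r"<?([^\s<>@]+@[^\s<>@]+)>?")

def extract_ids(value):
    """Return the set of message IDs found in one header value."""
    return set(MSGID_RE.findall(value or ""))

class ReplyTracker:
    """Remembers Message-IDs we sent and recognises replies to them."""

    def __init__(self):
        self.sent_ids = set()

    def record_outgoing(self, raw):
        msg = message_from_string(raw)
        self.sent_ids |= extract_ids(msg.get("Message-ID"))

    def is_reply_to_us(self, raw):
        msg = message_from_string(raw)
        refs = extract_ids(msg.get("References")) | extract_ids(msg.get("In-Reply-To"))
        return bool(refs & self.sent_ids)

    def spam_action(self, raw):
        # Headers are sender-controlled: a match only skips spam scoring.
        # Attachment/virus scanning should still run on every message.
        return "skip-spam-filter" if self.is_reply_to_us(raw) else "spam-filter"

# Constructed sample messages (the first ID is the one quoted in the post).
OUTGOING = "Message-ID: <4152665C.9060002@drivel.com>\nSubject: Gatling guns\n\nhi\n"
REPLY = ("Message-ID: <reply-1@example.org>\n"
         "References: <4152665C.9060002@drivel.com>\nSubject: Re: Gatling guns\n\nhello\n")
LATER_REPLY = ("Message-ID: <reply-2@example.org>\n"
               "References: <followup-1@drivel.com>\n"
               "  <4152665C.9060002@drivel.com> <reply-1@example.org>\n\nmore\n")
UNSOLICITED = "Message-ID: <x1@bulk.example>\nSubject: offer\n\nbuy\n"
FORGED_REFS = "Message-ID: <x2@bulk.example>\nReferences: <made-up@drivel.com>\n\nbuy\n"

tracker = ReplyTracker()
tracker.record_outgoing(OUTGOING)

if __name__ == "__main__":
    for name, raw in [("reply", REPLY), ("later reply", LATER_REPLY),
                      ("unsolicited", UNSOLICITED), ("forged refs", FORGED_REFS)]:
        print(f"{name:12} -> {tracker.spam_action(raw)}")
```

The scheme only helps if outgoing IDs are unpredictable, since anyone who can guess or has seen one of your Message-IDs can put it on a References line.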

I’m not an expert at all. But I was reading recently that some people are trying to push a change to the way emails are sent by making each email wait like 8 seconds before being sent (I’m not sure if it keeps your server busy for 8 seconds, or your computer…?). Thus, spammers would suddenly be sending out like 10,000 messages a day instead of the hundreds and thousands they can do now.

Have no idea if it’d work, but sounds interesting (and better than charging per email…).

From the BBC.

http://news.bbc.co.uk/2/hi/technology/3684552.stm

[quote=“jlick”]The headers you need to do this are already in place. Few spam filtering solutions actually pay attention to it though. What you want to look at are the Message-ID and References headers. When I send out a message, my mail program tacks on a Message-ID header with a randomized string followed by an @ and my domain name. For example:

Message-ID: 4152665C.9060002@drivel.com

If you receive that message and reply to it, your mail program should copy this into the References header in your reply, so your reply will come back with the header:

References: 4152665C.9060002@drivel.com

Plus it will have a new Message-ID that you made. If I reply again, my mailer will add your Message-ID to the References line in addition to what was already there. After many back and forths, the References line will have many message ids listed for all the messages sent around.

It would be quite easy to keep track of Message-IDs sent out and References lines received and avoid filtering messages where you see a familiar ID on the References line.[/quote]
I’m not sure, but I think the e-mail client PocoMail, which I used to use, does this. It organised series of e-mails into “conversation”-esque threads, regardless of subject line, but didn’t just group every e-mail from a certain person into that thread, so I assume it worked on the Message IDs.

Well, be happy and smile, for it comes worse: Right before this weekend the first “DIY kits” came out. Now all you need to send out evil images are a few clicks, no special knowledge involved. And another good news: Even if your OS is not vulnerable, you still get the code in question executed (on Windows) if your application is. Most AV scanners should be updated by now, so don’t be surprised if even your images are scanned…

Bugtraq just had a report of seeing an exploit spotted in the wild by Easynews: easynews.com/virus.txt

They even include a sample that you can test against your AV.

… yes, there are malicious jpg-pics out in real world now which are based on a “proof of concept” exploit right now. Even a fully patched Windows system is not proof.

I can only give a German link about this: spiegel.de/netzwelt/technolo … 18,00.html

However, it is no virus, as the jpg’s will only download malicious code from a web server (no idea what this code does), but do not replicate themselves.
Everybody is waiting for the self-replicating version now, which will follow up soon judging from past experience.

Anti-Virus software is often detecting the malicious pictures too late - after they had been fully loaded by the computer.

A fully patched XP does not react to all of the malicious jpeg versions, but some.
100% protection is presently only obtained by using another browser like Thunderbird/Mozilla or other Netscape offsprings or Opera.

I know, all browsers can be affected by attacks, of course IE gets all the attention by hackers at the moment. Surfing with alternatives is safer (until they become mainstream :wink: )

I’m a computer caveman, so somebody help me. I use Firefox. Can I still see my titties without getting infected?

Someone has written a virus toolkit to embed something nasty in jpgs: theregister.co.uk/2004/09/24 … t_toolkit/

[quote]Someone has written a virus toolkit to embed something nasty in jpgs: theregister.co.uk/2004/09/24 … t_toolkit/[/quote]
So even if my titties are not in IE, I can still get infected? I thought Firefox was safe.:s

The flaw is only in a JPEG library used by Microsoft products. There is no problem with Mozilla based browsers.

Also, there is some slightly incorrect info about XP SP2 solving the problem. This solves it for Internet Explorer, Outlook Express and the OS tools itself.

This does NOT patch Office, which also has the vulnerability! This includes Word and Outlook (which is a more featureful version than Outlook Express). If you use any of these, you need to update them as well. To do so, bring up Internet Explorer (other browsers don’t work with the updater), and open office.microsoft.com/officeupdate/ click on ‘check for updates’ and apply any updates it suggests.

[color=red]If you don’t do this, you are still vulnerable when using any of the Office suite of tools![/color]

Supposing, hypothetically speaking, that someone has a pirated copy of WinXP running on their PC, is it still possible to install the XP SP2 patch (downloaded from the MS site)?