poke smot!
floccinocci floofinator
Registered: 01/08/03
Posts: 5,248
Image viruses: A PC tech's viewpoint.
#3192126 - 09/28/04 03:37 PM (19 years, 6 months ago)
Being a computer service tech at the local pc shop, I like to stay informed about issues that will affect us and our business in the future.
I'm sure everyone has heard about the jpeg exploit by now. Yes, a small bit of code can be placed in a measly little jpeg picture crafted to exploit this bug, and it will be executed upon anyone viewing it with an unpatched computer.
I said I'll give it a week for someone non-Microsoft to figure it out, and another week for viruses and the like to come out that exploit this bug.
Last week, a fellow techie at my work showed me a small C++ program. Insert shellcode here (up to 2500 bytes, a lot for shellcode), and run. It will spit out a JPEG image using the exploit, and upon viewing the image on a vulnerable computer, that shellcode will run.
Today he showed me one of the first instances of a trojan horse utilizing this bug. When you view the infected image, the code runs. It connects to an FTP site, grabs a list of files, and then downloads those files from the FTP. It then runs a batch file.
It turns out that the trojan installs rAdmin (similar to VNC), and then connects to an IRC server. All of this is transparent to the victim, i.e., they cannot tell this is going on. But all the creator has to do is go to that IRC room, pick a victim, and then he can connect to their computer and see what is on the screen, as well as control the keyboard and mouse.
This is a very rudimentary example of an exploitation of the bug. I then checked Symantec's website, and noticed that another variant of this same idea was listed in their new threats. The variant simply downloads and then runs a Windows application from a website they provide. Think, this is the simple layout for a virus of any proportions. That application can delete files, infect other images, even post infected images on the user's website if it's told how to.
I give it another week until a major virus comes out that self-replicates and grows to infect at least a thousand computers. Another week, and they will have decentralized viruses that recompile infected images to look as they did before, but download the exploit code from non-centralized sources. This is where things will get nasty, as in the current stage of things one only has to take out the server from which the virus image downloads.
Patch your computers people! http://windowsupdate.microsoft.com. Keep in mind that even if you don't use Internet Explorer, you may still be vulnerable to this glitch.
I'd like to write something to exploit the glitch, but I fear legal consequences. Keep in mind that if I were to write an exploit, it would most likely (1) not reproduce and (2) fix the problem so it can't happen again on that computer.
Edited by poke smot! (09/07/20 01:52 PM)
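As an added defensive check (this is not code from the thread or from any of the posters): the GDI+ JPEG bug the post refers to is triggered by a marker segment whose 16-bit length field is smaller than the two bytes the field itself occupies, so a scanner can walk a file's marker segments and flag that condition, or any segment that runs past end of file, before the image reaches an unpatched viewer. The sample JPEG byte strings are constructed inline for illustration.

```python
# Added example: walk JPEG marker segments and flag malformed length fields.
# A length < 2 would underflow in a parser that subtracts the field's own size.
import struct

EOI, SOS = 0xD9, 0xDA
# Markers that carry no length field: SOI, EOI, TEM, RST0..RST7
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def scan_jpeg(data: bytes) -> list:
    """Return a list of (offset, marker, description) findings; [] means clean."""
    findings = []
    if data[:2] != b"\xff\xd8":
        return [(0, None, "missing SOI marker")]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append((pos, None, "expected marker byte 0xFF"))
            break
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte between markers, skip it
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == EOI:
                break
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append((pos, marker, "truncated length field"))
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:              # the dangerous case: length smaller than itself
            findings.append((pos, marker, f"segment length {length} < 2 (underflow)"))
            break
        if pos + 2 + length > len(data):
            findings.append((pos, marker, "segment length runs past end of file"))
            break
        if marker == SOS:           # entropy-coded data follows; stop walking
            break
        pos += 2 + length
    return findings


# Constructed samples: a minimal benign header, and one with a COM length of 1.
BENIGN = b"\xff\xd8" + b"\xff\xfe\x00\x05abc" + b"\xff\xd9"
MALFORMED = b"\xff\xd8" + b"\xff\xfe\x00\x01" + b"AAAA" + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(name, scan_jpeg(blob) or "clean")
```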
Krishna
कृष्ण, LOL
Registered: 05/08/03
Posts: 23,285
Loc: oakland
Re: Image viruses: A PC tech's viewpoint. [Re: poke smot!]
#3192354 - 09/28/04 05:13 PM (19 years, 6 months ago)
It's always funny to make a virus patch that simulates the virus for a little while before letting the user in on the joke.
Clean
the lense
Registered: 05/11/03
Posts: 2,374
Re: Image viruses: A PC tech's viewpoint. [Re: poke smot!]
#3192395 - 09/28/04 05:20 PM (19 years, 6 months ago)
Do I have to get the Windows update in order to avoid this, or will Norton do the trick?
Le_Canard
The Duk Abides
Registered: 05/16/03
Posts: 94,392
Loc: Earthfarm 1
Re: Image viruses: A PC tech's viewpoint. [Re: poke smot!]
#3192570 - 09/28/04 05:57 PM (19 years, 6 months ago)
Thanks for the heads up on this! I was wondering though, how effective is a properly set up firewall in preventing this?
poke smot!
floccinocci floofinator
Registered: 01/08/03
Posts: 5,248
Re: Image viruses: A PC tech's viewpoint. *DELETED* [Re: Le_Canard]
#3193051 - 09/28/04 07:29 PM (19 years, 5 months ago)
Post deleted by poke smot! Reason for deletion: x
Le_Canard
The Duk Abides
Registered: 05/16/03
Posts: 94,392
Loc: Earthfarm 1
Re: Image viruses: A PC tech's viewpoint. [Re: poke smot!]
#3193091 - 09/28/04 07:35 PM (19 years, 5 months ago)
Even ZoneAlarm Pro? It monitors outgoing traffic as well, and will tell you if any program is trying to get access to the 'net.
funkymonk
Gets down, with the get-down.
Registered: 11/29/02
Posts: 8,160
Loc: saskatchewan
Re: Image viruses: A PC tech's viewpoint. [Re: poke smot!]
#3193195 - 09/28/04 07:54 PM (19 years, 5 months ago)
Awesome post man! I love talking about viruses, what they do, and how they spread. It's pretty damn cool if you think about it.
Sometimes I get bored and infect myself with the latest threat virus. Just to see how it works. I just wish I knew C++ a lot better.
PhanTomCat
Teh Cat....
Registered: 09/07/04
Posts: 5,908
Loc: My Youniverse....
Last seen: 15 years, 1 month
Re: Image viruses: A PC tech's viewpoint. [Re: Le_Canard]
#3193263 - 09/28/04 08:09 PM (19 years, 5 months ago)
Quote:
ToiletDuk said: Even Zonealarm Pro? It monitors outgoing traffic as well, and will tell you if any program is trying to get access to the 'net.
Yeah, wouldn't the JPG file have to request thru the firewall to get back out...? Hhhhmmmmm......... Seems logical, but does it hold any "water".... (It was a moat joke...) <SmerK>
-- I'll be your midnight French Fry.... "The most important things in life that are often ignored, are the things that one cannot see...." >^;;^<
DF2K
Me.
Registered: 06/01/02
Posts: 5,826
Loc: The land before time
Last seen: 10 years, 3 months
Re: Image viruses: A PC tech's viewpoint. [Re: PhanTomCat]
#3193681 - 09/28/04 11:13 PM (19 years, 5 months ago)
I have written virus code before; it's not that hard, actually.