A virus within a JPEG
Networking/Security Forums -> Viruses // Worms

Author: Networkguy  |  Location: UK  |  Posted: Sat Mar 13, 2004 12:48 am  |  Post subject: A virus within a JPEG
    ----
I am being told that it is possible to embed a virus within a JPEG file.

Now my own thoughts are that whilst you could possibly make a virus LOOK like a JPEG file to encourage the user to double click it, it is not possible to actually embed a virus within a JPEG file.

So can it be done? I think not but am prepared to be corrected if somebody can show me documented proof of it actually having been done.

Anybody?


Last edited by Networkguy on Sun Mar 14, 2004 7:50 pm; edited 2 times in total

Author: cisco student  |  Location: SFDC USA: Chico, California  |  Posted: Sat Mar 13, 2004 1:02 am
    ----
Yes, it can be done. As someone who has tried this for educational purposes, you can bind a virus or trojan to another file. Then, when the user opens that file, a script is run. Most anti-virus programs catch embedded lines of code.

Author: Networkguy  |  Location: UK  |  Posted: Sat Mar 13, 2004 1:07 am
    ----
cisco student wrote:
Yes, it can be done. As someone who has tried this for educational purposes, you can bind a virus or trojan to another file. Then, when the user opens that file, a script is run. Most anti-virus programs catch embedded lines of code.


How? Where is this documented?

A JPG file does not execute, and the code contained within is extracted by the application (such as Photoshop in this case). As said application is not attempting to read or look for such code (never mind execute it), how could such code work?

I have seen an example where code was hidden within a JPG but required a separate EXE application to be installed on the machine as well and the EXE had to extract the data from the JPG (so double clicking the JPG does nothing) but this is not the same as having a virus within the JPG file itself.

This is the info I have found:

Quote:

14 June 2002

Picture this: a virus in a JPEG
Sophos advises on threat posed by new .JPG virus, and urges anti-virus companies to exercise restraint
Sophos, a world leader in corporate anti-virus protection, today called for the anti-virus industry to act responsibly in light of the discovery of the first virus capable of infecting JPEG graphic files.

The virus, known as W32/Perrun-A, was sent directly to the anti-virus community by its author and is considered to be a "proof of concept". It spreads in the form of a traditional Win32 executable virus (usually called proof.exe), making changes to the Registry to mean that JPEG (.JPG) graphic files are examined by an extractor (called EXTRK.EXE) before they can be viewed. If the extractor finds viral code inside the graphic file it is executed.

"Some anti-virus vendors may be tempted to predict the end of the world as we know it, or warn of an impending era when all graphic files should be treated with suspicion. Such experts should be ashamed of themselves," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "Not only is this virus not in the wild, but also graphic files infected by this virus are completely and utterly harmless, unless they can find an already infected machine to assist them. It's like a cold only being capable of making people who already have runny noses feel ill."

"The virus relies entirely upon you running an infected EXE file, which is hardly rocket science," said Paul Ducklin, Head of Global Support for Sophos Anti-Virus. "Yet we are already seeing reports suggesting that this virus could spread via websites containing so-called 'infectious' images. This sounds like scare-mongering about image files to me."

Sophos has issued protection against W32/Perrun-A to customers concerned by the media reports and alerts from other anti-virus vendors.

SOURCE: http://www.sophos.com/virusinfo/articles/perrun.html



Even if the file contains extra code, how would it execute?


Last edited by Networkguy on Sat Mar 13, 2004 1:17 am; edited 1 time in total

Author: cisco student  |  Location: SFDC USA: Chico, California  |  Posted: Sat Mar 13, 2004 1:17 am
    ----
I don't really know the specifics, but you can look for a program called filebinder, which should give you some more resources.

Author: kohai  |  Location: New Brunswick - Canada  |  Posted: Sat Mar 13, 2004 3:32 am
    ----
OK, to be honest with ya, JPGs aren't executable programs. They cannot contain viruses. Same as the old myth about MP3s containing virii: it just cannot happen.

There are programs out there that will bind two EXEs together, but that is all.

Author: capi  |  Location: Portugal  |  Posted: Sat Mar 13, 2004 4:15 am
    ----
cisco student wrote:
I don't really know the specifics, but you can look for a program called filebinder, which should give you some more resources.

What the programs you're talking about do is take one or more files and "bind" them together, producing an executable file which, when run, will extract the original files and usually run one of them - the old "Here, try this cool game" routine: you run the program, it will extract the game and run it, but it will also extract a trojan/virus/whatever.

This is done by creating a "loader/extractor" executable, which has the "binded" files within it as resources. The actual extractor code is usually small, all it has to do is use LoadResource to get each file to memory, then write from memory to disk. There are some binders that boast they don't need to extract to disk and can run from memory, obviously it's the same thing, except they skip the WriteFile part and add some minor alterations.

In either case, binders create executable programs, and that's the only way they could work. You cannot take code, append it to a JPEG file, then expect the code to be somehow miraculously extracted when the user opens the file in Photoshop or whatever. It just won't work. Remember, code is no different from data from the computer's perspective: it's all numbers. 0x50 can just as well be PUSH EAX or it can be the number 80, or ASCII character 'P', or whatever, depending on how you interpret it at the moment.

Which brings me to my second point in this post: just because a JPEG (or MP3, for that matter) file isn't executable, don't assume the application you use to open it doesn't have vulnerabilities. It's perfectly plausible that a specially crafted MP3 file, opened in the right version of the right program, may cause it to crash/hang/execute arbitrary code/etc. Think normal program bugs that could be exploited, think unchecked headers, think buffer/heap overflows, not even to mention malicious "backdoors" that could be coded in the program (pretend to be nice music player most of the time, but erase your harddrive if you open a file called foobar.mp3, or a file that contains a given note, etc).

Simple example: imagine image viewer X can only handle JPEG files of size up to 1 MB. Try to open a bigger file and it'll hang and enter an infinite loop. There's a bug, someone could send you a 2 MB jpeg file and when you open it your computer will hang. Now imagine instead of something simple like that, perhaps image viewer X has an unchecked buffer. Maybe it reads some header in the jpeg (or whatever kind of file it works with) and allocates just enough memory to hold whatever data it needs to depending on what the header said. Now imagine it starts reading the file into the buffer until it reaches EOF (not checking if it's reached the end of the buffer first). If you falsify the header and make the file larger than you said it was, you can go past the buffer - perhaps you could do a heap overflow. Or maybe it's something more complicated, the point is you can never be 100% sure that whatever program you're using has no bugs or vulnerabilities and that they can't be exploited for whatever purpose.

In conclusion:
  1. You most certainly cannot make a JPEG file execute code by itself (remember, a process doesn't magically come to life - it's created by the OS, when you ask it to run a particular executable file). Of course, if there's some malicious program already running that intercepts the loading of the file and extracts code from it, that's a different matter, but still the JPEG file isn't executing itself, it's a program that you have running that's doing whatever it wants to do (you should be trying to get rid of the malicious program in the first place);
  2. On the other hand, you cannot rule out the possibility that a malicious JPEG file could take advantage of some bug/exploit in the program you open it with. Think of a simple buffer overflow: a string that you pass on argv isn't executable in and of itself, but if the program that's reading it happens to have a bug which will let you overwrite portions of its stack space...

Edit:
Regarding the quote from Sophos posted by Networkguy, this is precisely the example I mentioned in point 1. The whole trick is in the EXTRK.EXE... As reported, the virus spreads in the executable form (the proof.exe). When the user runs it, it will presumably extract EXTRK.EXE to somewhere in the system path, and make the necessary registry changes. It will then silently wait until the user opens some JPEG file. At that time, it will check for whatever arbitrary condition the virus maker imagined. It could be "Is the file size a multiple of 3? If so, format the drive", or "Does the file contain the sequence 0x01, 0x02, 0x03, 0x04? If so, erase all .DOC files because I don't like Word", or "Does the file contain some flag that tells me to extract a given portion of it and treat that as code to run? If so, read that given portion into memory and run that code", or anything the programmer wanted. The whole point here isn't the JPEG file, that's just what triggers the reaction. The point is you're already infected with EXTRK.EXE in the first place... That's the actual virus. The fact that it lies dormant, waiting for you to open a JPEG file that matches a given condition, or waiting for Friday the 13th to come by, or whatever, has no bearing whatsoever.

Author: andariel  |  Posted: Sat Mar 13, 2004 11:39 am
    ----
I've seen some EXE files that have a JPEG icon. This may trick some people. Because a lot of people use ACDSee, the icon chosen is an ACDSee JPEG icon. Some trojans like MagicPS (a program used to steal Yahoo! Messenger passwords) use this lame technique.
Thanx, andariel

Author: pinglacson  |  Location: Fy_Iceworld, Philippines  |  Posted: Sat Mar 13, 2004 3:36 pm
    ----
How about the JPEG file "cupholder", which opens your CD-ROM drive when executed?

Author: vG  |  Location: Serbia  |  Posted: Sun Mar 14, 2004 2:48 am
    ----
Yes, people, there is a thing like a JPG virus... I'll give you an example link; please don't use it for any other purpose but testing.
I don't know how it's working, but I tested it myself, and it is working. It is enough to put the link in your IE and the code will be executed. Shocked

IMPORTANT: You will infect yourself if you type this link in your Internet Explorer.

Code:

http://kate.krashed.org/me.jpg


If someone finds out more about this kind of virus, please post it here for the others.

JustinT: Edited, to protect those with the insatiable desire to click things that they shouldn't, unless in, strictly, a devoted test environment.

Author: capi  |  Location: Portugal  |  Posted: Sun Mar 14, 2004 5:27 am
    ----
That hostname isn't resolving to any IP atm... Actually the very DNS server that was supposed to resolve it isn't responding:
Quote:
DNS Lookup: kate.krashed.org A record
Generated by www.DNSstuff.com

How I am searching:
Searching for A record for kate.krashed.org at d.root-servers.net: Got referral to TLD1.ULTRADNS.NET. [took 115 ms]
Searching for A record for kate.krashed.org at TLD1.ULTRADNS.NET.: Got referral to ns.silenthosting.net. [took 121 ms]
Searching for A record for kate.krashed.org at ns.silenthosting.net.: Timed out. Trying again.
Searching for A record for kate.krashed.org at ns.silenthosting.net.: Timed out. Trying again.
Searching for A record for kate.krashed.org at ns2.silenthosting.net.: Timed out. Trying again.
Searching for A record for kate.krashed.org at ns.silenthosting.net.: Timed out. Trying again.
Searching for A record for kate.krashed.org at ns.silenthosting.net.: Timed out. Trying again.
Searching for A record for kate.krashed.org at ns.silenthosting.net.: Timed out. Trying again.

Do you happen to have the IP for it?

Either way, even if this isn't a hoax (googling around only found like 5 or 6 hits, mostly on gamer/irc sites) this is most likely some server-side trickery, like when you click on a link that seems to point to a .txt file but in fact the server gives you a .exe or whatever, you're always safer saving instead of opening it (don't know much about how that sort of thing is done, but I've seen it happen). In the event that this is really an actual jpeg file, it's still perfectly explainable: it simply takes advantage of some IE bug - for example, I remember having read (here in SFDC, I believe) about the IE 5 buffer overflow in the bitmap processing routines they found after Win2000 source code was leaked. One could conceivably create a bitmap that, when viewed (in the affected versions of IE), would be able to place arbitrary code on the stack for execution. That still doesn't mean the bitmap is a virus, it means IE is a buggy program and that MS never heard of input verification... If you view the same bitmap in some other viewer you won't have that issue (unless it's a problem with the bitmap standard itself, in which case it just means the standard is buggy). Same thing would apply for the jpeg.

The fact that a given input file can cause a target program to misbehave (where misbehaving can be anything from crashing to running arbitrary code) doesn't mean the input file is a virus or that it somehow "executes itself"... It just means that the target program has bugs, and probably doesn't verify its input very well.

An "executable" file is only that way because the OS loads its code to memory and runs it. Code or data is all the same for the computer: it's all numbers. The mere act of loading a bunch of 1's and 0's into a region of memory doesn't mean those numbers will somehow magically "take control" of the machine... Something has to tell the CPU to jump to go read the numbers on that particular address and interpret them as instructions to execute - i.e. "jump" to the address, which is what happens every time you run a program. If you look at that jpeg file with a hex editor nothing will happen, you'll just see a bunch of numbers. In fact, you can even look at a virus infected executable file. The hex editor will load it to memory and show you its contents, nothing more, nothing less will happen.

In either case, I'd still like to get my hands on that jpeg file and take a good look at it Smile

Edits: formatting and spelling


Last edited by capi on Sun Mar 14, 2004 6:05 am; edited 2 times in total

Author: vG  |  Location: Serbia  |  Posted: Sun Mar 14, 2004 5:37 am
    ----
Sorry, try this:

Code:

http://members.lycos.co.uk/janette18/me.jpg


Note: This link can infect you with some virus.

Research: It actually downloads some exe file on your computer and then executes it. So, you can't say it's a "JPG virus".

JustinT: Again, edited for security purposes.

Author: capi  |  Location: Portugal  |  Posted: Sun Mar 14, 2004 5:52 am
    ----
vG wrote:
Sorry, try this (link removed for safety reasons)

Note: This link can infect you with some virus.

Research: It actually downloads some exe file on your computer and then executes it.

Laughing We made the above two posts at practically the same time!

Well, as I thought, the file is no jpeg at all. I just downloaded it with wget; it's an html file with the extension altered to .jpg. We can thank our browsers' willingness to silently run html code in non-html files for the whole issue... It calls some php scripts, which no doubt are the ones responsible for infecting you with an exe file as you reported - the actual virus. All explained, then: it was, as I suspected, server-side trickery to feed you a fake file, not a jpeg that somehow executes code by itself. Here are the file's contents:
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//PL">
<html>
<head>
   <title>Fotki Marioli!</title>
   
<META HTTP-EQUIV="Content-type" CONTENT="text/html; charset=iso-8859-2">
<META HTTP-EQUIV="Creation-date" CONTENT="2002-12-22T14:28:18Z">
<META HTTP-EQUIV="Content-Language" CONTENT="pl">
<META NAME="Keywords" CONTENT="Insert Keywords Here">
<META NAME="Description" CONTENT="Insert Description Here">

<script language="JavaScript" type="text/javascript">

// Variables identifying the browser:
var nazwa = navigator.appName;
var ekran = (typeof(screen)=="object") ? screen.width : null;
var wersja = parseFloat(navigator.appVersion);
var msie = nazwa == "Microsoft Internet Explorer";
var nn = nazwa == "Netscape";
var inna = !(msie || nn);

if (msie) {
// If this is MSIE, the version was detected incorrectly.
var ws = navigator.appVersion;
wersja = parseFloat(ws.substring((ws.indexOf("MSIE") + 5 ),ws.length));
}

function go(gdzie) {
window.location = gdzie
}

// Put the redirection instruction here:

if (msie && wersja>=6) go('6.php')
else go('5.php')


//-->
</script>
<noscript>

</head>
<IMG SRC="ja.jpg">
<BODY BGCOLOR="#000000" LEFTMARGIN="0" TOPMARGIN="0" MARGINWIDTH="0" MARGINHEIGHT="0">

</body>
</html>


Just a sidenote: it's not very recommendable to post a link that will infect people with a mouse click in an unaltered form... You should mangle it somehow, I know you included a warning but still many people may be tempted to click on it (perhaps even before reading the warning). You could mangle it somehow so that it doesn't become a link (kind of like the old email AT domain DOT com).
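The magic-bytes check that capi's wget result calls for, added here as an example and not code from the thread: it classifies a file by its leading bytes (JPEG SOI marker, "MZ" executable stub, HTML tag) instead of trusting the .jpg extension, which is exactly what the browser failed to do. The sample bytes, the file names and the tag list are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef enum { KIND_JPEG, KIND_HTML, KIND_EXE, KIND_UNKNOWN } file_kind;

/* Case-insensitive "does `buf` begin with `prefix`?" (`prefix` is plain ASCII). */
static int starts_with_ci(const unsigned char *buf, size_t len, const char *prefix)
{
    size_t n = strlen(prefix);
    if (len < n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower(buf[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return 1;
}

/* Decide what a file really is from its leading bytes, never from its name.
 * JPEG starts with the SOI marker FF D8 and a further FF marker byte; a Win32
 * executable starts with "MZ"; HTML starts (after optional whitespace) with a tag.
 * Anything else is reported as unknown rather than guessed. */
static file_kind classify(const unsigned char *data, size_t len)
{
    static const char *const html_tags[] = { "<!doctype", "<html", "<head", "<script",
                                             "<body", "<meta", "<iframe" };
    if (len >= 3 && data[0] == 0xFF && data[1] == 0xD8 && data[2] == 0xFF)
        return KIND_JPEG;
    if (len >= 2 && data[0] == 'M' && data[1] == 'Z')
        return KIND_EXE;
    size_t i = 0;
    while (i < len && isspace(data[i]))
        i++;
    for (size_t t = 0; t < sizeof html_tags / sizeof html_tags[0]; t++)
        if (starts_with_ci(data + i, len - i, html_tags[t]))
            return KIND_HTML;
    return KIND_UNKNOWN;
}

/* True when the file name ends in .jpg or .jpeg (any case). */
static int name_claims_jpeg(const char *name)
{
    const char *dot = strrchr(name, '.');
    if (!dot)
        return 0;
    size_t n = strlen(dot);
    return (n == 4 && starts_with_ci((const unsigned char *)dot, n, ".jpg"))
        || (n == 5 && starts_with_ci((const unsigned char *)dot, n, ".jpeg"));
}

/* The check this thread ends up needing: the name says "image" but the bytes do not. */
static int is_disguised_image(const char *name, const unsigned char *data, size_t len)
{
    return name_claims_jpeg(name) && classify(data, len) != KIND_JPEG;
}

/* Constructed samples, not the real files from the thread: a JFIF header, the first
 * line of the kind of HTML capi found behind the .jpg link, and a DOS/PE stub start. */
static const unsigned char SAMPLE_JPEG[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00 };
static const unsigned char SAMPLE_HTML[] = "\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//PL\">\n<html>";
static const unsigned char SAMPLE_EXE[] = { 'M', 'Z', 0x90, 0x00, 0x03, 0x00 };

int main(void)
{
    static const char *const names[] = { "JPEG", "HTML", "EXE", "unknown" };
    /* "fake.jpg" is a constructed name; "me.jpg" is the name used in the thread. */
    printf("me.jpg   (HTML bytes): kind=%s disguised=%d\n", names[classify(SAMPLE_HTML, sizeof SAMPLE_HTML)],
           is_disguised_image("me.jpg", SAMPLE_HTML, sizeof SAMPLE_HTML));
    printf("me.jpg   (JPEG bytes): kind=%s disguised=%d\n", names[classify(SAMPLE_JPEG, sizeof SAMPLE_JPEG)],
           is_disguised_image("me.jpg", SAMPLE_JPEG, sizeof SAMPLE_JPEG));
    printf("fake.jpg (EXE bytes):  kind=%s disguised=%d\n", names[classify(SAMPLE_EXE, sizeof SAMPLE_EXE)],
           is_disguised_image("fake.jpg", SAMPLE_EXE, sizeof SAMPLE_EXE));
    return 0;
}
```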

Author: Zarnick  |  Location: Brazil  |  Posted: Sun Mar 14, 2004 6:50 am
    ----
OK, so the big problem with the jpg virus is the viewer, alright, but my question is this:
Don't all the viewers open a jpg file the same way? I mean, all the jpg files must have the same file header, telling about the size of the image, etc.... Couldn't this be cracked and linked to another .exe file? The actual virus is a .exe file, but what would trigger it would be the .jpg file; isn't this possible?

Author: capi  |  Location: Portugal  |  Posted: Sun Mar 14, 2004 8:02 am
    ----
Well, that really depends on the format in question (jpeg in the example) and, most of all, its implementation in the target program. While the definition of a standard (like JPEG) may be globally common, the way in which each program implements the reading of a jpeg file can vary - some may check everything to see that it's valid, some may skip a few checks for speed or simplicity, some may be more efficiently coded, some may be less efficiently coded, etc.

This is only to say that even though two programs open the same type of file, they may work differently under the hood. It's those differences that make up the possibility that one of them may be more vulnerable (to being fooled, crashed, etc) than the other. For example, one program might not check some header parameter and then it turns out it was invalid and it's going to end up doing a division by zero, or reading more data than it allocated memory for, or whatever.

That's why I say there's the possibility, at least theoretically, that a given program may be vulnerable to faulty behaviour caused by a malformed input file. Be it a crash, or something else. But this is really a very specific issue - some bug has to be targeted here, either at the definition of the format itself or at the way a program implements it.

For a vulnerability to be portable across different programs that handle a given format, it would have to rely on a fault in the format itself. For example, ActiveX is unsafe to begin with for its intended purpose, it's just too powerful, no need to go hacking the browser to change its behaviour when you already have readily available functions in the language that can do so much. That's an example of exploiting the format itself. Against that, one can only better the definition of the format.

Now, I don't find it very likely that a functionality of a graphics file format would provide any real tool for an attacker... What kind of information could it have? Pixel color? Width of the picture? Height? File size? I don't think those would be very helpful for anything other than making the picture look ugly, or simply turn the file into an invalid one. Here is where you would have to use a more specific exploit to gain any real purpose. You'd have to look at the code of a given picture viewer, see how it processes the headers and data, see if there's some part where it doesn't make sure that the input is correct, see what would happen if you give it false input. Maybe you can make it crash (by giving it, say, 0 when it expected the picture height, or whatever). Maybe you can get lucky and you find something that serves as a counter for a read cycle that copies data to a buffer without checking if the data has gone past the end of the buffer. You could place your code as the fake data and (depending on how the buffer was allocated) you might be able to make the program run that code later on - for example if the buffer is in the stack, and you're able to write past it, you could overwrite the function's return address and make it point to the buffer you just wrote to, which would hold your code and thereby you just made a popular "buffer overflow".

The point is this really depends on the program (the viewer) and the way it's programmed. If it checks the input properly, it won't be stupid enough to copy more bytes than it's allocated. But of course, there's no such thing as a bug-free program Wink (or at least not very common, especially in complex programs, some remote possibility is bound to be overlooked).

To sum it up, whether a given data format could be used to perform some action regardless of which program you're using to open it, really depends on the capabilities of the format you're using and how it's meant to be opened/processed. For example, I'm sure you'll agree that trying to create a virus on an ASCII text file is ridiculous - the only thing that a text editor is supposed to do with an ASCII file is load it to memory and display its contents, there's not much really to work with. Of course if there's some particular overbloated text editor X that went a step further and started implementing stupid features like macros and... uuh but wait, I'm going off on an anti-M$ speech again Wink Anyways, as software starts to get more and more overbloated, one starts to see more and more vulnerabilities. Think Word and the rise of Macro viruses (there, I said it, MS just had to make Word files so powerful they could freaking execute programming instructions), think Winamp and its annoying tendency to open up its little browser window with some URL just because the mp3 file had it on the comments section of the ID tag - if the URL happens to have some script that does something nasty... The Word part is actually an exploit of the file format: the Word format, that is. It's actually supposed (for some insane reason) to have the capability to execute arbitrary VB instructions etc. So, in theory, any program that completely supports the Word format will be equally vulnerable to a malformed Word file (i.e. one that has malicious VB code), not just MS Word (of course the smarter programs just don't run the macros, period, or you have to tell it to run them in the first place). The mp3 part I'm not certain of, are all mp3 players supposed to load each and every URL they find on an mp3 file's comments tags? I doubt it, mp3 was supposed to be music, not a damn My Favorites thingy...
Laughing That, I'd call more of a Winamp specific vulnerability (in that it's Winamp itself, not the whole mp3 format, that added a stupid feature that wasn't there which presents the possibility for being exploited).

As for the specific question you asked, altering a jpeg file in a way that would make every jpeg viewer load some exe file when they open it, I don't see it happening. The jpeg format is a picture format, it has no mention (afaik) of the possibility to load some other file, let alone run anything. Hence, as for creating a vulnerability that exploits the actual jpeg specification to make each and every image viewer that supports jpeg run arbitrary code, it doesn't make much sense. The jpeg standard simply isn't powerful enough for that sort of thing, it doesn't have (or need) functionalities like telling the program to load or run other files - as such, there's no reason for the programs to implement such functionality. So, while I do believe that it's perfectly possible for any one program, regardless of what it does (browser, notepad, game, whatever), to have a vulnerability which could allow anything from crashing the program to code execution (buffer overflow, for example), I don't think there's much chance of that vulnerability being common to all programs that do the same thing - unless the vulnerability is part of the very specification of what the programs are supposed to do, like my Word example (which could only be solved by redefining the standard, i.e. making it so macros don't autorun by default or getting rid of them period).

Of course the problem is, as we all know, there are some programs that are simply so widespread (IE, Windows, etc) that even if, for example, a given malicious jpeg file could only cause harm to someone using IE 5.5 (by exploiting some vulnerability in IE, tricking it into thinking the file is bigger than it is, or whatever), the issue would still be tremendously devastating, since so many people use IE. But that doesn't make jpegs viruses, nor does it mean they can execute code by themselves... it still requires you to use a particular version of a particular buggy viewer in order for something to happen.

Heck, I could make a 100Kb text file then send it to Win98 users and say it's a "text virus that makes Notepad popup with a thing saying it can't open big text files". Doesn't really make my text file a virus, though... Wink it just makes Win98's Notepad a limited program.
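The unchecked-header bug capi describes in both of his posts above (allocate what the header claims, then copy until EOF), as an added example rather than code from the thread: a toy, constructed image format with a length field, the loader as described beside a hardened one that refuses any header whose claim does not match the bytes actually present. The format, the 1 MB limit and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed toy image format, used only for this illustration (it is NOT JPEG):
 *   bytes 0..3 : pixel-data length the file claims (little-endian); bytes 4.. : pixel data to EOF.
 * The 1 MB pixel-data limit is an assumed viewer policy. */
#define HDR_LEN 4
#define MAX_PIXEL_BYTES (1u << 20)
typedef enum { LOAD_OK, LOAD_TRUNCATED, LOAD_TOO_LARGE, LOAD_MISMATCH, LOAD_NOMEM } load_status;

static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The viewer as the posts describe it: allocate what the header says, then read until EOF.
 * A header that under-states the payload makes this write past `buf` (a heap overflow).
 * Kept only for contrast; it must never see untrusted input. */
static unsigned char *load_unchecked(const unsigned char *file, size_t file_len)
{
    unsigned char *buf = malloc(read_le32(file));
    size_t i = 0;
    for (size_t pos = HDR_LEN; pos < file_len; pos++)
        buf[i++] = file[pos];                  /* bug: never checks i against the allocation */
    return buf;
}

/* Hardened loader: the claimed length is range-checked, cross-checked against the
 * bytes actually present, and the copy is bounded by the allocation. */
static load_status load_checked(const unsigned char *file, size_t file_len,
                                unsigned char **out, size_t *out_len)
{
    *out = NULL; *out_len = 0;
    if (file_len < HDR_LEN)
        return LOAD_TRUNCATED;                 /* not even a complete header */
    uint32_t declared = read_le32(file);
    if (declared == 0 || declared > MAX_PIXEL_BYTES)
        return LOAD_TOO_LARGE;                 /* zero or absurd claim: refuse */
    if (file_len - HDR_LEN != (size_t)declared)
        return LOAD_MISMATCH;                  /* header lies about the payload */
    if (!(*out = malloc(declared)))
        return LOAD_NOMEM;
    memcpy(*out, file + HDR_LEN, declared);    /* bounded by the checks above */
    *out_len = declared;
    return LOAD_OK;
}

/* Verdict of the hardened loader on a file, with any buffer released again. */
static load_status status_of(const unsigned char *file, size_t file_len)
{
    unsigned char *pixels; size_t n;
    load_status st = load_checked(file, file_len, &pixels, &n);
    free(pixels);
    return st;
}

/* Build a constructed sample whose header claims `declared` bytes while `payload_len`
 * bytes (0x41 filler) actually follow; returns the total file length. */
static size_t build_sample(unsigned char *dst, size_t cap, uint32_t declared, size_t payload_len)
{
    if (cap < HDR_LEN + payload_len)
        return 0;
    for (int k = 0; k < HDR_LEN; k++)
        dst[k] = (unsigned char)(declared >> (8 * k));
    memset(dst + HDR_LEN, 0x41, payload_len);
    return HDR_LEN + payload_len;
}

/* Build a sample with the given header/payload and report the hardened verdict. */
static load_status probe(uint32_t declared, size_t payload_len)
{
    unsigned char file[64];
    size_t len = build_sample(file, sizeof file, declared, payload_len);
    return len ? status_of(file, len) : LOAD_TRUNCATED;
}

int main(void)
{
    unsigned char honest[64];
    size_t len = build_sample(honest, sizeof honest, 8, 8);
    free(load_unchecked(honest, len));          /* safe only because this header is truthful */
    printf("honest=%d lying=%d absurd=%d (OK=%d MISMATCH=%d TOO_LARGE=%d)\n", probe(8, 8),
           probe(4, 16), probe(0xFFFFFFFFu, 16), LOAD_OK, LOAD_MISMATCH, LOAD_TOO_LARGE);
    return 0;
}
```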

Author: Crazy  |  Posted: Sun Mar 14, 2004 1:42 pm
    ----
Quote:
Sorry, try this http://members.lycos.co.uk/janette18/me.jpg

Note: This link can infect you with some virus.

Research: It actually downloads some exe file on your computer and then executes it. So, you can't say it's a "JPG virus".


Hey, I downloaded this file and made a scan with AV; it appears nothing. But Regedit doesn't open, the task manager the same too. What is this file and how can I remove it from my PC? Confused

Author: Crazy  |  Posted: Sun Mar 14, 2004 3:13 pm
    ----
Yes, I thought it's OK, I can remove anything, but I am still thinking what do I have to do??
Sad





output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 3
