RE: Infected jpeg files?

From: Chan, Stephen (TIS, Singapore) (stephen_chanat_private)
Date: Fri Nov 09 2001 - 00:31:37 PST

    I'm just being far-fetched but what if the 'infected' jpeg contains
    activation code/commands embedded using steganography.
    It wouldn't contain executable code, but contains instructions for already
    resident worms/trojans such as Nimda/Code Red.
    
    Whoa! A whole new medium for controlling zombies. No vulnerability needed.
    Just plain old email.
    
    1. Send the trojan/worm via email
    2. Send the activation code embedded in a jpeg.
    
    Stephen
    
    
    -----Original Message-----
    From: Oliver Petruzel [mailto:opetruzelat_private]
    Sent: Friday, November 09, 2001 2:24 PM
    To: vuln-devat_private
    Subject: RE: Infected jpeg files?
    
    
    Perhaps an interesting file type to consider would be .bmp considering
    the default viewer within windows is MS Paint.  I've never looked at
    Paint that closely, but knowing who and what we're used to, it's quite
    possible.  As mentioned, it all depends on the viewer.  And if anything
    is suspect, my first look would be with default viewers in MS.  Time to
    imbed and play... Results or lack thereof to follow.
    
    oliver
    
    > -----Original Message-----
    > From: OBrien, Brennan [mailto:BOBrienat_private] 
    > Sent: Thursday, November 08, 2001 8:56 PM
    > To: rginskiat_private; vuln-devat_private
    > Subject: RE: Infected jpeg files?
    > 
    > 
    > Well, just my two cents here... 
    > 
    > Given that images are a major way of transmitting encoded 
    > data, it stands to reason that the hooks could exist  -- that 
    > is, it could be a transport mechanism.  However, the viewer 
    > itself would have to know to look for them and have the 
    > capability of doing something with them.  In other words, just 
    > cause I'm speaking in Japanese to you doesn't mean you 
    > understand what I'm saying.  
    > 
    > 
    > 
    > 
    > 
    > -----Original Message-----
    > From: rginskiat_private [mailto:rginskiat_private] 
    > Sent: Tuesday, November 06, 2001 5:23 PM
    > To: vuln-devat_private
    > Subject: Infected jpeg files?
    > 
    > Mailer: SecurityFocus
    > 
    > Is it possible for a virus to infect a jpeg (*.jpg) file,
    > then the jpg file to infect other files?...without
    > changing the file's characteristics? In other words, a
    > jpeg file (file.jpg) is infected and it
    > remains "infected_file.jpg". It is possible for a file type
    > as jpeg to have a payload or cause damage although
    > it's just being viewed? Perhaps something like
    > steganography...except embedding vbs (or
    > something) causing infection by way of the viewer? I
    > guess another way of asking the question is:
    >
    > Is it possible to get infected by just viewing jpeg files?
    >
    > I realize that's a "wide open question" I just don't
    > know how else to explain myself. Thanks in advance
    > for your patience and help.
    > 
    



    This archive was generated by hypermail 2b30 : Fri Nov 09 2001 - 01:05:26 PST
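
The thread's point that a JPEG can carry data the viewer never acts on can be checked from the defender's side by walking the file's marker segments. The following is an added example, not part of any message in the thread: it reports comment (COM) segments, application (APPn) segments and any bytes appended after the end-of-image marker. It does not detect steganography hidden in the pixel or coefficient data itself. The function name and the sample bytes are constructed for illustration.

```python
import struct

STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0-7 carry no length field

def jpeg_nonimage_bytes(data: bytes) -> dict:
    """Walk JPEG markers and collect bytes a decoder never turns into pixels."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    report = {"comments": [], "app_segments": [], "trailing": b""}
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte preceding a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI: decoders stop reading here
            report["trailing"] = data[pos + 2:]
            return report
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFE:            # COM: free-form comment
            report["comments"].append(payload)
        elif 0xE0 <= marker <= 0xEF:  # APPn: application-defined data
            report["app_segments"].append((f"APP{marker - 0xE0}", len(payload)))
        pos += 2 + length
        if marker == 0xDA:            # SOS: skip entropy-coded scan data
            while pos + 1 < len(data) and (
                data[pos] != 0xFF
                or data[pos + 1] in (0x00, 0xFF)
                or 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    raise ValueError("truncated JPEG (no EOI marker)")

# Constructed sample: a structurally valid marker stream, not a viewable image.
_COM = b"constructed comment"
SAMPLE = (b"\xff\xd8" + b"\xff\xe0\x00\x07JFIF\x00"
          + b"\xff\xfe" + struct.pack(">H", 2 + len(_COM)) + _COM
          + b"\xff\xda\x00\x03\x00" + b"\x12\xff\x00\x34\xff\xd0\x56"
          + b"\xff\xd9" + b"constructed trailing bytes")

if __name__ == "__main__":
    print(jpeg_nonimage_bytes(SAMPLE))
```

A non-empty `trailing` value or an unexpectedly large comment or APPn segment is a reason to inspect the file further, not proof of anything by itself.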