Having used various JPEG formats for about 10 years now, and having worked along side software developers familiar with the inner workings of the JPEG format, I have some comments to add to this thread. #1 I have never heard of anybody ever having been infected by a JPEG file. #2 JPEG is probably the most commonly-distributed graphic format - it would make a great vector for malicious code. However, see point #1 (so as far as currently-available JPEGs on current viewers are concerned, you're probably safe). #3 As mentioned by Mathias, social engineering plays a role in which users are duped into running an executable they assume is a JPEG file. This works not just because the file system UI can be ambiguous, but because people enjoy receiving pictures (and most often more than one at a time). #4 A custom image viewer/JPEG combination could possibly act as a kind of Trojan. One could compromise a user's system by dispersing a freeware image viewer program capable of recognizing, nabbing and utilizing snippets of malicious code from compromised JPEGs. The payload is achieved when such a JPEG (probably sent as something racy or humerous) is received and viewed. This delayed payload approach would allow time for achieving a critical mass of compromised image viewers. Of course, why the writer of such a program wouldn't rather set a time bomb function into the image viewer itself would be a mystery to me. With the recent layoffs in the hi tech sector, it's possible that a disgruntled employee could insert similar malicious code into a respected and trusted software (such as an image viewer) either before they leave or even in a parallel version released on bulletin boards, etc. As usual, it's wise to look both ways before crossing the street and double clicking on file attachments... -----Original Message----- From: Mathias Dybvik [mailto:tmdybvikat_private] Sent: Friday, November 09, 2001 2:40 AM To: rginskiat_private Cc: vuln-devat_private Subject: Re: Infected jpeg files? The jpeg standard does not encompass any form of executable code in the jpeg itself. Any code you injected into a jpeg document would not be executed by the viewer. There is one exception to this: If there is a certain vulnerability/problem with a particular jpeg viewer, then it is theoretically possible to cause various forms of overflows, and possibly executing code in the viewer/client environment, by extremely carefully crafted pictures. This carefully crafted code would then have to have enough payload to reproduce, i.e. introduce a copy of itself into another jpeg file. This scenario sounds like it has probability greater than zero, yet would be very hard to implement reliably. Any implementation would likely only work on one particular version of one particular jpeg viewer, possibly only on one particular machine/software configuration. More fun use of jpeg viewer problems would probably be to upload jpegs to your web site that selectively crashed viewers/browsers you don't like. :) Steganography is information hiding. Your problem is not to hide information, but to have that information interpreted as code, and executed. The classic *illusion* of an executable jpeg, however, is the "my_picture.jpg.vbs" trick, which fools a lot of windows users that are using default settings in their file viewer. If you have "hide known extensions" enabled, then yes, it *is* possible to get infected by opening a file that *seems to be* a jpg file (but it isn't). Mathias Dybvik On Wed, Nov 07, 2001 at 01:22:40AM -0000, rginskiat_private wrote: > Mailer: SecurityFocus > > Is it possible for a virus to infect a jpeg (*.jpg) file, > then the jpg file to infect other files?...without > changing the files characteristics? In other words, a > jpeg file (file.jpg) is infected and it > remains "infected_file.jpg". It is possible for a file type > as jpeg to have a payload or cause damage although > it's just being viewed? Perhaps something like > steganagraphy...except embedding vbs (or > something) causing infection by way of the viewer? I > guess another way of asking the question is: > > Is it possible to get infected by just viewing jpeg files?
This archive was generated by hypermail 2b30 : Fri Nov 09 2001 - 11:15:49 PST