[ISN] Hackers use porn to target Microsoft JPEG flaw

InfoSec News isn at c4i.org
Wed Sep 29 03:56:06 EDT 2004


By Paul Roberts
SEPTEMBER 28, 2004 

Malicious hackers are seeding Internet newsgroups that traffic in
pornography with JPEG images that take advantage of a recently
disclosed security hole in Microsoft Corp.'s software, according to
warnings from antivirus software companies and Internet security

The reports are the first evidence of public attacks using the
critical flaw, which Microsoft identified and patched on Sept. 14 (see
story). Users who unwittingly download the poison images could have
software installed on their computers that gives remote attackers
total control over the machine, experts said.

The images were posted in a variety of Internet newsgroups where
visitors post and share pornographic images, or "binaries." The
altered JPEG images were posted to groups such as
"alt.binaries.erotica.breasts" yesterday by someone using the e-mail
address "Power-Poster at power-post.org," according to the online
security discussion group BugTraq and information posted on
Easynews.com, a Web portal for Usenet, the global network of news

The corrupted JPEG images are indistinguishable from other images
posted in the group but contain a slightly modified version of
recently released exploit code for the JPEG vulnerability called the
"JPEG of Death" exploit, which appeared over the weekend, said
Johannes Ullrich, chief technology officer of the SANS Institute's
Internet Storm Center (ISC). The ISC has also posted information about
the exploit online.

Like other exploits for the vulnerability that have appeared since
Microsoft released its patch, the JPEG of Death uses a JPEG file
formatted to trigger an overflow in a common Windows component called
the GDI+ JPEG decoder. That decoder is used by Windows, Internet
Explorer, Outlook and many other Windows applications, Ullrich said.

When opened by users, the infected JPEGs try to install a copy of
Radmin, a legitimate application that allows users to remotely control
their computers. In this case, however, the program is being used by
the remote attacker as a Trojan horse program. Infected Windows
machines are also programmed to report back to an Internet Relay Chat
channel, Ullrich said.

The images work only on computers running Windows XP, although some of
the attack features don't appear to work on all machines running that
operating system, Ullrich said.

The ISC and antivirus companies cautioned that the newly posted attack
images can't spread and aren't, technically, a "virus." However, the
exploit code could easily be modified to download a virus engine with
e-mail capability that would spread when images are opened, Ullrich

As with Sasser and other recent worms that target common Windows
components, security experts said they worry that the JPEG
vulnerability in GDI+ could spawn another major worm outbreak. The
vulnerability is remotely exploitable and can be accessed through a
long list of popular Windows applications, including Internet
Explorer, the Outlook e-mail program and Microsoft's Office

In addition to GDI+ being a standard component of Windows, different
Windows applications frequently distribute their own versions of GDI+.  
Those versions might reside in folders used by the applications and be
out of reach of the Windows patch, or they could be installed after
the Microsoft patch was applied, undoing that patch, Ullrich said.
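The point Ullrich makes about private copies of GDI+ is an inventory problem: a system-wide patch does not touch a gdiplus.dll that an application shipped in its own folder. The following is an added example, not code from the article, the ISC or Microsoft. It walks a directory tree, finds every file named gdiplus.dll wherever it lives, reads the file version out of the PE version resource by locating the VS_FIXEDFILEINFO signature (0xFEEF04BD, the documented Win32 layout), and compares it with a minimum version the operator supplies. MIN_PATCHED_VERSION is a placeholder to be filled in from the vendor bulletin; the `demo()` function builds a constructed tree with fake stand-in files (not real DLLs) so the check can be exercised offline, and the version numbers used there are illustrative, not the bulletin's.

```python
"""
Inventory of private gdiplus.dll copies that a system-wide patch may not reach.
Added example for this post; not the article's, the ISC's or Microsoft's code.
"""
import os
import struct
import tempfile

FIXEDFILEINFO_SIG = b"\xBD\x04\xEF\xFE"   # 0xFEEF04BD stored little-endian in the PE
MIN_PATCHED_VERSION = (0, 0, 0, 0)        # placeholder: set from the vendor bulletin


def file_version(path):
    """Return (major, minor, build, revision) from the PE version resource, or None.

    Locates the VS_FIXEDFILEINFO block by its signature rather than walking the
    resource directory; the fields after the signature are dwStrucVersion,
    dwFileVersionMS and dwFileVersionLS.
    """
    with open(path, "rb") as fh:
        blob = fh.read()
    idx = blob.find(FIXEDFILEINFO_SIG)
    if idx < 0 or idx + 16 > len(blob):
        return None
    _sig, _struc, ms, ls = struct.unpack_from("<IIII", blob, idx)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def find_gdiplus(root, minimum=MIN_PATCHED_VERSION):
    """Walk root; return a sorted list of (path, version, ok) for every gdiplus.dll.

    ok is False when the version could not be read or is below the minimum,
    which is exactly the private, unpatched copy the article warns about.
    """
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "gdiplus.dll":
                path = os.path.join(dirpath, name)
                ver = file_version(path)
                ok = ver is not None and ver >= minimum
                results.append((path, ver, ok))
    return sorted(results)


def make_fake_dll(path, version):
    """Write a constructed stand-in carrying only a VS_FIXEDFILEINFO block (test data, not a PE)."""
    major, minor, build, rev = version
    ms = (major << 16) | minor
    ls = (build << 16) | rev
    with open(path, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62 + FIXEDFILEINFO_SIG + struct.pack("<III", 0x00010000, ms, ls))


def demo():
    """Constructed tree: one system copy at the minimum, one private app copy below it."""
    root = tempfile.mkdtemp()
    sys_dir = os.path.join(root, "WINDOWS", "system32")
    app_dir = os.path.join(root, "Program Files", "SomeApp")
    os.makedirs(sys_dir)
    os.makedirs(app_dir)
    make_fake_dll(os.path.join(sys_dir, "gdiplus.dll"), (5, 1, 3100, 0))   # illustrative
    make_fake_dll(os.path.join(app_dir, "gdiplus.dll"), (5, 1, 3000, 0))   # illustrative
    return find_gdiplus(root, minimum=(5, 1, 3100, 0))


if __name__ == "__main__":
    for path, ver, ok in demo():
        print(("OK     " if ok else "BELOW  ") + str(ver) + "  " + path)
```

On a real host you would call `find_gdiplus("C:\\")` with the bulletin's minimum version; every entry with `ok` False is a copy that needs the vendor's updated redistributable, and re-running the inventory after any application install catches the case where a later setup program silently puts an old copy back.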

Currently, most major antivirus software programs can spot corrupted
JPEG images. Ullrich added that antivirus software, in combination
with the Windows patch, is the only known protection from attacks that
use the GDI+ vulnerability.
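The article says the attack images are "formatted to trigger an overflow" in the GDI+ decoder and that antivirus products have learned to spot them. A structural gate in front of the decoder is one way to do that without relying on signatures: the GDI+ bug in question was triggered by a comment segment whose two-byte length field was smaller than the two bytes the field itself occupies, which the JPEG format never permits. The code below is an added example, not the article's, the ISC's or any antivirus vendor's code. It walks the marker segments of a JPEG and reports any segment with a length below 2, any segment that runs past the end of the file, and missing SOI/EOI markers; the sample files are constructed inline and are not real images.

```python
"""
Structural sanity check for JPEG marker segments.
Added example for this post; not code from the article, the ISC or any vendor.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01} | set(range(0xD0, 0xD8))   # TEM and RST0..RST7 carry no length field


def _skip_scan(data, pos):
    """Advance past entropy-coded data to the next real marker (0xFF00 is a stuffed byte, RSTn are restart markers)."""
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
            return pos
        pos += 1
    return len(data)


def scan_jpeg(data):
    """Return a list of (offset, marker, message) findings; an empty list means the structure is sane."""
    findings = []
    if len(data) < 4 or data[0:2] != b"\xFF\xD8":
        return [(0, None, "missing SOI marker")]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            findings.append((pos, None, "expected marker prefix 0xFF"))
            break
        while pos < len(data) and data[pos] == 0xFF:      # 0xFF fill bytes are allowed
            pos += 1
        if pos >= len(data):
            findings.append((pos, None, "truncated after 0xFF"))
            break
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return findings
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            findings.append((pos, marker, "truncated length field"))
            break
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            # the length counts its own two bytes; 0 or 1 underflows a naive 'length - 2'
            findings.append((pos, marker, "length field %d < 2 (underflow trigger)" % length))
            break
        if pos + length > len(data):
            findings.append((pos, marker, "segment length %d runs past end of file" % length))
            break
        pos += length
        if marker == SOS:
            pos = _skip_scan(data, pos)
    else:
        findings.append((len(data), None, "missing EOI marker"))
    return findings


def _seg(marker, payload):
    """Build one marker segment: 0xFF, marker, big-endian length including itself, payload."""
    return b"\xFF" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples (not real images): minimal marker skeletons, enough to exercise the parser.
APP0 = _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
GOOD = (b"\xFF\xD8" + APP0
        + _seg(0xFE, b"constructed sample")          # well-formed COM segment
        + _seg(SOS, b"\x01\x01\x00\x00\x3F\x00")      # SOS header for one component
        + b"\x12\x34\xFF\x00\x56"                     # fake entropy data with a stuffed 0xFF00
        + b"\xFF\xD9")
BAD = (b"\xFF\xD8" + APP0
       + b"\xFF\xFE\x00\x01"                          # COM segment claiming length 1: invalid
       + b"\xFF\xD9")

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("BAD", BAD), ("TRUNCATED", GOOD[:-1])):
        print(name, scan_jpeg(blob))
```

The check is deliberately decoder-independent: it only reads marker headers, so it can run as a mail-gateway or proxy filter on files that will later be handed to a patched or unpatched decoder, and a finding on a length field below 2 is a hard reject rather than a heuristic.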
