Be careful with the word "virus": it's no virus, it's an exploit. Meaning that it's a proof of concept, and writing good exploits is hard; it is a challenge. Many security researchers have probably written exploits for this internally to test vulnerability, or to demonstrate it; maybe people will then believe the severity of the issue. But they are also used for penetration testing. The connect-back method is a popular method to payload an exploit. Often infected machines have a firewall or are behind a company firewall, and opening a new port with a cmd.exe shell on it is not convenient, because the firewall blocks any connection attempt. A connect-back, however, will connect back to an attacker machine: an outbound connection. Now, outbound connections can be restricted too, which is called egress filtering, but it's not done at a large scale yet, though it's starting to come as an attempt (which would be very successful) at stopping spam being sent from the inside network, and to stop viruses. When the exploit is being used in a real virus, however (though the exploit should become more stable than it is now to do this), all this firewall stuff doesn't help. As the payload won't be a connect-back shell, but the virus itself and a mechanism which will probably abuse Outlook for sending it to other people, there's not much one can do about this, but filtering the email or developing IDS (Intrusion Detection System) signatures for it.
Will JpegOfDeath Help Slay Microsoft?
Posted by: Jon Newton, September 29, 2004 06:00 AM

You knew it was coming, and now it’s here — the latest evil spurred by the latest Microsoft security hole. It’s called the JpegOfDeath, but JPEG isn’t all it threatens. “[F]or the people out there who think you can only be affected through viewing or downloading a JPEG attachment… you’re dead wrong,” says K-OTIC’s John Bissell. “All the attacker has to do is simply change image extension from .jpg to .bmp or .tif or whatever and stupid Windows will still treat the file as a JPEG.”
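Because the parser goes by file content rather than extension, a defender's filter has to do the same. The following added example (not code from the article or from K-OTIC) identifies JPEG data by its SOI marker whatever the extension says, and walks the marker segments to flag any whose declared length is smaller than the two length bytes themselves, which the JPEG format never allows. The sample bytes are constructed for the demonstration and contain no image or exploit data.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"

def segment(marker: int, payload: bytes) -> bytes:
    """Build a JPEG marker segment; the 16-bit length counts itself."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: a tiny well-formed header, and the same header
# followed by a COM segment (0xFE) that declares an impossible length of 1.
APP0 = segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
GOOD_JPEG = SOI + APP0 + segment(0xFE, b"hello") + EOI
BAD_JPEG = SOI + APP0 + b"\xff\xfe\x00\x01" + EOI

def is_jpeg(data: bytes) -> bool:
    """Content-based identification: SOI followed by a marker prefix."""
    return data[:3] == b"\xff\xd8\xff"

def find_bad_segments(data: bytes) -> list:
    """Walk header segments up to SOS/EOI; report length fields below 2."""
    problems, i = [], 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            problems.append((i, "expected 0xFF marker byte"))
            break
        marker = data[i + 1]
        if marker == 0xFF:            # fill byte, skip it
            i += 1
            continue
        if marker in (0xD9, 0xDA):    # EOI or SOS: header walk ends here
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn: no length
            i += 2
            continue
        length = struct.unpack(">H", data[i + 2:i + 4])[0]
        if length < 2:
            problems.append((i, f"segment 0x{marker:02X} declares length {length}"))
            break
        i += 2 + length
    return problems

def assess(filename: str, data: bytes) -> dict:
    """Flag JPEG content hiding behind another extension and malformed headers."""
    jpeg = is_jpeg(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "is_jpeg": jpeg,
        "extension_mismatch": jpeg and ext not in ("jpg", "jpeg"),
        "malformed_segments": find_bad_segments(data) if jpeg else [],
    }
```

Run `assess("holiday.bmp", BAD_JPEG)` to see both findings raised at once; a mail or proxy filter would quarantine on either.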