
JPEG Exploit Hits Usenet, Worm Close Behind

Discussion in 'Security and Privacy' started by Rockit, 2004/09/30.

Thread Status:
Not open for further replies.
  1. 2004/09/30
    Rockit

    Rockit Inactive Thread Starter

    Joined:
    2003/03/23
    Messages:
    464
    Likes Received:
    0
    September 28, 2004

    JPEG Exploit Hits Usenet, Worm Close Behind



    Courtesy of TechWeb News

    An exploit attacking the most recent Windows bug is circulating on Usenet, security experts said Tuesday, that crashes machines, yet another indicator that attackers will chase the vulnerability until they've launched mass mailing-style worm-based attacks.
    According to the Bugtraq security mailing list, malicious JPEG images have been posted to several adult newsgroups on Usenet. When viewed, these JPEG images crash unpatched Windows XP and Windows 2000 PCs, said the Internet Storm Center in an online advisory.

    The images tried to download a backdoor Trojan to the victim systems, but were so poorly coded that all that they did was cause a crash.

    "The malicious image appears to have been created with one of the more recent MS04-028 exploit kits," wrote Joshua Wright, one of the Center's online handlers. Automated tools appeared last Friday that built images which exploited the JPEG vulnerability Microsoft announced two weeks ago Tuesday.

    Although this most recent attempt to exploit the Windows flaw failed, the Storm Center said that, "we suspect a working exploit is very close to widespread availability."

    Finnish security firm F-Secure seconded the motion. "Things are heating up," wrote Mikko Hypponen, the company's director of anti-virus research, in his blog. "I have a nasty feeling we might sooner or later see a mass-mailer worm using a JPG image as the attachment."
     
  2. 2004/09/30
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    That is one of the MAIN reasons that I use Mailwasher to check my EMail.

    Anything that does not look right or has what looks to be image attachments GOES BYE-BYE ( deleted ) right off of the server. It does not even get downloaded to my machine.

    I had TWELVE ( 12 ) Emails this AM. At least three of them had a .JPG attachment. BYE-BYE.

    BillyBob
     
    Last edited: 2004/09/30

  4. 2004/10/01
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    I think I ran into one:

    Application has changed since the last time you opened it, process id: 3316
    Filename: D:\Program Files\Internet Explorer\iexplore.exe
    The change was denied by user

    ---- Modules changed: 0 ----
    ---- New modules: 2 ----
    D:\WINDOWS\system32\mscms.dll
    D:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GDIPLUS.DLL

    Regards - Charles
     
  5. 2004/10/01
    Rockit

    Rockit Inactive Thread Starter

    Joined:
    2003/03/23
    Messages:
    464
    Likes Received:
    0
    Charles,
    What do ya think stopped the process from executing? Your antivirus?

    Thanks
    Rockit
     
  6. 2004/10/01
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Rockit,

    It was my 3rd party firewall Sygate that's set to warn of .dll injections.

    In reviewing the logs, I was in an MSN "see story" link, and it's probable that this was legit, and if it wasn't, I don't think any damage would have resulted from my allowing it, this vulnerability is patched with SP2. What was really disconcerting was that I just finished reading this thread, so I was startled by this and took no chances.

    The problem for me at least is that I just started reading about this and don't exactly know how this trojan operates. So far the writeups are general. Is this one way that the trojan loads? I have a lot of research to do on this.

    Regards - Charles
     
  7. 2004/10/03
    hawk22

    hawk22 Geek Member

    Joined:
    2002/01/31
    Messages:
    1,991
    Likes Received:
    26
    I have downloaded the Critical update "KB833987-x86-ENU.EXE"
    from MS for XP but have not installed it yet.
    Is it OK to install or has it bugs that affect the system, or is that the useless one that Arie refers to?
    thanks
    hwk22
     