Viruses in images?

On Thu, 09 Dec 2004 22:02:20 -0000, Skywise spoketh

Isn't that what the jpeg library bug (search GDI+ on microsoft.com) was all about? Some buffer overflow somewhere that would allow the attacker to run code of their choice?

There's also the silly "picture_of_my_naked_sister.jpg.exe" crap. For those who have hidden the "registered extensions", that would show up as a jpg file, while for the rest of us, it would show up as the lamest (and I don't use that word often) attempt at fooling someone.

Lars M. Hansen


Reply to
Lars M. Hansen

Actually, this was a M$ problem...many, many times...

Reply to
Michael J. Pelletier

I know this has been hashed a bit in this group before. But...

CNN had a story today about wanting the gov't to step in to do more to protect [dumb] people from scams and viruses. In the story they talked a bit about Trojan Horses and mentioned how they can hide in many things, including images.

Now, I'm not stupid when it comes to computers but I can't help but think that this is urban legend.

Can an ordinary image, such as a .jpg, contain malicious code that can be executed?

The only way I can see it happening is if there is some code attached to the end of the file and that the software used to view the image seeks out and executes the code. I am not aware of ANY software that does this. Why would one want this feature anyway?

I recall that in the previous discussion on this in this group someone claimed it could be done, but when I asked for proof all I got was ad hominem attacks.

Anyone have proof of this? Like a known infected image I can download from somewhere?

Or am I right in that this is just fantasy?

Brian

Reply to
Skywise

What is the difference between data (jpg or other data) and code which can be executed?

Jason

Reply to
Jason Edwards

Lars M. Hansen wrote in news: snipped-for-privacy@4ax.com:

Thanks for the hint. I'll look it up.

The more I learn about how hackers do their deed, I keep hearing about this buffer overflow crap. To me, that is very poor programming to not have checks to make sure a buffer does not overflow.

If such a programmer worked for me and such a 'feature' occurred in the software they wrote, they wouldn't be working for me anymore.

That is an idea I am aware of that I didn't mention in my post. I agree, it's 'totally lame'. It also does not fit into what I am looking for.

From the way people have talked about this, I'm under the impression that one would be able to hide executable code inside an ordinary image file. That is, if you load the file into an image viewing program, you see the expected image. But somehow there's supposed to be this executable code hidden in the file that plants a virus or some other such thing onto your computer.

I simply fail to see how this is possible, hence my asking.

Brian

Reply to
Skywise

"Jason Edwards" wrote in news:31s0q7F3f3jmrU1 @individual.net:

Go find a jpeg of your favorite swimsuit model and 'execute' it.

See my reply to Lars for more information.

Brian

Reply to
Skywise

If the programmer who wrote the image viewing program did not include checks to protect against buffer overflows, loading an image file using that program could overflow a buffer, resulting in some of the image file being stored in memory beyond the buffer.

If a hacker knows the buffer overflow exists, he can create an image file which contains executable code in the part of the image file that gets stored beyond the buffer. If the overflow overwrites memory the system is using to store code before execution, the hacker's code will be executed instead.

The above is a very simplistic explanation, but hopefully describes how non-executable files can be malicious.

Reply to
Triffid

Create a simple batch file, rename it to test.jpg, double click on it using IE, it will run. File extensions mean very little when it comes to MS Products, IE and some of the others are set up to look inside the file and not really at its extension.

Reply to
Leythos

Well, since there have been patches for Unix, Linux, and even Microsoft concerning this, how much more proof does one need? That many coders would not have written patches for all those platforms for no reason. Not to mention that Linux users everywhere would have loved to say that *nix wasn't vulnerable. ;)

Reply to
Renegade

Ok. The computer crashed, no surprise there. It's not difficult to get the computer to execute it as code. Obviously this does not mean it will do anything sensible. But suppose I made a file with a jpg extension which _did_ contain valid code...

Jason

See above for more information too :)

Reply to
Jason Edwards

It is a trivial matter to put code in an image file. But it is not necessarily easy to get it executed as code. Your image viewing program may simply display a random looking pattern. If your image viewing program has a flaw which causes it to overwrite code with data from the image file then what will happen if that data is deliberately replaced with valid code?

Jason

Reply to
Jason Edwards

Oh there are plenty of bugs and security holes in *nix. They just don't cause such big problems because the user and the applications are severely restricted as to what access they have. Windows on the other hand tends to allow all users write access everywhere including the operating system files.

Reply to
Mike

Correct - but note that the buffer overflow may occur in a library (dll on windoze), and therefore affect any program which uses the library - which may well be most programs that parse a given type of file. The GDI+ overflow discussed elsewhere in this thread is a recent example.

Probably not, but it depends on how the malformed file was constructed.

True - but how did you determine you wanted to read 32 bytes? If you got that information from the file, and it was deliberately misleading, and you did not take steps to avoid being misled, bad things could happen.

The file format specification tells the programmer how the file is supposed to be structured. If the programmer simply assumes all input files will be correctly structured, the program is likely to be buggy and exploitable. Writing secure code starts with the assumption that all inputs are garbage and/or malicious until verified correct.

No doubt about it. It happens because programmers are trained and paid to deliver functionality. There is frequently little incentive to deliver the functionality securely, because that takes longer and costs more.

Reply to
Triffid
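The point in the post above about a length taken from the file itself, as an added example that is not part of the original thread: a reader for one JPEG-style segment (marker byte pair, then a 2-byte big-endian length that counts itself) copying into the 32-byte buffer mentioned in the discussion, first trusting the file and then validating it. The function names, status codes and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_MAX 32   /* the "read in 32 bytes" buffer from the thread */
enum seg_status { SEG_OK, SEG_BAD_HEADER, SEG_BAD_LENGTH, SEG_TRUNCATED, SEG_TOO_BIG };

/* Unsafe: copies however many bytes the file claims. A declared length
 * below 2 wraps to a huge size_t; one above BUF_MAX + 2 overruns out[]. */
void read_segment_unchecked(const uint8_t *seg, uint8_t out[BUF_MAX])
{
    size_t declared = ((size_t)seg[2] << 8) | seg[3];
    memcpy(out, seg + 4, declared - 2);
}

/* Checked: every value taken from the file is validated before use. */
enum seg_status read_segment(const uint8_t *seg, size_t avail,
                             uint8_t out[BUF_MAX], size_t *out_len)
{
    if (avail < 4 || seg[0] != 0xFF)
        return SEG_BAD_HEADER;            /* no marker + length present */
    size_t declared = ((size_t)seg[2] << 8) | seg[3];
    if (declared < 2)
        return SEG_BAD_LENGTH;            /* length field counts itself */
    size_t payload = declared - 2;
    if (payload > avail - 4)
        return SEG_TRUNCATED;             /* claims more than the file has */
    if (payload > BUF_MAX)
        return SEG_TOO_BIG;               /* would not fit the buffer */
    memcpy(out, seg + 4, payload);
    *out_len = payload;
    return SEG_OK;
}

/* Constructed sample segments (marker FF FE, big-endian length, payload). */
static const uint8_t good[]      = { 0xFF, 0xFE, 0x00, 0x05, 'a', 'b', 'c' };
static const uint8_t underflow[] = { 0xFF, 0xFE, 0x00, 0x00, 'a', 'b', 'c' };
static const uint8_t lying[]     = { 0xFF, 0xFE, 0x01, 0x00, 'a', 'b', 'c' };

int main(void)
{
    uint8_t out[BUF_MAX]; size_t n = 0;
    printf("good:      %d\n", read_segment(good, sizeof good, out, &n));
    printf("underflow: %d\n", read_segment(underflow, sizeof underflow, out, &n));
    printf("lying:     %d\n", read_segment(lying, sizeof lying, out, &n));
    return 0;
}
```

The unchecked function is never called on the malformed samples; it is there only to show the two lines that the four checks replace.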

"Jason Edwards" wrote in news:31t4koF3e9jhiU1 @individual.net:

Then it's not an image. It's a program.

BTW, I did the same thing as you.

If I changed a .jpg to an .exe, it either didn't run or crashed, never affecting the OS (W2kSP4). Interestingly, 2 of the 3 image editing/viewing programs I have still recognized the .exe file correctly as the image format it truly was. The one that did not was a Photoshop 5.0 and obviously relied on the extension to tell it what the file was. I could not force it to open 'any' file.

If I changed an .exe to a .jpg none of my image viewing/edit programs would open it. They all said it was an invalid file. I also could not get the file to run, either by double click, or start->run.

Brian

Reply to
Skywise

Triffid wrote in news:JEaud.37289$dC3.1191557 @news20.bellglobal.com:

Makes sense to me. However, this would be specific to a given piece of software. It would only work for the target program. In a sense, then, this would be much like all the other buffer overflow problems that have popped up. It would affect some users but not all.

But then, if this malformed image file is loaded into a program that is not affected by the buffer overflow, would the image display correctly without any obvious 'damage'?

Also, I'm not sure that there can even be a buffer overflow from just parsing an image file.

I'm not the best programmer in the world but every time I write a program that parses a data file, I've never had to worry about buffer overflows. In fact, I'm not sure how I could make it happen. If I want to read in 32 bytes of data, my program reads in 32 bytes. If there's more than that, the program doesn't suddenly somehow read in more.

Buffer overflows still sound like sloppy programming to me.

Brian

Reply to
Skywise

Leythos wrote in news:MPG.1c22c37d10b30e91989c2f@news- server.columbus.rr.com:

Just tried that. Didn't happen.

I made a simple batch file with only one command, 'tree'. I named that file x.jpg. When I double clicked on the file, windows tried to open it with the program associated with jpg files, which then returned an error on the bad file.

BTW, I'm on W2kSP4.

Brian

Reply to
Skywise

Lars M. Hansen wrote in news: snipped-for-privacy@4ax.com:

Ok...just read about it. To me, it boils down to sloppy programming.

Like I said in another post, I'm not the best programmer in the world, but perhaps I should try writing my own jpg parser so I can see what's going on. I am still having trouble understanding how buffer overflows can occur except by design.

Brian

Reply to
Skywise

Try to open it in IE and see what happens on an unpatched system.

Reply to
Leythos

Do the same thing, only doing FILE/OPEN from Internet Explorer.

Reply to
Leythos

Leythos wrote in news:MPG.1c242503ec3921a989c4b@news- server.columbus.rr.com:

I have Internet Explorer 6, but haven't sought out and installed any patches. I don't use IE so I don't know what patched 6 may already incorporate.

Anyway, doing file->open on an .exe renamed to .jpg resulted in my default image viewer program being opened and attempting to view the image, which of course didn't work.

Brian

Reply to
Skywise
