June 13, 2002 11:40 AM PDT
New virus communicates by pictures
Dubbed the first "JPEG infector" by security company Network Associates, the W32/Perrun virus has two parts: infected JPEG images that contain the virus's payload and a viral program that extracts the code from the images and infects other JPEGs on the system as they are opened.
Because PCs have to be infected by the extractor virus before any code hidden in image files can affect them, the program is more a computer-science curiosity than a threat, said Vincent Gullotto, vice president of Network Associates' antivirus emergency response team.
"We are not saying that this is a problem," Gullotto said. "We gave it a low risk, but we haven't seen anything like this before." A digital image carrying code for W32/Perrun is easy to spot, he said, because the image is corrupted by the new code.
PC users should note that they can't be infected by opening a JPEG image. Rather, a virus on an infected computer copies code into a digital image and waits for the JPEG to get passed along to other infected systems. The virus on those systems will read the code fragment in the JPEG image and follow the instructions. Users who haven't been infected by the extractor virus can open an infected digital image and nothing will happen.
The extractor file only infects computers running Microsoft Windows and doesn't include a mass-mailing component. And, in fact, the virus has not been released on the Internet, but has been sent only to major antivirus companies by the creator of the code.
However, the code has opened up a debate among antivirus researchers as to whether viruses with multiple parts could represent a new threat to PC users.
With some rather simple improvements, the virus could pose a threat, Gullotto said.
One obvious modification, which has already been discussed among the virus community, is using steganography--a technique to hide data in pictures--to allow such programs to embed code in images without corrupting the picture.
An upgradable virus is not a new event in the virus world. Hybris, a worm that slowly infected a large number of computers on the Internet last year, could be upgraded with encrypted plug-ins that were posted to Usenet, security experts have said.
Researchers have long worried about the evolving technology in viruses, and the latest critter to climb out of the Internet shows that the arms race with virus writers hasn't slowed.
But for Gullotto, the real lesson is one of foresight.
"People should start becoming more leery of JPEG files," he said. "If there is a chance that we can get ahead of the virus curve in educating the users, we should."