September 28, 2004 8:32 AM PDT

Trojan horse exploits image flaw

Internet watchers say they've spotted infected images that could implant a back door into a Windows computer if they are viewed.

EasyNews, a provider of Usenet newsgroups, said it has identified two JPEG images that take advantage of a previously identified flaw in the way Microsoft software handles graphics files. Windows users could have their computers infected merely by opening one of those Trojan horse images.

The report of the widely expected exploit comes less than a week after sample code appeared that demonstrated how to take advantage of Microsoft's programming error. Some security researchers worry that the ubiquity of JPEG images provides an unprecedented opportunity to spread malicious code through file-trading networks, the Web or spamming.

But the Trojan horse images may not be as threatening as a more sophisticated version of the exploit could be.

"These JPEGs did not replicate, so this is not a virus," antivirus software company F-Secure stated in its Weblog. "Apparently they tried to use these JPEGs to download Trojan (horse programs) to vulnerable computers, but the download sites should be down by now."

Windows' Graphic Device Interface Plus (GDI+) software contains a JPEG-processing vulnerability that affects dozens of Microsoft products, including the Office suite. Windows XP and Windows Server versions are vulnerable unless a Microsoft patch has been installed in the last few weeks or, in the case of XP, if the systems have been upgraded to Service Pack 2.

Other Windows versions may be at risk depending on what applications are installed. The issue does not affect non-Microsoft operating systems such as Linux and Mac OS X.

Developers at Santa Monica, Calif.-based EasyNews created a short program to scan JPEG files flowing through their system for identifying features of the GDI+ exploit.

"It paged my cell phone at 6:47pm PDT on 9/26/2004 for the first hit, and 7:52pm PDT on 9/26/2004 for the second hit," one of the developers wrote in a Web posting.

Mike Minor, EasyNews' chief technology officer, said he had been monitoring the Usenet feed for 36 hours before discovering an infected image. "We couldn't find any other trace of any other posts from that IP address," Minor said. EasyNews has not spotted any infected JPEGs since the two it identified late Sunday.

Once the Trojan horse is activated by viewing the image, it connects to an FTP (File Transfer Protocol) site and downloads software that installs a back door in the infected Windows machine.

3 comments

Join the conversation!
Add your comment
What they leave out...
that even if your unpatched... this is detectable and blockable by virus scanners... in particular my gf has a pirated copy so i had to make sure but norton does block this... so they only way you can be vulnerable is by not having a updated computer or updated virus scanner. and if you dont well... arent you just waiting for something bad to happen to your computer?
Posted by volterwd (466 comments )
Reply Link Flag
more info please
When covering virus/trojan news, I would like to see links/information on

1. How to detect infected jpgs, viruses, trojans;
2. How to remove the virus or trojan from your system; and
3. Links to sites with more detailed information or virus software homepages.

Thanks
Posted by office (2 comments )
Reply Link Flag
Just go to EasyNews.com
There is a link to the virus, what it does, what files it downloads, and the ports used.
Posted by Tex Murphy PI (165 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.