September 28, 2004 8:32 AM PDT

Trojan horse exploits image flaw

Internet watchers say they've spotted infected images that could implant a back door into a Windows computer if they are viewed.

EasyNews, a provider of Usenet newsgroups, said it has identified two JPEG images that take advantage of a previously identified flaw in the way Microsoft software handles graphics files. Windows users could have their computers infected merely by opening one of those Trojan horse images.

The report of the widely expected exploit comes less than a week after sample code appeared that demonstrated how to take advantage of Microsoft's programming error. Some security researchers worry that the ubiquity of JPEG images provides an unprecedented opportunity to spread malicious code through file-trading networks, the Web or spamming.

But the Trojan horse images may not be as threatening as a more sophisticated version of the exploit could be.

"These JPEGs did not replicate, so this is not a virus," antivirus software company F-Secure stated in its Weblog. "Apparently they tried to use these JPEGs to download Trojan (horse programs) to vulnerable computers, but the download sites should be down by now."

Windows' Graphics Device Interface Plus (GDI+) software contains a JPEG-processing vulnerability that affects dozens of Microsoft products, including the Office suite. Windows XP and Windows Server versions are vulnerable unless a Microsoft patch has been installed in the last few weeks or, in the case of XP, the system has been upgraded to Service Pack 2.

Other Windows versions may be at risk depending on what applications are installed. The issue does not affect non-Microsoft operating systems such as Linux and Mac OS X.

Developers at Santa Monica, Calif.-based EasyNews created a short program to scan JPEG files flowing through their system for identifying features of the GDI+ exploit.

"It paged my cell phone at 6:47pm PDT on 9/26/2004 for the first hit, and 7:52pm PDT on 9/26/2004 for the second hit," one of the developers wrote in a Web posting.

Mike Minor, EasyNews' chief technology officer, said he had been monitoring the Usenet feed for 36 hours before discovering an infected image. "We couldn't find any other trace of any other posts from that IP address," Minor said. EasyNews has not spotted any infected JPEGs since the two it identified late Sunday.

Once the Trojan horse is activated by viewing the image, it connects to an FTP (File Transfer Protocol) site and downloads software that installs a back door in the infected Windows machine.

What they leave out...
by volterwd September 28, 2004 12:26 PM PDT
that even if you're unpatched... this is detectable and blockable by virus scanners... in particular my gf has a pirated copy so I had to make sure, but Norton does block this... so the only way you can be vulnerable is by not having an updated computer or updated virus scanner. And if you don't, well... aren't you just waiting for something bad to happen to your computer?
more info please
by office September 29, 2004 8:26 AM PDT
When covering virus/trojan news, I would like to see links/information on

1. How to detect infected jpgs, viruses, trojans;
2. How to remove the virus or trojan from your system; and
3. Links to sites with more detailed information or virus software homepages.

Thanks