Vulnerability Development mailing list archives

RE: Infected jpeg files?


From: Krul Thomas <Thomas.Krul () ocipep gc ca>
Date: Fri, 9 Nov 2001 10:39:24 -0500

Having used various JPEG formats for about 10 years now, and having worked
alongside software developers familiar with the inner workings of the JPEG
format, I have some comments to add to this thread.

#1 I have never heard of anybody ever having been infected by a JPEG file.

#2 JPEG is probably the most commonly-distributed graphic format - it would
make a great vector for malicious code. However, see point #1 (so as far as
currently-available JPEGs on current viewers are concerned, you're probably
safe).

#3 As mentioned by Mathias, social engineering plays a role in which users
are duped into running an executable they assume is a JPEG file. This works
not just because the file system UI can be ambiguous, but because people
enjoy receiving pictures (and most often more than one at a time).

#4 A custom image viewer/JPEG combination could possibly act as a kind of
Trojan. One could compromise a user's system by dispersing a freeware image
viewer program capable of recognizing, nabbing and utilizing snippets of
malicious code from compromised JPEGs. The payload is achieved when such a
JPEG (probably sent as something racy or humorous) is received and viewed.
This delayed payload approach would allow time for achieving a critical mass
of compromised image viewers. Of course, why the writer of such a program
wouldn't rather set a time bomb function into the image viewer itself would
be a mystery to me.

With the recent layoffs in the hi-tech sector, it's possible that a
disgruntled employee could insert similar malicious code into a respected
and trusted software (such as an image viewer) either before they leave or
even in a parallel version released on bulletin boards, etc.

As usual, it's wise to look both ways before crossing the street and double
clicking on file attachments...


-----Original Message-----
From: Mathias Dybvik [mailto:tmdybvik () hotmail com]
Sent: Friday, November 09, 2001 2:40 AM
To: rginski () co pinellas fl us
Cc: vuln-dev () securityfocus com
Subject: Re: Infected jpeg files?


The jpeg standard does not encompass any form of executable code in the jpeg
itself. Any code you injected into a jpeg document would not be executed by
the viewer.

There is one exception to this:

If there is a certain vulnerability/problem with a particular jpeg viewer,
then it is theoretically possible to cause various forms of overflows,
and possibly execute code in the viewer/client environment, by extremely
carefully crafted pictures. This carefully crafted code would then have to
have enough payload to reproduce, i.e. introduce a copy of itself into
another jpeg file.

This scenario sounds like it has probability greater than zero, yet would be
very hard to implement reliably. Any implementation would likely only work on
one particular version of one particular jpeg viewer, possibly only on one
particular machine/software configuration.

More fun use of jpeg viewer problems would probably be to upload jpegs to
your web site that selectively crashed viewers/browsers you don't like. :)

Steganography is information hiding. Your problem is not to hide
information, but to have that information interpreted as code, and executed.

The classic *illusion* of an executable jpeg, however, is the
"my_picture.jpg.vbs" trick, which fools a lot of Windows users that are
using default settings in their file viewer. If you have "hide known
extensions" enabled, then yes, it *is* possible to get infected by opening a
file that *seems to be* a jpg file (but it isn't).

Mathias Dybvik

On Wed, Nov 07, 2001 at 01:22:40AM -0000, rginski () co pinellas fl us wrote:

Is it possible for a virus to infect a jpeg (*.jpg) file,
then the jpg file to infect other files?...without
changing the file's characteristics? In other words, a
jpeg file (file.jpg) is infected and it
remains "infected_file.jpg". Is it possible for a file type
such as jpeg to have a payload or cause damage although
it's just being viewed? Perhaps something like
steganography...except embedding vbs (or
something) causing infection by way of the viewer? I
guess another way of asking the question is:

Is it possible to get infected by just viewing jpeg files?
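As an added example (not code from anyone in this thread), a defender's check that separates the two cases Mathias describes: an attachment whose real extension is a script hidden behind an image extension, and a file that is an actual JPEG marker stream, which by design carries no code. The extension lists and the sample bytes are constructed for illustration; the marker walk follows the JPEG segment layout (SOI, length-prefixed segments, SOS scan data, EOI).

```python
import struct

# Constructed lists, not exhaustive: script/executable types Windows will run,
# and image extensions an attacker might place in front of them.
EXECUTABLE_EXTS = {"vbs", "exe", "scr", "pif", "com", "bat", "cmd", "js", "wsf"}
IMAGE_EXTS = {"jpg", "jpeg", "gif", "png", "bmp"}


def disguised_extension(filename):
    """Return the real (last) extension when an image extension hides a script one."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in IMAGE_EXTS and parts[2] in EXECUTABLE_EXTS:
        return parts[2]
    return None


def jpeg_segments(data):
    """Walk the marker segments of a JPEG; return [(marker, length)] or raise ValueError."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    segs, pos = [], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: end of image
            segs.append((marker, 0))
            return segs
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers, no length
            segs.append((marker, 0))
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        segs.append((marker, length))
        pos += 2 + length
        if marker == 0xDA:                      # SOS: entropy-coded data runs until EOI
            end = data.find(b"\xff\xd9", pos)
            if end < 0:
                raise ValueError("missing EOI after scan data")
            pos = end
    raise ValueError("missing EOI")


def classify(filename, data):
    """Label an attachment: disguised script, malformed JPEG, or well-formed JPEG."""
    ext = disguised_extension(filename)
    if ext:
        return f"suspicious: {filename} is a .{ext} file disguised as an image"
    try:
        return f"well-formed JPEG with {len(jpeg_segments(data))} segments"
    except ValueError as err:
        return f"malformed JPEG: {err}"


# Constructed minimal JPEG: SOI, APP0/JFIF (16 bytes), SOS (8 bytes), 2 scan bytes, EOI.
MINIMAL_JPEG = (b"\xff\xd8"
                + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
                + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
                + b"\x12\x34"
                + b"\xff\xd9")
```

Run `classify("my_picture.jpg.vbs", b"")` and `classify("photo.jpg", MINIMAL_JPEG)` to see the two outcomes; a truncated stream (`MINIMAL_JPEG[:-2]`) is reported as malformed rather than silently accepted.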

