McAfee Manufactures Virus Threat
The latest "news" to come out of the AV industry is New Virus Infects Picture Files. McAfee put up their description and made sure to issue a wide-spread press release to stir up some interest. McAfee's spokesdrone fans the flames:
- "Potentially no file type could be safe."
That evolution should make computer users think twice about sending pictures or any other media over the Internet, Gullotto said.
"Going forward, we may have to rethink about distributing JPGs."
Now, if you know much about computing, you may be a little suspicious of this. JPEGs are compressed image files that only contain data representing an image to be displayed, not code to be executed. A modification of that data might screw up the picture of your cat dangling from the edge of the kitchen table you like so much, but it won't turn the image into a potential virus transmitter, because the programs that display JPEGs don't read them with an eye toward executing the code. An image file is just data to be displayed. The line between "data" and "code" is a little bit fuzzy - often particular characters or a particular file can be both data and code, depending on the context of how other code handles it. Or a particular file can include both data and code separately, like a Microsoft Word file that includes data (your text) and code (some macro designed to be executed by Word when the document is opened).
But for JPEGs there's a well-designed standard, and it doesn't include executing code of any sort. If a JPEG-handling program doesn't like the data it sees, it should just stop trying to display the image, not decide to start executing code from the image. JPEGs are mostly harmless.
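As an added illustration of the point above (this is example code written for this page, not code from the article or from any JPEG library), here is a small Python walker over JPEG marker segments that checks every declared segment length against the bytes actually present and stops, with an error, the moment they disagree. The two sample byte strings are constructed inline: one well-formed, and one whose comment segment claims far more data than the file holds, which is exactly the kind of input a decoder should reject rather than read past the end of its buffer.

```python
import struct
from typing import Iterator, Optional, Tuple

# Build one JPEG marker segment: 0xFF, marker byte, 2-byte big-endian length
# (the length counts itself plus the payload, not the marker), then payload.
def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: SOI, an APP0 (JFIF) header, a COM (comment) segment, EOI.
# No scan data, so this is not a displayable image, just the header structure.
SAMPLE_OK = (
    b"\xFF\xD8"                                                        # SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")  # APP0
    + _segment(0xFE, b"a comment is data, not code")                   # COM
    + b"\xFF\xD9"                                                      # EOI
)

# Constructed malformed sample: the COM length field says 0xFFFF bytes follow,
# but only five do. A naive decoder that trusts the field reads far past the
# end of the buffer; a careful one refuses.
SAMPLE_BAD = b"\xFF\xD8" + b"\xFF\xFE" + struct.pack(">H", 0xFFFF) + b"short" + b"\xFF\xD9"


class MalformedJPEG(ValueError):
    """Raised when the marker structure is inconsistent with the bytes present."""


def walk_segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, payload) for each length-prefixed segment before the scan.

    Every length is validated against the remaining buffer before a single
    payload byte is touched. On any inconsistency we raise instead of guessing.
    """
    if len(data) < 2 or data[:2] != b"\xFF\xD8":
        raise MalformedJPEG("missing SOI marker")
    pos = 2
    while True:
        if pos + 2 > len(data):
            raise MalformedJPEG("file ends before EOI")
        if data[pos] != 0xFF:
            raise MalformedJPEG(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        pos += 2
        if marker in (0xD9, 0xDA):                   # EOI, or SOS (scan data begins)
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn carry no length
            continue
        if pos + 2 > len(data):
            raise MalformedJPEG("segment length field is truncated")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            raise MalformedJPEG(f"segment 0x{marker:02X} has impossible length {length}")
        if pos + length > len(data):
            raise MalformedJPEG(
                f"segment 0x{marker:02X} claims {length} bytes, only {len(data) - pos} remain"
            )
        payload = data[pos + 2:pos + length]
        pos += length
        yield marker, payload


def comment_text(data: bytes) -> Optional[str]:
    """Return the first COM segment as text, or None. The comment is inert data."""
    for marker, payload in walk_segments(data):
        if marker == 0xFE:
            return payload.decode("latin-1")
    return None


def is_well_formed(data: bytes) -> bool:
    """True if every segment's declared length fits inside the buffer."""
    try:
        for _ in walk_segments(data):
            pass
        return True
    except MalformedJPEG:
        return False


if __name__ == "__main__":
    print("good sample comment:", comment_text(SAMPLE_OK))
    print("bad sample accepted?", is_well_formed(SAMPLE_BAD))
```

The same discipline applies to any length field in any binary format: compare the claim against what is actually in hand before using it. A decoder that does that turns a malformed image into a refused image, which is all the article asks of it.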
McAfee's claim of a virus spread through JPEGs requires one essential element: you have to have already been infected by ANOTHER virus transmitted by some actual executable code. What it comes down to is:
Once you're infected with a virus, the virus can set you up to be infected by other viruses.
No shit, Sherlock. Once you have enemy code running on your system, you're toast. A virus could alter Microsoft Word so that opening any Word document at all would erase every file on your hard drive, making every single Word document in existence a deadly threat -- to you, and to you alone. But this isn't a new virus threat of any sort. It isn't a breakthrough. It's a consequence of being infected, not a new method of being infected.
Two weeks ago, we ran a story about a cross-platform virus. Like this one, it didn't really exist in the wild. Like this one, it was mainly a PR ploy (by Symantec, in that case). But we thought it had at least some minimal technical interest as a bit of code that would run under Windows or Linux.
McAfee and Symantec (and all the other AV vendors out there) are waging a PR war to "discover" ever more newsworthy viruses to defend against. To get maximum coverage, your new virus needs to do something unique or different -- make your computer turn green, or infect something previously uninfectable, or whatever it might be. Compare this to Klez, a very basic virus similar in most ways to viruses that have gone before, which is still out there looting and pillaging tens of thousands of computers every day, but isn't ideal for AV vendors because they don't have a monopoly on the cure.
The press is catching on, to some tiny extent at least, that most virus alerts are fictitious and just designed to drum up business for the vendors. But it's far easier to repurpose a vendor's press release and call it a story than to dig into real threats that exist on the Internet, and the causes of those threats. Today, like last year and the year before and five years ago, there are major email-borne virus threats out there. (There are still old-school viruses out there too, transmitted by sneaker-net or by downloading suspicious software, but email is clearly the way to go for the discriminating virus creator.) All the real email virus threats share a few distinguishing characteristics:
- They only affect Microsoft Windows. If you aren't running Windows, you are safe.
- They're usually transmitted by email. If you know enough on your own, or you've had a half-hour class in "Email 101", you should be able to avoid executing random files received by email.
- They auto-execute in Microsoft Outlook or Outlook Express. Microsoft has finally made some progress, after many years, in reducing the vulnerability of their flagship email programs. So if you have a recent or fully-updated version of these programs, you may not be as vulnerable as people running older versions. Nevertheless, this was (and still is, since so many people don't have recent or fully-updated versions) a primary vector.
And that's really it. If you don't run Windows, you're safe. If you have basic email skills, you're safe. If you don't run Outlook, you're safe. That's the story of modern viruses, and fortunately or un-, it's a pretty boring one.
McAfee, and Symantec, and everyone else involved in the anti-virus FUD business: lay off. I mean that literally, as in, "Lay off the people you employ for the purpose of drumming up new virus threats." Lay off the public relations people you employ to say things like, "We may have to rethink about distributing JPGs." Lay off the BS. There's a real market for your product, people who (for whatever reason) are using Windows and/or Outlook, and haven't received the half-hour training course necessary to avoid viruses. You can market to them based on your fast responses to real virus threats - you don't need to manufacture any more.
Virus programs are worse than the virus (Score:4, Informative)
Re:well.... (Score:3, Informative)
JPEG format is so fucking complicated that everyone uses libjpeg. And guess what? There's no buffer overflow in libjpeg.
This is the reason there never is any question when importing/exporting JPG (compared to TGA/TIFF/BMP) about compatibility.
there was a bug in netscape.... (Score:3, Informative)
Go do a google search, it returns plenty about it.
Re:Linux. My anti-virus. (Score:5, Informative)
Re:well.... (Score:1, Informative)
Re:Key points for Windows/Outlook users (Score:3, Informative)
Actually, I'm using Trend Micro's Viruswall on my mail server at work, and it has been close to perfect. Sure, some recent viruses spread so fast that they get around the 'Net before the auto-update grabs the latest virus defs from Trend (a matter of hours), but we haven't had a single infection since we installed it a year ago. If I remember correctly, Trend has had a working update released within twelve hours of every major virus threat hitting the net over the last year. Most were available and installed on my server before I even knew the virus existed. Even if a virus did get through, once the virus defs were updated to catch it, it would have a difficult time spreading within the company. We have about 400 users. Viruswall's kinda spendy, but if you have a lot of users runnin' Winders I'd say it's definitely worth the money. Especially when you consider how much we've saved in licensing fees and technical headaches we would have if we installed AV software on every desktop. Viruswall is the only part of our entire mail system that isn't free software.
Sort of like the double free zlib bug (Score:3, Informative)
Very wicked, but you had to a) know the type of system and b) the viewer the person was using. This sort of technique, using data to act as code, is clever and quite real. In fact, there is nothing different between this and those URL hacks for IIS; data appears where it wouldn't normally be expected and it can be leveraged into code space and executed.
However, in the case of JPEG, considering its block oriented format it would be quite difficult to engineer a buffer overflow condition.
Actually, JPEGs have been dangerous in the past... (Score:5, Informative)
http://www.openwall.com/advisories/OW-002-netsc
(I recall that this bug was successfully exploited; that advisory seems more tentative..)
Re:Darn... and I just updated my anti-virus softwa (Score:5, Informative)
What's particularly interesting, however, is for anyone who remembers the origin of McAfee -- they started out as a shareware/freeware shop. Corporations "had" to pay, individuals were "encouraged" to pay, and educational (and possibly non-profit) were totally free to use it at no cost.
They've long since abandoned that license and even abandoned free updates. You have to pay for support every 12 months, which I dislike. Particularly since at irregular intervals they change their core engine and render all older versions of the software incompatible with new updates.
Re:Internet Explorer breaks the rules. (Score:2, Informative)
I invite you to try that with Opera, Mozilla, Konqueror, or any other browser, and watch them say "hey, this isn't any JPEG I recognize". IE's fucked-uped-ness isn't the fault of anyone but Microsoft - blame them.
Don't jump the gun... (Score:3, Informative)
any sort.
However, if you know of bugs in the jpeg decoder (and on Windows it should be built into the system, so you only have to find a bug in a single decoder), then you could craft a jpeg such that the decoder chokes on it, overruns some buffer, and get it to execute code that way (same method as with any other buffer overflow really). I'm sure Michael meant well, but to say that jpegs are by definition safe is just too naive.
Re:Get With the Program! (Score:5, Informative)
Instead of relying on an antivirus program to protect me from those images (do they even detect those images?), I use a user style sheet [squarefree.com] to make links to goatse.cx brown and crossed-out instead of blue and underlined. Here's the CSS:
a[href*="goatse.cx/"] {
    /* !important overrides the page's own link styling */
    text-decoration: line-through !important;
    color: brown !important;
}
Re:Linux. My anti-virus. (Score:3, Informative)
GIF/JPEG comment vulnerability in Netscape [monash.edu.au]
Good thing this wasn't widely deployed around the world, or bought by millions during Christmas time. Having a small market share does offer a lot of "protection". Most virii writers are going for a large impact.
Why IBM got out (Score:3, Informative)
All in all, the IBM website was very informative, very honest, and killed their antivirus business. Oh well. I guess McAfee, Norton and all the rest think dentists are stupid for telling their customers to brush their teeth.
Re:Conspiracy? (Score:3, Informative)
You'll be really pissed off when the unassuming 500k browser-cached picture off the Internet quietly hides a MEGA virus that will toast your entire machine, innocently awakened by a harmless worm you mistakenly opened up elsewhere.
As I read the McAfee press release, it didn't give the virus a severity, just an "FYI, stuff like this will be happening down the road" (which it will). I guarantee we will see a virus like this eventually, given the massive amount of images on the web.
No, steganography could not be used to transmit a virus. Viruses can't be secret. A program designed to view the "correct" data must be unaware of the steganography or it has failed.
Let's say I have an old-fashioned bitmap image and I use the least significant bit of every byte to encode one bit of code or text. My bitmap viewer will display an image that looks almost exactly like the image prior to steganography. Then I widely distribute my bitmap, but only people who know where to look (every 8th bit) will be able to extract the hidden message. When certain people read the file using their Secret Decoder Programs they'll know what the message was.
Steganography is a sophisticated form of security by obscurity for data, not a method for transmitting mobile code.
It doesn't make sense to distribute a virus in two parts. A virus doesn't need to be 30K to be really malicious or destructive. And you'd still have to get the decoder in somehow and have the steganographic data already downloaded. A steganographic encoder or decoder for lossy formats like jpeg or mp3 is rather large by itself. The initial virus would have to include a decoder for the steganographic data, which would probably exceed the size of the code it could hide. It just isn't very feasible.
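To make the bitmap example in the comment above concrete, here is an added Python sketch (written for this page, not by the commenter, and not any real steganography tool) that writes a message into the least significant bit of each byte of a constructed grayscale "image" and reads it back. The cover bytes and the 4-byte length prefix are assumptions of this example. What it demonstrates is the comment's point: every pixel changes by at most one unit, so a viewer shows essentially the same picture, nothing in the file is executed, and the bytes only come out again if something that already knows the scheme goes looking for them.

```python
# Constructed sample "image": 256 grayscale pixels, one byte each, no header,
# which is how a raw bitmap viewer would treat the pixel data.
COVER = bytes((i * 7) % 256 for i in range(256))

LENGTH_PREFIX = 4  # assumed framing: message length, big-endian, before the message


def capacity_bytes(cover: bytes) -> int:
    """How many message bytes fit: one bit per cover byte, minus the length prefix."""
    return len(cover) // 8 - LENGTH_PREFIX


def embed(cover: bytes, message: bytes) -> bytes:
    """Return a copy of cover with the message bits written into the LSB of each byte."""
    payload = len(message).to_bytes(LENGTH_PREFIX, "big") + message
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for message")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit   # clear the LSB, then set it to our bit
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the length prefix, then that many bytes, from the LSBs. Needs the scheme."""
    def read_bytes(start_bit: int, n: int) -> bytes:
        val = bytearray()
        for k in range(n):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (stego[start_bit + k * 8 + i] & 1)
            val.append(byte)
        return bytes(val)

    length = int.from_bytes(read_bytes(0, LENGTH_PREFIX), "big")
    return read_bytes(LENGTH_PREFIX * 8, length)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """Largest per-pixel difference the viewer would have to notice."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    stego = embed(COVER, b"hidden")
    print("max pixel change:", max_pixel_change(COVER, stego))
    print("extracted:", extract(stego))
```

Note the asymmetry the comment relies on: the viewer that displays the picture never runs any of this code, and the payload stays inert bytes until a separate, already-present program with knowledge of the layout pulls them out.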
Re:Darn... and I just updated my anti-virus softwa (Score:3, Informative)
*bollocks* (Score:5, Informative)
This is NOT a hoax, or FUD. There IS FUD in the A/V industry, but this isn't it. The press release does a bad job of explaining why the JPEG virus is a big deal. However it DOES say (clearly) that this virus is not a danger in itself - it's a proof of concept. Without going into more detail than would be prudent, *please* believe me when I say that there are significant reasons (a) why this PoC virus is significant, and (b) why virus writers will be exploiting concepts from this virus to make Very Bad Malware. Hey, why should it bother me, I run Linux! Well *I* run Linux too, in fact I develop my code on Linux; it will affect us when the world's NSP backbones are choked with worm scans, ARP requests and buffer-overflowing HTTP requests. This IS going to happen. And, whatever Sophos would like you to believe, this is NOT a case of NAI/McAfee whipping up a hype over nothing. I can't say anything more, but I'm going to take the chance of losing my job by not posting anonymously in order to emphasise how much I mean this.
It's sooooooo frustrating knowing things about this and not being able to talk about it...
Re:Darn... and I just updated my anti-virus softwa (Score:3, Informative)
Actually, www.sarc.com provides a free klez removal tool, which will fix all executables, etc. which were infected by klez.