McAfee Manufactures Virus Threat 787
The latest "news" to come out of the AV industry is New Virus Infects Picture Files. McAfee put up their description and made sure to issue a wide-spread press release to stir up some interest. McAfee's spokesdrone fans the flames:
- "Potentially no file type could be safe."
That evolution should make computer users think twice about sending pictures or any other media over the Internet, Gullotto said.
"Going forward, we may have to rethink about distributing JPGs."
Now, if you know much about computing, you may be a little suspicious of this. JPEGs are compressed image files that only contain data representing an image to be displayed, not code to be executed. A modification of that data might screw up the picture of your cat dangling from the edge of the kitchen table you like so much, but it won't turn the image into a potential virus transmitter, because the programs that display JPEGs don't read them with an eye toward executing the code. An image file is just data to be displayed. The line between "data" and "code" is a little bit fuzzy - often particular characters or a particular file can be both data and code, depending on the context of how other code handles it. Or a particular file can include both data and code separately, like a Microsoft Word file that includes data (your text) and code (some macro designed to be executed by Word when the document is opened).
But for JPEGs there's a well-designed standard, and it doesn't include executing code of any sort. If a JPEG-handling program doesn't like the data it sees, it should just stop trying to display the image, not decide to start executing code from the image. JPEGs are mostly harmless.
McAfee's claim of a virus spread through JPEGs requires one essential element: you have to have already been infected by ANOTHER virus transmitted by some actual executable code. What it comes down to is:
Once you're infected with a virus, the virus can set you up to be infected by other viruses.
No shit, Sherlock. Once you have enemy code running on your system, you're toast. A virus could alter Microsoft Word so that opening any Word document at all would erase every file on your hard drive, making every single Word document in existence a deadly threat -- to you, and to you alone. But this isn't a new virus threat of any sort. It isn't a breakthrough. It's a consequence of being infected, not a new method of being infected.
Two weeks ago, we ran a story about a cross-platform virus. Like this one, it didn't really exist in the wild. Like this one, it was mainly a PR ploy (by Symantec, in that case). But we thought it had at least some minimal technical interest as a bit of code that would run under Windows or Linux.
McAfee and Symantec (and all the other AV vendors out there) are waging a PR war to "discover" ever more news-worthy viruses to defend against. To get maximum coverage, your new virus needs to do something unique or different -- make your computer turn green, or infect something previously uninfectable, or whatever it might be. Compare this to Klez, a very basic virus similar in most ways to viruses that have gone before, which is still out there looting and pillaging tens of thousands of computers every day, but isn't ideal for AV vendors because they don't have a monopoly on the cure.
The press is catching on, to some tiny extent at least, that most virus alerts are fictitious and just designed to drum up business for the vendors. But it's far easier to repurpose a vendor's press release and call it a story than to dig into real threats that exist on the Internet, and the causes of those threats. Today, like last year and the year before and five years ago, there are major email-borne virus threats out there. (There are still old-school viruses out there too, transmitted by sneaker-net or by downloading suspicious software, but email is clearly the way to go for the discriminating virus creator.) All the real email virus threats share a few distinguishing characteristics:
- They only affect Microsoft Windows. If you aren't running Windows, you are safe.
- They're usually transmitted by email. If you know enough on your own, or you've had a half-hour class in "Email 101", you should be able to avoid executing random files received by email.
- They auto-execute in Microsoft Outlook or Outlook Express. Microsoft has finally made some progress, after many years, in reducing the vulnerability of their flagship email programs. So if you have a recent or fully-updated version of these programs, you may not be as vulnerable as people running older versions. Nevertheless, this was (and still is, since so many people don't have recent or fully-updated versions) a primary vector.
And that's really it. If you don't run Windows, you're safe. If you have basic email skills, you're safe. If you don't run Outlook, you're safe. That's the story of modern viruses, and fortunately or un-, it's a pretty boring one.
McAfee, and Symantec, and everyone else involved in the anti-virus FUD business: lay off. I mean that literally, as in, "Lay off the people you employ for the purpose of drumming up new virus threats." Lay off the public relations people you employ to say things like, "We may have to rethink about distributing JPGs." Lay off the BS. There's a real market for your product, people who (for whatever reason) are using Windows and/or Outlook, and haven't received the half-hour training course necessary to avoid viruses. You can market to them based on your fast responses to real virus threats - you don't need to manufacture any more.
Good article, good idea (Score:4, Interesting)
You could make some money offering training classes on how to avoid common viruses.
Anti-Virus software is a virus (Score:1, Interesting)
Most gnarly viruses anti-virus software cannot catch anyway.
No let's not take them on... (Score:2, Interesting)
abstraction. Virus companies must PROMOTE
thier product for the good of everyone.
These companies make money by making sure you don't notice any interruption in the use of your computer.
Think, If the average computer user never noticed an interuption wouldn't they one day say "why am i spending this much on an anti virus package that dosen't do anything for me"
Any computer that has a virus can potentially be part of a DoS attack. all of a sudden you're not only losing money on the customers that don't have anti virus packages but on those that get hit by DoS attacks (despite having anti-virus SW)
it is in ALL of our best interests that everyone has an anti virus package. and it is a RESPONSIBILITY of these companies to make sure that they promote knowledge of how much dammage a virus can do.
if symmantec et al. make money in the process SFW ... we need them ... more than you realize
Years ago - early 90s (Score:3, Interesting)
Therefore, this story is not a big surprise.
Klez owns (Score:4, Interesting)
I'm lead tech at a small computer store. The massive onslaught of Klez in the wild makes us techs more money per day than a good, strong lightning storm will in a week with modem replacements. People in the general public that aren't in the "know" on computers are deathly afraid of viruses, and generally have no idea how to protect themselves.
Most of the John Q Publics out there buy a cheap computer from *.mart that has MS Windows pre-loaded on it that has virus protection software that will expire in 3 months, or require the end user to manually update the definitions. Most of them have no idea that their protection will run out, or that they need to update their software in order to keep it up to date and protecting them from the latest greatest virus.
So these folks turn to their cousin's brother who knows a bit about computers, and ends up screwing the computer up worse, or finds that they are unable to remove the virus from the computer. That's when they turn to us, and other techs. And they're generally willing to pay good money to get rid of the virus, have up to date protection that actually works installed, and be shown how to keep it up to date for a very long period of time, not to mention given a quick tutorial on what to open in their email and what to delete immediately.
In a perfect world un-educated folk wouldn't be given the option to purchase un-educated software, but until that time comes they need to rely on people that do know something about computers, and on software that can help protect them from their own lack of knowledge.
Re:If you aren't running Windows, you are safe... (Score:2, Interesting)
As of now there are zero, I mean 0 known virus threats for MacOS X. According to my antivirus software that I bought for my new mac. What a mug I felt.
Even for Mac OS 9 there are very few viruses.
Buffer overflows (Score:5, Interesting)
The next question is does such an exploit exist and does it affect enough users that it could gain critical mass? The answer is probably no. Every piece of image software, emailer, browser uses it's own implementation jpeg. This is true even on Windows where there was no way to read a jpeg file via Win32 until recently. Even apps that just use libjpeg will use different versions, might be customized and compiled with different flags. So the landscape is too hetrogeneous to favour a virus.
If I had to lay money down, I would say this is McAfee playing up a threat (just like Ashcroft and dirty bombs) for their own interests.
Real JPEG virus (Score:3, Interesting)
Suppose you found a bug in IE that let you execute code packaged in a JPEG. With some clever coding, it would still display normally, but it would alter all other JPEGs on the system. When a web developer gets infected, his web site will spread the virus. It could spread quite widely.
Re:Simple Virus Protection Schemes (Score:1, Interesting)
Why does my LiveUpdate download so much data? (Score:2, Interesting)
On reading this article, it occurs to me that I run this utility every week or two (mostly to get a chance to drink my coffee) and it downloads on the order of 200K of data.
Does anyone have any evidence that they might be "padding" the downloads to make sure there is often something to download, or that the download is large, to ensure that people think "Oh, there's a lot of bad stuff out there, I better keep my subscription!"?
Just a paranoid thought.
Windows (Score:3, Interesting)
Until a virus comes out that seeks out Linux boxes, uses several well known vulnerabilities to attempt to get root only to then set itself up on that box and seek out other boxes to infect.
What? You thing that everyone who runs Linux as a server keeps it fully up to date with all the latest patches?
Face it, if you're connected to the internet -you're stupid to assume you're safe.
So, to correct you: If you don't run Windows you're safer .
Welcome to the world of security marketing (Score:3, Interesting)
The main problem these days is that security software sales are driven not by business decisions, but by fear. Fear of virii, 3v1l h4ck3rz, etc. Once you're buying something out of fear, it's really easy for the sales folks to play off that to make their product sound like it's the ultimate safety blanket.
I hate it. Not just because it's unethical, but also because it makes my job of evaluating products much harder. I can't even trust the feature lists in deciding which products to evaluate, since some of those are full of lies & vaporware. I keep wanting to explain the Tragedy of the Commons to the sales folks that try this c*$p, but they're always too stupid to understand it.
sigh.
Sophos tells McAffee to get real (Score:3, Interesting)
Picture this: a virus in a JPEG
Sophos advises on threat posed by new
Sophos, a world leader in corporate anti-virus protection, today called for the anti-virus industry to act responsibly in light of the discovery of the first virus capable of infecting JPEG graphic files.
The virus, known as W32/Perrun-A, was sent directly to the anti-virus community by its author and is considered to be a "proof of concept". It spreads in the form of a traditional Win32 executable virus (usually called proof.exe), making changes to the Registry to mean that JPEG (.JPG) graphic files are examined by an extractor (called EXTRK.EXE) before they can be viewed. If the extractor finds viral code inside the graphic file it is executed.
"Some anti-virus vendors may be tempted to predict the end of the world as we know it, or warn of an impending era when all graphic files should be treated with suspicion. Such experts should be ashamed of themselves," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "Not only is this virus not in the wild, but also graphic files infected by this virus are completely and utterly harmless, unless they can find an already infected machine to assist them. It's like a cold only being capable of making people who already have runny noses feel ill."
"The virus relies entirely upon you running an infected EXE file, which is hardly rocket science," said Paul Ducklin, Head of Global Support for Sophos Anti-Virus. "Yet we are already seeing reports suggesting that this virus could spread via websites containing so-called 'infectious' images. This sounds like scare-mongering about image files to me."
Sophos has issued protection against W32/Perrun-A to customers concerned by the media reports and alerts from other anti-virus vendors.
Re:Darn... and I just updated my anti-virus softwa (Score:4, Interesting)
But what about... (Score:2, Interesting)
You know the one, it's a signature that says: "Hi, I'm a signature virus. Copy me into your
Seriously though, I always get pissed when i open an avi, asf or quicktime movie with an url embedded in it, so you are sent to some website after viewing your favorite pr0n/movie/music video. This could also run commands on your local machine.
Ok, you should get a "do you want to execute this command" warning, but chances are it's possible to exploit this.
So jpeg no, but I wouldn't be surprised by an avi/mov virus.
Yup, there really ought to be a law (Score:3, Interesting)
It was called "truth in advertising," which has gone completely by the wayside. Corporate speech is not the same as individual speech, and is NOT entitled to the same constitutional protections.
Individuals' rights to lie may be constitutionally protected
I am not normally one to advocate new legislation, but in this particular case it is sorely needed.
We need firm, explicit, unequivocable laws requiring truth in advertising and marketing (and yes, that includes press releases), with real punishments, involving real sums of money (and/or real jail time) for those who violate the law. It is the only way corporate entities like McCaffee will ever be forced to modify that sort of behavior, and the only way consumers will ever have even a remote chance of making an informed purchase
Internet Explorer breaks the rules. (Score:3, Interesting)
It contained the following code, wich was instantly executed by IE 6.
var pik;
var temp;
function test(temp) {
pik = temp * 100
setTimeout("window.location.href='telnet://w
}
for (i=0;i
1000 , how thoughful to not make an endless loop.
A link to the code, edited to only run once.
http://peterj.freeshell.org/code.jpg
I dont know the reason for a webbrowser to execute code in a file that ends with JPG, Maby it's a way of IE to work even if a user has put the wrong file ending.
Still I think IE is the best web-browser and i would use it on all platforms if it was available.
W3C's web-browser Amaya
will not execute code in JPEGS , but then http://www.w3.org/ is one of the few pages that will display correct in that browser.
Re:Simple Virus Protection Schemes (Score:4, Interesting)
It doesn't really matter how widespread the platform is.
Safe Hex (Score:2, Interesting)
There used to be a cooperative movement for AV software called Safe Hex International and they were responsible for collecting examples of viri from volunteers and methods for identifiying them were also developed by volunteers. AFAIK, Amiga AV S/W was relying on the efforts of that particular group of people. However, it seems to have dissolved since 1998.
However right now there is another thing called
Virus Help Denmark (http://home4.inet.tele.dk/vht-dk/) - I am not sure if there is another cooperative effort such as this. - oh, well...
You obiously don't know much about computing. (Score:1, Interesting)
You don't know much about computing. Let an expert explain it to you
Take a look at the GIF or JPEG file format standards. You'll notice that these data formats contain fixed length data blocks, or variable length data blocks where the length of the block is specified in the header.
It would be possible to specify a bad format that would cause a faulty JPEG or GIF decoder to overrun one of its internal buffers, perhaps corrupting the call stack, and causing it to start executing malicious "data" as code.
This danger is no different from finding buffer overrun problems in Microsoft IIS.
Since most folks aren't afraid to open GIF or JPEG files, if a virus writer manages to find a way to overrun a buffer in Microsoft's GIF or JPEG decoder he may have himself a vector.
I do know it's possible to crash Microsoft's "fax and image" viewer--the default viewer for JPEG on XP--with a badly formed JPEG file. And the thought has occurred to me that I can spread a virus this way if I can control the ovverrun.
It's certainly not as easy as using and IIS data ovverrun--many people have installed different default GIF/JPEG viewers, and the code changes from one version of the OS to another, but it's not impossible.
Think of it this way: An HTTP request contains NO EXECUTABLE CODE, yet a simple HTTP request was spreading CodeRed because it exploited a buffer overrun. The same technique can easily spread a virus in a GIF and JPEG.
Let me go out on a limb: I think you'll see the next GIF/JPEG virus within the next 60 days. There are too many people right now thinking about it.
Public Mailing List Virus Protection (Score:2, Interesting)
Disinfection is accomplished by sending ninja technical support people to the homes of all the recipients and deleting the offending messages before the recipient gets infected.
I'd be curious to see the programatic solution, though.
P.S. So what if it's off topic!
Re:Virus programs are worse than the virus (Score:2, Interesting)
dig -x 208.47.125.33
;; ANSWER SECTION:
33.125.47.208.in-addr.arpa. 1D IN PTR gary7.nsa.gov.
Strange logic (Score:2, Interesting)
Surely it is sensible to be defending against potential threats before you are actually exposed to them? In other words, if a threat actually exists in the wild, it will be too late for a lot of people to download the right updates. Especially with this "Warhol Worm" idea going around.
If there was a security hole in a server and the vendor said "this hasn't been exploited in the wild", surely that would be a sign of the vendor's incompetence?