Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Editorial

McAfee Manufactures Virus Threat 787

Posted by michael from the virus-laboratory-has-new-sinister-meaning dept.
The sleaze has gotten out of hand; it's time to roast a group of 20 or so companies whose profits are directly linked to creating fear in their customers, who have to keep discovering new sources of fear to improve their bottom line - or in the absence of new discoveries, keep inventing new sources of fear. Yes, it's time to take on the anti-virus software vendors.

The latest "news" to come out of the AV industry is New Virus Infects Picture Files. McAfee put up their description and made sure to issue a wide-spread press release to stir up some interest. McAfee's spokesdrone fans the flames:

  • "Potentially no file type could be safe."

    That evolution should make computer users think twice about sending pictures or any other media over the Internet, Gullotto said.

    "Going forward, we may have to rethink about distributing JPGs."

Now, if you know much about computing, you may be a little suspicious of this. JPEGs are compressed image files that only contain data representing an image to be displayed, not code to be executed. A modification of that data might screw up the picture of your cat dangling from the edge of the kitchen table you like so much, but it won't turn the image into a potential virus transmitter, because the programs that display JPEGs don't read them with an eye toward executing the code. An image file is just data to be displayed. The line between "data" and "code" is a little bit fuzzy - often particular characters or a particular file can be both data and code, depending on the context of how other code handles it. Or a particular file can include both data and code separately, like a Microsoft Word file that includes data (your text) and code (some macro designed to be executed by Word when the document is opened).

But for JPEGs there's a well-designed standard, and it doesn't include executing code of any sort. If a JPEG-handling program doesn't like the data it sees, it should just stop trying to display the image, not decide to start executing code from the image. JPEGs are mostly harmless.

McAfee's claim of a virus spread through JPEGs requires one essential element: you have to have already been infected by ANOTHER virus transmitted by some actual executable code. What it comes down to is:

Once you're infected with a virus, the virus can set you up to be infected by other viruses.

No shit, Sherlock. Once you have enemy code running on your system, you're toast. A virus could alter Microsoft Word so that opening any Word document at all would erase every file on your hard drive, making every single Word document in existence a deadly threat -- to you, and to you alone. But this isn't a new virus threat of any sort. It isn't a breakthrough. It's a consequence of being infected, not a new method of being infected.

Two weeks ago, we ran a story about a cross-platform virus. Like this one, it didn't really exist in the wild. Like this one, it was mainly a PR ploy (by Symantec, in that case). But we thought it had at least some minimal technical interest as a bit of code that would run under Windows or Linux.

McAfee and Symantec (and all the other AV vendors out there) are waging a PR war to "discover" ever more news-worthy viruses to defend against. To get maximum coverage, your new virus needs to do something unique or different -- make your computer turn green, or infect something previously uninfectable, or whatever it might be. Compare this to Klez, a very basic virus similar in most ways to viruses that have gone before, which is still out there looting and pillaging tens of thousands of computers every day, but isn't ideal for AV vendors because they don't have a monopoly on the cure.

The press is catching on, to some tiny extent at least, that most virus alerts are fictitious and just designed to drum up business for the vendors. But it's far easier to repurpose a vendor's press release and call it a story than to dig into real threats that exist on the Internet, and the causes of those threats. Today, like last year and the year before and five years ago, there are major email-borne virus threats out there. (There are still old-school viruses out there too, transmitted by sneaker-net or by downloading suspicious software, but email is clearly the way to go for the discriminating virus creator.) All the real email virus threats share a few distinguishing characteristics:

  • They only affect Microsoft Windows. If you aren't running Windows, you are safe.
  • They're usually transmitted by email. If you know enough on your own, or you've had a half-hour class in "Email 101", you should be able to avoid executing random files received by email.
  • They auto-execute in Microsoft Outlook or Outlook Express. Microsoft has finally made some progress, after many years, in reducing the vulnerability of their flagship email programs. So if you have a recent or fully-updated version of these programs, you may not be as vulnerable as people running older versions. Nevertheless, this was (and still is, since so many people don't have recent or fully-updated versions) a primary vector.

And that's really it. If you don't run Windows, you're safe. If you have basic email skills, you're safe. If you don't run Outlook, you're safe. That's the story of modern viruses, and fortunately or un-, it's a pretty boring one.

McAfee, and Symantec, and everyone else involved in the anti-virus FUD business: lay off. I mean that literally, as in, "Lay off the people you employ for the purpose of drumming up new virus threats." Lay off the public relations people you employ to say things like, "We may have to rethink about distributing JPGs." Lay off the BS. There's a real market for your product, people who (for whatever reason) are using Windows and/or Outlook, and haven't received the half-hour training course necessary to avoid viruses. You can market to them based on your fast responses to real virus threats - you don't need to manufacture any more.
This discussion has been archived. No new comments can be posted.

McAfee Manufactures Virus Threat More

McAfee Manufactures Virus Threat

Comments Filter:

  • You mean . . . (Score:3, Funny)

    by vegetablespork ( 575101 ) <vegetablespork@gmail.com> on Friday June 14, 2002 @09:34AM (#3700832) Homepage
    . . . that all this time, the satire about the virus development divisions of anti-virus software companies actually contained a kernel of truth? Who woulda thunk it?
    • that all this time, the satire about the virus development divisions of anti-virus software companies actually contained a kernel of truth?

      Actually I think they farm this out to their overseas operations in Bulgravia or someplace similar. Keeps it better for the bean counters. Plausible denial, etc.

      Although I can see the scandal if it was found that they actually do have virus writers on payroll someplace.

  • Darn... and I just updated my anti-virus software (Score:5, Insightful)

    by eaddict ( 148006 ) on Friday June 14, 2002 @09:34AM (#3700833)
    I use AVG from Grisoft [grisoft.com] and just updated the signature file. I am SOOooo glad I use a freeware/shareware product that keeps up with REAL virus and not marketing. As they say here in the U.S. "There ought to be a law..."

    • Re:Darn... and I just updated my anti-virus softwa (Score:4, Insightful)

      by tony clifton ( 134762 ) on Friday June 14, 2002 @09:55AM (#3701039)
      Open-source anti-virus would be very cool, but it's really labor intensive and the signature databases are the vendor's crown jewels.. as it were.

      The Virus Bulletin's VB100 test [virusbtn.com] rates AVG fairly low. Do other tests rate it higher?

    • Re:Darn... and I just updated my anti-virus softwa (Score:4, Interesting)

      by fatwreckfan ( 322865 ) on Friday June 14, 2002 @10:21AM (#3701264)
      I used AVG for quite a while, but I very VERY rarely get viruses. I thought AVG was great. Then my brother got Nimda, so I recommended he download it and clean his machine. And it didn't work. New infected files kept being detected by AVG until eventually he went and bought Norton which fixed the problem right away. Freeware may be good, but not great.

    • Re:Darn... and I just updated my anti-virus softwa (Score:5, Informative)

      by Zathrus ( 232140 ) on Friday June 14, 2002 @10:28AM (#3701308) Homepage
      Appreciate the reference... I have a new copy of McAfee AV 6.0 at home, but, well, it sucks. It locked up both my computer and my wife's computer repeatedly. She finally removed it. I finally blew away Windows and installed Linux.

      What's particularly interesting, however, is for anyone who remembers the origin of McAfee -- they started out as a shareware/freeware shop. Corporations "had" to pay, individuals were "encouraged" to pay, and educational (and possibly non-profit) were totally free to use it at no cost.

      They've long since abandoned that license and even abandoned free updates. You have to pay for support every 12 months, which I dislike. Particularly since at irregular intervals they change their core engine and render all older versions of the software incompatible with new updates.
      • You have to pay for support every 12 months, which I dislike. Particularly since at irregular intervals they change their core engine and render all older versions of the software incompatible with new updates.

        How can you expect them to fund their research efforts without some sort of recurring income? If they are public, they are also doing the 12 month license thing so they can give some sort of future projections so their stock price doesn't ride a roller coaster. I agree that releasing FUD press releases is sleazy, but the recurring license thing lets them employ good people in stable jobs. Unfortunately, life in commercial software is not as simple as it is for open source software. Sure, you can get paid writing OS software, but some people don't like the idea of living with 5 other roomates and eating cold pizza for breakfast every day. If they are actively updating their virus definitions, then the cost should be worth it.

        Now if MSFT made a virus cleaner, you would probably have to wait 3 months for a patch. From what I've seen, the AV companies tend to come out with fixes fairly quickly. Having people available to do that type of work on short notice takes some money.

        • "Researching" is a joke. It's merely a tech support thing of "Hey, you found a new virus. Neat...give it to us and will put it in the definition file." Nevermind CLEANING the virus; the only solution for every virus problem nowadays is deleting the file. Virus cleaning used to be sort of an artform, but now they are too lazy for their own high-paying jobs.
          • I think I read somewhere that most of the new virus defs are submitted by the "whitehat" virus writers (you know, the ones that write them for educational purposes and the virus is usually one step away from being actually functional). In addition, I'd be shocked & amazed if the AV ppl didn't have some programmers writing new virii. As a preemptive measure (but good for FUD, too).
    • ... and at one time there was.

      It was called "truth in advertising," which has gone completely by the wayside. Corporate speech is not the same as individual speech, and is NOT entitled to the same constitutional protections.

      Individuals' rights to lie may be constitutionally protected ... corporate rights to lie are not (unless more than an average number of justices have been smoking crack of late).

      I am not normally one to advocate new legislation, but in this particular case it is sorely needed.
      We need firm, explicit, unequivocable laws requiring truth in advertising and marketing (and yes, that includes press releases), with real punishments, involving real sums of money (and/or real jail time) for those who violate the law. It is the only way corporate entities like McCaffee will ever be forced to modify that sort of behavior, and the only way consumers will ever have even a remote chance of making an informed purchase ... i.e. the only way there will ever be a remote chance for the free market to work as intended (and as it is advocated to supposedly work).
    • Reading email recently I had a good laugh. There was a .sig at the bottom that said

      "Outgoing mail is certified Virus Free.
      Checked by AVG anti-virus system http://www.grisoft.com)."

      But there wasn't a message digest, a pgp signature, or anything. What's to stop me from taking that signature and appending it to my email, especially just before I send out an infected file? Or if I were a virus writer, having my virus include this in some of its email payloads?

      AVG's message is training people to trust a message (and all attachments) based on a simple text sig. What could be more easily faked?

      Seems like a backwards step in security, to me.
  • I guess I better not scan in my poster of the kernal tree rendered as Tux. Thanks, thinkgeek!

  • Good article, good idea (Score:4, Interesting)

    by mpweasel ( 539631 ) <mprzyjazny@@@gmail...com> on Friday June 14, 2002 @09:37AM (#3700864) Homepage
    Attention, AV companies:

    You could make some money offering training classes on how to avoid common viruses.
    • Yeah, but then their revenue would dry up as people started to actually get a clue and spread that clue to the other clueless trailer-living people.

      but judging from current day, they probably don't have anything to worry about after all.

  • Aren't there laws (Score:3, Insightful)

    by Black Aardvark House ( 541204 ) on Friday June 14, 2002 @09:37AM (#3700865)
    Against misinformation the public via the news channels? I understand they want business, but using FUD techniques will only backfire and cause major distrust among the public.

    Would you want to use a product from an entity you don't quite trust?
  • When I first heard about this yesterday, I was thinking "So what? This is the same kind of Windows&Outlook-only virus problem that's been painfully well documented and explained". I saw no point in the FUD coming from the anti-virus people. Good to see someone else makes those observations, and in such a public forum.

    -----
    Apple hardware still too expensive for you? How about a raffle ticket [macraffle.com]?

  • Key points for Windows/Outlook users (Score:5, Insightful)

    by Peyna ( 14792 ) on Friday June 14, 2002 @09:37AM (#3700869) Homepage
    It's pretty simple to stay safe, and I have repeated this many many times to customers when I worked at an ISP. If you are using Windows or Outlook, do not open an attachment if you don't know what it is. It's very simple. I don't care if it says "This is very important, Bob and you must open this now." Unless you know specifically what it is and you were expecting it, don't open it. There is no need to, and you aren't going to miss out on much.

    Of course, in the case of stupid users, there are some steps you can take on the server side to filter some viruses, but it's not perfect. In the end, patch Outlook, and educate your users. You could probably pretty easily drop any potentially executable attachments before they even got to Outlook (which drops many of them on its own).
    • there are some steps you can take on the server side to filter some viruses, but it's not perfect

      Actually, I'm using Trend Micro's Viruswall on my mail server at work, and it has been close to perfect. Sure, some recent viruses spread so fast that they get around the 'Net before the auto-update grabs the latest virus defs from Trend (a matter of hours), but we haven't had a single infection since we installed it a year ago. If I remember correctly, Trend has had a working update released within twelve hours of every major virus threat hitting the net over the last year. Most were available and installed on my server before I even knew the virus existed. Even if a virus did get through, once the virus defs were updated to catch it, it would have a difficult time spreading within the company. We have about 400 users. Viruswall's kinda spendy, but if you have a lot of users runnin' Winders I'd say it's definitely worth the money. Especially when you consider how much we've saved in licensing fees and technical headaches we would have if we installed AV software on every desktop. Viruswall is the only part of our entire mail system that isn't free software.

    • Bull (Score:3, Insightful)

      by Erris ( 531066 )
      do not open an attachment if you don't know what it is. It's very simple. ...Of course, in the case of stupid users, there are some steps you can take on the server side to filter some viruses..."

      It's simpler than that, don't use Outlook. Try Balsa, Pine, Mutt, Mozilla or exim. They all do the job.

      I resent your presumption and the way you blame the user. At work I've had several Outlook viruses autoexecute with NO ACTION ON MY PART. Would you call me a stupid user? In fact, you should never call any user stupid because their software screwed them. It's the program's fault that it can be broken not the users. The programer should consider all possible user actions and have well defined error code responses to them, especially when they are going to sell the silly code as a non modifiable binary.

  • wrong assumption... (Score:2, Insightful)

    by iramkumar ( 199433 )
    They only affect Microsoft Windows. If you aren't running Windows, you are safe...

    No you are not. Its not what fscking OS you are running, it about what OS and applications are running on the system to which you gave your credit card number and your SSN. Its about what OS your company runs to store the employee databases. You can hide your head in sand and pretend that you are safe ofcourse..

  • Get With the Program! (Score:5, Funny)

    by Sloppy ( 14984 ) on Friday June 14, 2002 @09:38AM (#3700880) Homepage Journal

    JPEGs are compressed image files that only contain data representing an image to be displayed, not code to be executed.

    Shows what you know. You Linux lusers don't even have Microsoft ActiveJPEG Technology yet?!?

  • I am sure I can prevent my computer from being infected just by using common sense (don't open unexpected attachments, download only from trustworthy sites, etc). Even if I did get infected, I could just re-ghost my drive and be done with it. Sure I have to make current ghost images, but I do that anyway and storage is cheap these days. On the up side, I don't have to take the performance hit of running AV software, and I don't have to deal with constant updates.

    • Re:Is AV software really necessary? (Score:4, Insightful)

      by BradleyUffner ( 103496 ) on Friday June 14, 2002 @09:52AM (#3701011) Homepage
      "I am sure I can prevent my computer from being infected just by using common sense (don't open unexpected attachments, download only from trustworthy sites, etc). Even if I did get infected, I could just re-ghost my drive and be done with it. Sure I have to make current ghost images, but I do that anyway and storage is cheap these days. On the up side, I don't have to take the performance hit of running AV software, and I don't have to deal with constant updates."

      They key is that the virus scan software tells you when you have a virus. What if you somehow get infected with a virus that gives no outright signs of infection? You could be making your backups for months without relizing that you data was compimized. The virus could have gotten in though some buffer overflow attack, or something that was no fault of your own. Without the anti-voris software you have no idea how far back you need to go for a good backup, or if any of your backups are even good.
  • A friend of mine who's into conspiracy theories thinks that the anti-virus companies like McAfee also have people writing the viruses - so they can sell "subscriptions" to keep the definitions updated.

    I'm reserving judgement on that one until a virus is actually tracked back to an author who's affiliated with an anti-virus company.

    But I *do* wish they cut out the FUD. It's bad enough getting my weekly dose of "Delete jdbgmgr.exe from your system! It's a virus!" from my friends and relatives, who then get dutifully pointed to www.snopes.com to read "Inboxer Rebellion," without having people who supposedly know better promoting the same kind of crap.

  • bah (Score:4, Insightful)

    by ceejayoz ( 567949 ) <cj@ceejayoz.com> on Friday June 14, 2002 @09:39AM (#3700888) Homepage Journal
    I'm running Windows and Outlook, and I haven't been infected with a virus yet. It's just common sense... "MY WIFE NUDE.JPG.exe" probably isn't something I want to open. The real anti-virus software is common sense, but there don't seem to be many available copies out there. :-/
    • In fact, if the file name say "MY WIFE NUDE.JPG", I don't recommend opening it. (Well, ok, if it was MY wife, no problem. Quite the cutie. But I know some people's wife who.... *SHUDDER*)

  • well.... (Score:4, Insightful)

    by jeffy124 ( 453342 ) on Friday June 14, 2002 @09:39AM (#3700889) Homepage Journal
    say an attacker knows you use a certain program to view JPEGs, or other data/multimedia files. This attacker knows that certain program contains a buffer overflow, and how to exploit it. The attacker can assemble a specially formed file that exploits the overflow and opens a backdoor on your machine, granting himself some level of access to your computer (most likely user level access). Combined with knowledge of a local root hole, the attacker now has root access to your machine (ie, he 0wns j00). The attacker delivers this specially formed file to you in some manner (email, webpage, etc).

    Suddenly, this "data" file is now containing a virus, isnt it?

    • Re:well.... (Score:3, Informative)

      by freuddot ( 162409 )
      No. For one simple reason :

      JPEG format is so fucking complicated that everyone uses libjpeg. And guess what ? There's no buffer overflow in libjpeg.

      This is the reason there never is any question when importing/exporting JPG (compared to TGA/TIFF/BMP) about compatibility.

      • Re:well.... (Score:3, Insightful)

        by jeffy124 ( 453342 )
        bad reasoning. you cannot assume that there arent any overflows in code. Take MS recently. Before releasing WinXP, they say they weeded out all the overflows. Then UPnP's hole was exposed -- a buffer overflow.

        also, i didnt restrict myself to just JPEGs. Note that I said any other data file.

        Lastly, the recent security vuln in the zlib library (last March) was also such an example. The decompresser assumed normal data (ie, data made using the compressor half of zlib), and as a result a specially formed "compressed" data could exploit the hole, segfaulting the program using zlib.
    • I would bet that most people using windows XP using MS Picture Viewer or whatever to view them. Especially since I think that is what it uses to preview them. It would be interesting to see if that is exploitable in some way.

      I heard this on the news last, I figured the virus just went around deleting *.jpg or corrupting them, not really 'infecting' them.
    • Do any of you remember the double free zlib bug [cert.org]?

      Very wicked, but you had to a) know the type of system and b) the viewer the person was using. This sort of technique, using data to act as code is clever and quite real. In fact, there is nothing different between this and those URL hacks for IIS; data appears where it wouldn't normally be expected and it can be leverage into code space and executed.

      However, in the case of JPEG, considering its block oriented format it would be quite difficult to engineer a buffer overflow condition.
  • Someone should make a special program to detect and turn off Virus programs! I get a lot of calls from family members complaining about their slow computers, I check it out and they have the defacto McAfee install which checks all email, boot sector and floppy on boot, and (the worst one) EVERY exe before it starts. This causes a horrible delay everytime you do anything! I refuse to install any AV software on my computer simply because I am not stupid enough to open any of these files, and I consider the AV software itself to be a performance affecting Virus.

  • The Kid (Score:2, Insightful)

    by Wierd Willy ( 161814 )
    There was a Charlie Chaplin movie, silent, made in 1926? that was about a glazier(Charlie) who needed to drum up some business, so he employed a small boy to run around town, breaking windows. The victims of this nefarious window breaking were then offered "discounts" if they purchased charlies services. Odd, how history seems to repeat itself....
  • ... unless you're using a Mac. Oops.

    Not Windows = Linux, right?
    • Okay, it is a slow day so I will bite.

      As of now there are zero, I mean 0 known virus threats for MacOS X. According to my antivirus software that I bought for my new mac. What a mug I felt.

      Even for Mac OS 9 there are very few viruses.
    • unless you're using a Mac. Oops.

      Umm... what Mac virus are you talking about? There isn't a damn thing in the wild right now except a few platform-independent Word macro bugs. Too bad for them that I can open Word files in AppleWorks and avoid macros entirely.

      I own Norton AV but run my Mac without AutoProtect. I've never found a virus during my manual scans (except for some spare copies of Sircam, Nimda, etc, that I keep for educational purposes).
  • Just because an image file consists of data, if a poorly designed decoder has been written, then if the data is corrupted, you could end up spewing data over stack or even main memory.

    If you had some control over what data is written, then you could get the decoder to write out what amounts to a virus, and then get the decoder to execute it (by trashing the stack).

    I won't use JPEG as an example, but some lossless compression, such as GIF. Instead of having the image compressed, you could have your program compressed. Decompressing the data would effectively copy the code into some memory location. The difficult bit would be getting the decoder to actually execute it.

    Don't forget that such a virus doesn't actually need to spread itself in images; it could be a simple bootstrap loader in the images that downloads a larger virus with its own payloads.
  • For the average computer user a virus is an
    abstraction. Virus companies must PROMOTE
    thier product for the good of everyone.

    These companies make money by making sure you don't notice any interruption in the use of your computer.

    Think, If the average computer user never noticed an interuption wouldn't they one day say "why am i spending this much on an anti virus package that dosen't do anything for me"

    Any computer that has a virus can potentially be part of a DoS attack. all of a sudden you're not only losing money on the customers that don't have anti virus packages but on those that get hit by DoS attacks (despite having anti-virus SW)

    it is in ALL of our best interests that everyone has an anti virus package. and it is a RESPONSIBILITY of these companies to make sure that they promote knowledge of how much dammage a virus can do.

    if symmantec et al. make money in the process SFW ... we need them ... more than you realize

  • One little quibble (Score:3, Insightful)

    by burgburgburg ( 574866 ) <splisken06.email@com> on Friday June 14, 2002 @09:44AM (#3700934)
    I agree wholehardedly with about 99% of the article (I also saw the JPEG thing and thought it ridiculous and hilarious, in a dark and depressing way).

    One statement of yours needs modification:

    They only affect Microsoft Windows. If you aren't running Windows, you are safe.

    There have been macro viruses which have inadvertently worked on the Mac versions of Word and Excel. I would correct the statement to:

    They only affect Microsoft products, primarily Windows. If you aren't running Windows, you are almost entirely safe.

  • Even spammers are catching on (Score:5, Funny)

    by artemis67 ( 93453 ) on Friday June 14, 2002 @09:45AM (#3700939)
    Check out this spam email a bunch of people in my office got yesterday:

    -=-=-=-=-
    Return-Path: postmaster@salisbury.net
    Received: from salisbury.net (12.152.4.9) by myoffice.com with ESMTP (Eudora
    Internet Mail Server 3.0.3); Wed, 12 Jun 2002 23:08:21 -0400
    Date: Wed, 12 Jun 2002 23:09:46 -0400
    Message-Id: 200206122309.AA2564817116@salisbury.net
    Mime-Vers ion: 1.0
    Content-Type: text/plain; charset=us-ascii
    From: "postmaster " postmaster@salisbury.net
    Reply-To: postmaster@salisbury.net
    To: people in my office
    Subject: WARNING: YOU WERE SENT A VIRUS
    X-Mailer:
    X-Mozilla-Status2: 00000000

    On 06/12/2002 at 23:09:45 Our special virus software on our servers at salisbury.net
    reported that your were sent an Email Virus containing the Unknown Virus in the Unknown File attachment.
    The subject of the E-mail was "L Specifies the length". The E-mail containing the virus from kbndl@salisbury.net has been quarantined on our servers to prevent further damage. The virus never made it to your mailbox. (emphasis mine)

    Internet Of Salisbury, Inc. provides this service free to our customers while other providers charge
    a monthly fee. Though this software should catch up to 99 percent of viruses, a new virus could make it in.
    If you are not running Anti-Virus software you should ASAP!

    Please Contact N-Techsolutions @ 704-638-2422 or visit their website at:
    http://www.n-techsolutions.com Look for the Norton Anti Virus Special!     (emphasis mine)

    Please do not call Internet Of Salisbury, Inc.
    -=-=-=-=-

    Not that there was ever any question about sleazy spammers being out there, but this one takes the cake.

  • Ever heard of a buffer overflow? (Score:5, Insightful)

    by autopr0n ( 534291 ) on Friday June 14, 2002 @09:45AM (#3700940) Homepage Journal
    Now, if you know much about computing, you may be a little suspicious of this. JPEGs are compressed image files that only contain data representing an image to be displayed, not code to be executed. A modification of that data might screw up the picture of your cat dangling from the edge of the kitchen table you like so much, but it won't turn the image into a potential virus transmitter, because the programs that display JPEGs don't read them with an eye toward executing the code

    No, and HTML readers don't download HTML with an expectation to run the code natively, but it can happen thanks to bugs in IE.

    Just like Outlook, the program you deride for its ubiquity, a huge, huge number of jpegs are viewed through the Microsoft libraries. If a hole was discovered in that library, it could be used as a vector for viruses.

    The truth of the matter is that if you run windows, there is a real risk of getting a virus from things other then just running .exe files. In windows 98/2k you can be infected simply by clicking on a file once (because of the little preview window thing). Holes in Word, outlook, IE, IIS, and even windows explorer have made things completely ridiculous.

    Also, Your list of things not to do to catch a virus reminds me like avoiding pregnancy via the 'pull out' method. Sure it might improve your chances, but it won't 'protect' you in any real sense.

    I don't think viruses on Linux have any real future, due to the fact that the most obvious holes would get fixed quickly, but if you run windows you really should get some Anti virus software.

    • Re:Ever heard of a buffer overflow? (Score:5, Funny)

      by zbuffered ( 125292 ) on Friday June 14, 2002 @11:17AM (#3701804)
      Also, Your list of things not to do to catch a virus reminds me like avoiding pregnancy via the 'pull out' method. Sure it might improve your chances, but it won't 'protect' you in any real sense.

      I think this is a bad analogy. His list reminds me of avoiding pregnancy via the "if it looks like a vagina, don't put your penis in it" method, which is significantly more effective.

  • McAfee has been doing this since '93 (Score:4, Insightful)

    by phsolide ( 584661 ) on Friday June 14, 2002 @09:45AM (#3700942)

    It's been more-or-less common knowledge that McAfee has done this since the Michelangelo scare [vmyths.com] in 1993.

    I recommend going to vmyths.com to read their "rantings" section.

    Let me predict that about 50% of the replies in this thread will consist of arguments like "Well even if we did get rid of MSFT products we'd still have a virus problem: look at staoG or Bliss or Ramen or the '88 Internet worm."

    Those replies are guilty of a flaw called The Excluded Middle where one argues that a situation that in reality has a spectrum of situations only has the 2 extreme cases. In this case the replies will say that even Linux has viruses and worms (true and probably inescapable for a Turing-complete computer) so doing away with the source of 99.44% of viruses and worms won't solve the problem.

    Of course this is crap. I'm still getting hits from Code Red I v2 nearly 10 months after it was released. When was the last time you got a sadmind/IIS hit? The problem isn't to eliminate 100% of all worms chainmails and viruses the problem is to keep worms chainmails and viruses from ramping up the exponential part of the logistics curve.

    • Re:McAfee has been doing this since '93 (Score:5, Insightful)

      by EllF ( 205050 ) on Friday June 14, 2002 @10:10AM (#3701177) Homepage
      You might want to reconsider your use of logical terminology. The law of the excluded middle does not represent a simplification of a multivariate system down to only two options.

      Quoting from Barker's The Elements of Logic: "One well known type of tautology has the form 'P v -P'. This is sometimes called the 'law of the excluded middle', because it reflects the fact that any given sentence must be either true or false, there being no third alternative."(Barker, p. 91, 5th ed.)

      Regardless, I can't decipher the point you were trying to make. Yes, most posters are aware that not all virii are due to buggy Microsoft code. Aside from the logic error (which isn't that big a deal, as your point doesn't depend on what you call it), you're saying that such an awareness is flawed, because *other* vectors of infection - which you say exist in any Turing-complete system - merely exist?

      Ease up on the tech-speak, friend, and you've arrived at one of the fundamental points of computer security: it is a process, never an endpoint. I don't know anything about virii "ramping up the exponential part of the logistics curve", but I do know that the posters who are aware that other problems exist besides Microsoft vulnerabilites are not guilty of any flaw in their reasoning. Whether they cite past infections, myths, or actual virus problems, they are demonstrating an awareness of the nature of virus infections. Perhaps you'd like to clarify your prediction? :)

  • Years ago - early 90s (Score:3, Interesting)

    by hottoh ( 540941 ) on Friday June 14, 2002 @09:45AM (#3700948)
    Years ago - early 90s, the AV vendors had cash 'awards' for new virus discoveries.

    Therefore, this story is not a big surprise.

  • The profit model for Anti-Virus software requires (Score:5, Insightful)

    by neo ( 4625 ) on Friday June 14, 2002 @09:47AM (#3700968)

    a steady stream of new threats. There was another model for anti-virus
    software. One that didn't have a patch model, but it was ignored because
    profit driven companies require "revenue streams".

    Rather than having a program that removes a virus from your system after
    you've been infected or which requires an "inoculation" to recognize
    viruses, the other system looks at program activities.

    The actions taken by a virus are painfully obvious when you look at them
    from a macro point of view (no pun intended). While not a trivial coding
    task, it's possible to monitor for these types of action and freeze a
    program that would take them. More over, with an ample supply of ram and
    CPU, new programs could be tested in a "Safe Zone" the first time they are
    run, ensuring that problem programs would be caught in the act.

    Unfortunately this type of protection doesn't require incremental upgrades
    from Anti-Virus companies and so we're stuck with something that can make
    profits rather than something that works pro-actively. Thus is the basic
    flaw of capitalism.

  • there was a bug in netscape.... (Score:3, Informative)

    by Chaostrophy ( 925 ) <ronaldpottol.gmail@com> on Friday June 14, 2002 @09:47AM (#3700969) Homepage Journal
    That let really large comments in the jpeg overflow a buffer, and so that means you could write an exploit. You want to bet that some common MS products don't have a similar bug?

    Go do a google search, it returns plenty about it.

  • Klez owns (Score:4, Interesting)

    by dlur ( 518696 ) <dlur&iw,net> on Friday June 14, 2002 @09:47AM (#3700970) Homepage Journal

    I'm lead tech at a small computer store. The massive onslaught of Klez in the wild makes us techs more money per day than a good, strong lightning storm will in a week with modem replacements. People in the general public that aren't in the "know" on computers are deathly afraid of viruses, and generally have no idea how to protect themselves.

    Most of the John Q Publics out there buy a cheap computer from *.mart that has MS Windows pre-loaded on it that has virus protection software that will expire in 3 months, or require the end user to manually update the definitions. Most of them have no idea that their protection will run out, or that they need to update their software in order to keep it up to date and protecting them from the latest greatest virus.

    So these folks turn to their cousin's brother who knows a bit about computers, and ends up screwing the computer up worse, or finds that they are unable to remove the virus from the computer. That's when they turn to us, and other techs. And they're generally willing to pay good money to get rid of the virus, have up to date protection that actually works installed, and be shown how to keep it up to date for a very long period of time, not to mention given a quick tutorial on what to open in their email and what to delete immediately.

    In a perfect world un-educated folk wouldn't be given the option to purchase un-educated software, but until that time comes they need to rely on people that do know something about computers, and on software that can help protect them from their own lack of knowledge.

  • Things like this are what happen when the news media are owned by giant corporations. They do not care about truly informing the public, they care about selling papers, ads, etc. And what's the best way to do that? Scary headlines.

    50% of the news nowadays is reprinted press releases from companies. There should be some kind of accountability, both for the misleading/false statements coming out of these corporations, and for the idiot reporter that took this "news release" off the fax and submitted it for print without any kind of fact checking.

    -Just my $.02
    Wulfhere
  • I'm just gonna start ranting and hopefully a point will come out of this somehow ;). Anyway, who cares? Seriously... I haven't had a virus since I was 15 or so and know better now. If this "marketing hype" is to just sell virus scanners but scares the public into being more secure then thats fine with me. Potentially means less code red in my logfiles and less klez complaints to deal with. Look, yeah hyping something up thats bad so you can sell a cure sucks and is rather unethical, but the vast majority of computer users have no clue on why they get virus's besides some vague knowledge that it has to do with the internet. So, again... whatever. Calm down. Take some deep breaths. Do some pushups. Go conspire about something that matters. Now some additional things because well goddamn it, this is my post and I'll say what I want and you'll listen. Please spare the +5 funny "what virus? i use linux" and "windows, by definiton it is a virus" post. Please Please Please. Please follow the directions I gave above before posting them. As for linux and virus... soon my pretty... you will have your virus. Yeah yeah, root blah... blah... doesn't mean your home directory can't get wiped and doesn't mean some sad bastards out there don't run linux in root. Anyway I'd like to close this with a little simpson's quote:

    Actually can't remember it, but it had something to do with flu shots and flanders and not believing in them and it was funny. Just trust me it had some relevance to all this.

  • Not entirely the case (Score:3, Insightful)

    by OpenMind(tm) ( 129095 ) on Friday June 14, 2002 @09:50AM (#3700995)
    If you have basic email skills, you're safe.

    Unfortunatley, this is not entirely true. Quite a few of these viruses are happy to infect non email files once they get on a network via the email vector. We haven't seen many where I work, but we have seen a few that will infect various system files. Then, when a user logs into that system, the virus infected system will gleefully infect any exe's on the network that that user has write access to. Log into a machine like this as a domain administrator, and the chances of it getting to every machine on the network without them opening any email message is quite good.

    Some of them will replace .jpg and mp3 files with dummy executables that Explorer will foolishly make look like the original files. So common MP3 shares and such make a pretty good vector for crossing the network, as well.
  • I run Windows (as well as linux) because of software I must use that is only available for windows. I use Outlook because it is the ONLY program available that does everything it does and syncs so nicely with my Palm. I know there are horrendous security holes. And guess what, I have never been sent an email virus. Every time my computer catches viruses it is off of other people's removable media, or, from a malicious web page trying to infect me. No, I'm not going to turn off scripting, or activeX, or anything else because then my web browsing experience is limited.

    Anti-virus makers are in the business of letting people use their computers with the freedom and expectations they were designed for. Not just to protect the uninformed. I've noticed the uniformed are the ones who never update their virus profiles, and never let the full scan go through....and then are even more suprised and frustrated when a virus infects their machines.
  • I mean really; so what? A company tries to drum up business. To Ma and Pa MidAmerica viruses are a scary thing.

    Windows isn't going away, neither are bored teens and so we can conclude that viruses (virii if you like) aren't either. MacAffee and Symantec have the most popular AV systems at the moment and of coure they are trying to come up wih something interesting to talk about.

    We all use *nix, I assume we all avoid Outlook like the plauge (that it is) and so why are we "supposed" to get angry about this?

    I would assume that the Windows machines we own (for gaming, or to keep our SOs off of our OS X boxes) are locked down tight and more than likely using either NAV or MAV so how pissed can we really get about this?

    Be thankful there are viruses to fight. It's probably a big part of your job.

  • Half hour class? (Score:5, Funny)

    by jayhawk88 ( 160512 ) <jayhawk88@gmail.com> on Friday June 14, 2002 @09:52AM (#3701015)
    BS. Lusers are called lusers for a reason. I'm not talking about every Windows user here, but all it takes is one to be a problem.

    With some people, You can tell them to their face "Do not open emails from people you do not know", print it out in 124 point font banners hung over their cubicles, show them pict-o-grams of evil viruses destroying their data, bring Special Guest Star Burt Lancaster to reinforce the point, and drop by daily with the message written in icing on delicious chocolate cake. The minute you turn your back, they're off checking out the cool new Shakira screen saver someone sent them. The point is, it's still a problem, and it's not a problem you can completely solve with "30 minute training courses".

    And please don't lay this all on Windows and Outlook either. Yes, there are some questionable design decisions in these programs. But if the whole world was running Linux or something similar, people would be causing problems running everything as root, or whatever other stupid things you can do to get yourself in trouble.

    Do McAfee and Symantec sometimes go overboard with their warnings to sell more copies of their software? Of course they do. What company doesn't? Or did you think it was absolutely, positively necessary to see your doctor about Prilosec?

    • Argh-"Don't open email from people you don't know" (Score:5, Insightful)

      by chrisvr ( 41985 ) on Friday June 14, 2002 @11:49AM (#3702113)
      Sorry, but I'm tired of hearing this piece of crap "solution".

      Anyone who works in an ourward-facing business capacity (read: not most IT people, but most everyone else at the company) generally receives email from people they don't know, and they don't have the luxury of simply trashing it. If you work in customer service, marketing, accounting, sales, you have to check out these emails and see if they are for real. Fine, not the ones that are obviously spam, but the spammers are getting smarter and disguising their spam as legitimate email. Just because the address is unfamiliar doesn't mean that it can be trashed.

      Any IT person who thinks they can issue the "Don't open emails from people you don't know" edict and then just crawl back into their cubicle with a smug little CYA attitude is living in a fantasy world. Stop making such an unrealistic demand of your "lusers" (who, BTW generate the business needed to pay your paycheck, process the invoices needed to get you your latest gadgets and do all those things you hate so that you can stay happily employed.)

      Instead; treat with them with either a) respect or b) a grade school mentality. In either case, please assume that they are really not sitting at their cubicles trying to think up the best way to make your life hell. Assume that they just want to do their job, and the computer is one of the tools they need to do it. Just as most of them don't know how to program their speed dial or change the copier's toner, they don't know or care about the inner workings of the computer. That's YOUR job. Make it fool proof if needed. Explain as necessary. Give them a reason to trust that you are not simply trying to make THEIR job more difficult. That distrust works both ways; if a "luser" thinks you are just making unrealistic demands that make them unble to do their job, they're going to ignore you and do what they need to do to get their job done, and you're left with cleanup duty when something goes wrong.

      And above all, work with them. Understand what their needs are (do they receive unsolicited business mail? does it have attachments that they have to read? so what are they supposed to do?) and then help them understand the consequences that viruses can have and minimize their risk of catching and spreading one. Yeah, sure, that means actually pulling yourself away from Slashdot and Doom tournaments for a while, but that's the way it goes when the company pays you money to do your job.

  • Buffer overflows (Score:5, Interesting)

    by DrXym ( 126579 ) on Friday June 14, 2002 @09:52AM (#3701017)
    An exploit could well exist - it requires a prevalent implementation of the jpeg standard to be vulnerable to some kind of buffer overflow. It happened with WinAMP and the MP3 format recently so it could also happen with any other kind of file format.


    The next question is does such an exploit exist and does it affect enough users that it could gain critical mass? The answer is probably no. Every piece of image software, emailer, browser uses it's own implementation jpeg. This is true even on Windows where there was no way to read a jpeg file via Win32 until recently. Even apps that just use libjpeg will use different versions, might be customized and compiled with different flags. So the landscape is too hetrogeneous to favour a virus.


    If I had to lay money down, I would say this is McAfee playing up a threat (just like Ashcroft and dirty bombs) for their own interests.

  • Besides the obvious 'don't run random executables', keep in mind that by default, Windows has 'Hide File Extensions Of Known File Types' enabled. So, Joe End User thinks he's opening BritneySpearsNaked.jpg, when he's really running BritneySpearsNaked.jpg.exe. Never mind the fact that Joe End User doesn't realize that this 'jpg' doesn't have the normal .jpg icon.

    I believe this is one of the worse Windows offenses, yet gets zero press.

    Plus... rather than delete all attachments in a panic, it's fairly easy to save to disk, then scan with your favorite AV software prior to opening/running/etc.
  • What's next? By using your computer while you have a cold you could hose your hard drive? But, for only $9.95 McAffee makes these plastic covers to keep YOU from infecting your computer...

    In all seriousness, does anybody dispute that at least some percentage of our remaining "tech" economy is held up by victimzing the ooh-aah/Joe Sixpack crowd into paying $2500 for an $800 box, and other such silly "what the market will bear" injustices?

    I predict another shakeout in a few years when the kids who are becoming experts in grade school become the consumers and not their tech-phobic baby boomer parents who think high price == high quality and service. Guess what? The next generation doesn't think that way.

    Even my 11 year old cousin knows that inexpensive Dell gear blows, and he figured it out without an indoctrination from me...
  • How many of these virii are written by the anti-virus software writers. Doesn't it seem really strange that updates to detect, fix or remove these virii are almost immediately available? It just seems to me that someone can't really analyze what these things do and write a fix that fast. I mean, the software writers have to most to gain.

  • Real JPEG virus (Score:3, Interesting)

    by crow ( 16139 ) on Friday June 14, 2002 @09:54AM (#3701038) Homepage Journal
    I'm surprised that McAfee's consultant (they admit that they received the virus from the author; they didn't deny hiring him) didn't create a real JPEG virus. It shouldn't be too difficult; just select an application that is widely-used to view image files, and then look for a buffer-overflow bug that can be exploited with a non-standard file.

    Suppose you found a bug in IE that let you execute code packaged in a JPEG. With some clever coding, it would still display normally, but it would alter all other JPEGs on the system. When a web developer gets infected, his web site will spread the virus. It could spread quite widely.
  • ...saying a lot of what we all knew. I read the article on CNN about the "JPG virus", and it was obvious that they'd either got it totally wrong, or were trying to hype it.

    One of my favorite quotes was:
    Until now, viruses infected program files -- files that can be run on their own. Data files, like movies, music, text and pictures, were safe from infection. While earlier viruses deleted or modified data files, Perrun is the first to infect them.

    Uhm... see. I had always thought that Word documents were data files (text). And I remember them being particularly responsible for a whole lot of annoying macro virii.

    But on the Katzian subject, at least it was obvious that michael knew more about the subject than the people who wrote (and were interviewed) for the article I quoted. And it was nice to see an article that presented a bigger picture.

    However, just because every [fox.com] other [cnn.com] news [msnbc.com] outlet [abcnews.com] in the world spends all their time trying to expose shocking stories about conspiracy, etc, etc -- all of which could probably be titled something like "capitalists still trying to make money off of consumers" -- doesn't mean that /. should follow suit and do the same thing. Unless, of course, michael does some actual investigative research and finds out something *new* and *exciting* or *revealing* and then has something to tell us.

    What's my point? Well - Slashdot already links to other stories from other news sources. We don't need to steal their shitty journalism too. We already have our own style of shitty journalism.

  • Windows (Score:3, Interesting)

    by Mr_Silver ( 213637 ) on Friday June 14, 2002 @10:08AM (#3701154)
    If you don't run Windows, you're safe.

    Until a virus comes out that seeks out Linux boxes, uses several well known vulnerabilities to attempt to get root only to then set itself up on that box and seek out other boxes to infect.

    What? You thing that everyone who runs Linux as a server keeps it fully up to date with all the latest patches?

    Face it, if you're connected to the internet -you're stupid to assume you're safe.

    So, to correct you: If you don't run Windows you're safer .

  • Aww crap (Score:4, Funny)

    by lokki ( 585269 ) on Friday June 14, 2002 @10:08AM (#3701155)
    I give it 45 minutes before the storm of emails from family, friends, etc., arrives warning about this one.

    All caps, of course.

    ::sigh::

  • Welcome to the world of security marketing (Score:3, Interesting)

    by gclef ( 96311 ) on Friday June 14, 2002 @10:08AM (#3701161)
    Seriously, as cynical as it sounds, this happens every day in security marketing. I've had sales reps look me in the eye and straight-out lie about their products. When caught, they'll back off frantically, or try to talk their way out of it, but never admit that they lied.

    The main problem these days is that security software sales are driven not by business decisions, but by fear. Fear of virii, 3v1l h4ck3rz, etc. Once you're buying something out of fear, it's really easy for the sales folks to play off that to make their product sound like it's the ultimate safety blanket.

    I hate it. Not just because it's unethical, but also because it makes my job of evaluating products much harder. I can't even trust the feature lists in deciding which products to evaluate, since some of those are full of lies & vaporware. I keep wanting to explain the Tragedy of the Commons to the sales folks that try this c*$p, but they're always too stupid to understand it.

    sigh.

  • Want to tell McAfee and Norton NO MORE? (Score:4, Insightful)

    by Jucius Maximus ( 229128 ) on Friday June 14, 2002 @10:10AM (#3701178) Journal
    Then don't buy their products. Vote with your dollars by spending them elsewhere.

    Go out and get FRISK Software'sF-Prot [complex.is] antivirus instead. It is competently written with timely updates. I have relied on it since before I ever heard of the internet. There are DOS, Windows (network or standalone) and ($free) Linux versions. They do not generate hype or nasty bloated programs. They do generate a good antivirus product.

    I do not work for this company. I am just a satisfied customer. You can get free trials [f-prot.com] on their site. Prices: US$25/yr for single private license, US$2/machine for corporate or educational ($40min) and there are extra educational discounts.

  • Sophos tells McAffee to get real (Score:3, Interesting)

    by Havokmon ( 89874 ) <rick&havokmon,com> on Friday June 14, 2002 @10:13AM (#3701197) Homepage Journal
    http://www.sophos.com/virusinfo/articles/perrun.ht ml

    Picture this: a virus in a JPEG
    Sophos advises on threat posed by new .JPG virus, and urges anti-virus companies to exercise restraint
    Sophos, a world leader in corporate anti-virus protection, today called for the anti-virus industry to act responsibly in light of the discovery of the first virus capable of infecting JPEG graphic files.
    The virus, known as W32/Perrun-A, was sent directly to the anti-virus community by its author and is considered to be a "proof of concept". It spreads in the form of a traditional Win32 executable virus (usually called proof.exe), making changes to the Registry to mean that JPEG (.JPG) graphic files are examined by an extractor (called EXTRK.EXE) before they can be viewed. If the extractor finds viral code inside the graphic file it is executed.
    "Some anti-virus vendors may be tempted to predict the end of the world as we know it, or warn of an impending era when all graphic files should be treated with suspicion. Such experts should be ashamed of themselves," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "Not only is this virus not in the wild, but also graphic files infected by this virus are completely and utterly harmless, unless they can find an already infected machine to assist them. It's like a cold only being capable of making people who already have runny noses feel ill."
    "The virus relies entirely upon you running an infected EXE file, which is hardly rocket science," said Paul Ducklin, Head of Global Support for Sophos Anti-Virus. "Yet we are already seeing reports suggesting that this virus could spread via websites containing so-called 'infectious' images. This sounds like scare-mongering about image files to me."
    Sophos has issued protection against W32/Perrun-A to customers concerned by the media reports and alerts from other anti-virus vendors.

  • [*]Anti-Virus software pop-ups worse than virus? (Score:3, Funny)

    by tenzig_112 ( 213387 ) on Friday June 14, 2002 @10:16AM (#3701224) Homepage
    This onion-like story may have been prescient:

    Anti-Virus Software Pop-Up Reminders Behave Much Like Virus [ridiculopathy.com]

  • Actually, JPEGs have been dangerous in the past... (Score:5, Informative)

    by Tom7 ( 102298 ) on Friday June 14, 2002 @10:22AM (#3701267) Homepage Journal
    Netscape 4 on linux had an exploitable hole in their JPEG decoder. That is, a specially crafted JPEG could be used to execute arbitrary code on the target's machine. Could that code then "infect" other JPEGs? Sure. Would it actually spread? No, but if there were a similar bug in the default windows JPEG viewer, it wouldn't be surprising at all to see a similar worm spread.

    http://www.openwall.com/advisories/OW-002-netsca pe -jpeg.txt

    (I recall that this bug was successfully exploited; that advisory seems more tentative..)

  • Old news (GIFs and viruses) (Score:3, Insightful)

    by Reziac ( 43301 ) on Friday June 14, 2002 @10:50AM (#3701532) Homepage Journal
    Back a decade or so, there was a similar "scare" involving the possibility of putting executable code in the generally-unused comment field of GIF files.

    While it was demonstrated to be doable, it never occurred in the wild.

    The hitch being that GIFs aren't self-executing files. To be executed, the virus code would need to be extracted and run by whatever program is viewing the GIF. Relying on the chance of some 3rd party app doing just what you need it to do is a lousy way to propagate viruses. So while it was an interesting concept, it never went anywhere because it simply wasn't practical.

  • Internet Explorer breaks the rules. (Score:3, Interesting)

    by spaic ( 473208 ) on Friday June 14, 2002 @10:53AM (#3701563)
    Someone posted a link on IRC to a JPEG image min_tjej.jpg, That's my_girlfriend.jpg for those who's not familiar with swedish.

    It contained the following code, wich was instantly executed by IE 6.

    var pik;
    var temp;
    function test(temp) {
    pik = temp * 100
    setTimeout("window.location.href='telnet://ww w.gay . om:80'",pik);
    }
    for (i=0;i

    1000 , how thoughful to not make an endless loop.
    A link to the code, edited to only run once.
    http://peterj.freeshell.org/code.jpg

    I dont know the reason for a webbrowser to execute code in a file that ends with JPG, Maby it's a way of IE to work even if a user has put the wrong file ending.

    Still I think IE is the best web-browser and i would use it on all platforms if it was available.
    W3C's web-browser Amaya
    will not execute code in JPEGS , but then http://www.w3.org/ is one of the few pages that will display correct in that browser.

  • Halitosis (Score:3, Funny)

    by PicassoJones ( 315767 ) on Friday June 14, 2002 @11:06AM (#3701703)
    Be sure to look out for the new halitosis worm!

    In case you don't get the allusion, listerine invented a disease called halitosis and claimed that Listerine cured it--very much like what today's anti-virus industry is doing.

    Now, they use it as a scientific-sounding term for bad breath

  • Don't jump the gun... (Score:3, Informative)

    by h4x0r-3l337 ( 219532 ) on Friday June 14, 2002 @11:07AM (#3701708)
    But for JPEGs there's a well-designed standard, and it doesn't include executing code of
    any sort.


    However, if you know of bugs in the jpeg decoder (and on Windows it should be built-in to the system, so you only have to find a bug in a single decoder), then you could craft a jpeg such that the decoder chokes on it, overruns some buffer, and get it execute code that way (same method as with any other buffer overflow really). I'm sure Michael meant well, but they say that jpegs are by definition safe is just too naive.

  • Much trickiness possible with MIME types... (Score:3, Insightful)

    by double_h ( 21284 ) on Friday June 14, 2002 @11:56AM (#3702184) Homepage
    I'm not an expert on exactly how and when a file's MIME information gets parsed, but I know enough that I don't totally discounted the possibility of a trojan or virus masquerading as a JPG.

    For instance, if I take an animated GIF, rename it to image.jpg, and link it on my website, the server (or browser) is still smart enough to know it's really a GIF and display it as intended.

    I've seen people use similar tactics on free web hosts which don't allow external image linking. They link the file as "image.txt" (the web hosts do allow external linking of text files), but it shows up as an image just fine.

    If tactics like this could be used maliciously, I don't think it'd be a trivial task -- after all, if I click on link.jpg and the browser tells me it wants to fire off an .exe, I'll know something is amiss. And I DO think the major AV vendors are some of the worst FUD mongers out there. But I also think it pays to be cautious, and not shrug off the possibility of a threat entirely just because it is couched in a lot of overblown hype.

  • Is Windows a virus? (Score:4, Funny)

    by Lord_Slepnir ( 585350 ) on Friday June 14, 2002 @11:59AM (#3702201) Journal
    ".... you have to have already been infected by ANOTHER virus..."

    "They only affect Microsoft Windows. If you aren't running Windows, you are safe. "

    This speaks for itself....

  • Why IBM got out (Score:3, Informative)

    by Arandir ( 19206 ) on Friday June 14, 2002 @12:21PM (#3702386) Homepage Journal
    IBM used to sell the excellent IBM Antivirus program. They also had a webpage that explained viruses. But IBM was too honest for their own good. Their website had articles about how you can't catch a virus from a jpeg, tips on how to avoid viruses, and a diatribe from Gibson on how virus writers weren't evil geniuses but malcontent dumbnuts.

    All in all, the IBM website was very informative, very honest, and killed their antivirus business. Oh well. I guess MacAfee, Norton and all the rest think dentists are stupid for telling their customers to brush their teeth.

  • *bollocks* (Score:5, Informative)

    by Cally ( 10873 ) on Friday June 14, 2002 @07:27PM (#3705161) Homepage
    Disclaimer: I work for McAfee, on our VirusScan anti-virus product. I've read various internal discussions about this thing, and the threat it poses. I've met, and spoken with, Vinny (Gullotto), the AV expert quoted in the /. story.


    This is NOT a hoax, or FUD. There IS FUD in the A/V industry, but this isn't it. The press release does a bad job of explaining why the JPEG virus is a big deal. However it DOES say (clearly) that this virus is not a danger in itself - it's a proof of concept. Without going into more detail than would be prudent, *please* believe me when I say that there are significant reasons (a) why this PoC virus is significant, and (b) why virus writers will be exploiting concepts from this virus to make Very Bad Malware. Hey , why should it bother me, I run Linux! Well *i* run Linux too, in fact I develop my code on Linux; it will affect us when the world's NSP backbones are choked with worm scans, ARP requests and buffer-overflowing HTTP requests. This IS going to happen. And, whatever Sophos would like you to believe, this is NOT a case of NAI/McAfee whipping up a hype over nothing. I can't say anything more, but I'm going to take the chance of losing my job by not posting anonymously in order to emphasise how much I mean this.

    It's sooooooo frustrating knowing things about this and not being able to talk about it...

Slashdot Top Deals

Keep up the good work! But please don't ask me to help.

Close