AV products mixed on detecting new malicious .jpg files

An automated kit to aid in generating exploits for Microsoft's recently announced .jpg vulnerability is now widely available.

An automated kit to aid in generating exploits for Microsoft's recently announced .jpg vulnerability is now widely available and will make it simple for even unskilled attackers to compromise dozens of unpatched applications, say experts. They fear an automated worm is the next step.

"JPGDown.A is a simple tool that makes it trivial for even unskilled attackers to author MS04-028 hostile .jpg files [and] significantly increases the likelihood of widespread attacks," said Ken Dunham, director of malicious code at Reston, Va.-based iDefense Inc. "The threat scene for MS04-028 is similar to that of Blaster in 2003. Within a few days exploit code surfaced, and then improved exploit code, followed by a Trojan tool, Trojans and worms. It is likely that Trojans, and possibly worms, will soon emerge in the wild now that such a tool and exploit code exists in the virus writing underground."

AV companies couldn't detect these hostile .jpg files when word of the tool became public last week. Trend Micro, Symantec and most of the other large AV vendors began detecting these files on midday Friday.

In an advisory to its customers, TruSecure Corp. in Herndon, Va., said: "The kit creates a .jpg that can be linked to any file on a Web server. It does not spread autonomously, yet. The kit is designed to execute the main code. Under this usage, the .jpg would be hosted on a Web page or sent in an e-mail. Upon rendering on a vulnerable system, the embedded downloader would fire and retrieve other malicious content, usually a backdoor and a proxy. If this follows the pattern used in the current families of bots, it would also patch the vulnerable .dll."

Atlanta-based Internet Security Systems Inc. (ISS) yesterday reported active exploitation of the same flaw. "This vulnerability may be exploited to execute arbitrary code on the targeted system, and further exploit refinement may lead to the development of a network worm."

Some industry experts think the real threat will come when bots begin to exploit the .jpg flaw.

"Bots are leading the way in cutting-edge badness," said David Kennedy, director of research services at TruSecure. "For months bots and the people who create them have been evolving and refining their techniques. The situation has developed where new vulnerabilities are exploited in a new bot variant within hours of the vulnerability becoming public knowledge. With so many computers probing constantly for vulnerable systems, a new vulnerability and hence a new population of vulnerable systems is highly prized among the botheads."

In TruSecure's advisory, Bruce Hughes, director of malicious code research, cautioned, "The kit is just one indicator of interest in this vulnerability. We cannot ignore the possibility others are working on this vulnerability, will succeed in creating malicious code and that code will be missed by antivirus products."

Hughes added: "Antivirus is most effective when checking all file types, not just executables. Adding .jpeg and .jpg to the executable file types is only partially effective because an attacker could rename the .jpg to .gif and still succeed."

A full list of vulnerable Microsoft and Avaya products is available in the ISS alert.

Read more on IT risk management