‘JpegOfDeath’ Using Windows Weakness To Spread Trojan

Online attackers today are using popular sources of pornographic images to target a recently revealed weakness in Microsoft software and to spread a Trojan that can provide remote access and control of infected computers.

Just two weeks after Microsoft warned of a vulnerability in virtually all versions of Windows that could allow attackers to install malicious code when computer users view JPEG images online, the first significant attacks were made public today.

The attacks first surfaced on Usenet, a network of thousands of mostly privately owned directories that predates the World Wide Web. The network has long been a popular place to store and share pornographic images. Symantec, a company that offers computer security software, said it was aware of fewer than 50 infections of the Trojan as of this afternoon.

Security firms and administrators of Usenet say they began seeing the code, known as JpegOfDeath and Hacktool.JPEGShell, on Sunday.

The flaw targeted by the code, known as JPEG MDI +, was revealed earlier this month by Microsoft and the Internet Storm Center. On September 14, Microsoft issued a patch for the flaw — and noted that Windows XP users who had already applied the SP2 update were not vulnerable.

Within days, security companies began stepping up their warnings after quickly written exploit code began to appear in various online iterations.

Sounding the Warnings

The code that has appeared on Usenet is actually a variation of that first exploit script, security firms said, and appears, by some accounts, to still be in the development stage.

Though Usenet administrators said the code installed a Trojan and downloaded a host of other programs to an infected machine, the Internet Storm Center said its tests of the code simply crashed machines that the code was attempting to infect.

A message on Easynews.com, a portal used to access usegroups, described the code as “nasty” and said that it appears that among the programs it installs is one that allows remote control of a targeted machine.

Security firms were quick to refresh their warnings about the threat.

Internet Security Systems said the JPEG approach might be an especially effective way to spread the Trojan because such files are “typically viewed as a benign and trusted file format” and can often be opened through multiple programs without any added warnings or intermediate steps.

Security firm F-Secure warned that the vulnerability appears to be drawing more than the typical interest among the hacking community and that given the speed at which the first exploit attempts appeared, more sophisticated offspring are sure to come.

F-Secure director of antivirus research Mikko Hypponen said the current code is not a virus because it does not automatically replicate and spread itself.

Trusted Format

But, he said, a mass mailing worm using a corrupt JPEG image might be inevitable. “Things are heating up,” he said.

Security firm Sophos has labeled the exploit “critical” because of the ability of an attacker to take remote control of a machine and because the vulnerability exists in virtually every version of Windows.

Meanwhile, there were other warnings that a modified version of the JPEG code could be created that includes a network worm.

Sophos consultant Graham Cluley said security firms are especially concerned about the vulnerability and the ensuing exploits because JPEGs are such a commonly used format for viewing images online.

“It’s extremely serious,” Cluley said. “All computer users and network administrators should be taking steps to update their virus software and apply the available patch from Microsoft.”