Any real case of picture files embedded with trojan?

Posted by John Smith on September 23, 2005, 1:17 am
I wonder if anyone ever heard of a real case involving picture
files embedded with trojan? I know such an idea has been proven
workable, but is there any real case?

I did a search on the Net and found many sites that say you cannot
be infected by just viewing pictures but ....

On September 20th, Taiwan's China Times reported that police there
put into custody five people accusing them of collecting user IDs
and passwords by spreading porn pictures embedded with trojan,
apparently some kind of keylogger. According to the news, they
spread the infected pictures by e-mail or by putting them on web
sites such as yahoo or kimo and letting people download them.

Over a year, the suspects have collected more than 100,000 user
IDs and passwords. Because of the amount of the data collected,
the head of the suspects had to hire other accomplices to help
process the data.

Although the news clearly used the term "trojan embedded in porn
pictures", I'm not convinced that's what really happened.


Posted by David H. Lipman on September 23, 2005, 1:48 am

| I wonder if anyone ever heard of a real case involving picture
| files embedded with trojan? I know such an idea has been proven
| workable, but is there any real case?
|
| I did a search on the Net and found many sites that say you cannot
| be infected by just viewing pictures but ....
|
| On September 20th, Taiwan's China Times reported that police there
| put into custody five people accusing them of collecting user IDs
| and passwords by spreading porn pictures embedded with trojan,
| apparently some kind of keylogger. According to the news, they
| spread the infected pictures by e-mail or by putting them on web
| sites such as yahoo or kimo and letting people download them.
|
| Over a year, the suspects have collected more than 100,000 user
| IDs and passwords. Because of the amount of the data collected,
| the head of the suspects had to hire other accomplices to help
| processing the data.
|
| Although the news clearly used the term "trojan embedded in porn
| pictures", I'm not convinced that's what really happened.

There have been demonstration viruses which can code a virus in a JPEG
but it requires a "helper" program to be installed on the destination to
remove the virus and run it. It is just easier to have the "helper"
application be the actual infector. Albeit, maybe said application could
receive a "plug-in" to add additional functionality to the infector. I
know that there have been viruses using UseNet to obtain plug-ins to add
functionality.

W32/Perrun -- http://vil.nai.com/vil/content/v_99522.htm

"This appending virus is the first reported JPEG infector. It is
multi-component in nature, requiring an extractor file to extract (and
execute) the virus body from infected JPEG files.

Infected JPEGs are unable to replicate on non-infected machines - ie.
machines without the extractor component installed (hooked in the
Registry)."

The other problem is that a specially crafted JPEG, GIF or other image
file may cause a buffer overflow condition in the Microsoft GDI+
rendering engine and thus could be exploited.
http://vil.nai.com/vil/content/v_128356.htm

Microsoft Security Bulletin MS04-028
Buffer Overrun in JPEG Processing Could Allow Code Execution (833987)
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

I haven't heard anything contributed to moving graphic file formats; AVI, MOV,
MPEG, etc.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm




Posted by Roger Wilco on September 23, 2005, 1:46 pm

> I wonder if anyone ever heard of a real case involving picture
> files embedded with trojan? I know such an idea has been proven
> workable, but is there any real case?
>
> I did a search on the Net and found many sites that say you cannot
> be infected by just viewing pictures but ....
>
> On September 20th, Taiwan's China Times reported that police there
> put into custody five people accusing them of collecting user IDs
> and passwords by spreading porn pictures embedded with trojan,
> apparently some kind of keylogger. According to the news, they
> spread the infected pictures by e-mail or by putting them on web
> sites such as yahoo or kimo and letting people download them.
>
> Over a year, the suspects have collected more than 100,000 user
> IDs and passwords. Because of the amount of the data collected,
> the head of the suspects had to hire other accomplices to help
> processing the data.
>
> Although the news clearly used the term "trojan embedded in porn
> pictures", I'm not convinced that's what really happened.

Someone posted this a while ago, and luckily also posted the actual
article which stated that the trojan executables were "disguised" as
picture files (which is an entirely different thing). While it is true
that data filetypes can be crafted to exploit broken software (viewer
application or OS) I strongly suspect that the article you refer to is
authored by someone who doesn't know the difference or considers the
difference between "being a picture file" and "being disguised as a
picture file" as a matter of semantics.

Just saw news about a levee breach in New Orleans and the newscaster
indicated her belief that the different terms "breach", "overflow", and
"broken" or "failed" were all equivalent and a matter of semantics.
<sigh> She was using all those terms interchangeably even while the
'ticker' along the bottom clearly stated the engineers' claim that the
affected levee was still structurally intact - in fact it was expected
to behave in this manner, though not so soon.

Even in here people like to dismiss arguments as a matter of semantics
when in fact there are reasons that different words have different
meanings within certain contexts especially when those words are
used technically.
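The two replies above describe three different things that get lumped together as "a picture with a trojan in it": a payload appended inside a JPEG that is inert until a separate extractor pulls it out (David's W32/Perrun quote), a malformed JPEG header that trips a buffer overflow in the decoder (the MS04-028 case), and a plain executable that merely wears a picture's file name (Roger's "disguised as" point). The following triage script is an added example, not code from either poster or from any vendor, and it tells those three cases apart from a defender's side: it identifies the real content type from leading bytes rather than the name, walks the JPEG marker segments to reject impossible length fields, and reports bytes trailing after the End-Of-Image marker. The sample files, the minimal magic-byte table and the `triage`/`walk_jpeg`/`sniff` function names are all constructed for this example; the JPEG samples are skeletons, not real images or real malware.

```python
import struct

# Marker codes (the byte after 0xFF). SOI, EOI, TEM and RST0-7 carry no length field.
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
NO_LENGTH = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))
IMAGE_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "bmp"}


def sniff(data: bytes) -> str:
    """Real content type from the leading bytes; the file name is deliberately ignored."""
    if data.startswith(b"MZ"):
        return "pe-executable"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return "unknown"


def walk_jpeg(data: bytes) -> list:
    """Walk the marker segments of a JPEG; return a list of findings (empty means clean)."""
    findings = []
    pos = 2                                  # past SOI, already checked by sniff()
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            findings.append(f"non-marker byte at offset {pos}")
            return findings
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte between markers
            pos += 1
            continue
        if marker in NO_LENGTH:
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append(f"truncated header for marker 0x{marker:02x}")
            return findings
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        # The length field counts its own two bytes, so anything below 2 is impossible.
        # A decoder that subtracts 2 before checking underflows and then copies far too
        # much: a malformed header, not the picture itself, is what does the damage.
        if length < 2:
            findings.append(f"marker 0x{marker:02x} declares impossible length {length}")
            return findings
        end = pos + 2 + length
        if end > len(data):
            findings.append(f"marker 0x{marker:02x} segment runs past end of file")
            return findings
        if marker == SOS:
            # Entropy-coded data follows. 0xFF inside it is byte-stuffed as FF 00, so the
            # first FF D9 after the scan is taken as End-Of-Image (adequate for triage).
            eoi = data.find(b"\xff\xd9", end)
            if eoi < 0:
                findings.append("no EOI marker")
                return findings
            trailing = len(data) - (eoi + 2)
            if trailing:
                # Bytes after EOI are ignored by every viewer; they only matter to a
                # separate extractor that knows to look there (the W32/Perrun model).
                findings.append(f"{trailing} bytes appended after EOI")
            return findings
        pos = end
    findings.append("no SOS segment")
    return findings


def triage(filename: str, data: bytes) -> list:
    """Findings for a file that arrives claiming, by its name, to be a picture."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    hidden_ext = len(parts) > 2 and parts[-2] in IMAGE_EXTENSIONS and ext not in IMAGE_EXTENSIONS
    if hidden_ext:
        findings.append(f"double extension: real type is .{ext}, not .{parts[-2]}")
    kind = sniff(data)
    if (ext in IMAGE_EXTENSIONS or hidden_ext) and kind == "pe-executable":
        findings.append("disguised executable: picture name, MZ header")
    if kind == "jpeg":
        findings.extend(walk_jpeg(data))
    return findings


# Constructed samples (no real malware): a minimal JPEG skeleton with one APP0 and one
# SOS segment, the same file with bytes appended after EOI, a COM segment of length 0,
# and a bare MZ stub carrying a picture-looking name.
CLEAN_JPEG = (b"\xff\xd8"
              + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # APP0
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS
              + b"\x12\x34"                                                      # scan data
              + b"\xff\xd9")                                                     # EOI
APPENDED = CLEAN_JPEG + b"\x00" * 40
BAD_COM = b"\xff\xd8" + b"\xff\xfe\x00\x00" + CLEAN_JPEG[2:]
DISGUISED = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for name, blob in [("clean.jpg", CLEAN_JPEG), ("photo.jpg", APPENDED),
                       ("photo.jpg", BAD_COM), ("holiday.jpg.exe", DISGUISED)]:
        print(name, triage(name, blob) or ["clean"])
```

The point of keeping the three checks separate is the one Roger makes: a file with an MZ header and a .jpg name is an executable, full stop, and a mail gateway or download scanner should treat it as one regardless of the name; a JPEG with appended bytes is harmless to a viewer and only matters if something else on the machine is already there to extract it; and an impossible segment length is the only one of the three where the picture data itself is the attack, which is why the decoder, not the picture, is what needs patching.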



