Posted by cquirke (MVP Windows shell/user) on April 24, 2007, 5:31 pm
On Thu, 19 Apr 2007 14:40:53 -0400, "Russell L. Smith" <r dot l dot
>A recent VirusScan log showed that VirusScan found a JPG file on my web site
>infected with Exploit-ANIfile.c (Trojan). I read the Microsoft security
>bulletin, the info on the McAfee site, and searched the net - I can find no
>mention of this virus infecting JPG files. Can anybody point me to
>documentation that mentions this virus infecting JPG files? Thanks for your
>assistance.
You can put an exploit into any type of file.
Whether it will "get traction" depends on whether the OS is smart
enough to refuse to pass it to the exploitable surface.
For example, a smart OS will say "hey, this file is named as if it
were a .JPG file, yet this content is ANI" and then, being aware of
this, it will say "I'm NOT passing this content to the ANI
interpreter, I'm stopping right here with an alert".
A really stupidly-designed OS will say "oh look, here's some ANI
content that's been named as a .JPG; I guess this is just an honest
mistake, I'll pass it to the ANI handler".
Guess which behavior is likely with Windows?
I know ANI exploits sprawl over to .CUR and perhaps .ICO, but I dunno
about .JPG; I know that a previous WMF exploit did indeed spread to
.JPG, as a classic example of absent type discipline that greatly
enlarges the risk when some file format is found to be exploitable.
You may be able to knock some sense into Windows. Look in the details
of IE's security settings, for "open based on content, not extension".
Yep, that is set to ENABLED by duuuuuhfault for the Internet Zone and
presumably Trusted, Intranet and "My Computer", too. It is set to
Disabled for Restricted Zone, so there's at least some clue that this
is risky behavior... but hey, we can trust the Internet, right?
--
Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
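As an added example (not code from the thread or from any of its posters), here is a small Python checker that does the content-versus-extension comparison cquirke describes: it sniffs the leading bytes of a file and flags the case where the name claims JPEG but the bytes are a RIFF/ACON animated cursor, a WMF, or another of the formats mentioned above. The sample headers are constructed inline and are not taken from any real file.

```python
"""Flag files whose extension claims one image format but whose leading
bytes identify another (e.g. a RIFF/ACON animated cursor named .jpg)."""
import sys
from pathlib import Path
from typing import Optional, Tuple

# Magic-byte checks for the formats the thread mentions (RIFF/ACON is
# the Windows animated-cursor container used by .ANI files).
SIGNATURES = {
    "jpeg": lambda b: b[:3] == b"\xff\xd8\xff",
    "ani": lambda b: b[:4] == b"RIFF" and b[8:12] == b"ACON",
    "wmf": lambda b: b[:4] in (b"\xd7\xcd\xc6\x9a", b"\x01\x00\x09\x00",
                               b"\x02\x00\x09\x00"),
    "ico": lambda b: b[:4] == b"\x00\x00\x01\x00",
    "cur": lambda b: b[:4] == b"\x00\x00\x02\x00",
}

# The format each extension legitimately claims.
CLAIMED_BY_EXT = {".jpg": "jpeg", ".jpeg": "jpeg", ".ani": "ani",
                  ".wmf": "wmf", ".ico": "ico", ".cur": "cur"}


def detect_format(data: bytes) -> Optional[str]:
    """Return the format the leading bytes identify, or None if unknown."""
    for name, matches in SIGNATURES.items():
        if matches(data):
            return name
    return None


def check_extension(filename: str, data: bytes) -> Tuple[Optional[str], Optional[str], bool]:
    """Compare the format the extension claims with the format the content
    shows. Returns (claimed, detected, mismatch); mismatch is True when the
    extension is one we know and the bytes do not match it."""
    claimed = CLAIMED_BY_EXT.get(Path(filename).suffix.lower())
    detected = detect_format(data)
    mismatch = claimed is not None and detected != claimed
    return claimed, detected, mismatch


# Constructed sample headers (not real files): a JFIF JPEG and an ANI.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"
SAMPLE_ANI = b"RIFF" + (4).to_bytes(4, "little") + b"ACON"

if __name__ == "__main__":
    # Usage: python check_magic.py file1.jpg file2.jpg ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            head = fh.read(16)
        claimed, detected, bad = check_extension(path, head)
        print(f"{'MISMATCH' if bad else 'ok'}: {path} claims {claimed}, content is {detected}")
```

A mismatch only tells you the bytes are not what the name says; whether Windows actually hands such a file to the ANI handler is the question the rest of the thread tries to settle.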
Posted by cquirke (MVP Windows shell/user) on April 25, 2007, 7:59 pm
On Tue, 24 Apr 2007 18:47:26 -0400, "David H. Lipman"
>From: "cquirke (MVP Windows shell/user)"
>| You can put an exploit into any type of file.
>| Whether it will "get traction" depends on whether the OS is smart
>| enough to refuse to pass it to the exploitable surface.
>| I know ANI exploits sprawl over to .CUR and perhaps .ICO, but I dunno
>| about .JPG; I know that a previous WMF exploit did spread to .JPG
>Attached is a perfect example.
>It is a screen capture of an Avira submission report based upon files I
>submitted yesterday.
>"The file '0day.jpg' has been determined to be 'MALWARE'. Our analysts named
>the threat EXP/Ani.Gen"
Hmm... in this XP SP2 PC, I tried renaming an .ANI as .JPG, and it
"opened" in the MS viewer that usually shows .JPG, which stated the
file wasn't displayable. I then tried the same in IView, which said
"this is an .ANI named as a .JPG; rename?"
The trouble with this sort of testing is that this PC has no default
action for .ANI files, so I can't tell whether the content within the
renamed .JPG was ever being handled as .ANI.
Posted by David H. Lipman on April 25, 2007, 8:12 pm
|
| Hmm... in this XP SP2 PC, I tried renaming an .ANI as .JPG, and it
| "opened" in the MS viewer that usually shows .JPG, which stated the
| file wasn't displayable. I then tried the same in IView, which said
| "this is an .ANI named as a .JPG; rename?"
|
| The trouble with this sort of testing is that this PC has no default
| action for .ANI files, so I can't tell whether the content within the
| renamed .JPG was ever being handled as .ANI
|
I think it is how the web page loads the JPG (ANI Exploit) as content on a
miscreant web site.
I have seen ANI Exploits in; HTML, JS and JPG files.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm