Void's Forums

[Void Main]

According to Micro$oft, the viruses/worms are usually released after they post a patch on Windows Update. The patches are reverse engineered & the exploits are then released.

So, I think its a chicken & egg situation.. 8)

It's interesting that this only happens to Microsoft. After all, security patches are released all the time for Linux, source code included, and this isn't a problem. I have yet to see a real live virus in Linux. I certainly have seen exploited services due to poor upkeep but not once have I ever seen a virus, or know anyone else who has.

[byrdman]

I really like this topic and I am glad I got so many people's attention. This is the most frustrating topic for me, also, because everything that Void explained, has happend to my network. I am a IT manager for a nation wide construction company. I have 300+ users that are REALLY good at putting up buildings. I have 1 (one) CEO that does not believe in our department being a Big Brother type of system. So in other words, we have NO web monitoring software, NO Internet policies, and NO restrictions on where our users are allowed to go. Its great for us because we don't have to go through any red tape when we want to buy equipment but we are an "OPEN Book" type of environmnet. Although, we try to block out web mail like AOL, MSN and Hotmail. Even though I send out Emails almost monthly about not double-clicking on unknown attachment, they still do. We can not baby sit our users every day, and because of that, we get MS viruses. I am running Fedora on my laptop (FC2) and I can do everything that my co-horts can do. I can almost guarentee that if I went to upper management and said, " I can do everything you are doing, but for free!!" They would say, "Why haven't you done so already." Well, I have. We use Linux for everything on the "outside", we use Big Brother network monitoring, apache for our webserver, sendmail for our mail filtering/forwarding, named for dns, squid for our web monitoring (when needed), snort for intrusion detection, and cacti/mrtg for graphing. If I would to put together a price list for similar software for the above, I would probably get a raise. But our upper management doesn't know we have those in place. They don't care. They just want to make sure when they double click on IE, it gets them to the internet. and when they double click on Outlook, it opens up their email. Everything else is behind the scenes. By the way, I have Void to thank for all the open source we use in our network. Thanks Void!!

[Void Main]

No problem, just don't let the owner know I was involved when he finds out you aren't using a Microsoft solution. :)

[Void Main]

Interesting related article:

http://isc.sans.org//diary.php?date=2004-09-25

[Void Main]

More JPEG exploit stuff:

http://www.easynews.com/virus.html

I'm in the process of writing a program (hacking existing programs) to capture JPEG files off the wire and check them for trojan code.

[Void Main]

I have written a couple of simple little scripts that when used in combination with driftnet will grab infected JPEG files off the wire and save them in a directory. I would like to hack driftnet so all of this is done internally, along with reporting the source and destination addresses associated with the infected JPEG. Right now the only way I can get the source and destination addresses is by also adding an experimental snort rule that will alert on infected JPEG files.

Here is a Perl script and bash script (bash script calls driftnet and pipes output to the Perl script:

findjpegsploit.pl:

Code: Select all

#!/usr/bin/perl
##########################################################
# findjpegsploit.pl
# Make sure jpeg tools are installed
# Take input from driftnet -a
# Check for exploit
# Save exploits to /root/jpginf
# Save false alarms to /root/jpgfls (for more checking)
##########################################################
 
use File::Copy;
 
while(<STDIN>) {
  chomp;
  $file = $_;
  if (!/jpeg$/) {
    unlink("$file");
  } else {
    @stat = stat($file);
    $size = $stat[7];
    open HANDLE, $file;
    sysread(HANDLE, $input, $size);
    close HANDLE;
    if ($input !~ /^\xff\xd8/) {
       print "not a jpeg\n";
    }
 
    # Look for one of the followoing byte sequences in JPEG
    # FF E1 00 00
    # FF E1 00 01
    # FF E2 00 00
    # FF E2 00 01
    # FF ED 00 00
    # FF ED 00 01
    # FF FE 00 00
    # FF FE 00 01
    if ($input =~ /\xff[\xe1\xe2\xed\xfe]\x00[\x00\x01]/s) {
 
       ($sec, $min, $hour, $day, $mon, $year) = localtime();
       $year += 1900;
       $mon = sprintf("%02d", $mon + 1);
       $day = sprintf("%02d", $day);
       $hour = sprintf("%02d", $hour);
       $min = sprintf("%02d", $min);
       $sec = sprintf("%02d", $sec);
       $fname = $year . $mon . $day . $hour . $min . $sec . ".jpg";
 
       # Look for Comment length of "-0" or "-1".
       @debug = `djpeg -debug $file 2>&1 > /dev/null`;
       if (grep (/Comment, length \-*[01]:/i, @debug)) {
          print "jpeg " . $file . " has trojan at " . localtime() . "!\n";
          $fname = "/root/jpginf/" . $fname;
          # Copy infected JPEG to /root/jpginf directory
          copy($file,$fname);
       } else {
          print "False hit at " . localtime() . "!\n";
          $fname = "/root/jpgfls/" . $fname;
          # Copy false hit to /root/jpgfls directory
          copy($file,$fname);
       }
    }
    # keep temp jpg directory cleaned up
    unlink("$file");
  }
}


findjpegsploit.sh:

Code: Select all

#!/bin/bash
###############################################################
# Find Trojan JPEGS
# Make sure driftnet and findjpegsploit.pl are in your path
# Set your sniffer interface below
# Run this as root
###############################################################
 
SNIFFINTERFACE="eth1"
 
mkdir -p /root/jpeg /root/jpginf /root/jpgfls
driftnet -i $SNIFFINTERFACE -a -m 1000 -d /root/jpeg | findjpegsploit.pl


[Void Main]

Snort rule that seems to work, along with the above code in files:

http://voidmain.is-a-geek.net/files/jpegsploit/

[Ice9]

Void, I discussed this with some guys at work and they all thought this was pretty good stuff.
One of the tings they said was that it would be very useful in the form of a squid redirector/plugin.
Just to give you some of their feedback

Would it bother you if they took a shot at it, is it something you wanna try yourself or would you rather have nobody else touch the code?

[Void Main]

I had already thought of that but haven't worked on it. You could set up a transparent Squid proxy and it would be trivial to create a simple redirector script that would check for and filter out infected JPEG files. Only problem is, it would only filter trojan jpeg files coming via web browser. Wouldn't stop one coming via mail into someone's email. Virus scanners now detect this though, at least the one we run here at work (Trend) so if your virus software is up to date you should be covered, even if you aren't patched (which would be the best thing to do). I'm glad I don't have to worry about this garbage since I don't run Windows at home or at work.

[Ice9]

Void Main wrote:

I'm glad I don't have to worry about this garbage since I don't run Windows at home or at work.

Me neither, at home the only pc still running windows is the one for the kids (triple boot Win98/Win2K/FC2), their web access is limited to my white list and even if that pc was infected it wouldn't affect anyone else since both my wife and I only run Linux.

I'll talk to the techies about the squid thingie and I'll keep you posted on whatever they come up with.

[Void Main]

You let your kids use Windows? Isn't that child abuse? :) Nope, my kids use Linux or nothing in my house. I've been waiting for them to bring something home from school that required Windows but amazingly enough it has never happened. My daughter is in 11th and my son is in 9th grade. They use OpenOffice.org and Mozilla and so far I've not heard any complaints about not being able to do anything and they are both near the top in their class.

[Ice9]

Void Main wrote:

You let your kids use Windows? Isn't that child abuse? Nope, my kids use Linux or nothing in my house. I've been waiting for them to bring something home from school that required Windows but amazingly enough it has never happened. My daughter is in 11th and my son is in 9th grade. They use OpenOffice.org and Mozilla and so far I've not heard any complaints about not being able to do anything and they are both near the top in their class.

I know
The oldest one (9y) uses Linux most of the time but the youngest one (6y) doesn't understand yet why he can't play the same games as his classmates.
As far as applications go, they use OpenOffice, Trillian and Mozilla/Firefox.

I've had problems with my wife only because she doesn't understand why we go through the hassle of using OpenOffice to open MS Office files and sometimes having to re-format the page becausethe layout is screwed up, I tried to explain but she claims I'm over-reacting

So games are what made me install Windows on their pc, I've nearly reached the stage where I'm going to wipe off Win98 and I've made it very clear that Windows XP was never gonna be an option.

[Void Main]

the youngest one (6y) doesn't understand yet why he can't play the same games as his classmates.

That's when I say, go get your ball and glove and get the neighbor kids and go play some catch. :) You wouldn't believe how much fun kids can still have going outside and actually playing with other kids. :) They would rather I give them that answer than give them one of my 10 minute lectures that usually start out something like "Why can't you play the same games as your friends? Because we value our privacy and we don't need any spyware, adware, viruses, etc getting into our personal computers. You can't interact with 50 year old perverts pretending to be 15 year old girls. It's for your protection. Microsoft is evil. Blah, blah, blah, blah. " :)

[Ice9]

Void Main wrote:

They would rather I give them that answer than give them one of my 10 minute lectures ...

Hehe
This is the same kind of lecture I gave them when they asked for an Xbox and MSN Messenger.
Nowadays nobody even dares to say anything when a webpage doesn't display as it should, because they don't wanna hear me raving about how bad Microsoft and IE are for public health

But ... on a positive not my 9 year old is starting to understand why I'm against using Windows and he talks about it at school.

[Void Main]

This is the same kind of lecture I gave them when they asked for an Xbox and MSN Messenger.
Nowadays nobody even dares to say anything when a webpage doesn't display as it should, because they don't wanna hear me raving about how bad Micro$oft and IE are for public health :wink:

Man, we could be twins!

But ... on a positive not my 9 year old is starting to understand why I'm against using Windows and he talks about it at school.

That's awesome! Hopefully they're not making fun of how senile you are. :)