RE: [Full-Disclosure] Xmas virus on the cards ?

From: Jay Libove (libove_at_felines.org)
Date: 12/18/03

    To: full-disclosure@lists.netsys.com
    Date: Thu, 18 Dec 2003 08:54:54 -0500
    
    

    This seems to take advantage of an IE 6.0 (prior to Windows XP SP2)
    "feature"...

    http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/appendix_a.asp

    In short, when IE is NOT given any other hints as to the type of content of
    a particular link - that is, the link does not come from <A IMG...> or an
    HTML email message with MIME type information in it, but simply is pointed
    right at http://foo.com/I_am_not_really_an_image.JPG - IE will evaluate the
    header bytes of the object, a la the UNIX "file" command, and if it is one
    of I think 28 formats that IE can puzzle out, IE will "helpfully" launch it
    with the "correct" handler application.

    This is clearly taking "serve pedantically, accept openly" waaaay too far.

    Actually, even Microsoft realizes this. Our named MS support rep told me
    that XP SP2 will address this. I hope he means that it will totally remove
    this Bad Idea(TM) from IE, but only time will tell that.

    Simple example, put up a copy of something_innocuous.exe and label it
    something_innocuous.jpg and then point your web browser straight at
    http://the.host/something_innocuous.jpg. It won't appear as a broken JPG
    image - it will ask you if you want to open or save the executable...

    -Jay Libove, CISSP

    -----Original Message-----
    From: security squirrel [mailto:secsquirrel@lycos.com]
    Sent: Thursday, December 18, 2003 7:59 AM
    To: full-disclosure@lists.netsys.com
    Subject: [Full-Disclosure] Xmas virus on the cards ?

    Hi all -

    I noticed this article at http://www.vnunet.com/News/1151553 and it looks
    alarming - however did not find any more details.

    If I understand well an HTML file is renamed to JPG and attached to an
    email. However I did not manage to reproduce this.

    This is my summary of the article:

    1. xmas card emails to LEAD to innocent images which are not images but have
    viruses

    2. Mail Filtering systems should handle images just like HTML files +
    educate

    3. ISS reports that this was on a hacker mailing list

    4. techniques to bypass firewalls by MISLABELLING html files as JPGs

    5. Steven Darrall is a senior consultant at ISS X-Force Security Assessment
    Services

    6. The problem is caused by Microsoft's Internet Explorer (IE) web browser
    automatically opening files labelled with .jpg or .gif extensions.

    7. Hackers have posted a proof-of-concept file in which the content was a
    script that caused the browser to download and install a virus according to
    Darrall

    8. The site serving the virus has since been shut down

    Is the image an attachment or is it simply a link to a .jpg file on an HTTP
    server? Did anyone manage to reproduce this or can point to the original
    post on the "hacker mailing list" which describes this?

    - Sec-Squirrel :)

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
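
The header-byte evaluation described in the reply above can be turned around and used by a mail or upload filter to catch files whose content disagrees with an image extension. The following is an added example, not part of the original thread; the function names, the HTML marker list, the 512-byte window and the sample inputs are assumptions made for illustration.

```python
import os

# Well-known magic numbers, keyed by the content kind they identify.
MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pe-executable": (b"MZ",),
}
# Extension -> content kind the file name claims.
CLAIMED = {".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif", ".png": "png"}
# Heuristic (an assumption of this example): tags that mark a body as HTML/script.
HTML_MARKERS = (b"<!doctype", b"<html", b"<head", b"<body", b"<script", b"<iframe")


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, like the UNIX file command."""
    head = data[:512]
    for kind, signatures in MAGIC.items():
        if head.startswith(signatures):
            return kind
    lowered = head.lower()
    if any(marker in lowered for marker in HTML_MARKERS):
        return "html"
    return "unknown"


def check(filename: str, data: bytes) -> str:
    """Return 'ok', 'not-an-image-name', or 'mismatch:<kind>'."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = CLAIMED.get(ext)
    if claimed is None:
        return "not-an-image-name"
    actual = sniff(data)
    return "ok" if actual == claimed else f"mismatch:{actual}"


# Constructed sample inputs (not taken from the thread).
SAMPLES = [
    ("card.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("something_innocuous.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("greeting.gif", b"<HTML><SCRIPT>/* placeholder */</SCRIPT></HTML>"),
    ("logo.gif", b"GIF89a\x01\x00\x01\x00"),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print(f"{name:28} {check(name, body)}")
```

Any `mismatch:` verdict, including `mismatch:unknown`, is a reason for the filter to handle the file as its sniffed type rather than as an image.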
