Security researchers say JPEG virus imminent

Trojan horse that exploits flaw in how Windows handles JPEG images may be low risk, but it's a bad omen.

Robert Lemos, Staff Writer, CNET News.com
A Trojan horse that exploits a recent critical flaw in Microsoft Windows' handling of JPEG images has been posted to several newsgroups, but it has no way to spread, security experts said Tuesday.

Though the code only threatens visitors to the newsgroups where the malicious programs, hidden in images, are posted, antivirus experts continue to warn that it's a short step from such code to an effective computer virus.

"We are getting closer and closer to an exploit that could be turned into a worm," said Oliver Friedrichs, senior manager with security-software maker Symantec's incident response group.

The posting of the code hidden in a JPEG graphic is the latest in a series of events that security experts have widely predicted: A serious flaw in the widespread Microsoft Windows operating system and software was found; code showing how to take advantage of the flaw was published; and a tool that automatically creates malicious JPEG images is continually being refined, Friedrichs said.

The latest code, found Tuesday by online newsgroup access provider Easynews, actually requires the victim to download the false image and view it in Windows Explorer in order for his or her system to be infected, Friedrichs said. That should severely limit the number of computers that are compromised by the program.

Microsoft also pooh-poohed any danger represented by the program.

"Microsoft does not consider this a high risk to customers given the amount of user action required to execute the attack and is not currently aware of any significant customer impact," the software giant said in a statement. "We will continue to investigate the situation and provide customers with additional resources and guidance as necessary."

Easynews announced that a program that scans images posted to Internet newsgroups had registered several hits, finding false JPEG images embedded with malicious code.

Mike Minor, Easynews' chief technology officer, said he had been monitoring the Usenet feed for 36 hours before discovering an infected image. "We couldn't find any other trace of any other posts from that IP address," Minor said. Easynews has not spotted any infected JPEGs since the two it identified late Sunday.

The code, which Easynews called a virus, does not have any mechanism to spread, antivirus-software company F-Secure said in its Weblog.

"These JPEGs did not replicate, so this is not a virus," the company said. "Apparently they tried to use these JPEGs to download Trojan (horse programs) to vulnerable computers, but the download sites should be down by now."

The code posted to Easynews, which Symantec has dubbed Trojan.Moo, was apparently created with the automated tool released by several hackers. The tool, known as the JPEG of Death creation kit, is constantly being updated by its creators and will likely be able to generate viruses soon, said antivirus experts.

"I think because the source code for the kit was released, we will see people that take that source code and create new versions," said Craig Schmugar, virus research manager for security software maker McAfee.

Both McAfee and Symantec have generic detection in their antivirus software for images that contain malicious code.

The JPEG flaw affects various versions of at least a dozen Microsoft software applications and operating systems, including Windows XP, Windows Server 2003, Office XP, Office 2003, Internet Explorer 6 Service Pack 1, Project, Visio, Picture It and Digital Image Pro. The software giant has a full list of affected applications in the advisory on its Web site. Windows XP Service Pack 2, which is still being distributed to many customers' computers, is not vulnerable to the flaw.

CNET News.com's Declan McCullagh contributed to this report.