I'm getting all this spam lately that's just a JPG (1.jpg, 5.jpg...)
Out of curiosity, do they do this just to disguise the marketing text from text filters, or can you actually embed something destructive in an image?
Interesting, I haven't seen spam like this. It seems like a great way to get past any spam filters. Quite clever, really. Spam filters will be able to do nothing about it unless it's from a known IP or the subject contains easy keywords to filter.
There can be nothing destructive in an image. The worst damage that may come of seeing the JPG is that it will go to the server of the spammer to get the image to display to you. This will alert the spammers that you are a live person reading email and sentence you to many more spams in the future.
If they are truly jpg files they are harmless. However, trojans are often disguised as harmless image files.
Since the image is loaded from a remote site, this technique basically captures your IP address as live meat.
If you're on a dial-up this isn't much of an issue, but if you have a dedicated IP...
If you have the preview pane open in Lookout, the only way to prevent this is to go into the view menu and disable it before clicking on it in order to delete it. Leave the preview pane open and they've got it. Of course, you could also simply use Thunderbird and "disable remote images".
It isn't inconceivable that there are overflow bugs in specific JPEG decoders... Imagine you found one in Microsoft's--then you might be able to use a JPEG image as a trojan and insert running code into anyone who views a certain image from within Microsoft apps. However, I'd guess that the previous posters are right--it's an attempt to capture live IPs.
Steganography.
http://news.com.com/2100-1001-935746.html
http://www.ebcvg.com/articles.php?id=80
Jpg could conceivably be a virus vector.
JPGs don't generally contain viruses, although it is possible that someone found a bug in a jpeg decoder. Since Windows by default doesn't show file extensions (.exe, .com, .doc), what they do (by "they" I mean the scumbag spammers and virus writers) is name a file test.jpg.exe. This appears as test.jpg, but it's really an executable file that contains a virus, worm, etc. If you double click on the file, it runs the program and infects your computer.
Moral: Never open anything that you are not expecting, make sure you have up to date and functioning antivirus software.
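The double-extension trick above (and the "trojans disguised as image files" point earlier in the thread) is easy to catch at a mail gateway by checking the name against the file's leading bytes. This is an added illustration, not code from anyone in this thread; the signature table and the list of runnable extensions are my own choices, and the sample blobs are constructed.

```python
# Magic-byte signatures: what a file that is really an image (or really a PE) starts with.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
    "pe":   (b"MZ",),   # Windows EXE/DLL/SCR files begin with the MS-DOS stub header
}
EXT_TO_FORMAT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}
# Extensions Windows runs on double-click (assumed list; .shs is included because the
# thread notes it stays hidden even when "show extensions" is switched on).
RUNNABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "shs"}

def sniff_format(data: bytes) -> str:
    """Identify the real format from the leading bytes, ignoring the file name."""
    for fmt, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return "unknown"

def classify_attachment(filename: str, data: bytes) -> list:
    """Return the reasons an attachment deserves quarantine (empty list = clean)."""
    exts = filename.lower().split(".")[1:]        # ["jpg", "exe"] for test.jpg.exe
    final_ext = exts[-1] if exts else ""
    actual = sniff_format(data)
    flags = []
    # Windows hides only the last extension, so "test.jpg.exe" is displayed as "test.jpg".
    if len(exts) >= 2 and exts[-2] in EXT_TO_FORMAT and final_ext in RUNNABLE_EXTS:
        flags.append("double_extension")
    if final_ext in RUNNABLE_EXTS:
        flags.append("runnable_extension")
    if actual == "pe":
        flags.append("executable_content")
    # A file that claims to be an image must start like one.
    if final_ext in EXT_TO_FORMAT and actual != EXT_TO_FORMAT[final_ext]:
        flags.append("content_mismatch")
    return flags

if __name__ == "__main__":
    # Constructed samples: a genuine JPEG header and a PE header wearing an image name.
    real_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60
    for name, blob in [("5.jpg", real_jpeg), ("test.jpg.exe", fake_exe), ("1.jpg", fake_exe)]:
        print(name, classify_attachment(name, blob) or "clean")
```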
What Bud said. Outlook 2004 (or whatever it's called) disables remote downloads by default exactly for this reason.
And by the way, my anti-spam software catches these things almost 100% of the time.
Most file formats have header areas, including user defined areas, that may contain anything you happen to write into them... Other images or executable code. Setting an instruction point is another matter.
"There can be nothing destructive in an image."
You clearly haven't read Snow Crash!
It isn't inconceivable that there are overflow bugs in specific JPEG decoders
There's a Windows file extension that isn't displayed even if you have Windows set to show extensions. I think it's .shs or similar. That might have changed in later versions of Windows. It's also an executable format, so something named run.jpg.shs would show up as run.jpg, but if you double-clicked it, it would be run just like an executable.
Also, the JPEG Expert Group provides free JPG decoding code. While I wouldn't put it past Microsoft to have rolled their own JPG decoder, if they're using the JPEG EG's code the defects are probably well known and immediately patched.
I know it seems weird, but yes, bugs in code used by image-display systems can indeed be security risks; see http://www.mandrakesecure.net/en/advisories/2002/MDKSA-2002-023.php for an example based on a bug in zlib, which is used by libpng, the standard library for manipulating images in the PNG format. There was concern about the bug allowing the execution of arbitrary code, and such code could be included in the image in the form of a custom "chunk" type.
The bottom line is that over time there will be more and more ways to get code onto your system, not fewer. At some point we're going to have to break with these outmoded designs for PC operating systems that never contemplated having multiple users or being connected to a network and start using operating systems based on some 1960s timesharing technology called "capability security" that makes whole classes of viri, worms, trojan horses and the like simply impossible.
Nah. It's just as MD says. They're avoiding text filtering by embedding everything as an image. It's certainly technically possible that it's some buffer overflow exploit from the 9th dimension. But most likely not.
Oh, and the images don't need to be downloaded, they can be mime'd right in. I get some pretty creative stuff at work.
I recall a few years ago a virus that our MIS incompetents let into the server ate every .jpg file on it. I don't know whether it could spread via .jpg or screwing with them was just a side effect.
Anyhow, most spam isn't a virus, but a sociopathic marketing scheme. And marketers love pictures, so I think it's most likely that this crap really is advertising. Not that I'll take the time to open them...
Frankly, what the internet needs most now is a way to authenticate the point-of-origin of e-mail. And then you block non-authenticated e-mail (unless you like to snigger at badly written Nigerian scams), and block spammers as you identify them...
Jayson: It's unlikely that a jpeg/etc will allow spam to bypass filters, since messages containing only jpegs are weird. That's like trying to sneak a gun onto an airplane by putting it in the glove box of your car and driving through the terminal.
What bud says, but I would figure the spammer doesn't care so much about your IP address. They probably care more that it confirms your e-mail address is live, and could have different JPG combinations to see which ones are loaded. Just conjecture, though.
fling93 has it right. The lowbrow use of images is simply to get past filtering programs. The more sophisticated use can confirm your email address if the image is pulled off of the sender's server rather than embedded in the email. Multiply email confirmation by tens of thousands or a few million and the spammer has a golden commodity: a list of confirmed email addresses to better target his/her next paid spam attack.
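The distinction the last two comments draw (an image embedded in the mail versus one pulled from the sender's server, which confirms the address) is something you can check before rendering. Added example, not code from anyone in this thread: it walks a MIME message with Python's email module and separates inline cid: images from remote fetches. The sample message is constructed; spammer.example and the recipient token in the URL are made up.

```python
import email
from email import policy
from html.parser import HTMLParser

class ImgSrcCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in an HTML part."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.srcs += [v.strip() for k, v in attrs if k == "src" and v]

def find_image_refs(raw_message: bytes) -> dict:
    """Separate remote <img> fetches (address-confirming beacons) from inline cid: images."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    refs = {"remote": [], "inline": []}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgSrcCollector()
        collector.feed(part.get_content())
        for src in collector.srcs:
            if src.lower().startswith("cid:"):
                refs["inline"].append(src[4:])            # served from the mail itself
            elif src.lower().startswith(("http://", "https://")):
                refs["remote"].append(src)                # a fetch tells the sender you read it
    return refs

# Constructed sample: one image shipped inline, one 1x1 image fetched from the sender.
SAMPLE = b"""From: sender@example.net
To: you@example.org
Subject: 5.jpg
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset=us-ascii

<html><body><img src="cid:5.jpg@example.net">
<img src="http://spammer.example/img/5.jpg?r=recipient-0042" width="1" height="1">
</body></html>
--b1
Content-Type: image/jpeg
Content-ID: <5.jpg@example.net>

(jpeg bytes omitted in this constructed sample)
--b1--
"""
```

A client that refuses to load anything in the "remote" list gives the sender nothing, which is exactly what the "disable remote images" setting mentioned earlier does.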
Jane -- there's a known buffer-overflow bug in IE that can be exploited by a malicious image file. What's much more common is that "phish" files send an image of a legitimate looking document in order to mislead you into clicking a link that then takes you to a fake website of some sort.
If the JPG is loading from a remote source it could be a Download.Ject Exploit. I hope your OS is not vulnerable.
http://www.microsoft.com/security/incident/download_ject.mspx
http://securityresponse.symantec.com/avcenter/venc/data/download.ject.html
I don't know about computers but I recall hearing that messages can be inserted into images as a method of encryption. This has been going on for a couple of years and the context within which I heard it was terrorists employing this to get around Carnivore and whatever the new program is called that is used by the NSA. I don't think this can be detected in any way yet.
A new update from Microsoft is for a JPEG-processing vulnerability which would allow malicious code to be inserted into the image file itself.
http://arstechnica.com/news/posts/20040914-4187.html
See also: http://it.slashdot.org/article.pl?sid=04/09/14/2226226&tid=172&tid=128&tid=201&tid=218 on the Win XP vulnerability to images.