Large-Scale IM Virus Attack Feared

by Ryan Naraine

The first signs of a large-scale virus attack are spotted on newsgroups regarding a Windows flaw in the way JPEG images are processed.

Security researchers are seeing the first signs of a large-scale virus attack taking advantage of a known flaw in the way JPEG images are processed in Microsoft Windows products.

Just days after warning that proof-of-concept exploits were circulating, the SANS Internet Storm Center (ISC) said it had received reports that a "GDIplus.dll" exploit embedded on porn images was making the rounds on adult newsgroups.

Microsoft has already released a patch to fix the way GDI libraries handle JPEG processing, and it released a scanning tool to help detect the presence of products that contain the GDI+ component and determine whether a security fix should be applied.

In addition to adult images on Usenet, the ISC said it was investigating reports that the profile feature in America Online's AIM instant messaging product was being used to entice users to view malicious JPEG files.

The basic method is to attach GDI exploits to profiles on AIM. The attacker then sends messages to get the user to go look at the user profile that has a .JPEG with the GDIplus.dll exploit in it," the Center said in an advisory.

The exploit only uses the AIM user profile feature to propagate itself and does not target any vulnerabilities in the AIM software.

Anti-virus firm Symantec has released advisories for two Trojan Horse programs exploiting the GDI+ library flaw described in Microsoft's MS04-028 advisory.

Symantec has updated its virus definitions to protect from Trojan Moo, which has been programmed to download an .EXE file from a Web site. Symantec rates the Trojan Moo threat as "low."

The company also warned that a backdoor Trojan exploiting the same flaw was making the rounds. Symantec said the Trojan is capable of connecting to a predefined IP address to start a command shell on an infected system. A command shell allows an attacker to download and execute harmful code from a predefined domain.

Removal instructions for the backdoor can be found here.

This article was originally published on Wednesday Sep 29th 2004