Windows users vulnerable to 'poisoned' pictures
Users warned hackers may unleash wave of viruses in photo files
Sarah Staples
CanWest News Service
Sunday, September 26, 2004
Hackers exploiting a newly discovered vulnerability in Microsoft Windows operating systems have found a way to turn innocent vacation snapshots into virus-laden "poisoned" images that can travel undetected through e-mail, infecting computers and laying bare victims' credit cards and personal information.
The threat has computer-security experts warning that the world's first photo-virus attack is inevitable and potentially imminent, after step-by-step instructions for embedding malicious code into image files were posted last week to several websites that monitor the emergence of new computer viruses.
Although there have been past attempts to masquerade viruses as images -- notably, by changing ".exe", the file extension denoting a program, to ".jpg" -- and hackers are also known to hide messages inside images as a form of encryption, Microsoft confirmed this is the first time any loophole has been discovered that would allow the image itself to be transformed into a virus.
The first photo-viruses "should be arriving in your in-box this week," predicted Ryan Purita, a hacker expert with the Vancouver consulting firm Totally Connected Security Ltd., who is one of nine certified computer forensic examiners in Canada.
"All I have to be is a 12-year-old who knows a little Visual Basic (programming language)," said Purita. "Believe me, there's people out there with more malicious intentions who will figure out some pretty damaging things to do with this."
Infected images could arrive attached to spam or MSN chat messages, for example. Or, junk e-mail might contain links to websites that automatically download a virus as soon as the user clicks on the link.
Viruses could also be designed to root through family and vacation photos and embed these with malicious code.
Once in control of an infected machine, the hacker can turn it into a "zombie" from which to launch attacks on other computers, or may simply track every keystroke, watching for passwords and anything typed into supposedly "secure" internet banking or shopping sites.
"They could do anything, it's up to their imagination," Purita said. "You think you're on a secure site but it's like they're looking over your shoulder."
The problem is in the "decoder" used by Microsoft operating systems, such as XP, 2000 and NT, to render computerized code as an image. When a .jpg arrives by e-mail, Windows recognizes its "header" -- consisting of the letters "YOYO" -- as a command to display the file as a picture. To create a photo-virus, the hacker simply substitutes the header "YOYO" with malicious instructions.
John Weigelt, chief security advisor for Microsoft Canada, said there is no evidence that any photo-viruses have been released; however, he confirmed hackers began figuring out ways to create them days after Microsoft published a bulletin outlining the problem on Sept. 14.
"What we're seeing is that the malicious user waits until (Microsoft releases a security update), and they do some reverse engineering to see how we fixed a problem and how they can exploit the change," said Weigelt.
Companies and home computer users can protect against infected photos by downloading patches, such as the Service Pack 2 for Windows XP, available from the Web site www.Microsoft.com/security, Weigelt said.
According to Purita, that won't be enough to forestall large-scale attacks because .jpgs have not traditionally been among the questionable entities weeded out since "nobody thought there were any problems with them."