heads up msg - possible upcoming IRC JPEG worm

These are old archives. They are kept for historic purposes only.
Locked
Syzop
UnrealIRCd head coder
Posts: 1955
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

heads up msg - possible upcoming IRC JPEG worm

Post by Syzop » Tue Sep 28, 2004 7:57 pm

Hi,

this is just a heads up message...
a JPEG exploit was released almost a week ago which succesfully exploits the MS04-028 jpg bug [sometimes referred to as the GDI+ JPEG bug].
Now, today on Sep 28, a virus is on the move exploiting this (not on IRC).

As you might understand by now, this virus spreads via jpg files.. if an app that uses the (unpatched) GDI+ is used to view the image (such as explorer), then it will become active.

It seems to me that it's just a matter of time until some worm/virus is going to exploit this on IRC. Either via DCC, website spamming, or some other means.

If anyone sees such activity, let us know, so we can see if a spamfilter (or whatever) can deal with it. You can also mail me personally at syzop AT unrealircd dot com if you prefer that.

Thanks.

aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight » Tue Sep 28, 2004 10:25 pm

Now, here I would probably suggest just spamfilter all .jpg URLs coming with a numeric IP host and a nonstandard port (not 80, 81, 443 (SSL), or 8080). Normally, it's impractical to place such a wide restriction, but for those that want to do it, here is the spamfilter block that I would suggest for the purpose:

Code: Select all

spamfilter {
	regex "http://([0-9]{0,3}\.){3}[0-9]{0,3}:([0-79][0-9]*|8[2-9][0-9]*|80[0-79][0-9]*|808[1-9][0-9]*|8080[0-9]+)/.+\.jpe?g"; // Yes it's ugly. Anyone wanna debug? :D
	target { private; channel; private-notice; channel-notice; part; quit; }; // DCC not applicable here.
	action block;
	reason "Due to GDI+ JPEG exploit, JPG URLs from nonstandard sites cannot be shared at this time. For more information, see http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx";
//	ban-time <time>; // Not applicable with action block
};
*edit* Oh, forgot the SSL one:

Code: Select all

spamfilter {
	regex "https://([0-9]{0,3}\.){3}[0-9]{0,3}:([0-35-9][0-9]*|4[0-35-9][0-9]*|44[0-24-9][0-9]*|443[0-9]+)/.+\.jpe?g"; // Yes it's ugly. Anyone wanna debug? :D
	target { private; channel; private-notice; channel-notice; part; quit; }; // DCC not applicable here.
	action block;
	reason "Due to GDI+ JPEG exploit, JPG URLs from nonstandard sites cannot be shared at this time. For more information, see http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx";
//	ban-time <time>; // Not applicable with action block
};
*edit 2* Adjusted to catch .jpeg URLs too.

*real edit 3*
Syzop wrote:There seems to be at least 1 typo in your http regex (see the ']]' in it?)
Fixed.
Last edited by aquanight on Wed Sep 29, 2004 1:10 am, edited 1 time in total.

Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason » Tue Sep 28, 2004 10:32 pm

*edit 3*

Removed SSL one, changed origional to https?://
Why the hell can't my signature be empty?
"Your message contains too few characters."

aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight » Tue Sep 28, 2004 10:33 pm

No because the ports need to be different. Only 80, 81, and 8080 are the standard HTTP ports. Only 443 is the standard HTTPS port (there might be others).

Syzop
UnrealIRCd head coder
Posts: 1955
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Post by Syzop » Wed Sep 29, 2004 1:07 am

There seems to be at least 1 typo in your http regex (see the ']]' in it?)

I'm not really in favor of such draconic regexes when they aren't necessary.
Especially since they are of relative use, since the '.jpg' or '.jpeg' phrase might not even be in the url (could be just a ""webserver"" serving a jpg file instead if surf to /).
Anyway, if you(&others) keep it with these general regex suggestions mentioned above and don't make it a 2-page-thread about this, then I think it was a (probable) useful contribution :P.


** update 2004-10-06: **
First, yet another virus was found that exploits this issue and connects it's bots to a specific irc server
Second, a new version of an exploit was released that simply grabs an exe from an url and executes it... I wonder how long it will take for someone to just (hex)edit that url to grab a trojan... since that's probably all that it takes to do :p.
On a sidenote, it's taking quite some time now till a big worm is out, odd.. very odd.. scary even ;).

Locked