heads up msg - possible upcoming IRC JPEG worm

These are old archives. They are kept for historic purposes only.
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop »

Hi,

this is just a heads up message...
a JPEG exploit was released almost a week ago which successfully exploits the MS04-028 jpg bug [sometimes referred to as the GDI+ JPEG bug].
Now, today on Sep 28, a virus is on the move exploiting this (not on IRC).

As you might understand by now, this virus spreads via jpg files.. if an app that uses the (unpatched) GDI+ is used to view the image (such as explorer), then it will become active.

It seems to me that it's just a matter of time until some worm/virus is going to exploit this on IRC. Either via DCC, website spamming, or some other means.

If anyone sees such activity, let us know, so we can see if a spamfilter (or whatever) can deal with it. You can also mail me personally at syzop AT unrealircd dot com if you prefer that.

Thanks.
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

Now, here I would probably suggest just spamfilter all .jpg URLs coming with a numeric IP host and a nonstandard port (not 80, 81, 443 (SSL), or 8080). Normally, it's impractical to place such a wide restriction, but for those that want to do it, here is the spamfilter block that I would suggest for the purpose:

spamfilter {
	regex "http://([0-9]{1,3}\.){3}[0-9]{1,3}:([0-79][0-9]*|8[2-9][0-9]*|80[0-79][0-9]*|808([1-9][0-9]*)?|8080[0-9]+|81[0-9]+)/.+\.jpe?g"; // Yes it's ugly. Anyone wanna debug? :D -- port alternation lists every number that is not exactly 80, 81 or 8080 (8100 etc. and plain 808 included)
	target { private; channel; private-notice; channel-notice; part; quit; }; // DCC not applicable here.
	action block;
	reason "Due to GDI+ JPEG exploit, JPG URLs from nonstandard sites cannot be shared at this time. For more information, see http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx";
//	ban-time <time>; // Not applicable with action block
};
*edit* Oh, forgot the SSL one:

spamfilter {
	regex "https://([0-9]{1,3}\.){3}[0-9]{1,3}:([0-35-9][0-9]*|4[0-35-9][0-9]*|44[0-24-9][0-9]*|443[0-9]+)/.+\.jpe?g"; // Yes it's ugly. Anyone wanna debug? :D -- port alternation lists every number that is not exactly 443
	target { private; channel; private-notice; channel-notice; part; quit; }; // DCC not applicable here.
	action block;
	reason "Due to GDI+ JPEG exploit, JPG URLs from nonstandard sites cannot be shared at this time. For more information, see http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx";
//	ban-time <time>; // Not applicable with action block
};
*edit 2* Adjusted to catch .jpeg URLs too.

*real edit 3*
Syzop wrote: There seems to be at least 1 typo in your http regex (see the ']]' in it?)
Fixed.
Last edited by aquanight on Wed Sep 29, 2004 1:10 am, edited 1 time in total.
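An added test harness, not from the thread, for checking which URLs the two spamfilter regexes above would block, with Python's `re` standing in for the IRCd's regex engine. The port alternations list every digit string other than 80/81/8080 (HTTP) and 443 (HTTPS) without using lookahead, and the sample lines are constructed (192.0.2.x is a documentation range).

```python
import re

# Regexes as used in the spamfilter blocks above; the port group enumerates
# all digit strings that are NOT the standard ports, since the IRCd's regex
# engine is assumed to lack negative lookahead.
HTTP_RE = re.compile(
    r"http://([0-9]{1,3}\.){3}[0-9]{1,3}:"
    r"([0-79][0-9]*|8[2-9][0-9]*|80[0-79][0-9]*|808([1-9][0-9]*)?|8080[0-9]+|81[0-9]+)"
    r"/.+\.jpe?g"
)
HTTPS_RE = re.compile(
    r"https://([0-9]{1,3}\.){3}[0-9]{1,3}:"
    r"([0-35-9][0-9]*|4[0-35-9][0-9]*|44[0-24-9][0-9]*|443[0-9]+)"
    r"/.+\.jpe?g"
)


def is_blocked(line: str) -> bool:
    """True if a message line contains a URL that either filter would block."""
    return bool(HTTP_RE.search(line) or HTTPS_RE.search(line))


# Constructed sample message lines with the verdict each filter should give.
SAMPLES = {
    "http://192.0.2.10:80/pic.jpg": False,       # standard HTTP port
    "http://192.0.2.10:81/pic.jpg": False,
    "http://192.0.2.10:8080/pic.jpg": False,
    "http://192.0.2.10:8000/pic.jpg": True,      # nonstandard port
    "http://192.0.2.10:8100/pic.jpeg": True,     # 81xx is not 81
    "http://192.0.2.10:808/pic.jpg": True,       # 808 is not 8080
    "https://192.0.2.10:443/pic.jpg": False,     # standard HTTPS port
    "https://192.0.2.10:4430/pic.jpg": True,
    "https://192.0.2.10:8443/pic.jpg": True,
    "http://example.org:8000/pic.jpg": False,    # hostname, not a bare IP
    "http://192.0.2.10/pic.jpg": False,          # default port
    "look at http://192.0.2.10:8000/": False,    # Syzop's caveat: no .jpg in the URL
}


def check_samples() -> dict:
    """Return {line: (got, expected)} for every sample whose verdict is wrong."""
    return {s: (is_blocked(s), want) for s, want in SAMPLES.items()
            if is_blocked(s) != want}


if __name__ == "__main__":
    bad = check_samples()
    print("all samples as expected" if not bad else f"mismatches: {bad}")
```

The last sample shows the limit Syzop points out below: a URL whose path does not end in .jpg/.jpeg passes the filter even if the server sends a JPEG.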
Jason
Posts: 570
Joined: Mon Jun 14, 2004 5:09 pm

Post by Jason »

*edit 3*

Removed SSL one, changed original to https?://
Why the hell can't my signature be empty?
"Your message contains too few characters."
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

No because the ports need to be different. Only 80, 81, and 8080 are the standard HTTP ports. Only 443 is the standard HTTPS port (there might be others).
Syzop
UnrealIRCd head coder
Posts: 2112
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl

Post by Syzop »

There seems to be at least 1 typo in your http regex (see the ']]' in it?)

I'm not really in favor of such draconic regexes when they aren't necessary.
Especially since they are of relative use, since the '.jpg' or '.jpeg' phrase might not even be in the url (could be just a "webserver" serving a jpg file instead if you surf to /).
Anyway, if you (and others) keep it with these general regex suggestions mentioned above and don't make it a 2-page-thread about this, then I think it was a (probable) useful contribution :P.


** update 2004-10-06: **
First, yet another virus was found that exploits this issue and connects its bots to a specific irc server
Second, a new version of an exploit was released that simply grabs an exe from a URL and executes it... I wonder how long it will take for someone to just (hex)edit that url to grab a trojan... since that's probably all that it takes to do :p.
On a sidenote, it's taking quite some time now till a big worm is out, odd.. very odd.. scary even ;).