Re: [Clamav-users] ERROR: JPEG.Comment

2004-09-30 Thread Damian Menscher
On Wed, 29 Sep 2004 [EMAIL PROTECTED] wrote:
On Wed, 29 Sep 2004, Dennis Peterson wrote:
Anyone got a plan for when encrypted zip'd jpeg files start showing up?
Either start a password grepper/parser which should be able to be updated
to recognize new formats in a non-executable way (regex or something)
included in the sigs to rip \w+ out of images and html.  If it's a
passworded zip we can forward what we think the password is into the
decompressor.
I was under the impression that zip passwords could easily be cracked. 
If that is the case, we could just crack them all and scan the contents. 
Of course, CPU time would go way up for the password cracking.

Could start to make a profile of the zips too and ship 'em in with a
signature.  Remember that you can still read the CRC of the files within
the encrypted zip and the filename would probably follow a strict format
like IMG001.jpg to keep it looking innocent.  Yes, I am almost talking
about bayes virus detection and I think that is where we (the antivirus
industry) will end up in the future otherwise we will never be proactive.
 /me waits for a polymorphic jpeg
I was just looking into the reason for false positives with the previous 
jpeg signature, and discovered it's due to detecting bytes *within* the 
comment sections of the jpegs.  So there goes our simple rule for 
detecting all possible jpeg malware... now we have to write rules for 
each case (and accept the associated risk of FPs).  A polymorphic jpeg 
would kill us right now.  And the rules:
 Exploit.JPEG.Comment.1:5:0:ffd8ffe0{-2048}fffe00(00|01){-4096}ffd9
 Exploit.JPEG.Comment.2:5:0:ffd8fffe{-8192}fffe00(00|01){-10240}ffd9 
imply that two polymorphic jpegs (one that is around 4k, another that is 
around 10k) already exist.  Both of those rules have some chance of a 
false positive.  Only the third rule:
 Exploit.JPEG.Comment.3:5:0:ffd8fffe00(00|01)
is 100% safe.  (Note that I work for the Imaging Technology Group, so a 
false positive on a jpeg would be a Very Bad Thing.  And even a 0.01% 
failure rate is bad when you have 1765217 jpegs.)

Of course, one option would be to handle a .jpg in the same way as a 
.zip, .tar, etc and actually look at it with an understanding of the 
file format.  That means not scanning the comments themselves, only the 
data headers.  Of course, that means writing an entire scanning module 
just for .jpg files.  This does NOT scale well.

... It's interesting that viruses are finally starting to implement what
we were joking about in 1995 at high school...
I'm impressed with how far we've come.  Less than a year ago, I could 
most email viruses with simple procmail scripts.  Now even antivirus 
products are having difficulty keeping up with the threats.

Damian Menscher
--
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Re: [Clamav-users] ERROR: JPEG.Comment

2004-09-30 Thread Trog
On Thu, 2004-09-30 at 08:26, Damian Menscher wrote:
 false positive.  Only the third rule:
   Exploit.JPEG.Comment.3:5:0:ffd8fffe00(00|01)
 is 100% safe.  (Note that I work for the Imaging Technology Group, so a 
 false positive on a jpeg would be a Very Bad Thing.  And even a 0.01% 
 failure rate is bad when you have 1765217 jpegs.)
 
 Of course, one option would be to handle a .jpg in the same way as a 
 .zip, .tar, etc and actually look at it with an understanding of the 
 file format.  That means not scanning the comments themselves, only the 
 data headers.  Of course, that means writing an entire scanning module 
 just for .jpg files.  This does NOT scale well.
 

CVS contains some code to parse JPEG files *only* when they match
against a Exploit.JPEG.Comment signature. This should remove false
positives, and hopefully still not miss any real samples.

-trog



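To show why parsing the JPEG (as Trog's CVS change does after a signature match) removes the false positives Damian describes, here is an added example written for this thread; it is not ClamAV's code. It walks marker segments by their length fields rather than scanning raw bytes, so `ff fe 00 00` inside a comment payload is stepped over, while a COM segment whose length field is 0 or 1 (the `ffd8fffe00(00|01)` shape of Exploit.JPEG.Comment.3) is flagged anywhere in the header, not only directly after SOI. Both sample buffers are constructed.

```c
#include <stddef.h>

enum jpeg_verdict { JPEG_OK = 0, JPEG_BAD_COMMENT = 1, JPEG_MALFORMED = 2 };

/* Walk the marker segments of a JPEG header up to SOS/EOI and flag a COM
 * (0xFFFE) segment whose 16-bit length field is 0 or 1, too small to cover
 * the two length bytes themselves.  Only segment headers are inspected; the
 * same bytes inside a comment payload are stepped over via the length. */
enum jpeg_verdict jpeg_check_comments(const unsigned char *buf, size_t len)
{
    size_t pos = 2;
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8)   /* must start with SOI */
        return JPEG_MALFORMED;
    while (pos + 1 < len) {
        unsigned marker = buf[pos + 1];
        size_t seglen;
        if (buf[pos] != 0xFF)                  /* expected a marker here */
            return JPEG_MALFORMED;
        if (marker == 0xFF) { pos++; continue; }          /* fill byte */
        if (marker == 0xD9 || marker == 0xDA)  /* EOI or SOS: header done */
            return JPEG_OK;
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7)) {
            pos += 2;                          /* TEM / RSTn carry no length */
            continue;
        }
        if (pos + 3 >= len)
            return JPEG_MALFORMED;             /* truncated length field */
        seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (seglen < 2)                        /* length cannot cover itself */
            return marker == 0xFE ? JPEG_BAD_COMMENT : JPEG_MALFORMED;
        pos += 2 + seglen;                     /* marker + whole segment */
    }
    return JPEG_MALFORMED;                     /* data ended before SOS/EOI */
}

/* What a flat byte-pattern signature sees: ff fe 00 00 or ff fe 00 01 at any
 * offset, comment payload bytes included. */
int naive_pattern_hit(const unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i + 3 < len; i++)
        if (buf[i] == 0xFF && buf[i + 1] == 0xFE && buf[i + 2] == 0x00 &&
            buf[i + 3] <= 0x01)
            return 1;
    return 0;
}

/* Constructed sample: well-formed header whose COM payload happens to contain
 * ff fe 00 00, the kind of file that tripped the raw signature. */
static const unsigned char benign_jpeg[] = {
    0xFF, 0xD8,                                         /* SOI */
    0xFF, 0xE0, 0x00, 0x06, 'J', 'F', 'I', 'F',         /* APP0, length 6 */
    0xFF, 0xFE, 0x00, 0x08, 'h', 'i', 0xFF, 0xFE, 0x00, 0x00, /* COM, len 8 */
    0xFF, 0xDA                                          /* SOS */
};
/* Constructed sample: COM with length 0, the ffd8fffe00(00|01) shape. */
static const unsigned char bad_jpeg[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x00, 'A', 'B' };
```

Run both functions over a file's bytes: the pattern search hits on both samples, while the segment walker returns JPEG_OK for the benign one and JPEG_BAD_COMMENT only for the malformed one.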


Re: [Clamav-users] ERROR: JPEG.Comment

2004-09-30 Thread Bart Silverstrim
On Sep 30, 2004, at 3:26 AM, Damian Menscher wrote:
On Wed, 29 Sep 2004 [EMAIL PROTECTED] wrote:
... It's interesting that viruses are finally starting to implement 
what
we were joking about in 1995 at high school...
I'm impressed with how far we've come.  Less than a year ago, I could 
most email viruses with simple procmail scripts.  Now even antivirus 
products are having difficulty keeping up with the threats.
But for the jpeg threat, as I understand it, patching systems *should* 
fix this so even if a virus does get loose on your system (jpeg 
virus), it shouldn't have an effect.  The problem is with the way it's 
interpreted by some libraries in Windows.  Slightly different than 
running an executable (who would have thought a few years ago that 
spreading a virus would be as simple as an anonymous email with a .exe 
attached saying, This is neat, UsEr!  Run this program!...AND THEY 
DO!?? AARGH!).

Once all bazillion Windows machines are patched by all the users on the 
planet who know more about their computer than where the on/off switch 
is, this jpeg virus threat will be a minor footnote in computer 
history.

/turns blue trying to keep from laughing at the sheer ridiculousness 
of the situation..

You do realize, of course, in several years there's a distinct 
possibility that this will turn into a minefield with otherwise 
harmless jpegs (to some platforms) winding up on web pages for viewing. 
Some people patch, some don't, eventually...*foom*...infected on those 
systems the user never patched.  This will be happening five years from 
now.

The only way to really fix it is to either A) fix the libraries with 
the problem or B) create a screen program that processes EVERY jpg, 
resaving them in a stripped form so the executable code won't exist 
in the new copy, and forward it or present it to the user...this would 
have to be done like some kind of web browser plugin or something of 
that nature.

At least, those are two ideas I see as possible.  The second one would 
be a real PITA, though.  Both require users to update their systems or 
antivirus programs or spyware programs...GOOD LUCK.  Here's another 
thing...what's with spyware and viruses mixing now?  Five years ago 
viruses were viruses, slimy company advertising was slimy company 
advertising.  Now, my Windows antivirus is picking up trojan adware 
and viruses and my spybot is searching for Bagle?!?  This is getting 
bloody crazy.  Now that virus vectors are coming through email rather 
than just sharing programs, and are increasingly shifting towards 
infection via web browsing, how long before Clam will need to be run 
with some sort of web proxy plugin via Squid??  But now I'm just 
ranting...

-Bart


RE: [Clamav-users] ERROR: JPEG.Comment

2004-09-30 Thread Samuel Benzaquen
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Bart
 Silverstrim
 Sent: Thursday, September 30, 2004 7:50 AM


 On Sep 30, 2004, at 3:26 AM, Damian Menscher wrote:

  On Wed, 29 Sep 2004 [EMAIL PROTECTED] wrote:
  ... It's interesting that viruses are finally starting to implement
  what
  we were joking about in 1995 at high school...
 
  I'm impressed with how far we've come.  Less than a year ago, I could
  most email viruses with simple procmail scripts.  Now even antivirus
  products are having difficulty keeping up with the threats.

 But for the jpeg threat, as I understand it, patching systems *should*
 fix this so even if a virus does get loose on your system (jpeg
 virus), it shouldn't have an effect.  The problem is with the way it's
 interpreted by some libraries in Windows.  Slightly different than
 running an executable (who would have thought a few years ago that
 spreading a virus would be as simple as an anonymous email with a .exe
 attached saying, This is neat, UsEr!  Run this program!...AND THEY
 DO!?? AARGH!).

That's what happens to us for trying to make everything so easy =)

 Once all bazillion Windows machines are patched by all the users on the
 planet who know more about their computer than where the on/off switch
 is, this jpeg virus threat will be a minor footnote in computer
 history.


That's not going to happen. I still get Blaster attempts on my network =@

 You do realize, of course, in several years there's a distinct
 possibility that this will turn into a minefield with otherwise
 harmless jpegs (to some platforms) winding up on web pages for viewing.
   Some people patch, some don't, eventually...*foom*...infected on those
 systems the user never patched.  This will be happening five years from
 now.

Not counting that this is a real virus. A piece of code that could
potentially insert itself into legitimate code/data. There could be one
JPEG that infects all other JPEGs!
This could really be a threat on an unprotected web server.
Imagine a user uploading an image, then the admin just browsing the folder
(with thumbnails or something) and BLUM! All the images on the web server are
infected!

 The only way to really fix it is to either A) fix the libraries with
 the problem or B) create a screen program that processes EVERY jpg,
 resaving them in a stripped form so the executable code won't exist
 in the new copy, and forward it or present it to the user...this would
 have to be done like some kind of web browser plugin or something of
 that nature.

I think that you can't assume A), so you have to do B).

 At least, those are two ideas I see as possible.  The second one would
 be a real PITA, though.  Both require users to update their systems or
 antivirus programs or spyware programs...GOOD LUCK.  Here's another
 thing...what's with spyware and viruses mixing now?  Five years ago
 viruses were viruses, slimy company advertising was slimy company
 advertising.  Now, my Windows antivirus is picking up trojan adware
 and viruses and my spybot is searching for Bagle?!?  This is getting
 bloody crazy.  Now that virus vectors are coming through email rather
 than just sharing programs, and are increasingly shifting towards
 infection via web browsing, how long before Clam will need to be run
 with some sort of web proxy plugin via Squid??  But now I'm just
 ranting...


As I remember... there IS a plugin for using Clam on Squid =P

This world is not getting any easier... but if it were we would be
unemployed =).

Regards,

-Samuel



Re: [Clamav-users] ERROR: JPEG.Comment

2004-09-30 Thread Christopher X. Candreva
On Wed, 29 Sep 2004 [EMAIL PROTECTED] wrote:

  ... It's interesting that viruses are finally starting to implement what
 we were joking about in 1995 at high school...

It's interesting we were making similar jokes in 1985 in high school.




==
Chris Candreva  -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/


Re: [Clamav-users] ERROR: JPEG.Comment

2004-09-29 Thread Kevin Spicer
On Wed, 2004-09-29 at 05:34, Brandon Knitter wrote:
 I have a few images that seem to be flagged as virii, when they are not.  I'm
 taking an image that is considered fine (no virus), then when I process it
 through convert (ImageMagick) it thinks it has the virus.  I have over 4000
 images I've processed this way, and only 232 of them clamscan thinks have the error.
 
 Version: 0.80rc3
 
 Any advice?  Where do I post something like that?

Were these by any chance taken by an Olympus camera?  I've seen two
false positives using my own signature for this exploit - both of which
were pictures from an Olympus  (run strings on the file and grep for
Oly).




BMRB International 
http://www.bmrb.co.uk
+44 (0)20 8566 5000




---
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] ERROR: JPEG.Comment

2004-09-29 Thread Damian Menscher
On Wed, 29 Sep 2004, Brandon Knitter wrote:
I'm unsure what type of camera originally took the pictures.  But the original
pictures DO NOT show as having a virus.  After I put it through ImageMagick's
convert (I make thumbnails) it then thinks it has the virus.
Now, I'm pretty sure that ImageMagick isn't injecting a virus, as many of the
other thumbnails I make with the same exact binary report no virus.
Could you, and everyone else who has seen a false JPEG.Comment, please 
re-run the scans?  I just discovered something EXTREMELY disturbing:

I just upgraded to 0.80rc3 on a RH9 machine.  As a test of clamav, I 
went into my public_html directory and did a clamscan -r.  It found one 
of my images to contain the virus:

[EMAIL PROTECTED] public_html]# clamscan -r .
./Asia_Pics/New Folder/dsc_0009.jpg: Exploit.JPEG.Comment FOUND
But later scans didn't show a problem with it:
[EMAIL PROTECTED] New Folder]# clamscan dsc_0009.jpg
dsc_0009.jpg: OK
[EMAIL PROTECTED] New Folder]# clamscan -r .
./dsc_0009.jpg: OK
[EMAIL PROTECTED] public_html]# clamscan ./Asia_Pics/New Folder/dsc_0009.jpg
./Asia_Pics/New Folder/dsc_0009.jpg: OK
[EMAIL PROTECTED] public_html]# clamscan -r Asia_Pics/
Asia_Pics//New Folder/dsc_0009.jpg: OK
[EMAIL PROTECTED] public_html]# clamscan -r .
./Asia_Pics/New Folder/dsc_0009.jpg: OK
And no, the file didn't change between scans:
[EMAIL PROTECTED] public_html]# ls -l ./Asia_Pics/New Folder/dsc_0009.jpg
-r-xr-xr-x 1 menscher astro 347067 Jan 10 2004 ./Asia_Pics/New Folder/dsc_0009.jpg
If I had to guess, I'd say clamscan has some uninitialized memory that's 
causing occasional false positives.  If anyone can suggest an 
alternative explanation, or a way I could debug this further, I'd love 
to help.  Problem is, I can't reproduce the false positive anymore.

Damian Menscher
--
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-


Re: [Clamav-users] ERROR: JPEG.Comment

2004-09-29 Thread Tomasz Kojm
On Wed, 29 Sep 2004 10:21:10 -0700
Brandon Knitter [EMAIL PROTECTED] wrote:

 I'm unsure what type of camera originally took the pictures.  But the
 original pictures DO NOT show as having a virus.  After I put it
 through ImageMagick's convert (I make thumbnails) it then thinks it
 has the virus.
 
 Now, I'm pretty sure that ImageMagick isn't injecting a virus, as many
 of the other thumbnails I make with the same exact binary
 report no virus.
 
 I was unaware of the submit feature.  I just sent it in at the submit
 site as a false positive! :)

Thanks. Fixed in CVS.

-- 
   oo. Tomasz Kojm [EMAIL PROTECTED]
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Thu Sep 30 02:28:28 CEST 2004




Re: [Clamav-users] ERROR: JPEG.Comment

2004-09-29 Thread Damian Menscher
On Wed, 29 Sep 2004, Damian Menscher wrote:
I just upgraded to 0.80rc3 on a RH9 machine.  As a test of clamav, I went 
into my public_html directory and did a clamscan -r.  It found one of my 
images to contain the virus:

[EMAIL PROTECTED] public_html]# clamscan -r .
./Asia_Pics/New Folder/dsc_0009.jpg: Exploit.JPEG.Comment FOUND
But later scans didn't show a problem with it:
[EMAIL PROTECTED] New Folder]# clamscan dsc_0009.jpg
dsc_0009.jpg: OK
And no, the file didn't change between scans:
[EMAIL PROTECTED] public_html]# ls -l ./Asia_Pics/New Folder/dsc_0009.jpg
-r-xr-xr-x 1 menscher astro 347067 Jan 10 2004 ./Asia_Pics/New Folder/dsc_0009.jpg

If I had to guess, I'd say clamscan has some uninitialized memory that's 
causing occasional false positives.  If anyone can suggest an alternative 
explanation, or a way I could debug this further, I'd love to help.  Problem 
is, I can't reproduce the false positive anymore.
Ok, I feel dumb.  Turns out the difference was the release of daily 509, 
which eliminated the false positive.  I swear I looked to make sure it 
wasn't a freshclam update that made it disappear, but checking a second 
time shows otherwise.

Sorry for the false alarm.
Damian Menscher
--
-=#| Physics Grad Student  SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-


Re: [Clamav-users] ERROR: JPEG.Comment

2004-09-29 Thread Dennis Peterson
Damian Menscher said:
 On Wed, 29 Sep 2004, Damian Menscher wrote:


 If I had to guess, I'd say clamscan has some uninitialized memory that's
 causing occasional false positives.  If anyone can suggest an
 alternative
 explanation, or a way I could debug this further, I'd love to help.
 Problem
 is, I can't reproduce the false positive anymore.

 Ok, I feel dumb.  Turns out the difference was the release of daily 509,
 which eliminated the false positive.  I swear I looked to make sure it
 wasn't a freshclam update that made it disappear, but checking a second
 time shows otherwise.

 Sorry for the false alarm.

 Damian Menscher

I logged 32 jpeg files flagged as positive on the 27-28th. They stopped as
soon as the new db showed up. I sure hope these patterns are gold cuz I
can't afford fp's on images. Worse, I can't afford undetected positives.

Anyone got a plan for when encrypted zip'd jpeg files start showing up?

dp


Re: [Clamav-users] ERROR: JPEG.Comment

2004-09-29 Thread clamav
On Wed, 29 Sep 2004, Dennis Peterson wrote:
 
 Anyone got a plan for when encrypted zip'd jpeg files start showing up?
 
 dp
 

Either start a password grepper/parser which should be able to be updated
to recognize new formats in a non-executable way (regex or something)  
included in the sigs to rip \w+ out of images and html.  If it's a
passworded zip we can forward what we think the password is into the
decompressor.

Could start to make a profile of the zips too and ship 'em in with a
signature.  Remember that you can still read the CRC of the files within
the encrypted zip and the filename would probably follow a strict format
like IMG001.jpg to keep it looking innocent.  Yes, I am almost talking
about bayes virus detection and I think that is where we (the antivirus
industry) will end up in the future otherwise we will never be proactive.

  /me waits for a polymorphic jpeg

 ... It's interesting that viruses are finally starting to implement what
we were joking about in 1995 at high school...


-- 
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax:   (503) 885-0770




[Clamav-users] ERROR: JPEG.Comment

2004-09-28 Thread Brandon Knitter
I have a few images that seem to be flagged as virii, when they are not.  I'm
taking an image that is considered fine (no virus), then when I process it
through convert (ImageMagick) it thinks it has the virus.  I have over 4000
images I've processed this way, and only 232 of them clamscan thinks have the error.

Version: 0.80rc3

Any advice?  Where do I post something like that?

-- 
-bk
