Since proof-of-concept code for the JPEG flaw in Windows has been posted online, we can surely expect at least one mass mailing exploit soon. The form will likely take the form of either:
1) A JPEG file embedded in an email message with the exploit code embedded in the embedded image. Theoretically, the exploit pattern should already be known, no matter what the encoding is, so anti-virus companies should theoretically be able to detect this already, if this method is used.
2) Because of the above, the more likely method seems to be the embedding of a URL in the message that either refers to the actual JPEG itself or refers to a webpage that loads the infected JPEG. It seems then that the only tool that could detect worms of this sort would be SURBL.
And so on to my question: if I (or anyone else for that matter) submit a domain name that hosts an infected JPEG file, how quickly will the SURBL databases be updated to reflect this infection?
Also, what if the exploit is multi-stage, and tries to infect actual http servers with infected JPEGs, and thousands of websites become infected...? Would it then be necessary to create a separate SURBL list for these infected domains, or could they be listed in, say, the phishing list?
Thanks, Matthew Wilson
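A defender-side illustration of the lookup Matthew is asking about, as an added example that is not part of this thread: pull the domains out of a message's URLs, reduce them the way SURBL expects (registrable domain, reversed octets for IP literals), form the multi.surbl.org query name, and decode the 127.0.0.N bitmask answer. The list-bit assignments, the three-level ccTLD set and the stub resolver are constructed placeholders, not SURBL's published values.

```python
import re
from urllib.parse import urlsplit

# Constructed bit map. SURBL's multi list answers 127.0.0.N where N is a bitmask
# of member lists; the real bit assignments are published by SURBL and have
# changed over time, so these are placeholders for illustration only.
LIST_BITS = {8: "ph", 16: "mw"}

# Constructed approximation of SURBL's two-level/three-level rule: most hosts
# reduce to name.tld, registrations under these ccTLD second levels to name.second.tld.
THREE_LEVEL = {"co.uk", "org.uk", "com.au", "co.jp"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d+(\.\d+){3}")

def registrable_domain(host):
    """Reduce a hostname (or IP literal) to the label SURBL expects to be queried."""
    host = host.lower().strip(".")
    if IPV4_RE.fullmatch(host):               # IP literals are queried octet-reversed
        return ".".join(reversed(host.split(".")))
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in THREE_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def extract_domains(message_body):
    """Ordered, de-duplicated list of queryable domains found in the message's URLs."""
    found = []
    for url in URL_RE.findall(message_body):
        host = urlsplit(url).hostname
        if host:
            dom = registrable_domain(host)
            if dom not in found:
                found.append(dom)
    return found

def surbl_query_name(domain, zone="multi.surbl.org"):
    return f"{domain}.{zone}"

def decode_answer(addr):
    """Map a 127.0.0.N answer to the names of the lists whose bits are set."""
    octets = addr.split(".")
    if len(octets) != 4 or octets[:3] != ["127", "0", "0"]:
        return []                              # not a listing answer
    n = int(octets[3])
    return [name for bit, name in sorted(LIST_BITS.items()) if n & bit]

# Constructed stub standing in for a DNS resolver so the example runs offline.
STUB_DNS = {"bad-images.example.multi.surbl.org": "127.0.0.24"}

def check_message(message_body, resolve=STUB_DNS.get):
    """Return {domain: [lists]} for every listed domain referenced in the message."""
    hits = {}
    for dom in extract_domains(message_body):
        answer = resolve(surbl_query_name(dom))
        if answer:
            hits[dom] = decode_answer(answer)
    return hits
```

A real deployment would replace `resolve` with an A-record lookup and read the bit assignments from SURBL's current documentation.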
On Wed, 22 Sep 2004 10:32:47 -0500, Matthew Wilson matthew@boomer.com wrote:
> Since proof-of-concept code for the JPEG flaw in Windows has been posted online, we can surely expect at least one mass mailing exploit soon. The form will likely take the form of either:
<snip>
> And so on to my question: if I (or anyone else for that matter) submit a domain name that hosts an infected JPEG file, how quickly will the SURBL databases be updated to reflect this infection?
As quickly as we update it :)
> Also, what if the exploit is multi-stage, and tries to infect actual http servers with infected JPEGs, and thousands of websites become infected...? Would it then be necessary to create a separate SURBL list for these infected domains, or could they be listed in, say, the phishing list?
I don't quite follow your logic here, however the phishing list is designed to stop phishing attacks, not exploits. I think I would consider listing a mass mailed URL if it were only a once off but that is just not likely to be the case.
I think there is definitely scope for an "xbl.spamhaus.org" styled SURBL, but who the heck could keep up with that volume of data? And given that the exploits are so new, we really don't know how to track it in an automated manner yet.
Methinks this may be something that a third party might pick up, as was discussed over the last week or so with other list ideas. It's a good idea though :)
On Wednesday, September 22, 2004, 10:02:56 AM, David Hooton wrote:
> On Wed, 22 Sep 2004 10:32:47 -0500, Matthew Wilson matthew@boomer.com wrote:
>> Also, what if the exploit is multi-stage, and tries to infect actual http servers with infected JPEGs, and thousands of websites become infected...? Would it then be necessary to create a separate SURBL list for these infected domains, or could they be listed in, say, the phishing list?
> I don't quite follow your logic here, however the phishing list is designed to stop phishing attacks, not exploits. I think I would consider listing a mass mailed URL if it were only a once off but that is just not likely to be the case.
Yes, I don't see it as a phishing issue either. I see it more as a Windows bug (excuse me, a "knowledge base" ;-) that needs to be fixed by Microsoft and Windows users and not really an issue for SURBLs.
Jeff C.
"Matthew Wilson" matthew@boomer.com wrote:
> Also, what if the exploit is multi-stage, and tries to infect actual http servers with infected JPEGs, and thousands of websites become infected...?
Seems highly unlikely:
1) Web servers don't tend to display the JPEGs that they serve.
2) Most web servers don't run Windows.
3) Those that do hopefully have been patched already - the available fix from M$ has gone out on Windowsupdate a couple of days ago.
Joe
On Thu, 23 Sep 2004, Joe Wein wrote:
> Seems highly unlikely:
> - Web servers don't tend to display the JPEGs that they serve
> - Most web servers don't run Windows.
> - Those that do hopefully have been patched already - the available fix from M$ has gone out on Windowsupdate a couple of days ago.
Don't bet the rent on those thoughts.
An increasing number of programs/packages for Windows platforms incorporate a mini-IIS server as a data display mechanism. For example, a big-name software deployment package that we bought generates its conflict checker reports as web-pages, exported via a built-in IIS server.
So unclueful people might not even be aware that they're running web servers on their workstations.