[SURBL-Discuss] JPEG flaw in Windows - URLs in emails

Matthew Wilson matthew at boomer.com
Wed Sep 22 17:32:47 CEST 2004


Since proof-of-concept code for the JPEG flaw in Windows has been posted
online, we can surely expect at least one mass mailing exploit soon.
The form will likely take the form of either:

1) A JPEG file embedded in an email message with the exploit code
embedded in the embedded image.  Theoretically, the exploit pattern
should already be known, no matter what the encoding is, so anti-virus
companies should theoretically be able to detect this already, if this
method is used.

2) Because of the above, the more likely method seems to be the
embedding of a URL in the message that either refers to the actual JPEG
itself or refers to a webpage that loads the infected JPEG.  It seems
then that the only tool that could detect worms of this sort would be
SURBL.

And so on to my question: if I (or anyone else for that matter) submit a
domain name that hosts an infected JPEG file, how quickly will the SURBL
databases be updated to reflect this infection?  

Also, what if the exploit is multi-stage, and tries to infect actual
http servers with infected JPEGs, and thousands of websites become
infected...?  Would it then be necessary to create a separate SURBL list
for these infected domains, or could they be listed in, say, the
phishing list?

Thanks,
Matthew Wilson




More information about the Discuss mailing list