[SURBL-Discuss] JPEG flaw in Windows - URLs in emails

Chris Santerre csanterre at merchantsoverseas.com
Wed Sep 22 18:06:07 CEST 2004



>-----Original Message-----
>From: Matthew Wilson [mailto:matthew at boomer.com]
>Sent: Wednesday, September 22, 2004 11:33 AM
>To: SURBL Discussion list
>Subject: [SURBL-Discuss] JPEG flaw in Windows - URLs in emails
>
>
>Since proof-of-concept code for the JPEG flaw in Windows has been posted
>online, we can surely expect at least one mass mailing exploit soon.
>The form will likely take the form of either:
>
>1) A JPEG file embedded in an email message with the exploit code
>embedded in the embedded image.  Theoretically, the exploit pattern
>should already be known, no matter what the encoding is, so anti-virus
>companies should theoretically be able to detect this already, if this
>method is used.
>
>2) Because of the above, the more likely method seems to be the
>embedding of a URL in the message that either refers to the actual JPEG
>itself or refers to a webpage that loads the infected JPEG.  It seems
>then that the only tool that could detect worms of this sort would be
>SURBL.
>
>And so on to my question: if I (or anyone else for that matter) submit a
>domain name that hosts an infected JPEG file, how quickly will the SURBL
>databases be updated to reflect this infection?
>
>Also, what if the exploit is multi-stage, and tries to infect actual
>http servers with infected JPEGs, and thousands of websites become
>infected...?  Would it then be necessary to create a separate SURBL list
>for these infected domains, or could they be listed in, say, the
>phishing list?
>
>Thanks,
>Matthew Wilson
>

Well here are some random thoughts in no order:

1) I'm not getting web submissions right now. Something is FUBAR there.
2) Perhaps we can work something out with a third party to maintain virus
type links like this? I'll email Jeff off list as I have some other
questions there.
3) Ehhh....I think Jeff is going to say something along the lines of "SURBL
wasn't intended to be used like that." To which I agree, yet sadly SURBL is
the tool to catch these. 

--Chris
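The two delivery methods Matthew describes (the malformed JPEG attached to the mail itself, and a URL in the body pointing at a hosted JPEG) can both be checked at the mail gateway. The following is an added example, not code from the list post or from the SURBL project. It assumes that the "exploit pattern" of point 1 is the one the Windows GDI+ flaw discussed in September 2004 (MS04-028) actually hinges on, a JPEG COM segment whose two-byte length field is less than 2 (a valid length always includes the two length bytes, so 0 or 1 underflows the parser's size arithmetic), and that a domain from a body URL would be looked up as `domain.multi.surbl.org`. The message, the attachment and the domain names are constructed test data; no DNS query is made.

```python
import email
import re
import struct
from email import policy
from email.message import EmailMessage

# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE_MARKERS = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def find_malformed_segments(data):
    """Walk the JPEG header segments and return (offset, marker, length) for every
    segment whose length field is below the legal minimum of 2. Stops at SOS (0xDA),
    because entropy-coded scan data follows it, or at EOI."""
    findings = []
    if data[:2] != b"\xff\xd8":
        return findings                      # not a JPEG at all
    i, n = 2, len(data)
    while i + 1 < n:
        if data[i] != 0xFF:
            break                            # lost sync: no marker where one was expected
        marker = data[i + 1]
        if marker == 0xFF:
            i += 1                           # fill byte before a marker
            continue
        if marker in STANDALONE_MARKERS:
            if marker == 0xD9:
                break                        # EOI
            i += 2
            continue
        if i + 4 > n:
            break                            # truncated length field
        length = struct.unpack(">H", data[i + 2:i + 4])[0]
        if length < 2:
            findings.append((i, marker, length))
            i += 4                           # skip marker + bogus length, keep scanning
            continue
        if marker == 0xDA:
            break                            # SOS: headers are done
        i += 2 + length
    return findings


def surbl_query_name(host, zone="multi.surbl.org"):
    """Build the DNS name a SURBL client would query for a URL's host.
    Assumption/simplification: the registered domain is taken as the last two labels;
    a real client consults a two-level-TLD list (co.uk, com.au, ...) before doing this."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) + "." + zone


def scan_message(raw):
    """Decode every MIME part (this undoes base64/quoted-printable, which is why the
    transfer encoding does not hide the pattern), scan image parts for the malformed
    segment and collect URL hosts from text parts together with their SURBL query names."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"malformed_jpegs": [], "url_hosts": [], "surbl_queries": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        content = part.get_content()         # str for text/*, bytes otherwise
        if part.get_content_maintype() == "text":
            for host in URL_HOST_RE.findall(content):
                if host not in report["url_hosts"]:
                    report["url_hosts"].append(host)
                    report["surbl_queries"].append(surbl_query_name(host))
        elif content[:2] == b"\xff\xd8":     # sniff the magic, do not trust Content-Type
            bad = find_malformed_segments(content)
            if bad:
                report["malformed_jpegs"].append((part.get_filename(), bad))
    return report


def build_jpeg(comment=b"", com_length=None):
    """Minimal constructed JPEG skeleton: SOI, one COM segment, EOI. Passing com_length
    overrides the COM length field so the malformed value can be planted."""
    if com_length is None:
        com_length = 2 + len(comment)
    return b"\xff\xd8\xff\xfe" + struct.pack(">H", com_length) + comment + b"\xff\xd9"


def build_sample_message(jpeg_bytes):
    """Constructed sample mail: a body with a URL plus the JPEG as a base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "see attached"
    msg.set_content("Funny picture here: http://images.example.test/funny.jpg\n")
    msg.add_attachment(jpeg_bytes, maintype="image", subtype="jpeg", filename="funny.jpg")
    return msg.as_bytes()


MALFORMED_JPEG = build_jpeg(com_length=0)

if __name__ == "__main__":
    print(scan_message(build_sample_message(MALFORMED_JPEG)))
```

The scanner deliberately does not stop at the first malformed segment and does not rely on the declared Content-Type, since a sender controls both; the host list is what would be fed to the SURBL lookups, which is the only one of the two checks that helps when the mail carries a link instead of the image itself.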

