Any real case of picture files embedded with trojan?

John Smith

I wonder if anyone ever heard of a real case involving picture
files embedded with trojan? I know such an idea has been proven
workable, but is there any real case?

I did a search on the Net and found many sites that say you cannot
be infected by just viewing pictures but ....

On September 20th, Taiwan's China Times reported that police there
put into custody five people accusing them of collecting user IDs
and passwords by spreading porn pictures embedded with trojan,
apparently some kind of keylogger. According to the news, they
spread the infected pictures by e-mail or by putting them on web
sites such as yahoo or kimo and letting people download them.

Over a year, the suspects have collected more than 100,000 user
IDs and passwords. Because of the amount of the data collected,
the head of the suspects had to hire other accomplices to help
process the data.

Although the news clearly used the term "trojan embedded in porn
pictures", I'm not convinced that's what really happened.
 
David H. Lipman

From: "John Smith" <[email protected]>

| I wonder if anyone ever heard of a real case involving picture
| files embedded with trojan? I know such an idea has been proven
| workable, but is there any real case?
|
| I did a search on the Net and found many sites that say you cannot
| be infected by just viewing pictures but ....
|
| On September 20th, Taiwan's China Times reported that police there
| put into custody five people accusing them of collecting user IDs
| and passwords by spreading porn pictures embedded with trojan,
| apparently some kind of keylogger. According to the news, they
| spread the infected pictures by e-mail or by putting them on web
| sites such as yahoo or kimo and letting people download them.
|
| Over a year, the suspects have collected more than 100,000 user
| IDs and passwords. Because of the amount of the data collected,
| the head of the suspects had to hire other accomplices to help
| process the data.
|
| Although the news clearly used the term "trojan embedded in porn
| pictures", I'm not convinced that's what really happened.

There have been demonstration viruses which can code a virus in a JPEG but it requires a
"helper" program to be installed on the destination to remove the virus and run it. It's just
easier to have the "helper" application be the actual infector. Albeit, maybe said
application could receive a "plug-in" to add additional functionality to the infector. I
know that there have been viruses using UseNet to obtain plug-ins to add functionality.

W32/Perrun -- http://vil.nai.com/vil/content/v_99522.htm

"This appending virus is the first reported JPEG infector. It is multi-component in nature,
requiring an extractor file to extract (and execute) the virus body from infected JPEG
files.

Infected JPEGs are unable to replicate on non-infected machines - ie. machines without the
extractor component installed (hooked in the Registry)."

The other problem is that a specially crafted JPEG, GIF or other image file may cause a
buffer overflow condition in the Microsoft GDI+ rendering engine and thus could be
exploited.
http://vil.nai.com/vil/content/v_128356.htm

Microsoft Security Bulletin MS04-028
Buffer Overrun in JPEG Processing Could Allow Code Execution (833987)
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

I haven't heard anything attributed to moving graphic file formats; AVI, MOV, MPEG, etc.
 
Roger Wilco

John Smith said:
I wonder if anyone ever heard of a real case involving picture
files embedded with trojan? I know such an idea has been proven
workable, but is there any real case?

I did a search on the Net and found many sites that say you cannot
be infected by just viewing pictures but ....

On September 20th, Taiwan's China Times reported that police there
put into custody five people accusing them of collecting user IDs
and passwords by spreading porn pictures embedded with trojan,
apparently some kind of keylogger. According to the news, they
spread the infected pictures by e-mail or by putting them on web
sites such as yahoo or kimo and letting people download them.

Over a year, the suspects have collected more than 100,000 user
IDs and passwords. Because of the amount of the data collected,
the head of the suspects had to hire other accomplices to help
processing the data.

Although the news clearly used the term "trojan embedded in porn
pictures", I'm not convinced that's what really happened.

Someone posted this a while ago, and luckily also posted the actual
article which stated that the trojan executables were "disguised" as
picture files (which is an entirely different thing). While it is true
that data filetypes can be crafted to exploit broken software (viewer
application or OS) I strongly suspect that the article you refer to is
authored by someone who doesn't know the difference or considers the
difference between "being a picture file" and "being disguised as a
picture file" as a matter of semantics.

Just saw news about a levee breach in New Orleans and the newscaster
indicated her belief that the different terms "breach", "overflow", and
"broken" or "failed" were all equivalent and a matter of semantics.
<sigh> She was using all those terms interchangeably even while the
'ticker' along the bottom clearly stated the engineers' claim that the
affected levee was still structurally intact - in fact it was expected
to behave in this manner, though not so soon.

Even in here people like to dismiss arguments as a matter of semantics
when in fact there are reasons that different words have different
meanings within certain contexts especially when those words are
used technically.
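An added defensive example, not code from the thread or from any poster: a small Python triage script that applies Roger's distinction (executable content under a picture name, or a stacked name like photo.jpg.exe) and, for genuine JPEGs, walks the marker segments to flag a length field smaller than the 2 bytes it occupies, the class of malformed input behind the GDI+ bulletin David cites. The sample files are constructed inline; the extension sets and function names are my assumptions.

```python
import struct

IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}
EXEC_EXTS = {"exe", "scr", "com", "pif"}
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
         b"GIF87a": "gif", b"GIF89a": "gif", b"MZ": "exe"}

def sniff(data: bytes) -> str:
    # Identify content by leading magic bytes, ignoring the file name entirely.
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def is_disguised(name: str, data: bytes) -> bool:
    """True for an executable wearing a picture name: PE content under a picture
    extension, or a picture extension stacked in front of an executable one."""
    exts = name.lower().split(".")[1:]
    claims_picture = bool(exts) and exts[-1] in IMAGE_EXTS
    stacked = len(exts) >= 2 and exts[-1] in EXEC_EXTS and exts[-2] in IMAGE_EXTS
    return (claims_picture and sniff(data) == "exe") or stacked

def jpeg_bad_segments(data: bytes) -> list:
    """Walk JPEG marker segments and report any length field smaller than the
    2 bytes the field itself occupies (a malformation no valid encoder emits)."""
    bad, i = [], 2                      # skip the SOI marker
    while i + 4 <= len(data) and data[i] == 0xFF:
        marker = data[i + 1]
        if marker in (0xD9, 0xDA):      # EOI, or SOS: entropy-coded data follows
            break
        (length,) = struct.unpack(">H", data[i + 2:i + 4])
        if length < 2:
            bad.append((hex(marker), length))
            break
        i += 2 + length
    return bad

def triage(name: str, data: bytes) -> list:
    findings = []
    if is_disguised(name, data):
        findings.append("executable disguised as picture")
    if sniff(data) == "jpeg":
        for marker, length in jpeg_bad_segments(data):
            findings.append(f"malformed JPEG segment {marker} length {length}")
    return findings

# Constructed samples (not real files): a minimal JPEG with one COM segment,
# the same JPEG with an impossible COM length, and a PE-style stub.
GOOD_JPEG = b"\xff\xd8\xff\xfe" + struct.pack(">H", 7) + b"hello" + b"\xff\xd9"
BAD_JPEG = b"\xff\xd8\xff\xfe" + struct.pack(">H", 1) + b"hello" + b"\xff\xd9"
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60
```

Run `triage("holiday.jpg", FAKE_EXE)` to see the "disguised" case and `triage("holiday.jpg", BAD_JPEG)` for the malformed-segment case; a clean JPEG under its own name returns no findings.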
 
