JPG-SCAN

Art

I've designed a scanner to find certain types of Trojanized
JPG files that have malicious code embedded as an appendage.
It's freeware available from my web site. You may find some
of your JPGs are flagged as suspicious. That means, for some
reason or another, they are improperly formatted. You can
"clean" them using IrfanView by simply re-saving them. But
be careful of using 100% quality since the file sizes are likely
to increase far more than necessary.

Art
http://home.epix.net/~artnpeg
 
> I've designed a scanner to find certain types of Trojanized
> JPG files that have malicious code embedded as an appendage.
> It's freeware available from my web site. You may find some
> of your JPGs are flagged as suspicious. That means, for some
> reason or another, they are improperly formatted. You can
> "clean" them using IrfanView by simply re-saving them. But
> be careful of using 100% quality since the file sizes are likely
> to increase far more than necessary.

The nature of the detection of the subject program has been
narrowed from flagging broadly suspicious JPGs to only flagging
those having specific characteristics identical to samples of
Trojanized files. Deletion of the files detected as Trojanized is
left up to the user.

Art
http://home.epix.net/~artnpeg
 
Updated again Sunday afternoon to accommodate additional
Trojanized samples I found. It's quite unlikely that the scanner
will false alarm on non-Trojanized JPGs, so if the picture image
is of little value the file(s) detected should be deleted. If anyone
finds apparent FPs, please send sample(s) of the file(s) to
artsown at epix dot net.

As of this afternoon here in central Pa., I see Ewido added as the
fourth to the very short list of av/anti-malware vendors alerting
on the Trojanized files.

Art
http://home.epix.net/~artnpeg
 
Once Upon A Time (specifically - Sun, 02 Jul 2006 20:15:01 GMT), in
by way of Message-id said:
> Updated again Sunday afternoon to accommodate additional
> Trojanized samples I found. It's quite unlikely that the scanner
> will false alarm on non-Trojanized JPGs, so if the picture image
> is of little value the file(s) detected should be deleted. If anyone
> finds apparent FPs, please send sample(s) of the file(s) to
> artsown at epix dot net.
>
> As of this afternoon here in central Pa., I see Ewido added as the
> fourth to the very short list of av/anti-malware vendors alerting
> on the Trojanized files.
>
> Art
> http://home.epix.net/~artnpeg

Thanx for the app : )
 
> Updated again Sunday afternoon to accommodate additional
> Trojanized samples I found. It's quite unlikely that the scanner
> will false alarm on non-Trojanized JPGs, so if the picture image
> is of little value the file(s) detected should be deleted. If anyone
> finds apparent FPs, please send sample(s) of the file(s) to
> artsown at epix dot net.
>
> As of this afternoon here in central Pa., I see Ewido added as the
> fourth to the very short list of av/anti-malware vendors alerting
> on the Trojanized files.
>
> Art
> http://home.epix.net/~artnpeg

Art, just to be clear, is your program designed to deal with the
deliberate JPEG buffer overflow problem:

http://www.kb.cert.org/vuls/id/965206
 
> Art, just to be clear, is your program designed to deal with the
> deliberate JPEG buffer overflow problem:
>
> http://www.kb.cert.org/vuls/id/965206

No, this has nothing to do with IE vulnerabilities. What's been
happening recently is that an organized mob of hackers have
been creating and spreading malware (downloader Trojans)
embedded in JPG files. It requires a companion malware to
extract, decode and run the embedded malware. The av
vendors are focused on detecting the companions, and in
spite of our submissions of samples few are following up on
alerting on the JPGs themselves.

My personal opinion is that it's not a good idea to allow the
JPGs to go undetected because at any time new and "unknown"
companions may well be unleashed ... and for a while the av
products won't be detecting them. So the JPGs represent a
continuing threat that should be removed.

All the samples I have are images of a little cartoon frog :)
The embedded code is appended to the end of the file.
It's safe to Open the froggie image in a viewer. In fact,
if you use IrfanView to Save the JPG, the embedded code
gets removed. But it's better to just delete them.

Art
http://home.epix.net/~artnpeg
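
Added example, not part of the thread and not the code of Art's scanner (whose detection logic is not described here): a minimal check for data appended after a JPG's End Of Image marker, the file layout the post above describes. It walks the marker segments instead of searching for the first FF D9, because an embedded thumbnail carries its own EOI; the function names and the sample bytes are constructed for illustration, and the sample is not a decodable picture.

```python
def _skip_scan(data: bytes, pos: int) -> int:
    """Advance through entropy-coded data to the next real marker."""
    while True:
        pos = data.find(b"\xff", pos)
        if pos < 0 or pos + 1 >= len(data):
            return len(data)                      # ran off the end: truncated
        nxt = data[pos + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:    # stuffed FF00 or restart marker
            pos += 2
        elif nxt == 0xFF:                         # fill byte
            pos += 1
        else:
            return pos

def find_eoi_end(data: bytes) -> int:
    """Offset just past End Of Image, or -1 if the structure is malformed."""
    if data[:2] != b"\xff\xd8":                   # file must start with SOI
        return -1
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xFF:                        # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                      # EOI of the main image
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                              # markers without a length field
        else:
            seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
            if seg_len < 2:
                return -1
            pos += 2 + seg_len                    # skips APPn data, thumbnails included
            if marker == 0xDA:                    # SOS: compressed data follows
                pos = _skip_scan(data, pos)
    return -1

def trailing_bytes(data: bytes) -> int:
    """Number of bytes after EOI; -1 means the file could not be walked."""
    end = find_eoi_end(data)
    return -1 if end < 0 else len(data) - end

# Constructed sample: marker layout only, not a decodable picture.
APP1_PAYLOAD = b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"   # holds a "thumbnail"
CLEAN = (b"\xff\xd8" + b"\xff\xe1" + (len(APP1_PAYLOAD) + 2).to_bytes(2, "big")
         + APP1_PAYLOAD + b"\xff\xda\x00\x03\x00"
         + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")
APPENDED = CLEAN + b"CONSTRUCTED-APPENDAGE"
```

A non-zero result only says that something follows the image; like the first release described in the thread, that flags any JPG with extra trailing data, not only Trojanized ones.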
 
> I've designed a scanner to find certain types of Trojanized
> JPG files that have malicious code embedded as an appendage.
> It's freeware available from my web site. You may find some
> of your JPGs are flagged as suspicious. That means, for some
> reason or another, they are improperly formatted. You can
> "clean" them using IrfanView by simply re-saving them. But
> be careful of using 100% quality since the file sizes are likely
> to increase far more than necessary.
>
> Art
> http://home.epix.net/~artnpeg

Yes, thanks for the app!
3804 folders scanned, 2257 jpgs scanned, 0 Trojans detected, 732 seconds.
 
Art said:
> I've designed a scanner to find certain types of Trojanized
> JPG files that have malicious code embedded as an appendage.
> It's freeware available from my web site. You may find some
> of your JPGs are flagged as suspicious. That means, for some
> reason or another, they are improperly formatted. You can
> "clean" them using IrfanView by simply re-saving them. But
> be careful of using 100% quality since the file sizes are likely
> to increase far more than necessary.

Art,
Just downloaded and ran the program. Here are the results:

scan time = 365 seconds
errors = 0
frog trojans detected = 0
*.jpg files scanned = 1886
folders searched = 3145

The reason there are so many .jpg files on my drive is that I'm
currently doing the last phase of my family photo scanning project.

Thanks!

--
Regards from John Corliss
I don't reply to trolls like Andy Mabbett or Doc (who uses sock puppets)
for instance. No adware, cdware, commercial software, crippleware,
demoware, nagware, PROmotionware, shareware, spyware, time-limited
software, trialware, viruses or warez for me, please.
 
> Art,
> Just downloaded and ran the program. Here are the results:
>
> scan time = 365 seconds
> errors = 0
> frog trojans detected = 0
> *.jpg files scanned = 1886
> folders searched = 3145
>
> The reason there are so many .jpg files on my drive is that I'm
> currently doing the last phase of my family photo scanning project.

Thanks to you and the others who have responded. The good news is that
you and David haven't seen any false alerts. There really shouldn't be
any in the latest versions. While detection is generic, it's only broad
enough to catch the variations in the samples I have on hand right
now.

The machines I have here have far fewer folders and JPGs on them, and
I'm seeing total scan times ranging from 24 to 72 seconds. I guess
for folks like you and David I'll modify the scan time reporting to
display minutes:seconds :)

Art
http://home.epix.net/~artnpeg
 
> Yes, thanks for the app!
> 3804 folders scanned, 2257 jpgs scanned, 0 Trojans detected, 732 seconds.

You're welcome. As I mentioned to John, I'll be modifying the scan
time reporting to minutes:seconds for users like you :) On my machines
with far fewer folders and JPGs I'm seeing scan times ranging from 24
to 72 seconds. I might be able to speed up scanning, but I've not
seriously addressed that issue until now since I had thought my
machines are typical of Windows users in that regard. But who knows?

Art
 
Minor changes have been made in the area of the final report
screen, including the discussed Minutes:Seconds format for
the scan time. But also, I fixed up the # of folders scanned
to take into account premature abortion of the scan by the
user.

Next step will be to see if I can speed up scanning.

Art
http://home.epix.net/~artnpeg
 
> Minor changes have been made in the area of the final report
> screen, including the discussed Minutes:Seconds format for
> the scan time. But also, I fixed up the # of folders scanned
> to take into account premature abortion of the scan by the
> user.
>
> Next step will be to see if I can speed up scanning.

I did manage to speed up scanning considerably. John and
David .... please let me know your scan times with the
version now up at my web site.

Art
http://home.epix.net/~artnpeg
 
> I found the new one 37secs faster over 14717 .jpg

Wow, that's a lot of JPGs :) The biggest speedup improvement
will show up in situations where users have a large # of folders.
It's the traversal time from one folder to the next that's been
greatly reduced, and the cumulative time of traversing all folders
used to be quite significant regardless of how many JPGs were
scanned.

Art
http://home.epix.net/~artnpeg
 
> Wow, that's a lot of JPGs :) The biggest speedup improvement
> will show up in situations where users have a large # of folders.
> It's the traversal time from one folder to the next that's been
> greatly reduced, and the cumulative time of traversing all folders
> used to be quite significant regardless of how many JPGs were
> scanned.
>
> Art
> http://home.epix.net/~artnpeg

Scanned 4,570 jpgs on D drive, thanks for making that choice available.
Scanned 2,044 jpgs on C drive. C scan took 28 sec since there are 2800
folders.

No Trojans.

BoB
 
