Is our hero, rockHEAD, finished? Will the problematic Perrun plague our prominent picture protagonist? Stay tuned...

New Virus Can Infect Picture Files
By D. Ian Hopper
AP Technology Writer
Thursday, June 13, 2002; 12:17 PM

WASHINGTON -- A new computer virus is the first ever to infect picture files, an anti-virus firm reported Thursday, making sharing family photos on the Internet a potentially dangerous activity.

The virus, dubbed Perrun, is not currently infecting computers but worries anti-virus experts because it is the first to cross from program infection into data files, long considered safe from malicious data.

"Our concern is more for what might be coming," said Vincent Gullotto, head anti-virus researcher at McAfee Security. "Potentially, no file type could be safe."

Until now, viruses infected program files – files that can be run on their own. Data files, like movies, music, text and pictures, were safe from infection. While earlier viruses deleted or modified data files, Perrun is the first to infect them.

Perrun still needs some tweaking to become dangerous. The virus arrives via e-mail or a floppy disk as an executable file. Security experts always warn against opening programs sent as e-mail attachments.

Once run, the file drops an "extractor" component onto the victim's hard drive. When a computer user clicks on a picture file with the extension .JPG – a common picture file found on the Web – it is infected before it appears. Because the picture displays normally, Gullotto said, the victim may not know there's anything wrong.

In its current form, an infected JPG file sent to a friend or placed on a Web site isn't dangerous without the extractor file. But Gullotto said there's no reason a virus writer couldn't stuff the entire virus code into the JPG, making the picture file a virus itself.

That evolution should make computer users think twice about sending pictures – or any other media – over the Internet, Gullotto said.
"I think there's a possibility that this could change the playing field," he said. "Going forward, we may have to rethink about distributing JPGs."

McAfee researchers received the virus from its creator. Gullotto declined to identify the author, and McAfee anti-virus software can detect and remove Perrun.

Perrun is known as a proof-of-concept virus, and does not cause damage. Gullotto said he fears that virus writers may use Perrun as a template to create a more destructive version.
This looks like some major, alarmist misinformation. A virus infecting a file is not the same as an infected file becoming a virus. The virus is the "extractor file" that loads itself on your machine. Without it having already infected your machine, you are safe. And I don't buy anyone saying that JPGs could execute code by themselves, no matter if the JPG was "infected" or not. The "extractor" appears to infect your machine through standard email means that we all know about, then becomes the JPG viewer for IE, so that it can pull code out of a JPG from a malicious web site, and pass that code to IE to run. Is anyone else reading this differently?
Any virus information should include the word "Windows" with it. After all, we Mac users have very little to worry about. Muwahhahahahaha!!!
heypee, In this 'proof of concept', the JPEG holds the payload, and needs an external executable in order to run and/or distribute itself. I'm kind of at a loss myself understanding how a picture could execute the code without one. I'm not a programmer, so I'm trusting that this guy Gullotto (being the senior director for McAfee AVERT) knows more than I do about this... What's troublesome to me is that even a two (or more) part virus with a TXT, JPEG, GIF, etc. as a payload would be much harder to detect, since without the executor, a potential payload could be or appear harmless. (This kind of reminds me of the Joker's chemical terrorism in Batman.) I also wonder if the amount of work that virus scanners have to do (especially in corporate environments) will increase now that previously benign files like pictures, movies, and music files might have to be scanned.
x34, I just don't see it. Reads to me that McAfee is worried about people being infected by EXEs and passing around popular images. What is the "proof of concept?" The fact you can get infected by an EXE that will become your JPEG viewer then you get hit by payloads when people propagate infected JPGs...OK. I agree. That's something to worry about. Doesn't sound revolutionizing though. The McAfee guy was never quoted as saying there could be a self-executing JPG. Reads like the journalist asked him, and he said, "I'm not going to say it could never happen," then the journalist said "he wouldn't deny it." You know?! They are using a traditional extractor method, no? What difference does it make if the EXE that infected you has its payload with it, or waits for it via people viewing infected JPGs? When you get infected, you are vulnerable to anything. I just don't buy a JPG ever self-loading.
Hey, no fair! You changed what you wrote before I could respond.

I think we've got pretty much the same take on this one. This one in and of itself is harmless and pretty primitive. If it seems a little sensationalist, you might be right; I should have attached a story from a more technical site (C|Net, Infoworld), but I was already at the Post doing some other reading...

The idea behind a multi-part virus/worm, though, is what's interesting to me. Kind of like guerrilla warfare... This virus puts its payload into a JPEG file, but at the same time, causes the file to become corrupted, so what's the point? Why would someone distribute a picture that won't open? Another way of doing it would be to encode the data into the picture itself by way of digital watermarking, so that the picture appears and opens normally (this is different from the way viruses currently append data on to files). Potentially, even the primary executing code could be encoded into the picture. Perhaps a second or third piece, containing a scanner/extractor or partial executable, could complete the code necessary to activate it...

Another scenario would be distributing partial code (which itself might pass AV scanning) via a popular or funny picture, as a way of setting up an installed user base before deploying the final piece. Infections could potentially be higher and more swift, since the code (or part of it) is already present and the "missing piece" is also benign. Perhaps the executor virus could appear to distribute only a simple worm in a somewhat obvious manner, while quietly activating other code?... I don't know...these are the things that come to mind.

I meant proof-of-concept, because that's all it really is...it's not in the wild; it was only sent to the major AV companies. In order to prevent new types of infections, it's first necessary to understand new distribution methods and vehicles that may be used in the future.
I didn't mean to freak anyone out...Don't worry, if anyone's PC ever falls prey to something, Jeff will be more than happy to let you come to his place...
I'm with heypee on this one. I don't get it. If you embed viral code into a JPEG and need an exe to trigger it, why not write the code into the exe? You have to execute the exe anyway, right? This seems more like a cute trojan than a virus. Or maybe I'm just not understanding this. The fact that you can embed something into JPEGs or other files is nothing new. This is the whole premise of steganography. If you remember, this is what everybody was talking about when it was suggested that terrorists were communicating by embedding and encrypting messages into JPEGs. I've used Steganos' encryption suite for years now based on this technology. Anyway, if anyone finds any info on exactly how this thing could potentially allow a JPEG to execute let's say through a browser loading it, please fill me in...