Phishing scams may provide platform for JPEG virus attack
Computer Associates senior security analyst, Daniel Zatz, today said he feared script-kiddies would mimic techniques used by online banking scam operators to expose e-mail users to Web sites containing infected JPEG images.
"I think that's the most likely outcome of this particular threat," said Zatz.
Typically, phishing scam operators clone an online banking Web site then send spam masquerading as advice from the bank designed to con recipients into visiting the site and hand over their personal banking details.
Zatz said that miscreants could use the same social engineering method to compel unsuspecting e-mail users to visit mock-ups of popular Web locations containing infected images.
Security specialists have warned infected images could begin circulating on the Internet en-masse since Microsoft published details of the virus two-and-a-half weeks ago.
Samples of infected images began turning up on Usenet newsgroups last weekend shortly after exploit code for the flaw was released earlier that week.
However, it is understood that virus writers are yet to invent a means to make the Trojan self-replicate. Zatz said that such a method was "only a few lines of code away".
And according to another security consultant that ZDNet Australia spoke to, if such an infected image file turned up on a major portal, that's when things could get nasty.
"Nobody would ever be able to figure out where the infections began because we all focus on viruses arriving in e-mail, but clients would keep getting infected even if you turned off incoming e-mail. It'd be pretty nasty," he said.
Zatz played down the threat, pointing out that most reputable Web sites use GIF images rather than the JPEG images that are concealing the code.
However, the security analyst we spoke to and the Usenet providers that discovered the infected JPEGs newsgroups over the weekend, Easynews, have raised the possibility that hackers might easily get around such a restriction.
According to notes on the discovery released by Easynews, a malicious hacker might be able to disguise a JPEG as a GIF simply by changing its file extension to .GIF.
The security consultant that we spoke to agreed that the flawed Windows GDI that Outlook and Internet Explorer use to display images would still recognise and launch such a file as a JPEG.
"Windows seems to use the extension only to identify which application to launch ... I reckon GDI+ will handle it as a JPEG regardless of extension".