Gossamer Forum

Virus - "GDIplus.dll" exploit

http://www.internetnews.com/.../article.php/3414631

------------------------------------------
Re: [DogTags] Virus - "GDIplus.dll" exploit
Yup, pretty scary stuff. Here's some tech details on it:

http://easynews.com/virus.html

Can't even view images safely any more.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] Virus - "GDIplus.dll" exploit
Hi.

Does this get handled by clamav?

http://sourceforge.net/forum/forum.php?forum_id=410146
They had this up on 28th September 2004.

HyTC
Re: [HyperTherm] Virus - "GDIplus.dll" exploit
It looks like it. From the Project News @ http://www.clamav.net/:

Quote:
ClamAV JPEG Exploit (MS04-028) Detection
nervoso - 2004-09-28 06:30 - Clam AntiVirus
ClamAV 0.80rc3 successfully detects JPEG files with a modified comment section that allows attackers to remotely execute arbitrary code on unpatched Windows machines.

~Charlie
Re: [Chaz] Virus - "GDIplus.dll" exploit
Oh Good.
We updated our servers the very hour (Sept 28th 2004) 0.80rc3 was released, though it's a non-witchcraft OS (i.e. not Windows).
Pretty much up to date with updates and security fixes. BTW, clamav also offers a Windows version free.


HyTC

Last edited by: HyperTherm: Oct 2, 2004, 10:49 AM
Re: [HyperTherm] Virus - "GDIplus.dll" exploit
Hi,

Not sure how effective it is though, as you'd have to grab every remote image on an html page! To do that on a large scale would just be an incredible amount of bandwidth. Also, you'd need a pretty good html engine inside the virus scanner for this, as imagine the number of ways a browser can download an image.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] Virus - "GDIplus.dll" exploit
Hi.

Infected messages are rejected at SMTP level.
I do not deploy the traditional MailScanner route of allowing the messages in and then scanning, as I find that useless and a definite waste of resources ...
Messages being propagated by worms are blocked at the HELO/EHLO stage, as most of them push a dubious HELO/EHLO... I have seen about an 80%+ reduction in messages reaching the level where the virus scan starts, post implementation of message rejection on dubious HELO/EHLO, as per two weeks of live runs. I would disable that for a week and see if the virus message rejected count pushes up again to original levels...

Sharing my thoughts ...
Could be wrong ...


Thanks
HyTC
Re: [HyperTherm] Virus - "GDIplus.dll" exploit
Hi,

Sure, there are a lot of ways to try and stop spam/viruses from getting in before you even get to the virus scanner: helo checks, valid rcpt checks, valid envelopes, tarpitting, force slow connections, reject mail that is bursted, etc.

All I was saying, is that this particular virus is very hard to detect, as you can have a piece of virus-free html mail that links to an image on a remote site, so the payload is not even in the message! It's very nasty..

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] Virus - "GDIplus.dll" exploit
Hi.

force slow connections --- naah, I would never include a

delay xx s

for slowing down attacks ... dictionary attacks, for example. That could be telling on a busy server. Just drop the connection after 4 failures; I'm just working on how to add a repeating IP to iptables and block it temporarily at least...

HyTC
Re: [Chaz] Virus - "GDIplus.dll" exploit
V0.80rc4 released.
Notes:
0.80rc4
-------

Improvements in this release include better JPEG exploit verification,
faster base64 decoding, support for GNU tar files, updated on-access scanner,
and others.

HyTC