
Trojan horse in the camera



aostling
02-22-2009, 08:48 PM
I got an email from a friend today, asking an unusual question:


Have you ever heard of Trojan horse virus infecting a digital camera? I think mine has it. My computer's Norton has to continuously block it when plugged in. Guess I'll return it to see if they will make good on the warranty.

I replied that this seemed bizarre, since I knew he had not downloaded any firmware for the camera, which is a budget model Kodak Easyshare. He said


I think the camera must have picked it up from an SD card that had been in someone else's computer. I am going to see if Norton can clean the camera. Then I'll do the google search. You are right about the Mac switch. I plan to do that soon. I'll let you know what Norton does to it.

Does this conjecture hold water?

Doc Nickel
02-22-2009, 08:58 PM
Can't say for sure, but there definitely were issues with "digital photo frames" (LCD screens that hang on the wall) coming from the factory with malware and keystroke loggers already built in.

The malware would infect the memory card, and then transfer to your computer, or would infect the computer directly if you used the USB cable.

So it's very much possible. Though I'm not entirely sure the card can infect the camera.

Doc.

Dawai
02-22-2009, 09:15 PM
Yes.. I hooked big brothers camera up here and had to disinfect everything.

My Lil Polaroid camcorder I carry on the handlebars of the bike will not work on the wife's computer.. it sees the camera as a disc drive, sees the directories but will not open them.. HUH... It has a cheapie SD card.

Evan
02-22-2009, 11:05 PM
I think the camera must have picked it up from an SD card that had been in someone else's computer. I am going to see if Norton can clean the camera. Then I'll do the google search. You are right about the Mac switch. I plan to do that soon. I'll let you know what Norton does to it.



Does this conjecture hold water?

Given the above statement, yes it does. The camera is not and cannot be infected by the card. The files on the card may be infected but not by the camera. The infected file would have to be transferred from the computer to the card. The computer need not be infected, just the file in question. The virus is known as the "JPEG of DEATH". This is an old problem but is still an issue. The problem is especially severe because it doesn't just affect Windows. It affects any and all Microsoft software that deals with jpeg files and each application such as MS Office must be updated individually. It isn't sufficient to update Windows alone through Windows Update.



Hackers use porn to target Microsoft JPEG hole
First evidence seen of public attacks using the critical flaw


By Paul Roberts, IDG News Service
September 28, 2004



Malicious hackers are seeding Internet news groups that traffic in pornography with JPEG images that take advantage of a recently disclosed security hole in Microsoft Corp.'s software, according to warnings from antivirus software companies and Internet security groups.


The reports are the first evidence of public attacks using the critical flaw, which Microsoft identified and patched on Sept. 14. Users who unwittingly download the poison images could have remote control software installed on their computers that gives remote attackers total control over the machine, experts warned.

The images were posted in a variety of Internet news groups where visitors post and share pornographic images or "binaries." The altered JPEG images were posted to groups such as "alt.binaries.erotica.breasts" on Monday by someone using the e-mail address "Power-Poster@power-post.org," according to information published on the online security discussion group Bugtraq and on Easynews.com, a Web portal for Usenet, the global network of news servers.

The corrupted JPEG images are indistinguishable from other images posted in the group, but contain a slightly modified version of recently released exploit code for the JPEG vulnerability called the "JPEG of Death" exploit, which appeared over the weekend, according to Johannes Ullrich, chief technology officer of The SANS Institute's Internet Storm Center (ISC).

Like other exploits for the vulnerability that have appeared in the weeks since Microsoft released its patch, the JPEG of Death uses a JPEG file formatted to trigger an overflow in a common Windows component called the GDI+ JPEG decoder, which is used by Windows, Internet Explorer, Outlook and many other Windows applications, Ullrich said.
When opened by users, the infected JPEGs try to install a copy of Radmin, a legitimate software application that allows users to remotely control their computers. In this case, however, the program is being used by the remote attacker as a Trojan horse program. Infected Windows machines are also programmed to report back to an IRC (Internet relay chat) channel, Ullrich said.

The images only work on Windows XP machines and some of the attack features do not appear to work on all XP machines, Ullrich said.

ISC and antivirus companies cautioned that the newly posted attack images cannot spread and are not, technically, a "virus." However, the exploit code could easily be modified to download a virus engine with e-mail capability that would spread when images are opened, Ullrich said.

As with Sasser and other recent worms that target common Windows components, security experts worry that the JPEG vulnerability in GDI+ could spawn another major worm outbreak. The vulnerability is remotely exploitable and can be accessed through a long list of popular Windows applications, including Internet Explorer, the Outlook e-mail program and Microsoft's Office applications.

In addition to GDI+ being a standard component of Windows, different Windows applications frequently distribute their own versions of GDI+. Those versions might reside in folders used by the applications and be out of reach of the Windows patch, or could be installed after the Microsoft patch was applied, undoing that patch, Ullrich said.
Currently, most major antivirus software programs can spot corrupted JPEG images. Antivirus software, in combination with the Windows patch, is currently the only known protection from attacks that use the GDI+ vulnerability, he said.
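The article above describes the GDI+ bug only as "a JPEG file formatted to trigger an overflow". The following is an added example for this thread, not code from any poster, from Microsoft or from the article: a marker-segment walker that refuses the one thing the public MS04-028 description hinges on, a COM (0xFFFE) segment whose 16-bit length field is 0 or 1, which a decoder that computes "length minus 2" in an unsigned type turns into a multi-gigabyte comment. It also catches lengths that run past the end of the file and non-marker bytes where a marker should be, and can be pointed at a mounted card. The sample files are constructed in memory; nothing is opened with an image library, so a hostile file is never decoded.

```python
"""Walk a JPEG's marker segments and reject the malformed length fields that
the GDI+ "JPEG of Death" class of bugs depended on.

Added example for this thread, not code from any poster or from Microsoft.
The sample files below are constructed in memory. The MS04-028 trigger is
taken from the public advisory: a COM (0xFFFE) segment whose length field
is 0 or 1, which GDI+ turned into a huge comment by subtracting 2.
"""
import struct
from pathlib import Path

SOI, EOI, SOS, COM, TEM = 0xD8, 0xD9, 0xDA, 0xFE, 0x01
# markers that carry no length field: SOI, EOI, TEM, RST0..RST7
STANDALONE = {SOI, EOI, TEM} | set(range(0xD0, 0xD8))


def walk_segments(data):
    """Yield (offset, marker, declared_length) for each header segment.

    Stops at SOS (entropy-coded data follows, which has no segment
    structure) or at EOI. Raises ValueError on anything a decoder must
    not trust.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    yield (0, SOI, None)
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at {pos:#x}, got {data[pos]:#04x}")
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker at end of file")
        marker = data[pos]
        start = pos - 1
        pos += 1
        if marker in STANDALONE:
            yield (start, marker, None)
            if marker == EOI:
                return
            continue
        if pos + 2 > len(data):
            raise ValueError(f"marker {marker:#04x} at {start:#x} has no length field")
        (length,) = struct.unpack_from(">H", data, pos)
        # The length counts its own two bytes, so anything below 2 is
        # impossible; a decoder that computes `length - 2` in an unsigned
        # type wraps to ~4 GB and reads or copies far past its buffer.
        if length < 2:
            raise ValueError(f"marker {marker:#04x} at {start:#x} declares length {length} (< 2)")
        if pos + length > len(data):
            raise ValueError(f"marker {marker:#04x} at {start:#x} runs past end of file")
        yield (start, marker, length)
        if marker == SOS:
            return
        pos += length
    raise ValueError("no EOI or SOS before end of file")


def check_jpeg(data):
    """Return (ok, reason); ok is False for any structural violation."""
    try:
        markers = [m for _, m, _ in walk_segments(data)]
    except ValueError as exc:
        return False, str(exc)
    return True, "ok: " + " ".join(f"{m:#04x}" for m in markers)


def scan_directory(root):
    """Check every *.jpg/*.jpeg under root (a mounted card, say) and
    return [(path, reason)] for the files that fail."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in (".jpg", ".jpeg"):
            ok, reason = check_jpeg(p.read_bytes())
            if not ok:
                findings.append((str(p), reason))
    return findings


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# constructed samples: one well-formed header and three malformed ones
APP0_JFIF = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
GOOD = b"\xff\xd8" + APP0_JFIF + _segment(COM, b"budget Kodak EasyShare") + b"\xff\xd9"
# COM length field of 1: the MS04-028 shape
BAD_COM = b"\xff\xd8" + APP0_JFIF + b"\xff\xfe\x00\x01" + b"\x90" * 16 + b"\xff\xd9"
# length field pointing past the end of the file
BAD_OVERRUN = b"\xff\xd8" + APP0_JFIF + b"\xff\xfe\x10\x00" + b"A" * 8
# executable-looking bytes where a marker should be
BAD_GARBAGE = b"\xff\xd8" + APP0_JFIF + b"MZ\x90\x00"

if __name__ == "__main__":
    for name, blob in [("GOOD", GOOD), ("BAD_COM", BAD_COM),
                       ("BAD_OVERRUN", BAD_OVERRUN), ("BAD_GARBAGE", BAD_GARBAGE)]:
        print(name, check_jpeg(blob))
```

Run it as-is to see the four verdicts, or call scan_directory() on the mount point of a card. A clean verdict only says the header structure is sane; it is a pre-filter for the patched decoder, not a replacement for it.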

Liger Zero
02-23-2009, 11:21 AM
Yes.. I hooked big brothers camera up here and had to disinfect everything.

My Lil Polaroid camcorder I carry on the handlebars of the bike will not work on the wife's computer.. it sees the camera as a disc drive, sees the directories but will not open them.. HUH... It has a cheapie SD card.

Ok, DUMB QUESTION time: Are you opening the RIGHT folders? And sometimes the pictures are buried under several layers of folders.

Cameras, cellphones and MP3 players can harbor virus, worm, and other forms of attacks. Files can be encoded with these things and unwittingly downloaded onto a different computer.

There have also been cases of knock-off MP3 players coming over here with keylogger and transmit software on the "Install CDs." Most of the cheapo MP3 players look like a disc-drive when you look at them with Explorer and you can drag-and-drop files to them without drivers or software.

What was happening was someone at the distribution company was opening the boxes, slipping the CD inside and retaping the boxes.

I want to say Craig brand was the one but I'm really not sure. I'll ask my friend Dave as he was the one that alerted me to this.

Dawai
02-23-2009, 11:31 AM
No Offense taken.. I use it normally on my XP Pro machine updated by MS.. I use the normal file system instead of the software that came with camera. It's different on her machine, you can see the last directory, attempt to open it, but the files never display. We are running a couple of AV programs on there that might be blocking.

Her machine acts strange anyways. It was SP2 running my old CNC.. now it's her "coupon" computer and she gets more crap on there than you would walking around a pig lot barefoot.

I miss the old DOS machines.. but alas.. you could do very little with them. I run Linux on everything that will.. except her new computer with the new KODAK printer.. No linux drivers available.. and this dual core machine is still too new to run it..

Seems we are under a daily attack by forces unseen to corrupt and infect our computers. That really never made sense to me, I don't understand why people key-cars out of jealousy either.. Cowards..

Liger Zero
02-23-2009, 11:51 AM
No Offense taken..

I use it normally on my XP Pro machine updated by MS.. I use the normal file system instead of the software that came with camera.

Can you clarify this? By file system you mean windows explorer? "file system" also refers to the formatting of the disc/stick... such as FAT, FAT32 and so on.

I had a problem where I did my laptop in NTFS and my Desktop as FAT32. The laptop reformatted my camera card in NTFS. The camera didn't care one whit, but the desktop refused to read it.

Do you know how to check this? It's a bit obscure, buried under a couple of menus.

Dawai
02-23-2009, 12:28 PM
They are all ntfs here.. including some linux machines.

I had a problem recently with DOS and the old file formatting.. each time I'd insert a 3 1/2 into an XP machine I could then break it and throw it away. DOS would not read NTFS format. AND it corrupts the old format with just a simple insertion and read-write.. to think BILL promised it would all be downward compatible..

Yep.. I got turbocnc on my cnc and no way to talk to it. So far recently it has worked out.. no intense programs. gotta be fixed soon though. Linux EMC works, but the homing is kinda screwed up.. It'd take half a page to describe the weirdo fashion it works..

Liger Zero
02-23-2009, 12:44 PM
Ah cool, you are running a Linux CNC then? Once the wife is home and stabilized I'm going to throw myself into the Home CNC fray. I don't want to get into a situation where I'm stuck for support... but on the other hand I love Linux as an operating system.

pcarpenter
02-23-2009, 01:15 PM
The problem may be in the rather unclear reference to "my computer's Norton". Current versions of Symantec's "virus protection" are actually called Symantec Endpoint Protection and it potentially does far more than looking for specific virus signatures. It would be nice to have more details other than "My computer's Norton has to continually block it".

It has some other components that include "network threat protection", anti-spyware protection etc. We have seen all sorts of legitimate stuff hosed up by it and in several instances had to remove all but the virus detection. Some of the stuff amounts to "intent analysis" where it sees certain behaviors or actions as possibly indicating a threat and stops them. It is at least occasionally wrong.

Paul

Evan
02-23-2009, 05:21 PM
There have also been cases of knock-off MP3 players coming over here with keylogger and transmit software on the "Install CDs." Most of the cheapo MP3 players look like a disc-drive when you look at them with Explorer and you can drag-and-drop files to them without drivers or software.

It happens to companies here too. HP once distributed a virus with some of their printer drivers.



HP Printer Drivers Hit Again With Funlove Virus - CIO.com: "Hewlett-Packard (HP) on Thursday pulled a printer driver from its website after security vendor BitDefender reported that the software was ..."
www.cio.com/article/21694/HP_Printer_Drivers_Hit_Again_With_Funlove_Virus

So did Microsoft, again

Microsoft accidentally distributes virus - CNET News (19 Feb 2009): "The software giant's Korean-language version of Visual Studio .Net carries the virulent Nimda computer virus to Asia."
news.cnet.com/2100-1001-935994.html

and again:

ISN 2002/06: [ISN] Microsoft accidentally distributes virus. From: InfoSec News (isn@c4i.org). Date: Mon Jun 17 2002 - 02:09:07 PDT.
lists.jammed.com/ISN/2002/06/0076.html

And again

The Risks Digest Volume 18: Issue 53 - Microsoft AGAIN distributes Macro Virus (Klaus Brunnstein): "On ORBIT, a Swiss IT exhibition (held in Basel last week), Microsoft distributed a CD-ROM with ..."
catless.ncl.ac.uk/risks/18.53.html

And again

Microsoft security fixes infected with FunLove virus - The Register: "A virus infection of security fix files on Microsoft's partner and premier ... unwittingly distributed printer drivers corrupted by the FunLove virus. ..."
www.theregister.co.uk/2001/04/25/microsoft_security_fixes_infected/


I had a problem where I did my laptop in NTFS and my Desktop as FAT32. The laptop reformatted my camera card in NTFS. The camera didn't care one whit, but the desktop refused to read it.


Are you sure????

NTFS is proprietary and Microsoft will not licence it. I have never seen a camera that will read NTFS nor will XP offer to format a card in NTFS. Most cameras run some form of DOS, usually RomDOS as their operating system including high end cameras such as the Canon 300 series. DOS can't do NTFS.
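The question a few posts up was how to check what a card is actually formatted as, and the answer above is that a camera's DOS-style firmware only understands FAT. The following is an added example for this thread, not code from any poster: it reads a card's first sector and identifies NTFS and exFAT by the OEM ID at offset 3, and tells FAT12, FAT16 and FAT32 apart the way Microsoft's FAT specification says to, by counting data clusters from the BIOS Parameter Block, rather than trusting the "FAT16   "/"FAT32   " label string, which formatters are allowed to leave wrong. The device paths in identify_device() are assumptions for illustration; the sample sectors are constructed in memory.

```python
"""Tell what a memory card is formatted as from its first sector.

Added example for this thread, not code from any poster. NTFS and exFAT are
recognised by the OEM ID at offset 3; the FAT12/16/32 distinction follows
Microsoft's FAT specification (count of data clusters), not the cosmetic
type string, which formatters are allowed to get wrong. The sample sectors
at the bottom are constructed in memory.
"""
import struct


def identify_boot_sector(sector):
    """Return 'NTFS', 'exFAT', 'FAT12', 'FAT16', 'FAT32' or 'unknown'."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        return "unknown"
    oem = sector[3:11]
    if oem == b"NTFS    ":
        return "NTFS"
    if oem == b"EXFAT   ":
        return "exFAT"
    # BIOS Parameter Block fields common to every FAT variant (offset 11..)
    (bytes_per_sec, sec_per_clus, reserved, num_fats,
     root_entries, total_sec16) = struct.unpack_from("<HBHBHH", sector, 11)
    fat_size16 = struct.unpack_from("<H", sector, 22)[0]
    total_sec32 = struct.unpack_from("<I", sector, 32)[0]
    fat_size32 = struct.unpack_from("<I", sector, 36)[0]  # meaningful on FAT32 only
    if bytes_per_sec not in (512, 1024, 2048, 4096) or not sec_per_clus or not num_fats:
        return "unknown"
    fat_size = fat_size16 or fat_size32
    total_sec = total_sec16 or total_sec32
    if not fat_size or not total_sec:
        return "unknown"
    # the spec's rule: FAT type is decided purely by the number of data clusters
    root_dir_sectors = (root_entries * 32 + bytes_per_sec - 1) // bytes_per_sec
    data_sectors = total_sec - (reserved + num_fats * fat_size + root_dir_sectors)
    if data_sectors <= 0:
        return "unknown"
    clusters = data_sectors // sec_per_clus
    if clusters < 4085:
        return "FAT12"
    if clusters < 65525:
        return "FAT16"
    return "FAT32"


def identify_device(path):
    """Read the first sector of a block device or image file.
    Assumed example paths: /dev/sdb1 on Linux, \\\\.\\E: on Windows (needs admin)."""
    with open(path, "rb") as f:
        return identify_boot_sector(f.read(512))


def _fat_sector(total_sec, sec_per_clus, fat_size, root_entries, reserved=1,
                num_fats=2, fat32=False, label=b"FAT16   "):
    """Constructed BPB for the samples; a real formatter fills in more fields."""
    s = bytearray(512)
    s[0:3] = b"\xeb\x3c\x90"
    s[3:11] = b"MSWIN4.1"
    struct.pack_into("<HBHBHH", s, 11, 512, sec_per_clus, reserved, num_fats,
                     root_entries, total_sec if total_sec < 0x10000 else 0)
    s[21] = 0xF8
    struct.pack_into("<H", s, 22, 0 if fat32 else fat_size)
    struct.pack_into("<I", s, 32, total_sec if total_sec >= 0x10000 else 0)
    if fat32:
        struct.pack_into("<I", s, 36, fat_size)
        s[82:90] = label
    else:
        s[54:62] = label
    s[510:512] = b"\x55\xaa"
    return bytes(s)


# constructed samples
FLOPPY_1440K = _fat_sector(2880, 1, 9, 224, label=b"FAT12   ")
CARD_32MB = _fat_sector(65000, 2, 127, 512)
# a 2 GB card whose formatter wrote "FAT16   " in the label: the cluster count says FAT32
CARD_2GB_MISLABELLED = _fat_sector(4_000_000, 8, 3906, 0, reserved=32, fat32=True)
NTFS_VOLUME = bytes(3) + b"NTFS    " + bytes(499) + b"\x55\xaa"

if __name__ == "__main__":
    for name, sec in [("floppy", FLOPPY_1440K), ("32MB card", CARD_32MB),
                      ("2GB card", CARD_2GB_MISLABELLED), ("NTFS", NTFS_VOLUME)]:
        print(name, identify_boot_sector(sec))
```

On a real card the same logic applies to whatever identify_device() reads from the raw device; if it reports NTFS or exFAT, a FAT-only camera will show the card as empty or unreadable no matter what the computer sees.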

Liger Zero
02-23-2009, 05:44 PM
NTFS is proprietary and Microsoft will not licence it. I have never seen a camera that will read NTFS nor will XP offer to format a card in NTFS. Most cameras run some form of DOS, usually RomDOS as their operating system including high end cameras such as the Canon 300 series. DOS can't do NTFS.

Good catch, I remembered wrong about the formats. I do remember it was a formatting issue between the computers though.

Dawai
02-23-2009, 06:12 PM
I just removed TROJAN_VMkiller off this machine, a camera oriented virus. Linking on the web to a file called cameraFix.exe??

The information I looked up for it was all in chinese.

I installed one crappy chinese 4:1bus camera input board.. I suspect.. on with the drivers, but don't know for sure.

aostling
02-23-2009, 06:42 PM
The problem may be in the rather unclear reference to "my computer's Norton". Current versions of Symantec's "virus protection" are actually called Symantec Endpoint Protection and it potentially does far more than looking for specific virus signatures. It would be nice to have more details other than "My computer's Norton has to continually block it".

Paul

I asked my friend, but he is at work and was unsure what version of Norton he was running at home. The latest update, he thought.

He said the message from Norton (something like "Trojan blocked") occurs only when he transfers files from an SD card via a card reader. If he hooks his camera up to the computer directly he does not get this message. That's puzzling.

He gets the Norton warning every time he opens one of the infected files, from its storage location in My Photos. Other than the Norton message, nothing operational seems amiss.

Liger Zero
02-23-2009, 06:44 PM
I just removed TROJAN_VMkiller off this machine, a camera oriented virus. Linking on the web to a file called cameraFix.exe??

The information I looked up for it was all in chinese.

I installed one crappy chinese 4:1bus camera input board.. I suspect.. on with the drivers, but don't know for sure.

Can I get the link please?? I know a bit of Chinese and a fair amount of Japanese too. And I have someone on speed-dial who knows More Than I do.

Evan
02-23-2009, 07:45 PM
He said the message from Norton (something like "Trojan blocked") occurs only when he transfers files from an SD card via a card reader. If he hooks his camera up to the computer directly he does not get this message. That's puzzling.



No puzzle at all. When the card is in a card reader it is treated as a removable drive. When the camera is connected XP knows it is a camera and treats it differently. Also, there are two possible modes for the camera to communicate when it is connected. It can act as a mass storage device like a card reader or it can use a proprietary connection mode such as "PTP" with Canon cameras. In the proprietary mode the antivirus software is out of the loop as the special camera software is running the show.