Endpoint Protection

  • 1.  JPG or TIF files - virus probability in image files

    Posted Nov 29, 2010 02:50 PM

    Are there any articles that talk about the probability of viruses in JPG or TIF files?

    Thank you.



  • 2.  RE: JPG or TIF files - virus probability in image files



  • 3.  RE: JPG or TIF files - virus probability in image files

    Posted Nov 29, 2010 04:41 PM
    Attackers could use image files to infect computers, often called steganography. One such example is: http://www.symantec.com/security_response/writeup.jsp?docid=2002-030110-3845-99&tabid=2


  • 4.  RE: JPG or TIF files - virus probability in image files

    Posted Apr 26, 2011 10:30 AM

    An old thread but a valid and interesting question. This question sometimes arises at sites using scanning and OCR solutions. Some solutions use TIF internally, like Kofax Capture, previously Ascent Capture, from Kofax. Having a virus scan of each TIF being produced at a scanning PC using a high-performance document scanner may be regarded as an unwanted bottleneck by some.

    With respect, I think that the comments made here are not really fully answering the question asked.

    The question is - as I read it - specifically about "JPG or TIF files" and about "viruses in" these types of files.

    The question does say "of viruses in JPG or TIF files".

    I think the answer "Attackers could use image files to infect computers, often called steganography." is incorrect and misleading in this case. Again, the question was about JPG and TIF files.

    The term steganography isn't technically correct for this either, in my opinion.

    The link given in the other comment is about an exploit of Microsoft Internet Explorer support of the Windows Metafile (WMF) image format. As I see it, this is slightly off the target; even if a WMF indeed was renamed or part of a double file requirement, it is not really a question of having a virus in an actual TIF file.

    You need a flaw in the OS or an application with a specific flaw, like Internet Explorer in the mentioned link, to trigger anything, and many people are likely to open TIF files with existing rather specific TIF viewers (Internet Explorer still lacks native support for TIF, at least up to version 8 of IE).

    You will most probably get an error trying to open a renamed TIF in a viewer not supporting the file format. If the viewer doesn’t automatically try other formats' capabilities, it seems highly unlikely the viewer would trigger any exploit based on these other formats.

    Considering where TIF files are most likely to be found due to the format's age, history and characteristics, the question "of viruses in TIF files" would do well to be answered pretty specifically and not in general terms.

    I can’t tell for JPG, but as for TIF I say “No” until proven otherwise. A guess for JPG would be the same as for TIF, but I haven’t looked into the specs for it so I can't say. JPG isn't in my book.

    I am saying a TIF file (TIF/TIFF, standard up to the latest commonly known addition to baseline version 6) technically cannot work as a virus. A two-part approach with an intentionally AND specifically compromised TIF interpreter together with a specifically tailored TIF would be another matter altogether and shouldn’t be mixed up with virus discussions.

    Basically, IF one could already switch or insert any hostile machine instructions in location A (source) and location B (target), why bother triggering any viral capabilities by viewing a hostile data file at location B? A rather cumbersome and far-fetched logic bomb. More so, not really a virus at all.

    If you have compromised and replaced the instructions (code) in location B you could very well look for anything else at the target instead of some bytes inside a TIF file. The question was not if it was possible to get Trojans in a JPG- or TIF-viewer, but if the data files (images) themselves could have viruses/be viruses.

    TIF has been around for ages, but I think there isn’t a single verified case of a TIF file actually being a virus.

    The well-known ability to hide information or even hidden instructions in a valid image (think steganography) is pointless and potentially misleading to discuss in terms of viruses in actual TIF files.
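
Added example, not part of any post in this thread: a Python check of the two conditions the discussion turns on, whether a file named .tif or .jpg really carries that format's leading bytes (rather than, say, a renamed WMF), and whether a TIFF's first image file directory points only inside the file. The function names and sample bytes are constructed for illustration.

```python
import struct

# Leading-byte signatures for the formats named in the thread.
SIGNATURES = {
    b"II*\x00": "tiff",          # little-endian TIFF
    b"MM\x00*": "tiff",          # big-endian TIFF
    b"\xff\xd8\xff": "jpeg",
    b"\xd7\xcd\xc6\x9a": "wmf",  # placeable WMF header
}
EXT_KIND = {"tif": "tiff", "tiff": "tiff", "jpg": "jpeg", "jpeg": "jpeg", "wmf": "wmf"}
TYPE_SIZE = dict(zip(range(1, 13), (1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8)))  # TIFF 6.0 type -> bytes

def sniff(data):
    """Name the format indicated by the leading bytes, ignoring the file name."""
    return next((k for m, k in SIGNATURES.items() if data.startswith(m)), "unknown")

def tiff_ifd_problems(data):
    """List out-of-bounds references in the first image file directory (IFD)."""
    e = "<" if data[:2] == b"II" else ">"
    ifd = struct.unpack_from(e + "I", data, 4)[0] if len(data) >= 8 else 0
    if ifd < 8 or ifd + 2 > len(data):
        return ["header truncated or IFD offset outside file"]
    (count,) = struct.unpack_from(e + "H", data, ifd)
    if ifd + 2 + 12 * count > len(data):
        return ["IFD entries run past end of file"]
    problems = []
    for i in range(count):
        tag, typ, n, value = struct.unpack_from(e + "HHII", data, ifd + 2 + 12 * i)
        size = TYPE_SIZE.get(typ, 0) * n
        if typ not in TYPE_SIZE:
            problems.append(f"tag {tag}: unknown field type {typ}")
        elif size > 4 and value + size > len(data):  # value is an offset here
            problems.append(f"tag {tag}: data outside file")
    return problems

def check_file(name, data):
    """Compare extension with content, then bounds-check TIFF structure."""
    ext = name.rsplit(".", 1)[-1].lower()
    actual = sniff(data)
    if EXT_KIND.get(ext) != actual:
        return f"mismatch: .{ext} holds {actual} data"
    problems = tiff_ifd_problems(data) if actual == "tiff" else []
    return "malformed tiff: " + "; ".join(problems) if problems else "ok"

# Constructed samples: a one-entry TIFF, the same with a bad offset, a renamed WMF.
_HDR = b"II*\x00" + struct.pack("<IH", 8, 1)  # header, IFD at offset 8, one entry
GOOD_TIFF = _HDR + struct.pack("<HHII", 256, 3, 1, 1) + bytes(4)
BAD_TIFF = _HDR + struct.pack("<HHII", 273, 4, 1000, 4096) + bytes(4)
RENAMED_WMF = b"\xd7\xcd\xc6\x9a" + bytes(18)
```

A file that passes both checks is only well-formed at this level; it says nothing about flaws deeper in a particular viewer's decoder.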



  • 5.  RE: JPG or TIF files - virus probability in image files

    Posted Apr 26, 2011 12:58 PM

    Interesting. Just a few hours ago I got to clarify a similar stand on MP3 after a two-hour controversial argument with my friend.

    Thomas_m had been kind enough to explain this to me: https://www-secure.symantec.com/connect/forums/mp3-files-immune-viruses



  • 6.  RE: JPG or TIF files - virus probability in image files

    Posted Apr 28, 2011 07:30 AM

    Let’s put it this way.

    Any file can be corrupted intentionally or unintentionally, by impact from a virus or no virus.

    An antivirus scanner may detect and remove a virus but may not be relevant to use on files already corrupted by the impact of a virus payload (additional, specific tools may then be needed if some kind of file repair is possible).

    A damaged file may very well have no real trace of the virus causing the damage. Basically, the virus is not there.

    I think that makes good sense.



  • 7.  RE: JPG or TIF files - virus probability in image files

    Posted Apr 28, 2011 07:38 AM

    I have now also checked out that reply and made a comment on it :D

    Below is a copy.

    _____________________

    This doesn't really say what exactly "infected" means. Having an impact on is not necessarily the same thing as transferring into a virus.

    Also, does "immune to viruses" mean "immune to the impact of a virus or hostile code" or "immune to becoming a virus"? These may be two completely different things!

     

    It is so simple to link to articles, but the answer may not directly relate to the question asked.

    I am sorry to say that I also think the article from Symantec isn’t very clear on details. Still, the mention of mp3, jpg etc. is in the "Payload" section, not in the "Characteristics of infection" section. That could be a clue, I guess.

    In the "Characteristics of infection" section, only the initial vbs file - the attachment sent in the attack - is mentioned.