[PLUG] First JPEG virus is out there

Russell Senior seniorr at aracnet.com
Tue Sep 28 11:31:01 PDT 2004


>>>>> "Bill" == Bill Thoen <bthoen at gisnet.com> writes:

Russell> Image files are parsed and "executed" by various rendering
Russell> libraries.  If those libraries don't do proper bounds
Russell> checking, regardless of whether the host OS is Windows or
Russell> Linux, a buffer overflow could occur.

Bill> So what do the bad guys actually do with a "buffer overflow"?
Bill> How does that run a virus installer instead of just crashing?

Essentially, they poke a different return address onto the stack that
points at whatever they want the program to do next, like fork a shell
or, in this case, launch whatever infection/replication program they
want.

I am sure there are plenty of better explanations available online.

-- 
Russell Senior         ``I have nine fingers; you have ten.''
seniorr at aracnet.com
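
The bounds checking mentioned above, as an added example that is not part of the original message or taken from any real rendering library: a length-prefixed segment copied into a fixed stack buffer, first unchecked and then checked. The segment layout, the buffer size and all function names are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define COMMENT_MAX 64

/* Assumed layout, constructed for this example: a 2-byte big-endian length
   that counts itself, followed by (length - 2) payload bytes. */

/* Unchecked form, shown for comparison and never called here. It trusts the
   length field: a value below 2 wraps (len - 2) to a huge size_t, and a value
   above COMMENT_MAX + 2 writes past `out` into whatever follows it in the
   caller's stack frame, which can include the saved return address. */
void copy_comment_unchecked(const uint8_t *seg, uint8_t *out)
{
    size_t len = ((size_t)seg[0] << 8) | seg[1];
    memcpy(out, seg + 2, len - 2);
}

/* Checked form: returns the payload length copied, or -1 if the segment is
   rejected. Every size is validated before memcpy runs. */
int copy_comment_checked(const uint8_t *seg, size_t seg_avail,
                         uint8_t *out, size_t out_cap)
{
    if (seg_avail < 2)
        return -1;                      /* no room for the length field */
    size_t len = ((size_t)seg[0] << 8) | seg[1];
    if (len < 2)
        return -1;                      /* len - 2 would wrap around */
    size_t payload = len - 2;
    if (payload > seg_avail - 2)
        return -1;                      /* claims more bytes than the file has */
    if (payload > out_cap)
        return -1;                      /* would overrun the destination */
    memcpy(out, seg + 2, payload);
    return (int)payload;
}

/* Caller with a fixed-size stack buffer, the situation the thread describes. */
int render_comment(const uint8_t *seg, size_t seg_avail)
{
    uint8_t buf[COMMENT_MAX];
    return copy_comment_checked(seg, seg_avail, buf, sizeof buf);
}
```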



