My account was hacked through a Second Life texture?

[Jose Squeegee]

Hello.

My account was hacked yesterday. Someone changed my password and I was able to reset it through the password revovery system. I downloaded some security software and it found a Trojan Horse called Imuler 2.0a located in my SecondLife cache folder as a .texture file. I have isolated the Trojan Horse but I don't know if I am safe now? What should I do? How could this happen?

[Innula Zenovka]

What viewer were you using when this happened?   The offical viewer or a tpv?

[Jose Squeegee]

I was using Exodus v.12.08.14.1.

[Innula Zenovka]

I'd certainly open both a SEC jira about it and ask the Exodus team.     I don't know a great deal about malware but I'd have thought the viewer was a more likely vector of contamination than an actual texture you'd seen in SL.   Obviously I'm not saying that Exodus put it there, but I'm wondering if it's not something they should be looking into.

[Dilbert Dilweg]

Quite an interesting virus for MAC Pc's

It disguises it self as a jpeg image but contains code for full remote access to your pc. Nasty one that is. Spread thru images

[161488303349]

thats pretty nasty

[Sidnella Riler]

Do not accept things from people you don't know, buy the textures in marketplace if needed

people will hide virus like that disguise as images, for example, they would tell you, Would you like to see my picture? and you accept it, and puff it is a trojan hidden in a fake jpg, so be careful

[Cerise Sorbet]

The files in the SL cache folder can occasionally trigger false positives with virus software. Even if a byte sequence really was a full match for some piece of malware, these files are not in a format that would allow them to actually infect your system.

A real copy of the imuler back door would have been inserted into your library folder, where it could have an actual effect.

It's a 99.99999% chance that this was only coincidence. The password change probably happened through a different route.

 

[Innula Zenovka]

It's probably worth noting that LL scrambled a lot of passwords yesterday, in response to a security threat, thus forcing people to reset their passwords, but you should have received an email if that was the case.

[Ciaran Laval]

As Innula says, there has been a security issue related to a website out of Linden Lab's control but that is related to Second Life.

[Miserlie]

This sounds scary, once its on your computer though how would you get rid of it ?

[Perrie Juran]

I'm trying to wrap my head around this one.

I understand that an executable can be 'embedded' into an image. 

But when I upload an image to SL it gets converted by SL to another file format.

My brain is telling me that the conversion would or should destroy that executable.

I used to have some photos I took hanging on the wall of my SL home.  Before I uploaded them to SL, I did not remove the meta data.  SL converted the image to a different format.  When some one sees that image in SL, in other words up loads it to their computer, the meta data is no longer there. 

I'm just thinking out loud here, trying to make sense of it.  I am having a hard time seeing how a virus could be transmitted through SL via an image.

 

[leon Bowler]

You would need a program on the PC that looked innocent, it could create a field of data, then XOR it over the bytes of a texture, you can hide patterns of bits in a picture that can not be seen any other way than to XOR it with an image or data field, the program that looks innocent can then transfer this new bit pattern into the code areas and run it, that way you can bypass every virus hunter on the market, well that's how I would do it with textures, not that I would.

[Ted McGregor]

---

Perrie Juran wrote:

I am having a hard time seeing how a virus could be transmitted through SL via an image.

 

---

Think steganography, but those are not really viruses.

 

To make it executable the recipient should be tricked to open the image with a malicious application to execute the code from within.

 

[Perrie Juran]

---

TDD123 wrote:

---

Perrie Juran wrote:

I am having a hard time seeing how a virus could be transmitted through SL via an image.

 

---

Think

steganography

, but those are not really viruses.

 

To make it executable the recipient should be tricked to open the image with a malicious application to execute the code from within.

 

---

can you rephrase this.  no bad intended here, but the grammar is confusing me.

[Perrie Juran]

---

leon Bowler wrote:

You would need a program on the PC that looked innocent, it could create a field of data, then XOR it over the bytes of a texture, you can hide patterns of bits in a picture that can not be seen any other way than to XOR it with an image or data field, the program that looks innocent can then transfer this new bit pattern into the code areas and run it, that way you can bypass every virus hunter on the market, well that's how I would do it with textures, not that I would.

---

huh?  i'm confused by your grammar / run on sentence.

Little bytes please.

[Ted McGregor]

ok

 

Steganography is putting the code into the picture.

 

But the code within the picture needs to be triggered by an executable ( program, engine ) specifically written to execute the code. Has to be done client-side.

 

ETA : What the OP is referring to is technically feasible. The claim that SL is 'infected' seems rather unlikely to me. A false positive by the virusscanner is all the more.

 

This better perhaps ?

 

An' wuzzat 'bout mah granma ?

[leon Bowler]

I am saying that is how would do it, could hide any code or data in an image not poss to scan them because an image pattern is only related to humans and not to logic, there is no algorithm that I can think of that could see any form of code pattern in a image, what do you relate a picture to, a program can only relate a bit pattern to another pattern and with virus hunters it relates to instructions executed, an image would give those patterns at random with no order to compute so must be seen as random data and ignored, but just XOR a repeating string over that image and like magic a line of code appears that does relate to every action in the machine but the virus scanner has gone thinking it all random, any clearer?

[161488303349]

---

leon Bowler wrote:

I am saying that is how would do it, could hide any code or data in an image not poss to scan them because an image pattern is only related to humans and not to logic, there is no algorithm that I can think of that could see any form of code pattern in a image, what do you relate a picture to, a program can only relate a bit pattern to another pattern and with virus hunters it relates to instructions executed, an image would give those patterns at random with no order to compute so must be seen as random data and ignored, but just XOR a repeating string over that image and like magic a line of code appears that does relate to every action in the machine but the virus scanner has gone thinking it all random, any clearer?

---

yes and no. mostly no

the downside with stenography as a way to hide stuff is that the hidden data in the image data typically has no relationship to the image itself. when decode the image into binary (which you have to do to render the image) then can pretty easy spot the rogue bytes algorithmically. enough rogue bytes to set off a warning

stenography is mostly used to fool the human eye. it not fool any reasonable decent sec algo

for the fool to work then need lots and lots and lots of different images. so that the trojan spread over a wide area. like only a handful of bytes in each. so that the rogue bytes appear to be an artifact of the original image encoding

 

[161488303349]

ps

for example

say you wanted to hide in the bottom bit of grey $7F then

$7F $7E $7E $7F $7E $7F $7F$7E

looks gray to the human eye. but can see what appears to be a "random" pattern in the string where none should exist. or appears to have no meaning in the context of the image. or in the context of how images are encoded by open standards. like jpeg, bmp, png etc 

 

[leon Bowler]

so yes then.

[Madelaine McMasters]

---

leon Bowler wrote:

I am saying that is how would do it, could hide any code or data in an image not poss to scan them because an image pattern is only related to humans and not to logic, there is no algorithm that I can think of that could see any form of code pattern in a image, what do you relate a picture to, a program can only relate a bit pattern to another pattern and with virus hunters it relates to instructions executed, an image would give those patterns at random with no order to compute so must be seen as random data and ignored, but just XOR a repeating string over that image and like magic a line of code appears that does relate to every action in the machine but the virus scanner has gone thinking it all random, any clearer?

---

No clearer to me, but let me take a shot at rephrasing.

It do not believe it is possible to transmit a self contained nefarious program from SL to a PC via an image. SL textures begin their life as image files on a creation PC in any of several SL compatible upload formats (TIFF, PNG, TGA, JPG, etc). Upon upload, SL's servers decode/decompress/recompress the texture in JPEG2000 format. This process would destroy any malicious code that was not itself "hidden" in some fashion that could survive the image compression process. The technique of hiding information "in plain sight" inside carrier images is called steganography.

Steganographic encoding algorithms abound, but they require matching decoding algorithms in whatever receives the carrier images. The information density of steganographic techniques is fairly low if the carrier image is intended to pass even cursory tampering inspection by humans. The more information you attempt to hide in a carrier image, the more noticeable the image degradation becomes. I can imagine hiding a few hundred bytes of code in a large texture, but no more.

Since reception of malware via carrier images requires an already existing malicious decoder on the receiving end, the use of images to carry additional malware hardly makes sense. The existing malware would have far more efficient means of aquiring more trouble.

There are file formats (like MS Office documents and e-mail attachments) that allow embedded algorithms. Those infection vectors have been exploited for years and various methods have been deployed to block them. I don't believe SL uses any such file formats, as that would require the receiving computer to contain a means of executing the attached algorithms, regardless of the receiving computer OS (Win/Mac/Linux). Java is the only mechanism I could reasonably expect to perform such a function. SL does not require Java.

Occam's razor suggests to me that, as others have said, the malware scanning software inadvertently identified an SL texture as malware when it is not. It's been more than a decade since I used malware scanning tools. I stopped because I found those tools to be more malicious than anything they never found.

 

[leon Bowler]

If you assume the code is in the image, the image can just be a key, like a picture of Big Ben, it is a static image that is repeated, like a work of art then that could be the key, any image can be the key, the code is in the innocent program as data looking random but when XORed with a certain image could produce code.

So any computer would looked fine and virus free until a certain image was shown on it or on a texture and a segment of code would be made and executed.

[Perrie Juran]

---

leon Bowler wrote:

If you assume the code is in the image, the image can just be a key, like a picture of Big Ben, it is a static image that is repeated, like a work of art then that could be the key, any image can be the key, the code is in the innocent program as data looking random but when XORed with a certain image could produce code.

So any computer would looked fine and virus free until a certain image was shown on it or on a texture and a segment of code would be made and executed.

---

So in other words it would take one stretch of the imagination to get both the code and the key onto someones computer via SL.

[Innula Zenovka]

Cerise, who knows more than most people about technical matters, did say eariler in the thread that

---

A real copy of the imuler back door would have been inserted into your library folder, where it could have an actual effect.

It's a 99.99999% chance that this was only coincidence. The password change probably happened through a different route.

---