[linux] Best linux tools for removal of windoze exploit files on pic CDRs ??

Evan Martin martine at danga.com
Sun Aug 20 18:33:45 PDT 2006


Since (AFAIK) there are no exploits for jpegs (anyway, an exploit
would target a particular jpeg decoder, not jpegs themselves), I'd
copy all the images off the CD on a Linux machine, then burn those to
a new CD.

On 8/21/06, db <dbota at att.net> wrote:
> I only placed jpg picture files on the CDRs but amongst other methods I
> understand exploits on contaminated machines can also place themselves
> in the CDR's boot block during the burn...
>
> The 3rd world internet cafe computers (china) I often had to use for
> this purpose were obviously heavily used by transients and owned and
> managed by novices.  Often they were hard to use because of all the
> pop-ups etc.  Sometimes virus alerts were even popping up.  (china is one of
> the world's hotbeds of exploits...).
>
> When you are in a 3rd world country and your SD picture cards are full
> with great pics and it is a once in a lifetime trip and the choice is
> between throwing away existing pics, not taking any new pics or using
> the lousy computers to transfer your jpg files and worry about
> straightening things out later... the decision is a no brainer.  So
> here I am!
>
> I see absolutely no reason to think they are false positives and every
> reason to believe the scanned exploits exist and are a real problem.
>
> My experience is that no one scanning detection app. will find all
> possible exploits so depending on one TSR like my Windoze machine's
> McAfee Viruscan to absolutely remove everything that is on these disks
> during a transfer from CDR to hard disk seems pretty foolhardy.
>
> In fact, when I disable the autoplay for the drives and scan them with
> various scanners, I get varying results with varying scan/detect apps.
> (McAfee, F-Prot, Stinger, etc.).  One of the buggers that is identified
> is W32/VB.KL (the Win32/Traxg.B worm also known as
> Win32/Traxg.57344!Worm, Win32.Traxg.B, W32/Traxg.B (WildList),
> W32.Traxg at mm (Symantec), W32/Traxg-B (Sophos), WORM_VB.F
> (Trend), W32VB.KL (F-Secure), Email-Worm.Win32.Rays (Kaspersky).  It
> spreads by email or during writes to external disks.
>
> I'm thinking the Linux computer will not be targeted by the exploits and
> I can use the Linux FC4 platform as a safe spot from which to delouse
> the CDs.
>
> Seems to me this is a tricky problem, probably a common one and I am
> surprised I see no reference to methods for getting valuable files off
> of contaminated read only CDs.  The fact that everyone burns CDs for
> backup and transfer but no-one knows how to do this... suggests why
> exploits are so widespread...
>
> ?
>
> db
>
>
>
> Chris DeVoney wrote:
> >> -----Original Message-----
> >> From: linux-bounces at mailman1.u.washington.edu
> >> [mailto:linux-bounces at mailman1.u.washington.edu] On Behalf Of db
> >> Sent: Sunday, August 20, 2006 4:46 PM
> >>
> >> I have some travel picture CDs that were burned on Windoze
> >> internet cafe computers and a scan shows that they have some
> >> exploits on them.
> >>
> >> I want to transfer the files from the contaminated CDRs to a
> >> Linux FC4 machine, delouse them there and then re-burn them
> >> to uncontaminated CDRs for future use on windoze machines.
> >>
> >
> > Which brings up another question, what scan made the determination that
> > files are contaminated? Only a handful of image file exploits, the most
> > famous of which are the GDI+ and WMF exploits, are known, are not viruses
> > (i.e., not self-replicating) but do allow other code to be launched, and
> > have been patched by MS. I'm curious if you are getting false positives?
> >
> > May I ask if you are interested in the data (image/catalog) files only or
> > all files? I suspect the image and other data files use some ubiquitous
> > format and the rest of the files could be left behind.
> >
> > To my knowledge, AV scanners like McAfee can remove most exploits from the
> > file, if the program is set for such actions. Any remaining action depends
> > on other files you wish to salvage.
> >
> > cdv
> >
> > Chris DeVoney
> > Division of Metabolism, Endocrinology, and Nutrition
> > UW School of Medicine
> >
> >
> >
>
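
Evan's approach of copying only the images off the CD on the Linux box (and Chris's point that the other files can be left behind), as an added shell example that is not code from anyone in the thread: it trusts file content rather than the file name, keeping only files that begin with the JPEG Start-Of-Image marker, so a renamed executable or an autorun file is left on the old CD and reported. The mount point and staging directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread). SRC is a placeholder for the
# mounted CD (e.g. /media/cdrom), DST a placeholder for a clean staging
# directory that is later burned to a fresh CD.

# is_jpeg FILE: succeed only if the first three bytes are FF D8 FF, the JPEG
# Start-Of-Image marker. The extension is ignored on purpose.
is_jpeg() {
    [ "$(od -An -tx1 -N3 "$1" 2>/dev/null | tr -d ' \n')" = "ffd8ff" ]
}

# salvage_jpegs SRC DST: copy every content-verified JPEG under SRC into DST,
# preserving the relative path so same-named files in different folders do
# not collide. Copied files are listed on stdout, everything else that was
# left behind on stderr, so the operator can review what the CD also carried.
salvage_jpegs() {
    src=$1 dst=$2
    mkdir -p "$dst"
    find "$src" -type f -print | sort | while IFS= read -r f; do
        rel=${f#"$src"/}
        if is_jpeg "$f"; then
            mkdir -p "$dst/$(dirname "$rel")"
            cp -p "$f" "$dst/$rel"          # -p keeps the photo timestamps
            chmod a-x "$dst/$rel"           # image data never needs execute bits
            printf 'copied  %s\n' "$rel"
        else
            printf 'skipped %s\n' "$rel" >&2
        fi
    done
}

# Typical use: salvage_jpegs /media/cdrom "$HOME/clean-photos" 2>left-behind.txt
```

Count the lines on stdout to know how many photos were recovered, and read the stderr list before deciding whether anything else on the CD is worth keeping.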