Author Topic: iframe appended jpegs/some open anyway  (Read 3631 times)

davidnix71

  • Member
  • **
  • Posts: 760
  • Kudos: 501
iframe appended jpegs/some open anyway
« on: 13 April 2009, 07:52 »
I stumbled across a reference to a trojan jpeg on a website. If I went directly to the url in FF2 and FF3, the image displays correctly in my broswer with no warning (it's a 44kb pic of a stack of folded newspapers. A drop/drag desktop copy won't open in Preview. I use a PPC Mac, so if the "virus" worked correctly it would bounce me off to the site appended to the picture. The address in the jpeg is corrupt, apparently, if I try to go there directly, I get a 404.

The drop/drag saved pic came back "infected malware" from Jotti's online scan. A Google search of the embedded site said the file had somehow become corrupt or the virus writer didn't do it correctly. The drop/drag saved pic will still open in FF.

Why is the display behavior inconsistent?  I have a copy of the jpeg with the iframe appended that WILL open in Preview. The copy has correct headers because I used the top menu in FF to "save as" instead of drop/drag. The drop/drag doesn't have the usual jfif or photoshop header. Both files are 44kb and both look the same.

A jpeg with an appended url shouldn't open in Preview or Firefox at all, assuming the repsective program writers did their job. A screen cap of the browser pic it removes the appended url and the size jumps to about double the original.

The appended url is plainly readable in HexEdit and TextEdit.