Can Images Contain Malware?

Discussion in 'malware problems & news' started by Brandonn2010, Feb 9, 2013.

Thread Status:
Not open for further replies.
  1. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    I'm not talking about a file that seems like an image, but is actually an .exe file, but a picture, that when double-clicked to view, etc. activates malware embedded within the image?
     
  2. Theoretically, yes. I don't recall any ITW examples, but there have been vulnerabilities in image libraries where a modified image file could execute arbitrary code.
     
  3. chris1341

    chris1341 Guest

  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    It was a Linux security article I read some time ago that advised disabling thumbnail preview on picture files, because of the possibility of malware. I thought I had it saved somewhere but can't find it atm :(
     
    Last edited: Feb 9, 2013
  5. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    A golden rule for me is that any file that comes from the internet, whether it be videos or images or whatever, I always open and run inside Sandboxie.
     
  6. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
  7. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    Yes, it is possible, but I'm not sure if there are too many "in the wild" cases. Embedding malware in an image would require exploiting a certain image viewer, so you must be reasonably sure that the target will view the image using the vulnerable viewer.
     
  8. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Aside from viewing through a vulnerable viewer, just by browsing a folder containing malware-embedded image/s through Windows Explorer, as the thumbnail preview gets rendered by an unpatched gdi32.dll, one can be infected. That was during the time of the so-called WMF bugs. I can confirm that, as fellow Wilders member StevieO shared some samples with me back then. https://www.wilderssecurity.com/showthread.php?t=251946


    First worm using the new WMF vulnerability has been found
    http://www.f-secure.com/weblog/archives/archive-122005.html

    The Windows MetaFile (WMF) Vulnerability
    http://www.grc.com/sn/sn-021.htm

    The Windows MetaFile Backdoor?
    http://www.grc.com/sn/sn-022.htm
     
  9. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    trismegistos, I know about WMF vulnerability, but as far as I know, it's an old issue. When I was referring to "in the wild" exploitation, I was considering more recent issues.
     
  10. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Sorry. I was just making some additions not actually directed to you but for everybody in reference to this portion of your statement...

    "Embedding malware in an image would require exploiting a certain image viewer, so you must be reasonably sure that the target will view the image using the vulnerable viewer."

    Image viewers' vulnerabilities are already patched also, so they can be considered as past issues as well. Whether it is more recent or old is relative. I was just highlighting the fact that Windows Explorer and even browsers could be affected as well, together with image viewers, not just in the past but for possible zero days or yet-to-be-discovered vulnerabilities in the future.

    As I have said, vulnerabilities in image viewers or in Gdi32.dll (in Windows Explorer, browsers or any process which uses that DLL) may be past issues, but what is the assurance such problems will not arise again?

    Similar problems (WMF or gdi32.dll) did arise fairly recently, definitely newer than the older 2006 WMF flaw, though patched already, like...

    2011(OLE, WMF, critical-remote code execution):
    http://technet.microsoft.com/en-us/security/bulletin/ms11-038

    and

    2009(GDI, images, critical-remote code execution):
    http://technet.microsoft.com/en-us/security/bulletin/MS09-062

    And not to forget, many PC users are still using unpatched Windows or using vulnerable image viewers. I know some Wilders members still refuse to update (though they practice defense in depth). You can count me among those clinging to old apps or those who never update their Windows regularly. Me and others are bad examples. :)

    Many Exploit kits still use the old but reliable vulnerabilities and yet the recipients of such continue to cash in with those. And yes, we just don't know the statistics.
     
    Last edited: Feb 11, 2013
  11. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    I agree, there are other possible vectors of attack besides insecure image viewers when it comes to images containing malware (like the gdi32.dll vulnerability).
     
  12. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    778
    Location:
    Headquarters - London & Field Offices -Worldwide
    Another security breach has been done where an image is sent with each email message and the image contains tracking software in order to alert the email sender when the email was opened and viewed. This is usually done by sending a Ping to a server and then the "customer" is notified when the recipient opens their email message. EmailOracle and Pigspy are just two (of several) such services which do this that come to mind.

    Remember - an image can be as small as a few pixels - not enough to notice often. Of course if one has images blocked from their email then the ping cannot trigger or run.

    Something to keep in mind.
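
The tracking-image mechanism described in the post above can be checked for in an HTML mail body. This is an added example, not part of the original thread: the 3-pixel threshold, the function names and the sample message (with reserved `.example` hosts) are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

MAX_BEACON_PX = 3  # assumption: what counts as "a few pixels"
_PX = re.compile(r"\s*(\d+)\s*(?:px)?\s*", re.I)
_STYLE = re.compile(r"(?<![-\w])(width|height)\s*:\s*(\d+)\s*px", re.I)

def _dimensions(attrs):
    """Collect width/height in pixels from attributes, then inline style."""
    dims = {}
    for key in ("width", "height"):
        m = _PX.fullmatch(attrs.get(key) or "")
        if m:
            dims[key] = int(m.group(1))
    for key, value in _STYLE.findall(attrs.get("style") or ""):
        dims.setdefault(key.lower(), int(value))
    return dims

class RemoteImageFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attrs = dict(attrs)
        src = attrs.get("src") or ""
        # Only remote images cause a request to the sender's server;
        # cid: and data: images travel inside the message itself.
        if urlparse(src).scheme not in ("http", "https"):
            return
        dims = _dimensions(attrs)
        tiny = bool(dims) and all(v <= MAX_BEACON_PX for v in dims.values())
        self.findings.append({"src": src, "dims": dims, "likely_beacon": tiny})

def find_remote_images(html_body):
    """Return every remote <img>, flagging the ones sized like a beacon."""
    finder = RemoteImageFinder()
    finder.feed(html_body)
    return finder.findings

# Constructed sample message body (not taken from any real email).
SAMPLE_EMAIL = """<html><body><p>Hello</p>
<img src="cid:logo@example" width="120" height="40">
<img src="https://tracker.example/open?id=abc123" width="1" height="1">
<img src="http://cdn.example/banner.png" width="600" height="200">
<img src="https://tracker.example/p.gif" style="width:1px;height:1px">
</body></html>"""
```

Every entry returned is a request the mail client would make on open if remote images are not blocked; the `likely_beacon` flag only marks the ones too small to notice.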
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    In my text email program, images will display as a file and not do anything if I don't open them:

    agent_image-display.jpg

    (Note to self: do not click...do not click...)

    ----
    rich
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Here is one from 7 years ago, still included in some Kits:

    The Rise of the "Blackhole" Exploit Kit: The Importance of Keeping All Software Up To Date
    http://blogs.technet.com/b/security...tance-of-keeping-all-software-up-to-date.aspx
    One writer has this wry comment about this exploit:

    Blackhole exploit kit
    http://community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx
    If you poke around a bit, you can find some statistics, by Exploit; Browser; Operating System.

    Here are a couple of sites:

    BlackHole Exploit Kit
    http://dvlabs.tippingpoint.com/blog/2011/04/26/blackhole-exploit-kit


    Blackhole exploit kit
    http://community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx


    ----
    rich
     
  15. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Thanks as always, rich! Oldies are indeed still goodies. btw, do we have statistics of infections by exploit kits in particular utilising malwares embedded on image files as in the context of the thread topic?

    I remember you have a presentation wherein previewing or clicking WMF image file or rather viewing it through a browser will spawn a shellcode to download and execute malware, I think? Since, it is more likely that the exploit's shellcode is embedded on image file rather than embedding the actual malware itself to that image. Not that it is not possible like in a Duqu trojan wherein the dropper and malware are both encrypted on an innocuous looking MS word document together with the exploit. It's so much easier for malware authors to just embed the plain download and execute shellcode, which will download and then execute the actual malware than embedding the actual malware together with the exploit on one image file.
     
    Last edited: Feb 12, 2013
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Not that I'm aware of. Those exploits were rather specialized, and I'm not sure that they were ever widespread within Exploit kits. But I've not investigated. (good project for someone bored with nothing to do!)

    That is correct. Here is a good analysis, specifically what is referred to as "file parsing," with reference to the old .ANI and .WMF file exploits:

    Shellcode analysis - download n' exec
    http://blog.threatfire.com/2007/12/shellcode-analysis-download-n-exec.html
    That was almost six years ago! And that last statement still is applicable today. Think of that! Have we learned nothing?

    Following using .ANI and .WMF files, cybercriminals moved to .PDF and .SWF files. They all do the same thing: carry embedded code which executes when the (vulnerable unpatched) application that runs that file is allowed to start. In fact, those same win32 api calls referred to in the above analysis were present in PDF exploits.

    Here is a screenshot of such code from a PDF file:

    wepawet_api.jpg

    Compare with the first screenshot in the analysis I cited. The Hex Code hasn't been converted to ASCII text, but you can see the similarities.

    If you click to download a .EXE file from a web site, your browser will prompt. But shellcode that uses URLDownloadToFileA can download a binary executable directly to disk with no burp from the browser.

    Same techniques, just different modes (files) of delivery. It seems that nothing much has changed in these types of exploits.

    By the way, because the WMF exploit utilized that DLL you referred to, other image file extensions would also call the default viewer for that extension, and if the viewer used that DLL, the exploit would run. For example, a booby-trapped JPG file started Photoshop, the default JPG viewer on my computer. Photoshop does not use that DLL and so, returned an error because it was not a legitimate JPG file:

    wmf-notepad-jpgPhotoshop.gif

    Java exploits also utilize code that downloads and executes. From one of the Microsoft encyclopedia entries:

    Exploit:Java/CVE-2012-5076
    http://www.microsoft.com/security/p...ia/entry.aspx?Name=Exploit:Java/CVE-2012-5076
    A Microsoft Protection Center Analysis describes one way to bypass alerts:

    A technical analysis on new Java vulnerability (CVE-2012-5076)
    http://blogs.technet.com/b/mmpc/arc...-on-new-java-vulnerability-cve-2012-5076.aspx

    As you point out, while it's theoretically possible to embed malware, it's just much easier to let a booby-trapped file find a vulnerable (unpatched) application to do the dirty work!

    That's probably why cybercriminals haven't bothered with attempting to embed malware in an image file for their exploits.

    ----
    rich
     
    Last edited: Feb 13, 2013
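
The post above describes a file with a .JPG extension that was not a legitimate JPG. A content-versus-extension check catches that kind of mismatch before the file reaches a viewer. This is an added example, not part of the original thread: the function names and the sample headers are constructed for illustration, and the signature list covers only the formats named in this thread plus PNG and GIF.

```python
import os

# Leading "magic" bytes for the file types mentioned in the thread.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("gif", b"GIF87a"),
    ("gif", b"GIF89a"),
    ("wmf", b"\xd7\xcd\xc6\x9a"),   # placeable WMF header key
    ("wmf", b"\x01\x00\x09\x00"),   # standard WMF header, in-memory type
    ("wmf", b"\x02\x00\x09\x00"),   # standard WMF header, on-disk type
    ("pdf", b"%PDF-"),
    ("swf", b"FWS"), ("swf", b"CWS"), ("swf", b"ZWS"),
]
EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
              ".wmf": "wmf", ".ani": "ani", ".pdf": "pdf", ".swf": "swf"}

def sniff(data):
    """Identify a format from its leading bytes, or None if unrecognised."""
    # ANI is a RIFF container whose form type at offset 8 is "ACON".
    if data[:4] == b"RIFF" and data[8:12] == b"ACON":
        return "ani"
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return None

def check(filename, data):
    """Compare what the extension claims with what the content is."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSIONS.get(ext)
    actual = sniff(data)
    mismatch = claimed is not None and actual != claimed
    return {"file": filename, "claimed": claimed,
            "actual": actual, "mismatch": mismatch}

# Constructed headers only (no real image or exploit content).
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("holiday.jpg", b"\xd7\xcd\xc6\x9a" + b"\x00" * 18),  # WMF named .jpg
    ("cursor.ani", b"RIFF\x00\x00\x00\x00ACON"),
    ("notes.jpg", b"just some text, not an image"),
]

def scan(samples):
    """Return the check result for each (filename, bytes) pair."""
    return [check(name, data) for name, data in samples]
```

A mismatch is a reason to quarantine or inspect the file, not proof of an exploit; it says only that the extension and the content disagree.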
  17. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,617
    See Web bug or trans pixel gifs.
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi,

    Do you know of any exploits that use malware embedded in a web bug or similar image?

    Thanks,

    rich
     