Can Images Contain Malware?

Discussion in 'malware problems & news' started by Brandonn2010, Feb 9, 2013.

Thread Status:
Not open for further replies.
  1. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    I'm not talking a file that seems like an image, but is actually an .exe file, but a picture, that when double-clicked to view, etc. activates malware embedded within the image?
     
  2. Theoretically, yes. I don't recall any ITW examples, but there have been vulnerabilities in image libraries where a modified image file could execute arbitrary code.
     
  3. chris1341

    chris1341 Guest

  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    It was a Linux security article I read some time ago that advised disabling thumbnail preview on picture files, because of the possibility of malware. I thought I had it saved somewhere but can't find it atm :(
     
    Last edited: Feb 9, 2013
  5. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    a golden rule for me is that any file that comes from the internet whether if be videos or images or what ever I always open and run them inside sandboxie.
     
  6. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
  7. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    Yes it is possible, but I'm not sure if there are too many "in the wild" cases. Embedding malware in an image would require to exploit a certain image viewer, so you must be reasonably sure that the target will view the image using the vulnerable viewer.
     
  8. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Aside from viewing through a vulnerable viewer, just browsing a folder containing malware embedded image/s through window's explorer as thumbnail preview get's rendered by an unpatched gdi32.dll, one can be infected. That's during the time of the so called WMF bugs. I can confirm that as fellow Wilders member, StevieO, shared me some samples back then. https://www.wilderssecurity.com/showthread.php?t=251946


    First worm using the new WMF vulnerability has been found
    http://www.f-secure.com/weblog/archives/archive-122005.html

    The Windows MetaFile (WMF) Vulnerability
    http://www.grc.com/sn/sn-021.htm

    The Windows MetaFile Backdoor?
    http://www.grc.com/sn/sn-022.htm
     
  9. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    trismegistos, I know about WMF vulnerability, but as far as I know, it's an old issue. When I was referring to "in the wild" exploitation, I was considering more recent issues.
     
  10. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Sorry. I was just making some additions not actually directed to you but for everybody in reference to this portion of your statement...

    "Embedding malware in an image would require to exploit a certain image viewer, so you must be reasonably sure that the target will view the image using the vulnerable viewer."

    Image viewers' vulnerabilities are already patched also, so they can be considered as past issues as well. Whether it is more recent or old is relative. I was just highlighting the fact, that windows explorer and even browsers could be affected as well together with image viewers not just in the past but for possible zero days or yet to be discovered vulnerabilites in the future.

    As I have said, vulnerabilities on image viewers or on Gdi32.dll (in windows explorer, browsers or any process which used that dll) may be past issues but what is the assurance such problems will not rise again.

    Same similar problems (wmf or gdi32.dll) do rise fairly recently and definitely newer than that of the older 2006 wmf flaw but though patched already like...

    2011(OLE, WMF, critical-remote code execution):
    http://technet.microsoft.com/en-us/security/bulletin/ms11-038

    and

    2009(GDI, images, critical-remote code execution):
    http://technet.microsoft.com/en-us/security/bulletin/MS09-062

    And not to forget, many PC users are still using unpatched windows or using vulnerable image viewers. I know some Wilders members still refused to update (though they practice defense in depth). You can count me in to those clinging to old apps or to those who never update their windows regularly. Me and others are bad examples. :)

    Many Exploit kits still use the old but reliable vulnerabilities and yet the recipients of such continue to cash in with those. And yes, we just don't know the statistics.
     
    Last edited: Feb 11, 2013
  11. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I agree, there are other possible vectors of attack besides insecure image viewers when it comes to image containing malware (like the gdi32.dll vulnerability).
     
  12. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    Another security breach has been done where an image is sent with each email message and the image contains tracking software in order to alert the email sender when the email was opened and viewed. This is usually done by sending a Ping to a server and then the "customer" is notified when the recipient opens their email message. EmailOracle and Pigspy are just two (of several) such services which do this that come to mind.

    Remember - an image can be as small as a few pixels - not enough to notice often. Of course if one has images blocked from their email then the ping cannot trigger or run.

    Something to keep in mind.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    In my text email program, images will display as a file and not do anything if I don't open them:

    agent_image-display.jpg

    (Note to self: do not click...do not click...)

    ----
    rich
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Here is one from 7 years ago, still included in some Kits:

    The Rise of the "Blackhole" Exploit Kit: The Importance of Keeping All Software Up To Date
    http://blogs.technet.com/b/security...tance-of-keeping-all-software-up-to-date.aspx
    One writer has this wry comment about this exploit:

    Blackhole exploit kit
    http://community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx
    If you poke around a bit, you can find some statistics, by Exploit; Browser; Operating System.

    Here are a couple of sites:

    BlackHole Exploit Kit
    http://dvlabs.tippingpoint.com/blog/2011/04/26/blackhole-exploit-kit


    Blackhole exploit kit
    http://community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx


    ----
    rich
     
  15. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Thanks as always, rich! Oldies are indeed still goodies. btw, do we have statistics of infections by exploit kits in particular utilising malwares embedded on image files as in the context of the thread topic?

    I remember you have a presentation wherein previewing or clicking WMF image file or rather viewing it through a browser will spawn a shellcode to download and execute malware, I think? Since, it is more likely that the exploit's shellcode is embedded on image file rather than embedding the actual malware itself to that image. Not that it is not possible like in a Duqu trojan wherein the dropper and malware are both encrypted on an innocous looking MS word document together with the exploit. It's so easier for malware authors to just embedd the plain download and execute shellcode, which will download and then execute the actual malware than embedding the actual malware together with the exploit on one image file.
     
    Last edited: Feb 12, 2013
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Not that I'm aware of. Those exploits were rather specialized, and I'm not sure that they were ever widespread within Exploit kits. But I've not investigated. (good project for someone bored with nothing to do!)

    That is correct. Here is a good analysis, specifically what is referred to as "file parsing," with reference to the old .ANI and .WMF file exploits:

    Shellcode analysis - download n' exec
    http://blog.threatfire.com/2007/12/shellcode-analysis-download-n-exec.html
    That was almost six years ago! And that last statement still is applicable today. Think of that! Have we learned nothing?

    Following using .ANI and .WMF files, cybercriminals moved to .PDF and .SWF files files. They all do the same thing: carry embedded code which executes when the (vulnerable unpatched) application that runs that file is allowed to start. In fact, those same win32 api calls referred to in the above analysis were present in PDF exploits.

    Here is a screenshot of such code from a PDF file:

    wepawet_api.jpg

    Compare with the first screenshot in the analysis I cited. The Hex Code hasn't been converted to ASCII text, but you can see the similarities.

    If you click to download a .EXE file from a web site, your browser will prompt. But shellcode that uses URLDownloadToFileA can download a binary executable directly to disk with no burp from the browser.

    Same techniques, just different modes (files) of delivery. It seems that nothing much has changed in these types of exploits.

    By the way, because the WMF exploit utilized that DLL you referred to, other image file extensions would also call the default viewer for that extension, and if the viewer used that DLL, the exploit would run. For example, a booby-trapped JPG file started Photoshop, the default JPG viewer on my computer. Photoshop does not use that DLL and so, returned an error because it was not a legitimate JPG file:

    wmf-notepad-jpgPhotoshop.gif

    Java exploits also utilize code that downloads and executes. From one of the Microsoft encyclopedia entries:

    Exploit:Java/CVE-2012-5076
    http://www.microsoft.com/security/p...ia/entry.aspx?Name=Exploit:Java/CVE-2012-5076
    A Microsoft Protection Center Analysis describes one way to bypass alerts:

    A technical analysis on new Java vulnerability (CVE-2012-5076)
    http://blogs.technet.com/b/mmpc/arc...-on-new-java-vulnerability-cve-2012-5076.aspx

    As you point out, While it's theoretically possible to embed malware, it's just much easier to let a booby-trapped file find a vulnerable (unpatched) application to do the dirty work!

    That's probably why cybercriminals haven't bothered with attempting to embed malware in an image file for their exploits.

    ----
    rich
     
    Last edited: Feb 13, 2013
  17. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    See Web bug or trans pixel gifs.
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi,

    Do you know of any exploits that use malware embedded in a web bug or similar image?

    Thanks,

    rich
     
Loading...
Thread Status:
Not open for further replies.