Ugly Hedgehog - Photography Forum
Images can contain malware
Nov 23, 2021 16:10:45   #
kenpic Loc: Edmonds, WA
 
This was shared by a techie friend and I thought it might be of interest to my forum fellows.

Image meta data, like jpegs, could contain malware:
https://umbrella.cisco.com/blog/picture-perfect-how-jpg-exif-data-hides-malware

Ken

Nov 23, 2021 16:32:14   #
Longshadow Loc: Audubon, PA, United States
 
kenpic wrote:
This was shared by a techie friend and I thought it might be of interest to my forum fellows.

Image meta data, like jpegs, could contain malware:
https://umbrella.cisco.com/blog/picture-perfect-how-jpg-exif-data-hides-malware

Ken


WOW. They go to any extent.

Any info on how the code in the EXIF gets executed?

Nov 23, 2021 16:49:40   #
JD750 Loc: SoCal
 
Yep it’s true. Images can contain information, including code. This is not a new invention, it is cloak and dagger stuff. However I’m not really sure if the code can be executed unintentionally, by opening a JPEG for example. My guess, and it is a guess, is that it’s not possible because, do you hear of it happening? If it was possible people would be getting infected left and right and I haven’t heard of anyone being infected by an image.

Nov 23, 2021 16:53:52   #
Longshadow Loc: Audubon, PA, United States
 
JD750 wrote:
Yep it’s true. Images can contain information, including code. This is not a new invention, it is cloak and dagger stuff. However I’m not really sure if the code can be executed unintentionally, by opening a JPEG for example. My guess, and it is a guess, is that it’s not possible because, do you hear of it happening? If it was possible people would be getting infected left and right and I haven’t heard of anyone being infected by an image.

I wonder if the code in the image is a 'data' and another program that may get downloaded looks for a particular image that may have been saved to get the code?

Nov 23, 2021 17:20:12   #
JD750 Loc: SoCal
 
Longshadow wrote:
I wonder if the code in the image is a 'data' and another program that may get downloaded looks for a particular image that may have been saved to get the code?


That's possible.

Nov 23, 2021 17:22:38   #
Quixdraw Loc: x
 
I believe I read that some of these Trojan Horse photos can execute when opened. This is some years back so I can't recall the details, just a recollection. I don't open photos from folks I don't know.

Nov 23, 2021 17:27:14   #
JD750 Loc: SoCal
 
quixdraw wrote:
I believe I read that some of these Trojan Horse photos can execute when opened. This is some years back so I can't recall the details, just a recollection. I don't open photos from folks I don't know.


What makes me suspicious of that is you don't hear about it. With the literally millions of scammers on-line, if it was that easy, it would be happening a lot. However I am not a coding expert so I will defer to someone who is an expert on image formats and execution options.

Nov 23, 2021 17:28:53   #
JD750 Loc: SoCal
 
Yes, but…

From Quora:

"Yes, a specially crafted image can contain executable code. But, it usually has to be targeted to one specific vulnerability in one specific program that contains a programming flaw that allows information in the picture to overwrite information in the program displaying it in a predictable way.

Booby-trapping a picture file is a targeted attack. If the picture is displayed using something other than the program you’re targeting, the payload won’t be executed."
Source: https://www.quora.com/Can-picture-files-contain-viruses

Nov 23, 2021 17:29:32   #
JD750 Loc: SoCal
 
So what about QR codes then?

Nov 23, 2021 17:32:40   #
johngault007 Loc: Florida Panhandle
 
Longshadow wrote:
I wonder if the code in the image is a 'data' and another program that may get downloaded looks for a particular image that may have been saved to get the code?




I had to look this up because it is not very common but a very neat trick. The tradecraft I found indicated that it could happen, but the software handling the data (EXIF) would have to be known. So if the code was written it would need to target a specific software and version where a discovered/known bug existed. So there isn't a one-size-fits-all method to exploit end users. EXIF data is typically read by some sort of software that lacks the ability to make calls to DLL files or other system files, which is fortunately a great safety feature that was not intended, but necessary.


The good news is that most (hopefully all by now) antivirus software picks up the php string that could potentially be malicious and stops the call back before it even happens. Additionally, any site that strips metadata and applies compression pretty much nulls out this type of attack instantly.

Also, any respectable and security-conscious website provider has patched this vulnerability and does not allow executable files to be uploaded (e.g. picture.php.jpg).

I'll keep playing around with this, because I may include this in some of my training if I can find a more common and foolproof way to launch exploits using it.

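As an added illustration of the defences johngault007 lists (this is not code from the thread or from any of the linked articles), here is a small Python checker that walks the JPEG marker segments, flags PHP-like text inside EXIF/APPn or COM segments, strips those segments the way an image host would, and rejects double-extension upload names such as picture.php.jpg. The sample JPEG bytes and the watch-list strings are constructed for the demonstration and are inert.

```python
import struct

# APPn (0xE0-0xEF) and COM (0xFE) segments hold metadata such as EXIF, not pixels.
METADATA_MARKERS = set(range(0xE0, 0xF0)) | {0xFE}
SUSPICIOUS = (b"<?php", b"eval(", b"base64_decode", b"<script")  # constructed watch-list

def iter_segments(data):
    """Yield (marker, offset, bytes) per header segment; SOS/EOI yields the remainder."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI / SOS: entropy-coded scan data follows
            yield marker, pos, data[pos:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes itself
        yield marker, pos, data[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG")

def find_suspicious_metadata(data):
    """Return (segment_name, offset, pattern) for every watch-list hit in metadata."""
    hits = []
    for marker, offset, seg in iter_segments(data):
        if marker in METADATA_MARKERS:
            name = "COM" if marker == 0xFE else f"APP{marker - 0xE0}"
            hits += [(name, offset, p.decode()) for p in SUSPICIOUS if p in seg[4:]]
    return hits

def strip_metadata(data):
    out = bytearray(b"\xff\xd8")
    for marker, _, seg in iter_segments(data):
        if marker not in METADATA_MARKERS:  # keep only picture segments and scan data
            out += seg
    return bytes(out)

def is_acceptable_upload_name(name):
    parts = name.lower().split(".")  # exactly one extension, and an image one
    return len(parts) == 2 and bool(parts[0]) and parts[1] in {"jpg", "jpeg", "png", "gif"}

def _segment(marker, body):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body

# Constructed sample: JFIF APP0, EXIF APP1 with inert PHP text, dummy DQT, SOS + fake scan, EOI.
SAMPLE_JPEG = (b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00<?php echo 'constructed, inert'; ?>")
    + _segment(0xDB, bytes(65))
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9")
```

Stripping segments only removes metadata; it does not protect against a bug in the viewer's decoder, which is why hosts that also re-encode the pixels get a stronger guarantee.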
Nov 23, 2021 17:33:54   #
Longshadow Loc: Audubon, PA, United States
 
JD750 wrote:
Yes, but…

From Quora:

"Yes, a specially crafted image can contain executable code. But, it usually has to be targeted to one specific vulnerability in one specific program that contains a programming flaw that allows information in the picture to overwrite information in the program displaying it in a predictable way.

Booby-trapping a picture file is a targeted attack. If the picture is displayed using something other than the program you’re targeting, the payload won’t be executed."
Source: https://www.quora.com/Can-picture-files-contain-viruses


Nov 23, 2021 17:34:21   #
Longshadow Loc: Audubon, PA, United States
 
johngault007 wrote:
I had to look this up because it is not very common but a very neat trick. The tradecraft I found indicated that it could happen, but the software handling the data (EXIF) would have to be known. So if the code was written it would need to target a specific software and version where a discovered/known bug existed. So there isn't a one-size-fits-all method to exploit end users. EXIF data is typically read by some sort of software that lacks the ability to make calls to DLL files or other system files, which is fortunately a great safety feature that was not intended, but necessary.


The good news is that most (hopefully all by now) antivirus software picks up the php string that could potentially be malicious and stops the call back before it even happens. Additionally, any site that strips metadata and applies compression pretty much nulls out this type of attack instantly.

Also, any respectable and security-conscious website provider has patched this vulnerability and does not allow executable files to be uploaded (e.g. picture.php.jpg).

I'll keep playing around with this, because I may include this in some of my training if I can find a more common and foolproof way to launch exploits using it.


Nov 23, 2021 17:55:31   #
Quixdraw Loc: x
 
johngault007 wrote:
I had to look this up because it is not very common but a very neat trick. The tradecraft I found indicated that it could happen, but the software handling the data (EXIF) would have to be known. So if the code was written it would need to target a specific software and version where a discovered/known bug existed. So there isn't a one-size-fits-all method to exploit end users. EXIF data is typically read by some sort of software that lacks the ability to make calls to DLL files or other system files, which is fortunately a great safety feature that was not intended, but necessary.


The good news is that most (hopefully all by now) antivirus software picks up the php string that could potentially be malicious and stops the call back before it even happens. Additionally, any site that strips metadata and applies compression pretty much nulls out this type of attack instantly.

Also, any respectable and security-conscious website provider has patched this vulnerability and does not allow executable files to be uploaded (e.g. picture.php.jpg).

I'll keep playing around with this, because I may include this in some of my training if I can find a more common and foolproof way to launch exploits using it.


Thanks!

Nov 23, 2021 18:59:21   #
kenpic Loc: Edmonds, WA
 
Longshadow wrote:
WOW. They go to any extent.

Any info on how the code in the EXIF gets executed?


That will take you down a bunch of rabbit holes.
Here is one:

https://blog.reversinglabs.com/blog/malware-in-images

Nov 23, 2021 19:21:23   #
Longshadow Loc: Audubon, PA, United States
 
kenpic wrote:
That will take you down a bunch of rabbit holes.
Here is one:

https://blog.reversinglabs.com/blog/malware-in-images


But I didn't see where it states how the code in an image gets executed.
What causes the code to run?

Copyright 2011-2024 Ugly Hedgehog, Inc.