Ugly Hedgehog - Photography Forum
Main Photography Discussion
Images can contain malware
Page <prev 2 of 2
Nov 24, 2021 09:03:32
johngault007 Loc: Florida Panhandle
Longshadow wrote:
But I didn't see where it states how the code in an image gets executed.
What causes the code to run?


LS,
That is the magic of this exploit. The jpg exif strings do not contain any executable code, but rely on a compromised web server where the "image" is hosted. That php string (obfuscated or not) will then utilize the infrastructure the attacker has on the compromised host to initiate a remote connection.

Reply
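A way to check for the kind of string johngault007 describes, from the defender's side: the example below is added here and is not code from the forum thread or any linked article. It walks the standard JPEG marker layout (SOI, then length-prefixed segments up to SOS), looks only at the APPn and COM segments where EXIF and comment text live, and searches them for a PHP open tag; because the post notes the string may be obfuscated, it makes a second pass that decodes any long base64 run and searches the decoded bytes. The three sample images are constructed inline and the "PHP" they carry is an open tag around a comment, nothing more.

```python
"""Scan JPEG metadata segments for embedded PHP text (defensive triage check).

Added example, not code from the forum thread. Sample images are constructed
inline below; the embedded text is a PHP open tag around a comment only.
"""
import base64
import binascii
import re
import struct

# Metadata-bearing segments: APP0..APP15 (APP1 carries EXIF) and the comment segment.
METADATA_MARKERS = {0xE0 + i: f"APP{i}" for i in range(16)}
METADATA_MARKERS[0xFE] = "COM"

# PHP open tags: the long form and the "<?=" echo short tag.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)")
# Long runs of base64 alphabet characters: candidates for a second, decoded pass.
BASE64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def iter_segments(data: bytes):
    """Yield (marker, payload) for each segment between SOI and SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker byte at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: no more metadata segments follow
            return
        # Segment length is big-endian and includes its own two bytes.
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def find_php_in_metadata(data: bytes):
    """Return findings: which segment, byte offset within its payload, and whether
    the tag was visible in plain text or only after decoding a base64 run."""
    findings = []
    for marker, payload in iter_segments(data):
        name = METADATA_MARKERS.get(marker)
        if name is None:
            continue  # quantisation/Huffman tables, frame headers: not text
        m = PHP_TAG_RE.search(payload)
        if m:
            findings.append({"segment": name, "offset": m.start(), "encoding": "plain"})
            continue
        for run in BASE64_RUN_RE.finditer(payload):
            try:
                decoded = base64.b64decode(run.group(0))
            except (binascii.Error, ValueError):
                continue  # not valid base64 after all
            if PHP_TAG_RE.search(decoded):
                findings.append({"segment": name, "offset": run.start(), "encoding": "base64"})
                break
    return findings


def build_jpeg(segments):
    """Assemble a minimal JPEG header from (marker, payload) pairs (test helper)."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in segments:
        out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    out += b"\xff\xd9"
    return bytes(out)


# Constructed samples. The "PHP" is an open tag around a comment, no payload.
JFIF_APP0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
EXIF_HEADER = b"Exif\x00\x00MM\x00*" + b"\x00" * 8  # 18 bytes precede the string
MARKER_TEXT = b"<?php /* constructed sample, no payload */ ?>"

BENIGN_JPEG = build_jpeg([(0xE0, JFIF_APP0), (0xE1, EXIF_HEADER + b"Camera model string")])
PLAIN_JPEG = build_jpeg([(0xE0, JFIF_APP0), (0xE1, EXIF_HEADER + MARKER_TEXT)])
BASE64_JPEG = build_jpeg([(0xE0, JFIF_APP0), (0xFE, base64.b64encode(MARKER_TEXT))])

if __name__ == "__main__":
    for label, img in (("benign", BENIGN_JPEG), ("plain", PLAIN_JPEG), ("base64", BASE64_JPEG)):
        print(label, find_php_in_metadata(img))
```

This is a triage heuristic for files sitting on a web host, not a substitute for the real control: as the post says, the string only does anything because something on the compromised server runs it, so an image that trips this check is a sign to look at the server, not just the file.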
Nov 24, 2021 09:10:16
Longshadow Loc: Audubon, PA, United States
johngault007 wrote:
LS,
That is the magic of this exploit. The jpg exif strings do not contain any executable code, but rely on a compromised web server where the "image" is hosted. That php string (obfuscated or not) will then utilize the infrastructure the attacker has on the compromised host to initiate a remote connection.

Thanks.

(Some nasty people out there...)

Reply
Nov 24, 2021 09:51:20
JD750 Loc: SoCal
johngault007 wrote:
LS,
That is the magic of this exploit. The jpg exif strings do not contain any executable code, but rely on a compromised web server where the "image" is hosted. That php string (obfuscated or not) will then utilize the infrastructure the attacker has on the compromised host to initiate a remote connection.


What is meant by "compromised"?

Reply
Nov 24, 2021 09:59:05
johngault007 Loc: Florida Panhandle
JD750 wrote:
What is meant by "compromised"?


Any computer or resource that has been negatively impacted either intentionally or unintentionally by an untrusted source.

It can impact one or all of the CIA triad (confidentiality, integrity, availability).

Reply
Nov 24, 2021 11:19:01
JeffDavidson Loc: Originally Detroit Now Los Angeles
Thanks!

Reply
Nov 24, 2021 12:15:38
rook2c4 Loc: Philadelphia, PA USA
Longshadow wrote:
But I didn't see where it states how the code in an image gets executed.
What causes the code to run?


The only way I can imagine this to happen is if the computer already has malware which continuously looks for that specific jpeg file on the hard drive and when found, then triggers it to execute.

Reply
Nov 24, 2021 12:29:59
johngault007 Loc: Florida Panhandle
rook2c4 wrote:
The only way I can imagine this to happen is if the computer already has malware which continuously looks for that specific jpeg file on the hard drive and when found, then triggers it to execute.



If there is already malware on the computer, why does it need another file to trigger more malware?

It was described above, someone posted a link.

Reply
Nov 24, 2021 16:31:15
rook2c4 Loc: Philadelphia, PA USA
johngault007 wrote:
If there is already malware on the computer, why does it need another file to trigger more malware?


So that both the malware file already on the computer as well as the modified image file are less likely to be recognized by anti-virus/malware protection software as a threat. Malware today is far more sophisticated than, say, 20 years ago - specifically written to outsmart protection software by appearing as harmless individual files, such as a normal jpeg file, or a file that looks for other files, both of which are plentiful on any computer.

Reply
Nov 24, 2021 16:43:12
johngault007 Loc: Florida Panhandle
rook2c4 wrote:
So that both the malware file already on the computer as well as the modified image file are less likely to be recognized by anti-virus/malware protection software as a threat. Malware today is far more sophisticated than, say, 20 years ago - specifically written to outsmart protection software by appearing as harmless individual files, such as a normal jpeg file, or a file that looks for other files, both of which are plentiful on any computer.


But if malware is already on the host, there is no need to "double down" and add more. That is just twice the likelihood of being detected. In this instance the jpg does not "contain" malware, just a set of instructions to start a process to either initiate a remote session or deliver a payload to the malware on the targeted host. The JPG in fact never needs to be downloaded, since it is viewed in a browser and executed server side.

Yes, malware is very sophisticated. One of the most recent malware/ransomware strains out there uses a Word macro which is enabled by a user when they open an email attachment. That macro downloads a dll file which is side-loaded using a signed executable that is present on the system by default. There is no need to download additional malware to do anything, because the ransomware is already running and the system is compromised.

Reply
Copyright 2011-2024 Ugly Hedgehog, Inc.