Malware in Images, a Social Engineering Example
It used to be that image file types were widely considered "safe": it should not be possible for an image to cause arbitrary code to run on a system. As various holes were found in system-level image-handling code, it became apparent that images could carry a malicious payload either in their headers or in the image data itself. Some systems would struggle when confronted with a file purporting to be an image but carrying an executable payload that the system would attempt to execute. Internet forums and message boards became favoured places to cause havoc with malicious images. Microsoft's Malware Protection Center (MMPC) has uncovered an interesting variation of a malicious image.
As uncovered by the MMPC, the malicious image starts out as a fairly innocuous .png file, accompanied by instructions to open it in MS Paint and then resave it as a .hta file with the Bitmap image type. The lower section of the initial .png appears to be random noise, but when the file is resaved as directed, that noise decompresses into a JavaScript payload that executes when the resulting .hta file is opened. Because the .hta extension denotes an HTML Application, the system ignores the leading bitmap image data and executes the HTML / JavaScript that follows it, allowing the payload to run.
It is a fairly involved, but interesting, attack. It requires several active steps from the victim in order for the desired payload to be activated. With such involved steps required, it is unlikely that such a method would ever be used in a widespread attack, but it does highlight some of the possibilities for hiding information and data in otherwise innocent formats.
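The defensive corollary is that a file's extension and its leading bytes should be checked together. The following is an added example, not code from the MMPC write-up: a small Python triage check that flags a script-type extension (.hta, .js, ...) on a file that begins with a BMP or PNG header, HTML/script markers sitting inside image bytes, and data appended past the declared end of a BMP or PNG. The sample files, marker list and extension list are constructed for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
SCRIPT_EXTS = {"hta", "htm", "html", "js", "vbs"}
HTML_MARKERS = (b"<script", b"<html", b"<hta:application", b"javascript:")  # pixel noise never spells these

def png_trailing_bytes(data):
    """Walk the PNG chunk list and return the byte count after IEND (None if no IEND is found)."""
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        pos += 12 + length  # length + type + payload + crc
        if ctype == b"IEND":
            return len(data) - pos
    return None

def assess(filename, data):
    """Return a list of findings for one file; an empty list means nothing suspicious."""
    findings = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    is_bmp = len(data) >= 14 and data[:2] == b"BM"
    is_png = data.startswith(PNG_SIG)
    if ext in SCRIPT_EXTS and (is_bmp or is_png):
        findings.append("script-type extension but the file begins with an image header")
    if (is_bmp or is_png) and any(m in data.lower() for m in HTML_MARKERS):
        findings.append("HTML/script markers embedded in image bytes")
    if is_bmp:
        declared_size = struct.unpack_from("<I", data, 2)[0]  # bfSize field
        if len(data) > declared_size:
            findings.append(f"{len(data) - declared_size} bytes appended after the declared BMP size")
    elif is_png:
        trailing = png_trailing_bytes(data)
        if trailing:
            findings.append(f"{trailing} bytes appended after the PNG IEND chunk")
    return findings

# --- constructed sample files for demonstration; none of this is real malware ---
def make_bmp(pixel_bytes):
    """Minimal one-row 24-bit BMP whose pixel area is pixel_bytes (rows padded to 4 bytes)."""
    row = pixel_bytes + b"\0" * (-len(pixel_bytes) % 4)
    info = struct.pack("<IiiHHIIiiII", 40, len(pixel_bytes) // 3, 1, 1, 24, 0, len(row), 2835, 2835, 0, 0)
    header = struct.pack("<2sIHHI", b"BM", 54 + len(row), 0, 0, 54)
    return header + info + row

def png_chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))
CLEAN_PNG = PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)) + png_chunk(b"IEND", b"")
POLYGLOT_HTA = make_bmp(b"\xff" * 30 + b"<html><script>x = 1</script></html>")  # image header, script in pixels
```

Running `assess("image.hta", POLYGLOT_HTA)` reports both the extension mismatch and the embedded markers, while a plain bitmap from `make_bmp` returns no findings.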
12 August 2010