Image-Borne Malware: How Viewing an Image Can Infect a Device


There's nothing dangerous about viewing pictures in a browser, right? Most users with some level of technical knowledge are familiar with typical malware concealment methods, such as document-borne malware. But there's more than one way to introduce malware. Image malware — malware that's concealed within in-browser images — has become a potential threat vector as well.

Users typically don't think of common image files (such as .jpg, .png, .bmp, and .gif pictures) as risky or insecure. But Saumil Shah, CEO of Net-Square and security researcher, explained how it's possible to conceal malicious code in an image during his presentation at the 2015 Amsterdam hacking conference, Hack In The Box. He then demonstrated how to get the browser to execute the code, resulting in a successful malware attack.

In other words, a device can be compromised, in theory, after simply opening a picture in a browser.

Referencing the ancient method of message concealment called steganography, Shah dubbed this kind of malware exploit "Stegosploit." (Steganography refers to hiding data in an image, message, or file.)

The Stegosploit technique hides malicious code within the pixels of a digital image. Shah called the code used in the image "IMAJS," a combination of JavaScript and image data. It leverages the HTML5 <canvas> element, supported by commonly used browsers such as Internet Explorer and Firefox, to have the browser read the pixel values back out and reassemble them into JavaScript.

When a browser loads the picture, the hidden payload is automatically decoded and the malicious code executed. In one example, Shah demonstrated how to use the IMAJS code to hack into a PC and send the machine's data to the attacker.

This kind of attack is especially pernicious because opening an image isn't typically considered dangerous. The user doesn't have to enable scripts, download the image or, indeed, take any action at all aside from opening the image for the malware to infect the device.

The majority of images are safe, but it's impossible to know for sure without analyzing an image file — or rather, every image file accessed by an end user — on a granular level.

OPSWAT's Solution

Content Disarm and Reconstruction (CDR), also called Data Sanitization, is one way to effectively block image-borne malware: it removes embedded active content, including anything written in JavaScript. CDR strips the potentially unsafe elements of a file, such as scripts or macros, then breaks the file down and rebuilds it without them, keeping the original appearance and functionality intact.
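As an added example that is not part of this post or of OPSWAT's products, here is a minimal CDR pass for PNG files in Python. It keeps only the chunks a viewer needs to render the image, recomputes their CRCs, re-deflates the pixel stream, and discards metadata chunks and any bytes after the IEND marker, the places where non-image content such as script text can be carried; the sample image and its chunk names are constructed for the demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunks a viewer needs to render the image; anything else is dropped.
KEEP = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"}

def parse_chunks(data):
    """Yield (type, payload) per chunk; stops at IEND, so trailing bytes are ignored."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        if len(payload) != length:
            raise ValueError("truncated chunk")
        yield ctype, payload
        pos += 12 + length  # 4 length + 4 type + payload + 4 CRC
        if ctype == b"IEND":
            return

def build_chunk(ctype, payload):
    # Serialize a chunk with a freshly computed CRC, never reusing the input's.
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def sanitize_png(data):
    """Rebuild the PNG from rendering chunks only, re-deflating the pixel stream."""
    header, idat = [], b""
    for ctype, payload in parse_chunks(data):
        if ctype == b"IDAT":
            idat += payload
        elif ctype in KEEP and ctype != b"IEND":
            header.append(build_chunk(ctype, payload))
    raw = zlib.decompress(idat)  # rejects a pixel stream that is not valid deflate
    return (PNG_SIG + b"".join(header)
            + build_chunk(b"IDAT", zlib.compress(raw, 9)) + build_chunk(b"IEND", b""))

def chunk_types(data):
    return [ctype for ctype, _ in parse_chunks(data)]

def pixel_stream(data):
    # Decompressed scanline bytes, used to confirm the image content is unchanged.
    return zlib.decompress(b"".join(p for t, p in parse_chunks(data) if t == b"IDAT"))

def make_sample_png():
    """Constructed 2x1 RGB image with a tEXt chunk and junk after IEND (hypothetical)."""
    ihdr = struct.pack(">IIBBBBB", 2, 1, 8, 2, 0, 0, 0)
    scanline = b"\x00" + b"\xff\x00\x00" + b"\x00\xff\x00"  # filter byte + two pixels
    return (PNG_SIG + build_chunk(b"IHDR", ihdr) + build_chunk(b"tEXt", b"Comment\x00constructed metadata")
            + build_chunk(b"IDAT", zlib.compress(scanline)) + build_chunk(b"IEND", b"") + b"TRAILING-BYTES")
```

Bits encoded in the pixel values themselves survive this pass, since the scanlines are left as they are; a full CDR pipeline would also decode and re-encode the pixels so that the decoder script, not just its carrier chunks, loses its input.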


File Type Conversion is another way to make an image safe. Converting a .jpg or .png into a PDF means the image is never opened by the application the hidden code relies on to read and execute it, so the malicious code is never run.

Attackers are always looking for new threat vectors, which is why OPSWAT is dedicated to protecting organizations from the latest threats.

h/t The Hacker News
