Using File Type Conversions to Eliminate Malware

There have been several stories in the news recently (here and here) about the variant of the Zeus/Zbot Trojan that was found to be using images to hide malicious code.

Malicious Image

As these articles explain in more detail, this new variant of Zeus (ZeusVM) uses steganography to hide malicious code within image files that appear innocuous. Many users are unaware that malicious code can be hidden within an image while the image still displays correctly. In that case the end user may not realize that their endpoint has been compromised by the image, because everything looked fine when the image was opened and no suspicious executables were seen to run.

Attacks like this can be missed by antivirus engines that rely on signature-based detection. Since malicious code can be appended to the end of any image file, it is relatively easy to generate a new file whose hash is not listed in any malware database. To completely eliminate threats like this that no antivirus engine detects, it is recommended to supplement antivirus scanning by converting the file to a safer file type.

For example, a user could convert a JPEG to Bitmap to remove potential threats embedded within the file. In threats like these, the malicious code is hidden in a non-visible part of the JPEG file, such as the header or the footer. File type conversion removes it because the conversion carries over only the image data of the JPEG, leaving the malicious code behind when the image is written out in the Bitmap format. If desired, the image can then be converted back to the original JPEG format.
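As an added illustration (not OPSWAT's or MetaDefender's code), the following Python walks the JPEG marker structure and rebuilds the file from only the segments a decoder needs, dropping APPn/COM metadata segments and anything that trails the EOI marker, which is where appended payloads and file-hash variations usually live. This segment-level cleanup is weaker than the full conversion to Bitmap described above, which re-encodes the pixels and therefore also discards data hidden inside the image data itself; the marker constants are from the JPEG specification and the sample bytes are constructed, not a real image.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, SOI, EOI, *range(0xD0, 0xD8)}  # markers with no length field
DROP = {0xFE, *range(0xE0, 0xF0)}                   # COM and APP0..APP15

def sanitize_jpeg(data: bytes) -> tuple[bytes, dict]:
    """Return (cleaned_bytes, report): keeps only segments a decoder needs."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    out = bytearray(b"\xff\xd8")
    report = {"dropped_segments": [], "trailing_bytes": 0}
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:  # everything after EOI is invisible to a viewer
            out += b"\xff\xd9"
            report["trailing_bytes"] = len(data) - (pos + 2)
            return bytes(out), report
        if marker in STANDALONE:
            out += data[pos:pos + 2]
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segment = data[pos:pos + 2 + length]
        pos += 2 + length
        if marker in DROP:  # metadata/comment segments never affect pixels
            report["dropped_segments"].append(f"0x{marker:02X}")
            continue
        out += segment
        if marker == SOS:
            # Entropy-coded data follows; it ends at the next real marker:
            # 0xFF not followed by 0x00 (byte stuffing) or an RSTn marker.
            start = pos
            while pos + 1 < len(data) and not (data[pos] == 0xFF
                    and data[pos + 1] != 0 and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
            out += data[start:pos]
    raise ValueError("truncated JPEG (no EOI marker)")

# Constructed sample (not a real image): APP0 and COM segments, a stuffed 0xFF00 in the scan, a blob after EOI.
SAMPLE = (b"\xff\xd8"                        # SOI
          + b"\xff\xe0\x00\x04JF"            # APP0
          + b"\xff\xdb\x00\x04\x00\x01"      # DQT
          + b"\xff\xda\x00\x04\x01\x00"      # SOS header
          + b"\x12\x34\xff\x00\x56"          # entropy-coded data
          + b"\xff\xfe\x00\x05cmt"           # COM: a common hiding spot
          + b"\xff\xd9"                      # EOI
          + b"MZ\x90\x00PAYLOAD")            # trailing data a viewer never reads
```

Running `sanitize_jpeg(SAMPLE)` returns a 21-byte file containing only SOI, DQT, SOS, the scan data and EOI, and a report listing the two dropped segments and 11 trailing bytes; feeding the result back in changes nothing, which is a useful check for a sanitization step.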

It is still valuable to check files against antivirus engines, because known threats can be filtered out without going through the relatively costly file type conversion process. Scanning with antivirus engines first, then converting potentially risky file types into different types to remove embedded threats, greatly decreases the risk of being infected with this type of threat.

OPSWAT's MetaDefender allows you to define data security workflows that incorporate both multi-scanning and file type conversions. To find out more about MetaDefender, please visit the product page.

For more information, please contact one of our critical infrastructure cybersecurity experts.
