BREAKING NEWS!

In last week’s advisory, dated 25 May, we talked about JPEG files being used as a vehicle to spread malware.

Now you can get hacked by just clicking on a photo.  That photo of a pretty woman that you just received, or a photo of a cute animal that someone has sent you, may hold more than you expect.

Such a picture as above could hack your computer.

A security researcher, Saumil Shah from India has discovered a technique where hackers can hide malicious code inside the pixels (see Definition) of an image to infect unsuspecting victims.  The technique has been dubbed “Stegosploit.”

At a hacking conference that was held last Thursday in Amsterdam, Saumil Shah demonstrated the technique of hiding the malicious code directly into a photo.  This does away with the typical delivery mechanism of malicious exploits that utilizes email attachments, PDFs or other types of files for purpose of infection.

The security expert used a technique called Steganography (see Definition).  With this technique a malicious attacker can hide messages and contents within a digital graphic image, thus making messages impossible to spot with the naked eye.

Up until today, Steganography is used to communicate secretly by disguising a message in a way that anyone intercepting it will not know of the hidden secret.  It is also used by terrorist organizations to communicate securely with each other by sending messages via images and video files.  It is for this reason that the National Security agency (NSA) officials are ‘forced’ to watch a lot of porn, as some of the messages are hidden in such movie files.

In this case, instead of hidden messages, hackers can encode malicious code or exploits inside the image’s pixel.

As Shah said,”I don’t need to host a blog. I don’t need to host a website at all.  I don’t even need to register a domain.  I can take an image, upload it somewhere and if I just point you toward that image, and you load this image in a browser, it will detonate.”

The malicious code is a combination of both image code and JavaScript that is hidden into a JPG or PNG file.

In the Stegosploit technique the exploit will only work when the unsuspecting victim opens the image in his or her web browser and clicks the image.

A point to note is that once the image is clicked, the system’s CPU usage increases to 100 percent, which is an indication that the exploit is working.  Data from the victim’s machine is then sent back to the attacker and in the process a text file is created on that machine that says, “You are hacked!”

To further prove the versatility of this technique, the security expert has programmed the malicious image to do more – downloading and installing spyware on the victim’s machine and also stealing sensitive data from that machine.

This technique, however, has not been tested on popular image sharing websites like Dropbox.

Recommendation

1. Never presume that image files are ‘clean’.
2. Always be sure before you click on an image. If in doubt, don’t.

Definition

1. Pixels – derived from the words “picture element”. It is a single point in a graphic image. An image is made up of thousands or millions of pixels arranged in rows and columns. They are so close to each other, they seem connected.
2. Steganography – from the Greek words of steganos (covered) and graphie (writing). It’s the concealing of secret messages or information within an ordinary message.

Source

1. The Hacker News.
2. Zimbio (image on pg 1).