Perrun, the ancient god of malicious thunder
The Anti-virus Times issue about malicious code being embedded in image files aroused our readers' interest. Sadly but understandably, most users still believe that only executable files can be dangerous. Meanwhile, malicious images already have a long history of their own.
The first piece of malware to infect JPEG images was discovered. Dubbed W32/Perrun, it was sent to the McAfee laboratory by its author as a proof of concept.
It should be noted that the malware didn't infect files the way other viruses did. Image viewers don't read a file blindly from its first byte to its last; they rely on metadata, such as file headers, to locate the image data. As a result, should a piece of code be appended to an image file, it won't interfere with the way the image is displayed on the screen. Image editors and viewers will merely leave it unprocessed. And the appended data doesn't always have to be malicious. It can be a signature verifying the file's origin. But let's get back to the first graphical malware program.
According to the anti-virus researchers who first dissected Perrun, the virus was an 18-kilobyte Windows application.
Interestingly, this review of Perrun envisions the use of more sophisticated data-concealing techniques for images.
Perrun will likely be just a forerunner because the hype around it will only encourage (has encouraged) virus makers to "work" in this direction. And their new malicious programs won't just append code to the end of files but will use sophisticated steganographic routines. According to my sources, this kind of malware is already being developed. I used the gathered information to create a "portrait" of the scourge we are likely to face.
So how does Perrun work?
In Windows, filename extensions can be associated with a set of operations that will be performed with the corresponding files. File association information is stored in the Windows Registry.
If the default application for JPG files is replaced with another program (a decoder) that was deployed by an attacker beforehand, double-clicking on any JPG file will make that program open the file and extract any malicious payload present. Furthermore, the decoder will save the extracted code in the directory where the image is located as the executable file x.exe and run it. Once x.exe has been launched, the decoder can also do something positive, for example, start a legitimate image viewer.
Here, “infection” merely means code has been appended to the end of a jpg file.
Let's put it in simpler terms. Malicious code is inserted into a graphics file for the purpose of hiding it. Few people remember that the first anti-viruses gave users the choice to scan all files or only executable ones. Naturally, the second option resulted in a quicker scan. Experienced users took advantage of that as did criminals.
We already mentioned that in Windows, a file type can be associated with an application that will be opened whenever a user clicks on a file of the specified type. Perrun would change the file association and launch itself automatically whenever an image file was opened. When launched, the malware would extract the malicious code from the image file and run it.
Of course, the malware couldn't appear on a PC out of nowhere. Just like now, it had to get into the system via email, as a download, or by being copied from removable media.
In other words, to run malicious code that has been concealed in a JPG file, a machine must be infected with the corresponding decoder application.
Strictly speaking, the system gets infected when the Perrun executable is launched. When launched, it will perform two principal tasks. First: it extracts the decoder program into a system directory. Second: it modifies the Windows Registry to change the default application used to open image files.
Now, once the decoder has been deployed in the infected system and registered as the default JPG viewer, all JPEG files will pass through its "hands", i.e., they will be opened with the help of this malicious decoder. From now on, the deployed decoder will simultaneously be "showing" users JPG images and extracting and executing any malicious payload present within them.
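The "append code after the image" trick described above is also what makes this kind of infection easy to spot from the defender's side: a well-formed JPEG ends with an EOI marker (FF D9), and anything after it is not image data. The following scanner is an added example written for this article, not code from the original issue or from any anti-virus vendor. It walks the JPEG marker structure to find the real end of the image, reports how many bytes trail it, and checks whether the trailing blob carries a PE ("MZ" ... "PE\0\0") header of the kind a Perrun-style decoder would carve out and run. The two sample files, the JFIF skeleton and the fake "executable" tail, are constructed inline so the example runs offline; neither is a real image or a real program.

```python
import struct

def _segment(marker, payload):
    """Build one JPEG marker segment: FF <marker> <2-byte length incl. itself> <payload>."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: minimal JPEG skeleton (SOI, APP0/JFIF, SOS header, a few
# "entropy-coded" bytes, EOI). Structurally valid, not a viewable picture.
CLEAN_JPEG = (
    b"\xff\xd8"                                                   # SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")  # APP0
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")                 # SOS header
    + b"\x12\x34\x56\x78"                                         # scan data (constructed)
    + b"\xff\xd9"                                                 # EOI
)

# Constructed appended blob: an MZ header whose e_lfanew (offset 0x3C) points at
# a "PE\0\0" stub. No real code, just the signatures a carving decoder keys on.
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 20
INFECTED_JPEG = CLEAN_JPEG + FAKE_PE

def find_eoi_offset(data):
    """Return the offset just past the EOI marker, or None if the file is not a parseable JPEG."""
    if data[:2] != b"\xff\xd8":
        return None
    n, pos = len(data), 2
    # Phase 1: walk the marker segments up to Start Of Scan.
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, skip it
            pos += 1
            continue
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                            # standalone markers carry no length
            continue
        if marker == 0xD9:
            return pos + 2                      # EOI before any scan: odd, but complete
        if pos + 4 > n:
            return None
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + length
        if marker == 0xDA:
            break                               # entropy-coded data follows the SOS header
    # Phase 2: scan entropy-coded data. FF00 is a stuffed byte and FFD0-FFD7 are
    # restart markers; any other marker (e.g. a further SOS in a progressive file)
    # has a length field and is skipped as a segment.
    while pos + 1 < n:
        if data[pos] != 0xFF:
            pos += 1
            continue
        nxt = data[pos + 1]
        if nxt == 0xD9:
            return pos + 2
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
            pos += 2
            continue
        if pos + 4 > n:
            return None
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + length
    return None

def looks_like_pe(blob):
    """True if blob starts with an MZ header whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack("<I", blob[0x3C:0x40])[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def scan_jpeg(data):
    """Summarise what, if anything, follows the image's EOI marker."""
    end = find_eoi_offset(data)
    if end is None:
        return {"status": "malformed", "trailing_bytes": 0, "pe_appended": False}
    tail = data[end:]
    return {
        "status": "suspicious" if tail else "clean",
        "trailing_bytes": len(tail),
        "pe_appended": looks_like_pe(tail),
    }

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_JPEG), ("infected", INFECTED_JPEG)):
        print(name, scan_jpeg(sample))
```

Trailing bytes on their own are only a hint: as the article notes, some tools append legitimate data such as a signature after the image, so the useful signal is trailing data that parses as an executable, or that appears on many files at once, which is what a Perrun-style decoder registered as the JPG handler would leave behind.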
This is a complex story and attackers have learnt a great deal from it. In a few decades they have mastered many intrusion and concealment techniques. Users still believe that some of their tricks don't exist. But they do, and the anti-virus is aware of them.
PS. I apologise to our readers, but this quotation is painfully relevant:
the entire world wide web is laughing but I repeat that viruses don’t exist for linux and android and it was you yourself who paid money for some subscription you need to read carefully and understand what you’re doing some people divulge their bank card numbers to strangers over the phone and then cry that their money got stolen how silly
And who will be laughing in the end?