Your browser is obsolete!

The page may not load correctly.

Unexpected guests

Незваные гости

Other issues in this category (70)
  • add to favourites
    Add to Bookmarks

Code under the left elbow

Read: 1102 Comments: 2 Rating: 10

Wednesday, April 11, 2018

Some Anti-virus Times issues have been devoted to bogus images. Naturally, our readers have wondered how malicious code is injected into an image and whether anti-viruses can detect the code.


Can you see the binary code? It's right under her left elbow! :)

Appending a short piece of malicious code to an image is not difficult. How the code can be used later is more important. In our example, the attackers opted for the simplest method:

The image (art-981754.png) with the malicious payload was downloaded easily using the wget command. Then the dd (data duplicator) command was used to extract an executable from the photo. Then the file x4060014400 was granted all the necessary permissions (chmod 777) Launching the executable was the final step.


Here the wget instruction is used to download and save the image file. The dd utility uses the specified offset to extract a portion of the file and write it into another file. Then the image is deleted (cover the tracks!), and the resulting malicious file is launched.

These commands can be run from a Linux terminal, but in this example, they were executed using the SELECT statement.

Of course, once the job was done, the attackers needed to cover their tracks.


The file was deleted after it was launched. Note that under Linux deleting a file that is currently being used doesn't remove the corresponding data. In our example the launched file would become invisible in the file system but remain operational nonetheless. To destroy the file, one would have to find and stop the process that was using it.

And what would the anti-virus say?


Dr.Web detects the code extracted from the image as a rogue miner. So if the anti-virus is protecting the system, the code won't be executed.

#malware #Linux #technologies #Dr.Web_settings #security

The Anti-virus Times recommends

  1. Malware for Linux does exist.
  2. The rogue miner found in the image was classified as a utility belonging to the Tool category. Instruct your anti-virus to delete potentially dangerous programs by setting Move to quarantine as the default action for programs of this kind.


    See the error? If your anti-virus is configured in this way, a rogue mining application will be able to sneak into your computer.


Unfortunately, due to Facebook's technical limitations, Dr.Weblings cannot be awarded. However, you can share this link with your friends for free.

Tell us what you think

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.