Code under the left elbow
Wednesday, April 11, 2018
Some Anti-virus Times issues have been devoted to bogus images. Naturally, our readers have wondered how malicious code is injected into an image and whether anti-viruses can detect the code.
Can you see the binary code? It's right under her left elbow! :)
Appending a short piece of malicious code to an image is not difficult. How the code can be used later is more important. In our example, the attackers opted for the simplest method:
The image (art-981754.png) with the malicious payload was downloaded easily using the wget command. The dd (data duplicator) command was then used to extract an executable from the photo, and the resulting file x4060014400 was granted all the necessary permissions (chmod 777). Launching the executable was the final step.
Here the wget instruction is used to download and save the image file. The dd utility uses the specified offset to extract a portion of the file and write it into another file. Then the image is deleted (cover the tracks!), and the resulting malicious file is launched.
These commands can be run from a Linux terminal, but in this example, they were executed using the SELECT statement.
The file was deleted after it was launched. Note that under Linux, deleting a file that is currently in use (open or executing) doesn't remove the corresponding data. In our example, the launched file would become invisible in the file system but remain operational nonetheless. To destroy the file, one would have to find and stop the process that was using it.
And what would the anti-virus say?
Dr.Web detects the code extracted from the image as a rogue miner. So if the anti-virus is protecting the system, the code won't be executed.
The Anti-virus Times recommends
- Malware for Linux does exist.
- The rogue miner found in the image was classified as a utility belonging to the Tool category. Instruct your anti-virus to delete potentially dangerous programs by setting Move to quarantine as the default action for programs of this kind.
See the error? If your anti-virus is configured in this way, a rogue mining application will be able to sneak into your computer.