Your browser is obsolete!

The page may not load correctly.

Unexpected guests

Незваные гости

Other issues in this category (55)
  • add to favourites
    Add to Bookmarks

Living pictures

Read: 174 Comments: 2 Rating: 5

Many people are already aware of the fact that malicious code can be concealed in an image. However, in such cases, the image simply serves as safe storage, and another application is needed to extract the code. Or rather, that's how things worked until recently.

Polyglot exploits rely on files that can be JavaScript code and an image simultaneously, and no additional scripts are required to extract the payload. Once the image is loaded by a browser, it turns into an encrypted message. To understand its meaning, one has to run a decoder script whose code is also concealed in the image file.

Source

Here you can learn in detail how an attacker can trick a computer into interpreting file data in two ways.

Let's open a BMP file.

#drweb

The first two bytes (the red square) are the hexadecimal representation of the characters BM for a BMP image. The next 4 bytes (8A C0 A8 00) are the size of the image file. This is followed by 4 null bytes (00 00 00 00) and the data offsets (8A 00 00 00). This gives the computer most of the information it needs to know how to execute this file correctly.

Now here is a header for a Polyglot BMP image file:

#drweb

They look about the same. It still starts with BM. The size and data offsets are all still there. The clever trick here is that an attacker can control the size of the image, and the hexadecimal characters can be manipulated so that they are interpreted by the computer as something else. The attacker here has changed the size of the image bytes so that they happen to also be the character codes for /**. This combination of characters creates a JavaScript comment. JavaScript comments are used to make the JavaScript Interpreter ignore everything in between these characters. i.e., /* ignore me */.

Let's look at the part of the exploit that comes at the end of the file.

#drweb

As expected, the JavaScript comment is terminated with */. The attacker then adds the characters = and `. What the attacker has done here is turned the file type BM into a JavaScript variable and set it to another heavily obfuscated payload.

The file can now be run in the browser two different ways:

  • <img src = "polyglot.jpg" /> will show the user an image and ignore the JavaScript;
  • <script src = "polyglot.jpg"> </ script> will execute valid JavaScript and ignore the image data.

Try locating script code in the file below!

#drweb

#cryptography #JavaScript #exploit

Dr.Web recommends

Malicious code can lurk even in image files, and you will never guess that a seemingly harmless picture may have been the cause of your system infection.

Attackers are constantly perfecting technologies that help disguise and conceal malicious code. However, security technologies are constantly evolving too, and, apart from an anti-virus, there is no way to protect a system from these types of threats. Install Dr.Web: Thanks to the synergy that exists between its behavioural analyser and its non-signature heuristic and preventive protection technologies, it protects systems against all known and unknown threats.

Rate this issue and receive Dr.Weblings! (1 vote = 1 Dr.Webling)

Sign in and get 10 Dr.Weblings for sharing the link to this issue via social media.

[Twitter]

Unfortunately, due to Facebook's technical limitations, Dr.Weblings cannot be awarded. However, you can share this link with your friends for free.

Tell us what you think

Leave your comment on the day of publication and get 10 Dr.Weblings, or get 1 Dr.Webling for a comment posted any other day. Comments are published automatically and are reviewed by a moderator. Rules for leaving comments about Doctor Web news items.

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.

Comments