Image-Borne Malware: How Viewing an Image Can Infect a Device
December 12, 2016 | published by Chris Qiao
There's nothing dangerous about viewing pictures in a browser, right? Most users with some level of technical knowledge are familiar with typical malware concealment methods, such as document-borne malware. But there's more than one way to introduce malware. Image malware — malware that's concealed within in-browser images — has become a potential threat vector as well.
Users typically don't think of common image files (such as .jpg, .png, .bmp, and .gif pictures) as risky or insecure. But Saumil Shah, CEO of Net-Square and security researcher, explained how it's possible to conceal malicious code in an image during his presentation at the 2015 Amsterdam hacking conference, Hack In The Box. He then demonstrated how to get the browser to execute the code, resulting in a successful malware attack.
In other words, a device can be compromised, in theory, after simply opening a picture in a browser.
Referencing the ancient method of message concealment called steganography, Shah dubbed this kind of malware exploit "Stegosploit." (Steganography refers to hiding data in an image, message, or file.)
The Stegosploit technique hides malicious code within the pixels in a digital image. Shah referred to the malicious code used in the image as "IMAJS," and it's a combination of JavaScript and image code. The malware leverages the HTML 5 <canvastag, which is supported by commonly used browsers such as Internet Explorer and Firefox, to get the browser to read the pixel data as JavaScript.
When the picture is loaded by a browser, the hidden malware is automatically decoded. And the malicious code is executed. In one example, Shah demonstrated how to use the IMAJS code to hack into a PC and send the machine's data to the attacker.
https://www.opswat.com/blog/image-borne-malware-how-viewing-image-can-infect-device