How are viruses attached to files?

Question

How do viruses attach to files? How does it infect applications? I'm talking about down to the binary level, how does code get added to a file to make it infected?

Obviously, if we hash check the original, it will have a different hash from the infected file. Does that mean it has extra data added to the file? How does that work?

Forgive me if my question is not very clear, I find it difficult to portray my meaning. Just to ensure my point is made, this is how I view it right now:

< IMAGE BINARY > + < virus > = < IMAGE BINARY < virus > >

Answer 1

Depends on the virus, and on the type of file. Also, bear in mind that a "virus" technically describes a self-replicating form of malware - there are other forms of malware which can be concealed within files using similar techniques. So:

• Executables: Most executable files are relatively sparse - there are big gaps between the legitimate code and data for various reasons. Can be for performance reasons, or to take advantage of compiler optimisations, or just because various compiler flags weren't set to squeeze the output size to the minimum. Some viruses take advantage of this, and insert their instructions in these gaps, which changes the resulting hash of the file (note that a different hash means the contents are different, not just that the file size has changed). By hijacking the program entry point to execute the virus code before or instead of the legitimate code, a virus can be executed when the application is started.

  Note that in this case, executable files include things like DLL files - they are essentially Windows executables which expose functions, rather than being self contained applications. There are some technical differences, but in terms of infection, they are pretty much identical - just hijack a call and make it point to your code rather than the original.

  Linux executables are very similar, in having empty space, but the file system may also attempt to enforce rules as to whether specific files are treated as "executables" or "data", which can slightly complicated the issue.

• Data files: Some data files, especially media files (images, sounds, videos), use a block structure, where a number of distinct types of data are stored in distinct blocks. For example, a PNG file is comprised of, at minimum, three "chunks": a header, the image data, and an end of file marker. In these files, it's often possible to add extra blocks using the correct form, and add arbitrary data: in a PNG file, this could be adding an "iTXt" chunk, which is just a block of Unicode text.

  However, data files generally can't execute themselves, so there will normally be either a modified executable file as well, or a targeted flaw in a processing application. For example, if there was a command line image processing tool which took a folder of images and processed them in some way, it might be that a flaw could be found that meant by providing a specific input file it added data to all files in the folder processed after the "evil" file making them behave in the same way. This could be classified as virus-like behaviour, but wouldn't meet some definitions of a computer virus.

  For some file types, it's valid to add data after the legitimate file content too. For example, JPEG files can still work if you simply append text files to them - exactly as your mental image. This could be used by a virus, but due to the the lack of executability, is unlikely to be the only part of a virus.

Other forms of malware make use of similar techniques: there are whole families of malware which are inserted into PHP files and then execute when someone accesses the related page. Ransomware is often distributed by hijacking Javascript files and adding malicious code to them. In these cases, though, the code isn't usually self-replicating, so doesn't meet all the technical details of being a virus.