
A GIFAR file is a polyglot file with a fancy name. It can be "opened" both as a valid GIF file and a valid JAR file thus leading to security issues under certain circumstances.

Definition of a GIFAR file:

Graphics Interchange Format Java Archives (GIFAR) is malware that allows an attacker to piggyback off the victim’s HTTP cookies. A GIFAR is a photo that can "borrow" a victim's online credentials, possibly taking over the web user's session.

GIFAR is a Graphics Interchange Format (GIF) image file combined with a JAR file. Altered GIF files can be uploaded to Web sites that allow image hosting, and run code that works inside that site.

Besides "GIFAR", are there any other known polyglot files?

I did try to answer myself and I couldn't find anything else. So I guess the answer might be no.

ForguesR
  • It seems to be a way of implementing all the bad design features in Microsoft Office file formats into something else. (and yes, there are lots more file formats which aggregate multiple data streams with scripting/programs - all Microsoft's OLE based formats, Adobe PDF, OASIS, HTML....) – symcbean Mar 08 '16 at 14:09
  • @symcbean: GIF file has a header; JAR file has a footer, neither cares about padding. Therefore, a file created by `cat foo.gif bar.jar > baz.gifar` will be a valid GIF *and/or* a valid JAR - depending on whom you ask, and even on the order of magic byte checks ;) Same trick can be done with any combination of such header/footer formats - e.g. EXE/ZIP (I believe some self-extracting archives use this trick - don't want to run the executable? Just rename it and voila, it's the ZIP archive!) – Piskvor left the building Mar 08 '16 at 14:50
  • Interesting name. Makes it sound like the geeky younger brother of the villain from Aladdin... – Mason Wheeler Mar 08 '16 at 16:09
  • @Piskvor It feels weird that your comment that was almost a complete answer got incorporated to the **question** body. Your opinion on it? – Mindwin Mar 08 '16 at 16:56
  • I've done a rollback. Instead of rerollbacking (unrollbacking?) please come discuss in The DMZ to avoid edit wars :) – Ohnana Mar 08 '16 at 17:02
  • @Piskvor Technically, a JAR is just a renamed ZIP with a manifest inside. And appending ZIPs to images is rather well known. – Bob Mar 08 '16 at 17:29
  • @Mindwin: Doesn't make much sense to me. Moreover, I don't think that my comment actually answered the question (as it stood then), it's more of a technical aside. Two files glued back-to-back are not really a "polyglot", IMNSHO; something like this fits the description better: https://www.blackhat.com/docs/eu-14/materials/eu-14-Apvrille-Hide-Android-Applications-In-Images-wp.pdf – Piskvor left the building Mar 09 '16 at 08:24
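The header/footer mechanism described in the comments above (a GIF is identified by its leading magic bytes, a ZIP/JAR by the end-of-central-directory record at its tail, so the two can be concatenated) is also what makes such files detectable. The following is an added example, not code from the question or any answer: it builds a harmless GIF+JAR blob in memory (a 1x1 GIF followed by a JAR whose only entries are a manifest and a text file, both constructed here) and then shows how a defender's file scanner can tell that the blob is more than one format at once. The key check is that a ZIP whose central-directory offset does not line up with the start of the file is an archive glued onto something else; the `shift` it reports is exactly the size of the host file.

```python
"""Detect header/footer polyglots such as GIF+ZIP ("GIFAR").

Added example; the GIF bytes and the JAR contents are constructed here and
carry no code of any kind.
"""
import io
import struct
import zipfile

# Minimal valid 1x1-pixel GIF89a (constructed): header, logical screen descriptor,
# 2-entry global colour table, one image descriptor with LZW data, trailer ';'.
TINY_GIF = bytes.fromhex(
    "474946383961" "01000100" "800000" "000000ffffff"
    "2c00000000010001000002024401003b"
)

# Header-addressed formats: recognised by magic bytes at offset 0.
HEADER_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
    "pe": (b"MZ",),
}

EOCD_SIG = b"PK\x05\x06"   # ZIP end-of-central-directory record signature
CDIR_SIG = b"PK\x01\x02"   # ZIP central-directory file header signature
EOCD_LEN = 22              # fixed part of the EOCD record
MAX_COMMENT = 0xFFFF       # longest archive comment that may follow it


def find_zip(data: bytes):
    """Locate a ZIP archive anywhere in `data` by walking back from its footer.

    ZIP is footer-addressed, so an archive appended to another file stays
    readable.  The central-directory offset stored in the EOCD is relative to
    the archive, not to the file, so the difference between where the
    directory actually sits and where the EOCD says it sits is the size of
    whatever was prepended.  Returns None if no archive is found.
    """
    tail = data[-(EOCD_LEN + MAX_COMMENT):]
    pos = tail.rfind(EOCD_SIG)
    if pos == -1:
        return None
    eocd_pos = len(data) - len(tail) + pos
    if eocd_pos + EOCD_LEN > len(data):
        return None  # truncated record
    # After the 4-byte signature: disk no., CD disk no., entries on this disk,
    # total entries, CD size, CD offset, comment length.
    _, _, _, entries, cd_size, cd_offset, _ = struct.unpack(
        "<HHHHIIH", data[eocd_pos + 4:eocd_pos + EOCD_LEN])
    shift = eocd_pos - (cd_offset + cd_size)   # 0 for a plain ZIP file
    if shift < 0 or data[cd_offset + shift:cd_offset + shift + 4] != CDIR_SIG:
        return None
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return None
    return {"start": shift, "entries": entries, "names": names,
            "is_jar": "META-INF/MANIFEST.MF" in names}


def identify(data: bytes) -> dict:
    """Return every format the blob could plausibly be opened as."""
    found = {}
    for name, magics in HEADER_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            found[name] = {"start": 0}
    z = find_zip(data)
    if z:
        found["zip"] = z
    return found


def is_polyglot(data: bytes) -> bool:
    """True when the blob parses as more than one format, or as a ZIP that
    does not begin at offset 0 (an archive appended to some other file)."""
    found = identify(data)
    if len(found) > 1:
        return True
    return "zip" in found and found["zip"]["start"] != 0


def build_zip(entries: dict) -> bytes:
    """Create an in-memory ZIP (a JAR, if a manifest entry is included)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a JAR holding only a manifest and a text file, and the
# GIF-then-JAR concatenation the comments describe.
SAMPLE_JAR = build_zip({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
                        "hello.txt": "plain text, not bytecode"})
SAMPLE_GIFAR = TINY_GIF + SAMPLE_JAR

if __name__ == "__main__":
    for label, blob in (("gif", TINY_GIF), ("jar", SAMPLE_JAR), ("gifar", SAMPLE_GIFAR)):
        print(label, identify(blob), "polyglot:", is_polyglot(blob))
```

For an upload handler the practical rule that falls out of this is: do not trust the leading magic bytes alone, and reject (or re-encode through an image library, which drops the trailing archive) anything where a footer-addressed format is found behind a header-addressed one. Note that `zipfile` itself opens the GIFAR without complaint, which is the point of the comments above: the archive parser never sees a problem.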

2 Answers

8

There are lots of examples of such polyglots, i.e. documents which are several file formats at the same time.

Some examples apart from GIFAR are combining GIF and JavaScript, or Flash and JavaScript, but there are lots more variants. A very good source for such stuff is Corkami, and the PoC||GTFO documents are also known to be multiple kinds of documents at the same time, i.e. ZIP, PDF etc.

Steffen Ullrich
2

Yes. If you define "combined files" as a valid non-malware file (in your case an image) containing a payload (the jar file), then there are many combined-file malware examples. The most common form that I know of is Microsoft Office (Word, Excel, PPT etc.) files that contain Macros or ActiveX scripting that can deploy malware.

AstroDan