39

I was reading up on FireEye and came across this NYTimes article detailing a Skype chat where an image was sent laden with malware:

Quote:

To gain access to information on the devices..., hackers posed as women on Skype, identified the types of devices the targets were using and sent photos laden with malware.

The second photo was a particularly potent piece of malware that copied files from the target's computer

I know EXIF data and IPTC headers exist in images and am pretty sure you could stuff some extra info in an image file using FileMagic mimetype header info, but how is it possible to embed executable code in an image?

The image file format was pif, so unless the computer had an app that opened the file and showed a picture while secretly executing code, I don't see how it's possible.

Jeremy Thompson
  • Here is a link to a picture of a cute kitten that contains executable PHP code: http://nullcandy.com/php-image-upload-security-how-not-to-do-it/ (It is safe to open the page, at least as far as I can tell.) – Bob Brown Feb 15 '15 at 22:08
  • Does the images' code execute on the server? Or if I download it client-side and open it in Photoshop/mspaint/etc will it do anything? – Jeremy Thompson Feb 15 '15 at 22:11
  • It's an example of how a server can be compromised by an image upload, and so not a direct answer to your question. (That's why I made it a comment.) The code is harmless, a proof of concept and not malicious code. If you want to explore, capture the kitten image and open it with Textpad or similar. – Bob Brown Feb 15 '15 at 22:13
  • Cool, that's what I thought and it's why I implement security protection like this: http://stackoverflow.com/a/15595571 - will investigate this image further on the side. Thanks very much for sharing – Jeremy Thompson Feb 15 '15 at 22:16
  • Check out the corkami project, not exactly what you are after, but he does research on file formats, and how to embed one in the other. https://code.google.com/p/corkami/ – Dominik Antal Feb 18 '15 at 14:28
  • @BobBrown not sure if that is really accurate, the source says `` just opens to a different page altogether – B''H Bi'ezras -- Boruch Hashem Feb 03 '21 at 19:35
  • @bluejayke Yes. It appears to have changed in the last five years. – Bob Brown Feb 03 '21 at 23:20
  • @BobBrown brutal, I wonder why – B''H Bi'ezras -- Boruch Hashem Feb 04 '21 at 06:25

7 Answers

69

The answer is simple. That was not a photo. And .pif is not an image format. Count on NYTimes to provide correct technical info.

As the log on NYTimes's article says, and as FireEye's actual report confirms, the file used was a .pif file. It's one of the less known of Windows's executable file extensions.

.pif is legacy from MS-DOS, like .com. It's intended to be a "program information file" (hence the name), storing a shortcut to a (DOS) program along with various info to the system on how to treat it. Even today, Windows gives .pif files a shortcut-type icon.

The funny thing is that, today, Windows doesn't really care if the .pif is really just a program information file. Try it: rename any .exe file into a .pif and run it. There might be some difference like the icon not displaying, but that's all. That's what uniform treatment of files of different formats gets you. Thanks, Microsoft!

Why does this happen? Short answer: Because Windows. Longer answer: Windows runs a .pif through ShellExecute, which technically should find a suitable program to open a file and then use it to open it. With .pif files, it first checks if it is really a file that points to an MS-DOS executable. If it doesn't conform to the .pif file format, ShellExecute checks if it contains executable code. If it does, it gets run as if it was a .exe. Why? Because Windows!

What did the suuper-scary genius hackers do? These guys didn't bother doing anything complicated: they made a self-extracting-and-executing SFXRAR archive out of a virus installer and a program (probably just a .bat) opening an image of a girl that they found on the internet, renamed that devilish contraption into a .pif file and sent it to the hapless freedom fighter.

Why did they use .pif? For two reasons, obviously:

  1. Few people know that it can run as an executable file (thanks, Microsoft!)

  2. It obviously sounds like .gif or .tiff or .pdf or something very image-y. Even you didn't doubt from its name that it was an image format, did you, OP? ;)

Concerning your actual question ("how is it possible to embed executable code in an image"). Yes, it is possible to execute code via a specially crafted image provided it is opened in a vulnerable program. This can be done by exploiting an attack like a buffer overflow. But these specific hackers were most probably not clever enough for this.

Edit

Interesting note: these guys actually used DarkComet, which has the ability to generate compressed executables with different extensions, .pif being in their list. I'm not sure about displaying an image, but this could be a functionality added in a newer version.

Another edit

I see you're asking on how to protect against this specific "vulnerability". The answer is simple.

First, make sure Windows shows you file extensions. Windows mostly hides them by default (thanks, Microsoft!)

Then learn this by heart: .exe .com .cmd .bat .pif .vb .vba .vbs .msi .reg .ws .wsc .wsf .cpl .lnk. These are the best known file types that can easily execute potentially malicious code or otherwise harm your computer if opened, whether you have vulnerable applications installed or not. If someone sends you such a file saying it's an image of a pretty girl, you can be sure it's another low-profile hacker like these Syrian guys.

Another option is simply being pro-active and checking and double-checking any downloaded file with an unfamiliar file format. It could be malware, you know.

As for real images with exploits... you could probably try keeping your software up to date.

Mints97
  • We don't see much comedy (or creativity) on Stack Exchange sites and your answer made me laugh. Thanks for this great answer. Not sure if you saw this in my chat with Bob, but I [use Binary Analysis to detect the REAL file format](http://stackoverflow.com/a/15595571) and establish mime-types and don't rely on file extensions. – Jeremy Thompson Feb 19 '15 at 10:36
  • @JeremyThompson: that's a stellar security measure, if it can identify all the file formats properly. Also, thanks for the compliment! ;) – Mints97 Feb 19 '15 at 11:24
  • Easily the best answer OP is going to get. Thorough, correct, and hilarious. :) – haze Feb 20 '15 at 17:38
  • Are `.vb` and `.vba` executable file extensions? Don't they have to undergo some sort of compilation first? – Zev Spitz Jan 02 '17 at 12:32
  • You forgot `.scr`. The screensaver file format is basically just a `.exe` but with a different extension. – forest Dec 13 '17 at 12:02
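As an added example (not code from the answer, its author, or the comments), here is a small Python check in the spirit of the "binary analysis" mentioned in the comments. It compares the claimed extension with the file's leading magic bytes, flags the directly executable extensions the answer lists (plus `.scr` from the comments), and notes when a PE file carries an embedded RAR signature, which is how a self-extracting RAR archive renamed to `.pif` presents on disk. The signature table is deliberately small and the sample byte strings are constructed for the example, not taken from any real malware.

```python
# Extensions the answer lists as directly runnable on Windows, plus .scr from the comments
EXECUTABLE_EXTENSIONS = {"exe", "com", "cmd", "bat", "pif", "vb", "vba", "vbs", "msi",
                         "reg", "ws", "wsc", "wsf", "cpl", "lnk", "scr"}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "bmp", "tif", "tiff"}

# Leading-byte signatures (constructed table, intentionally not exhaustive)
MAGIC = (
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"Rar!\x1a\x07", "rar-archive"),
    (b"PK\x03\x04", "zip-archive"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"BM", "bmp"),
    (b"%PDF-", "pdf"),
)
IMAGE_TYPES = {"jpeg", "png", "gif", "bmp"}
RAR_SIGNATURE = b"Rar!\x1a\x07"


def sniff(head: bytes) -> str:
    """Identify the content by its first bytes, ignoring the file name entirely."""
    for signature, kind in MAGIC:
        if head.startswith(signature):
            return kind
    return "unknown"


def extension_of(filename: str) -> str:
    """The extension the OS will use: everything after the last dot, lower-cased."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def assess(filename: str, data: bytes) -> dict:
    """Compare name and content; return the findings a reviewer would want to see."""
    ext = extension_of(filename)
    kind = sniff(data[:16])
    findings = []
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"extension .{ext} is run directly by Windows")
    if kind in ("pe-executable", "elf-executable"):
        findings.append(f"content is a {kind}, whatever the name claims")
        if RAR_SIGNATURE in data:
            # Heuristic: an executable with a RAR header inside it is typically an SFX archive
            findings.append("executable carries an embedded RAR archive (self-extracting archive)")
    if ext in IMAGE_EXTENSIONS and kind not in IMAGE_TYPES:
        findings.append(f"name claims an image but content sniffs as {kind}")
    return {"name": filename, "extension": ext, "content_type": kind,
            "findings": findings, "suspicious": bool(findings)}


# Constructed samples: a fake PE stub with a RAR signature inside it, and a minimal JPEG header
SAMPLE_SFX = (b"MZ\x90\x00\x03\x00" + b"\x00" * 58 + b"PE\x00\x00" + b"\x00" * 32
              + RAR_SIGNATURE + b"\x00" + b"constructed archive body")
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 8 + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("girl.pif", SAMPLE_SFX), ("kitten.jpg", SAMPLE_JPEG), ("kitten.jpg", SAMPLE_SFX)):
        result = assess(name, blob)
        print(name, result["content_type"], "SUSPICIOUS" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("   -", finding)
```

The point of `assess` is that the name and the bytes are judged separately: a renamed SFX archive fails on both counts, while a real JPEG named `.jpg` passes. Reading only 16 bytes for `sniff` keeps the check cheap enough to run on every upload or download.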
12

Nothing is perfect, and a common kind of bug is a buffer overflow, where in short data gets copied where it shouldn't be, and in some cases this can lead to arbitrary code being executed.

For example, here is a bug in old Microsoft versions in which, if you viewed a certain image with IE, then arbitrary code could be executed.

Note that this is very implementation-specific, so opening the same image in Firefox or Chrome would simply result in a broken image, but no code execution.

Buffer overflow in layman's terms

Buffer overflow technical details

Shelvacu
  • Ok, this is what I am looking for - I probably should have factored in exploiting bugs. If no one else comes up with a better answer in the coming weeks I will accept this. Thanks – Jeremy Thompson Feb 15 '15 at 08:42
7

Mints97's answer is great, but I think there may be more to it than that. An especially wonderful (read: terrible) problem with Windows is that it supports the complete Unicode character set in filenames, including (and this is the worst), U-202E.

While I am sure it has some good innocuous uses, it can allow people to maliciously change the filename in a way that is difficult for the average user to notice. This is excellently documented in this howtogeek.com article.

Essentially the hacker can put U-202E in a filename and change filename by gnp.tab to filename by bat.png. The character reverses the order of all of the name after itself. All the attacker needs to do is choose the correct file type that executes, and Windows will associate it with the executable name.

This is harder to guard against than you think. The best defense would be to scan the names of files for this. The CMD command dir seems to report a ? for this Unicode character. Python, and I am sure other languages, can get the Unicode name, so a script or program of some sort could prevent this problem.

By far the simplest solution is to also look at the four letters before a file extension and make sure the reverse isn't an executable name. (I think there are some four letter executable names, but I am not sure).

Be wary!

EDIT: I made a Python script (download here) that reads the file names in a directory for U-202E. It tells you a) the actual name and b) the extension. It should support working with multiple files and multiple U-202Es in one name.

  • Yet another reason to [use Binary Analysis to detect the REAL file format and establish mime-types and not rely on file extensions](http://stackoverflow.com/questions/15300567/alternative-to-findmimefromdata-method-in-urlmon-dll-one-which-has-more-mime-typ) - this SHOULD be documented somewhere, this is a REALLY bad security vulnerability! Thank you for sharing!! – Jeremy Thompson Feb 24 '15 at 03:24
  • Actually here is another technique in my toolkit I can use to detect this.. If you look at the properties of the renamed file it will tell you which `Type` Windows will use to open the file. Here is [code to detect all the properties of a File](http://stackoverflow.com/a/11660616/495455). – Jeremy Thompson Feb 24 '15 at 03:46
  • This is indeed a fun trick. It's not unique to Windows, btw. Many Linux file managers display the reversed text as well, though `ls` and other command line representations are not affected. – forest Dec 23 '17 at 12:18
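The answer's script is only linked, so here is an added Python example of the same idea (my own code, not the answer's script). It finds the right-to-left override (U+202E, the character the answer calls U-202E) in a file name, reports the real extension the OS will use, approximates the name a naive viewer displays, and applies the answer's "look at the letters before the extension, reversed" heuristic. Treating the other Unicode bidi control characters as suspicious as well is this example's own choice; the executable-extension list is the one from the top answer plus `.scr` from its comments. The sample names are constructed.

```python
import os

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, written U-202E in the answer
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING, which ends an override
# All Unicode bidi controls; flagging every one of them is this example's assumption
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}

EXECUTABLE_EXTENSIONS = {"exe", "com", "cmd", "bat", "pif", "vb", "vba", "vbs", "msi",
                         "reg", "ws", "wsc", "wsf", "cpl", "lnk", "scr"}


def _strip_controls(text: str) -> str:
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def real_extension(name: str) -> str:
    """What the OS uses: the text after the last dot in the raw name, control characters removed."""
    return _extension(_strip_controls(name))


def displayed_name(name: str) -> str:
    """Approximate what a naive file list shows: the run after an RLO appears reversed until a PDF.
    Real bidi layout is more involved; this is enough to recover the apparent extension."""
    head, found, tail = name.partition(RLO)
    if not found:
        return _strip_controls(name)
    overridden, _, rest = tail.partition(PDF)
    return _strip_controls(head) + _strip_controls(overridden)[::-1] + displayed_name(rest)


def reversed_stem_looks_executable(shown: str) -> bool:
    """The answer's heuristic: do the last 2-4 letters before the displayed extension,
    read backwards, spell an executable extension?"""
    stem = shown.rsplit(".", 1)[0] if "." in shown else shown
    return any(stem[-n:][::-1].lower() in EXECUTABLE_EXTENSIONS
               for n in (2, 3, 4) if len(stem) >= n)


def analyse(name: str) -> dict:
    ext = real_extension(name)
    shown = displayed_name(name)
    apparent = _extension(shown)
    findings = []
    if RLO in name:
        findings.append("name contains U+202E (right-to-left override)")
    elif any(ch in BIDI_CONTROLS for ch in name):
        findings.append("name contains other bidi control characters")
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"real extension .{ext} is executable")
    if apparent and apparent != ext:
        findings.append(f"displayed extension .{apparent} differs from real extension .{ext}")
    if reversed_stem_looks_executable(shown):
        findings.append("letters before the displayed extension spell an executable extension backwards")
    return {"name": name, "real_extension": ext, "displayed": shown,
            "apparent_extension": apparent, "findings": findings, "suspicious": bool(findings)}


def scan_directory(path: str) -> list:
    """Return the analyses of every entry in `path` that triggered at least one finding."""
    results = (analyse(entry) for entry in os.listdir(path))
    return [r for r in results if r["suspicious"]]


if __name__ == "__main__":
    # Constructed names: a disguised screensaver, the classic exe/png swap, and a benign file
    for sample in ("holiday_photo\u202egnp.scr", "photo\u202egnp.exe", "kitten.png"):
        r = analyse(sample)
        print(repr(r["displayed"]), "->", r["real_extension"] or "(none)", r["findings"])
```

`real_extension` works on the raw string, which is why the check does not depend on how the console renders the name; the `?` that `dir` prints for the character is a display artefact, and `os.listdir` hands back the actual code point.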
4

You wrote, "The image file format was pif", but the article states "FireEye researchers found a collection of chats and documents while researching malware hidden in PDF documents." The program information file format was used on Microsoft Windows systems, though files in that format are rarer now than they once were. There were vulnerabilities associated with PIF files, e.g., see Microsoft Windows automatically executes code specified in shortcut files, but the New York Times article mentions PDF documents.

Images can be stored within PDF documents and someone opening a PDF document can make himself vulnerable to exploits using PDF files. In that case the issue is unlikely created by the image, but rather by the container, i.e., the PDF file, in which it was transmitted. For some PDF vulnerabilities, see pdf current threats and The rise in the exploitation of old PDF vulnerabilities. E.g., the latter reference mentions a vulnerability associated with JavaScript within a PDF file noting "The embedded JavaScript may contain malicious instructions, such as commands to download and install other malware."

MoonPoint
  • See the ny times link, the chat convo extract, that's where I got pif from.. Sending a pic as a PDF would be a bit weird but thx's for this answer – Jeremy Thompson Feb 15 '15 at 21:33
  • Likely the recipient was so excited to get a picture from a pretty girl that he didn't even consider the format in which it arrived. – MoonPoint Feb 15 '15 at 21:41
  • Just the other day I was coding an Action Wizard in Distiller (for the first time, using what seemed like Javascript). Hmmm, it did seem like a weakness in that it was executing client-side *javascript* in a file - not a WebBrowser and was ripe to be exploited!!). With the research you have done I am leaning toward this answer. Going to wait a little longer to see if anyone else has any thoughts. Can you provide info on how a PIF launches a MS Dos app (like a dos cmd prompt, for future visitors)? – Jeremy Thompson Feb 16 '15 at 13:01
  • Though perhaps you're on the money and it was all to do with PDFs and the trick was via social hacking. A pretty girl saying I don't know what I am doing I think it's some Adobe file (ie **change the pif extension to pdf**). – Jeremy Thompson Feb 16 '15 at 13:03
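The answer notes that the dangerous part of a "picture" sent as a PDF is the container, for instance embedded JavaScript. As an added example (my own code, not from the answer or any project), here is a triage scanner in the style of keyword-counting PDF tools: it counts action-related names such as `/OpenAction`, `/JavaScript` and `/JS`, after undoing the `#xx` name escapes and inflating FlateDecode streams that PDF allows, since both are routinely used to hide those names from a naive `grep`. The name list is a small constructed selection and the three sample PDFs are built inline; none of them is renderable, they only exercise the parser.

```python
import re
import zlib

# Names worth a second look before opening a PDF from a stranger (constructed, not exhaustive)
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")


def _unescape_names(data: bytes) -> bytes:
    """PDF names may spell any byte as #xx, e.g. /J#53 for /JS; normalise before matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data: bytes) -> bytes:
    """Inflate every stream that decodes as zlib; other filters are skipped."""
    out = []
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", data, re.DOTALL):
        try:
            # decompressobj tolerates a stray trailing or missing byte around the stream edges
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(out)


def scan_pdf(data: bytes) -> dict:
    """Count suspicious names in the raw file plus its inflated streams."""
    text = _unescape_names(data + b"\n" + _inflate_streams(data))
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # a name ends at the first non-alphanumeric byte, so /JS does not match /JSX
        hits = len(re.findall(re.escape(name.encode()) + rb"(?![A-Za-z0-9])", text))
        if hits:
            counts[name] = hits
    return counts


def _pdf(objects) -> bytes:
    """Assemble a minimal (non-renderable) PDF skeleton around the given object bodies."""
    body = b"\n".join(b"%d 0 obj\n" % i + o + b"\nendobj" for i, o in enumerate(objects, 1))
    return b"%PDF-1.4\n" + body + b"\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed sample 1: a document whose catalog runs JavaScript on open
SAMPLE_PLAIN = _pdf([
    b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
    b"<< /Type /Pages /Kids [] /Count 0 >>",
    b"<< /S /JavaScript /JS (app.alert('constructed sample')) >>",
])

# Constructed sample 2: same intent, with the names escaped and the action object deflated
_hidden = zlib.compress(b"<< /S /JavaScript /JS (app.alert('hidden')) >>")
SAMPLE_OBFUSCATED = _pdf([
    b"<< /Type /Catalog /Pages 2 0 R /Open#41ction 3 0 R >>",
    b"<< /Type /Pages /Kids [] /Count 0 >>",
    b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(_hidden) + _hidden + b"\nendstream",
])

# Constructed sample 3: an image object and nothing else
SAMPLE_BENIGN = _pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [] /Count 0 >>",
    b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1 >>",
])

if __name__ == "__main__":
    for label, sample in (("plain", SAMPLE_PLAIN), ("obfuscated", SAMPLE_OBFUSCATED), ("benign", SAMPLE_BENIGN)):
        print(label, scan_pdf(sample) or "no suspicious names")
```

A non-empty result is a reason to open the file in a sandbox or not at all, not proof of malice; legitimate forms use `/AA` and `/JS` too. The obfuscated sample shows why counting names in the raw bytes alone is not enough.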
2

There was a widely publicized exploit a few years ago, which used a bug in a particular, widely distributed jpeg library. The net effect of this exploit was to allow executing arbitrary code on the victim's machine, when nominally all they were doing was trying to view an image.

Also, for example, there was an exploit for rich text files (rtf format) which didn't require a bug, only using a little known feature of the rtf format to execute code on the user's machine.

Another example is embedding macros in word documents. Macros are an incredibly powerful and useful feature, but when you can give someone a document that contains macros of your choosing, it can also be a powerful hacking tool.

In general, it's really tempting to embed features in complex file formats which give them Turing-equivalent capabilities. Also not a good idea.

ddyer
  • "widely distributed jpeg library"? Could you please elaborate, so only people with the jpeg library installed? Anyone who opens a jpeg saved with this library? Without references or links it's hard to quantify this answer and these days you have to enable Macros to run them in office applications. – Jeremy Thompson Feb 22 '15 at 00:24
  • It was years ago and I don't have the details at hand. There was a rush to replace one particular windows dll. – ddyer Feb 22 '15 at 07:38
  • Most likely good old libjpeg. It's pretty much the only JPEG decoder out there. – forest Dec 23 '17 at 12:20
1

Well, you start up with analyzing the file format. And then take a wild guess on how different software will react.

For example JPEG - http://en.wikipedia.org/wiki/JPEG - uses special markers to delimit the start and end of image. Now one would bet that software that deals with JPEG will only look for the start and end of image markers and plot everything in between. If either marker is not found, then the jpeg is invalid, right? Now what if, after the end of image marker, we add an End of File mark, and after that we add our executable payload? Well, I'm betting that most jpeg plotters out there will just ignore the payload and work as assumed. Success: at this point we have attached a payload in the image. Now to make it execute, well, this is a tad harder. We could have our "software" look for stuff after the End of image markup and if present ingest it, or we could try to inject an ELF/EXE/COM header with an offset for the code before the start of image markup and hope that plotting software will ignore it, but the OS won't.

The problem is that initially systems and networks were built with the preformed misconception that people are honest and behave like machines and will not break patterns or use the software outside the intended cases. And because of this, lots of assumptions were made. Yeah, the user will type at most 200 characters, yeah the user will always type a readable format and so on. When you think of use cases, as a programmer you get into the habit of thinking that the cases are absolute and not guarding for exceptions. Guess what happens when someone who's thinking out of the box comes along..

user283885
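The answer's bet that viewers ignore whatever follows the end-of-image marker is easy to turn around into a check. As an added example (my own code, not the answer's), the Python below walks the JPEG marker segments, including the entropy-coded data after SOS where `FF 00` byte stuffing and `RSTn` markers must not be mistaken for segment boundaries, finds the offset just past `FF D9`, and reports anything trailing it. The sample JPEG is constructed inline and is structurally valid but not decodable (it has no frame, Huffman or quantisation tables); the appended bytes are a labelled placeholder, not a real program.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, SOI, EOI and the restart markers RST0..RST7
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker, walking every segment on the way.
    Raises ValueError when the byte stream is not a structurally valid JPEG."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte; the real marker follows
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded data: FF 00 is a stuffed data byte and FF D0..D7 a restart marker,
            # so keep scanning until a marker that is neither
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker")


def trailing_payload(data: bytes) -> bytes:
    """Whatever sits after EOI; a clean image gives b''."""
    return data[jpeg_end_offset(data):]


def describe_trailer(trailer: bytes) -> str:
    if not trailer:
        return "clean: nothing after EOI"
    if trailer.startswith(b"MZ"):
        return f"{len(trailer)} bytes after EOI starting with a PE (MZ) header"
    if trailer.startswith(b"\x7fELF"):
        return f"{len(trailer)} bytes after EOI starting with an ELF header"
    return f"{len(trailer)} bytes of unexplained data after EOI"


def _constructed_jpeg() -> bytes:
    """SOI, an APP0/JFIF segment, a SOS segment, a few scan bytes with stuffing and RST0, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


CLEAN_JPEG = _constructed_jpeg()
PAYLOAD = b"MZ\x90\x00" + b"constructed payload, not a real program"  # placeholder bytes
TAMPERED_JPEG = CLEAN_JPEG + PAYLOAD

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_JPEG), ("tampered", TAMPERED_JPEG)):
        print(label, "->", describe_trailer(trailing_payload(blob)))
```

An upload handler or mail gateway can run `trailing_payload` on every JPEG it accepts; re-encoding the image, which drops everything a decoder did not use, is the simpler mitigation when you control the pipeline.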
1

I remember back in the good old days when viewing or loading a .ico file with the APIs that shipped with Windows used to allow for direct code execution if crafted maliciously enough.

And the entire concept behind the wmf file format was calling graphics routines directly (hence the creation of the device independent bitmap format, aka .bmp files).

So yes, it is possible, and has been done in the past, albeit unlikely these days. I wouldn't completely rule it out, but I would say it would require an extremely skilled attacker to pull it off.

Damian Nikodem