
Assuming that I have an infected image containing self-executing malicious code that targets my image viewer and executes when I open the file. Supposing also that my computer is completely clean and not infected by other malware that could read the hidden code in the image, this code could not have been encrypted. Thus it must be unencrypted in order to execute, which means it is somehow visible.

What methods can I use to detect it?

pgmank

2 Answers


This is the easy case for anti-virus software.

However, do not suppose that malware has to be unencrypted to be executable. Polymorphic code brings self-decryption to malware; it can be helped by metamorphism to ensure that even the very start of the decryption routine (since there must indeed be an unencrypted starting point) does not present any recognizable constant pattern.

It is trying to fight such methods that makes anti-virus software such complex programs.

WhiteWinterWolf
  • In my case, I haven't opened the file yet, so the decryptor cannot be altered using metamorphism techniques. So opening it with a hex editor will not trigger the decryptor, and therefore I can somehow see its code, can't I? – pgmank Apr 30 '15 at 10:52
  • @pgmank: With metamorphic code, yes, the decryptor is in unencrypted code. However, a sophisticated metamorph could be written such that an antivirus couldn't reliably determine whether a file is clean or not due to [halting problem](http://en.m.wikipedia.org/wiki/Halting_problem). – Lie Ryan Apr 30 '15 at 12:03
  • I agree with you @LieRyan, but because of the fact that the code is not part of the image, knowing the JPEG's structure, one can somehow detect that this piece of information is not related to the image. And that piece of info is the malicious code. The only thing I am not aware of is how to detect this info. – pgmank Apr 30 '15 at 12:23
  • Manually with a hex editor you will probably not be able to detect anything. You need to use dedicated software (I do not know if any already exists; I found [someone else](https://groups.google.com/forum/#!topic/sybase.public.powerbuilder.powerscript/2OfrdV78FHE) looking for one but with no answer) which will validate whether the provided data is compliant with the standards defining the format of a JPEG file, a bit like an application firewall checks whether incoming requests are structurally and syntactically correct with respect to the corresponding protocol. – WhiteWinterWolf Apr 30 '15 at 12:52
  • @pgmank: knowing JPEG's structure, one can detect if the image contains superfluous information. However, there are many legitimate uses of embedding superfluous information, and if the antivirus flags all such files, it'll reduce its effectiveness as people will be ignoring its warnings. The antivirus would have to actually understand what the superfluous information is to reliably distinguish legitimate and illegitimate superfluous information, and that is a halting problem. – Lie Ryan Apr 30 '15 at 15:28

Such code would of necessity exploit a buffer overflow or other data-to-code jump trick. As such, it will only be effective against a limited range of hardware. So you can run a JPEG lint checker written for, say, ARM in a virtualized device. The exploit will be ineffective against the emulated CPU, which will then be able to report on the JPEG structure... whether it contains illegal image blocks or, much likelier, corrupt APP tags. Even if the virtualized code is vulnerable, because the exploit targets a library which was ported to the emulated architecture - say, libexif - the exploit payload will be in the outer CPU machine language, and thus be ineffective. On some VMs you will be able to check what addresses contained the corrupted data.

LSerni
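Both WhiteWinterWolf's comment (a dedicated tool that validates the data against the JPEG format) and LSerni's answer (a JPEG lint checker that reports illegal blocks or corrupt APP tags) describe the same kind of structural check. The script below is an added example, not code from either answer: it walks the marker segments of a JPEG byte string without decoding the image and reports what does not fit the format (bytes after EOI, a segment length that runs past the end of the file, a reserved marker, or an APPn segment whose payload does not start with one of a few well-known identifiers). The sample inputs are constructed inline; the list of known APP identifiers is a small hand-picked set, so an unrecognised APP segment is a lead for inspection, not proof of anything, which is exactly the caveat Lie Ryan raises about legitimate superfluous data.

```python
"""Minimal JPEG structure linter (added example, not from the original answers).

Walks marker segments and reports structural findings; nothing in the file is
decoded or executed.  Findings are heuristics for further inspection.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))
# Identifiers that open the most common legitimate APPn payloads (hand-picked, not exhaustive).
KNOWN_APP_PREFIXES = (b"JFIF\x00", b"JFXX\x00", b"Exif\x00\x00", b"ICC_PROFILE\x00",
                      b"Adobe", b"http://ns.adobe.com/xap/1.0/\x00")


def lint_jpeg(data: bytes) -> dict:
    """Return {"segments": [(marker, offset, payload), ...], "findings": [str, ...]}."""
    segments, findings = [], []
    if data[:2] != b"\xff\xd8":
        return {"segments": segments, "findings": ["missing SOI marker"]}
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            findings.append(f"expected marker at offset {pos}, found 0x{data[pos]:02x}")
            break
        while pos < len(data) and data[pos] == 0xFF:   # any number of FF fill bytes
            pos += 1
        if pos >= len(data):
            findings.append("file ends inside a marker")
            break
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            segments.append((marker, pos - 2, b""))
            if marker == EOI:
                trailing = data[pos:]
                if trailing:   # anything after EOI is not part of the image
                    findings.append(f"{len(trailing)} bytes after EOI at offset {pos}")
                break
            continue
        if marker < 0xC0:   # reserved marker codes never appear in a valid file
            findings.append(f"reserved marker 0x{marker:02x} at offset {pos - 2}")
            break
        if pos + 2 > len(data):
            findings.append(f"marker 0x{marker:02x} at offset {pos - 2} has no length field")
            break
        (length,) = struct.unpack(">H", data[pos:pos + 2])   # length includes its own 2 bytes
        if length < 2:
            findings.append(f"marker 0x{marker:02x} at offset {pos - 2}: invalid length {length}")
            break
        payload = data[pos + 2:pos + length]
        if len(payload) != length - 2:
            findings.append(f"marker 0x{marker:02x} at offset {pos - 2}: length {length} runs past end of file")
            break
        segments.append((marker, pos - 2, payload))
        if 0xE0 <= marker <= 0xEF and not payload.startswith(KNOWN_APP_PREFIXES):
            findings.append(f"APP{marker - 0xE0} at offset {pos - 2} has unrecognised payload ({len(payload)} bytes)")
        pos += length
        if marker == SOS:
            # Entropy-coded data follows; skip FF00 byte stuffing and RSTn until a real marker.
            while True:
                nxt = data.find(b"\xff", pos)
                if nxt == -1 or nxt + 1 >= len(data):
                    pos = len(data)   # scan data runs to EOF; the outer loop reports the missing EOI
                    break
                code = data[nxt + 1]
                if code == 0xFF:                               # fill byte
                    pos = nxt + 1
                elif code == 0x00 or 0xD0 <= code <= 0xD7:     # stuffing or restart marker
                    pos = nxt + 2
                else:
                    pos = nxt                                  # real marker: back to segment loop
                    break
    else:
        findings.append("no EOI marker found")
    return {"segments": segments, "findings": findings}


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one length-prefixed marker segment (used only to construct samples)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples: not real images, just enough structure to exercise the walker.
CLEAN_JPEG = (b"\xff\xd8"
              + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
              + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
              + b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # scan bytes with FF00 stuffing and RST0
              + b"\xff\xd9")
TAMPERED_JPEG = CLEAN_JPEG + b"CONSTRUCTED PAYLOAD PLACEHOLDER"   # data appended after EOI
ODD_APP_JPEG = b"\xff\xd8" + _segment(0xE7, b"\x00\x00\x00\x00opaque") + CLEAN_JPEG[2:]

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_JPEG), ("tampered", TAMPERED_JPEG), ("odd-app", ODD_APP_JPEG)):
        print(name, lint_jpeg(sample)["findings"])
```

Running the block prints no findings for the clean sample, one "bytes after EOI" finding for the tampered one, and an unrecognised APP7 finding for the third. A truncated file (for instance `CLEAN_JPEG[:-2]`) is reported as missing its EOI rather than accepted. This is the part of LSerni's suggestion that can be done without touching any decoder; running it under an emulated architecture, as that answer proposes, is a deployment choice the script does not make for you.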