Should I be afraid of a malicious GIF file?

1

I downloaded a torrent which had some gifs with pirate logos on it. There was a gif with the text 'we are watching you'. I clicked on one of them and it opened my Internet Explorer browser. I turned it off quickly after, but it was loaded for a short time.

What are the potential risks of opening a gif, and in this situation what are the possible incurred dangers?

Vass

Posted 2011-06-14T12:32:59.953

Reputation: 1 389

4 The way you describe it, it sounds quite normal IF the file type GIF is associated with IE. – pavium – 2011-06-14T12:39:58.707

2 Which it is by default in Windows 7 at least... – Mokubai – 2011-06-14T12:52:39.730

Apologies, but this made me actually laugh out loud. – vemv – 2011-06-14T13:24:57.460

This begs the question, why would you click on something so suspicious in the first place?? – KCotreau – 2011-06-14T14:04:49.153

1 Question should be "what are the potential risks of opening anything I download using bittorrent?" – Moab – 2011-06-14T14:29:23.330

Answers

9

This is by design and by default. Windows 7 opens .gif images in Internet Explorer because the basic picture viewer application does not support the animation features of the gif file format while Internet Explorer does.

If you are really worried, just make sure your computer has up-to-date security patches and a decent antivirus. As far as I know, you cannot get a virus from opening a gif image.

Can a virus "hide" in a GIF or JPEG file? Answer - No

This appears to show a virus payload in a gif file, but the user has to go through a big hoop to actually activate the payload. It cannot be simply run by viewing the image.

Mokubai

Posted 2011-06-14T12:32:59.953

Reputation: 64 434

If I remember rightly there were some problems a few years ago with either the emf or wmf file formats, but an up-to-date and patched OS is immune. – Mokubai – 2011-06-14T13:12:54.167

Re "Windows 7 opens .gif images in Internet Explorer because the basic picture viewer application does not support the animation features of the gif file format" -- is it true? The basic picture viewer application displayed animated GIFs in Windows XP just fine... – user1686 – 2011-06-14T19:05:19.057

On my machine "Windows Photo Viewer" and "Windows Live Photo Gallery" will both view but not animate gif images... this is just my experience and YMMV... :) – Mokubai – 2011-06-14T19:13:58.003

Meh, I was just curious. It's not the first time Windows loses a feature anyway. – user1686 – 2011-06-14T19:18:18.510

3

There have been image exploits before; I remember a libjpeg exploit on Windows, long since patched (I couldn't find it easily).

The way programs work, there is an area called the stack (and less so, a place called the heap) where data and code are somewhat mixed. If I can give you data in a different format and/or size than what you are prepared to take, maybe I can really mix my data into your code and make it code. Meaning, I con you to run me instead of your program. Now, instead of running Internet Explorer (or whatever) you're running me, scary.

Technically this wouldn't be a virus - it spread as a trojan. But it doesn't matter much how it got on your system, you're running it.

There are some limits. There has to be a bug in the reading code. It's non-trivial to get the code to run. You need to know assembler and how to call Windows code from it. Windows and other OSes have made efforts to make actually using these bugs harder and harder (though very smart people still can).

Keep your system updated. Much of the damage is from bugs, they can be patched.

What was in the torrent package? A video? An executable? An executable doesn't even need to 'hack' your system, you just ran it, gave it permission. Videos are much more complicated than a gif. Much more likely to have bugs in code that lead to exploits. A gif is a simple file format, code has been around before the web existed, fewer holes for bugs. New video codecs come out all the time. Windows WMV files used to/still can (not sure) call out to web pages for ads or codecs. Many of these webpages have IE exploits and you just pwned your computer. I'd be much more worried about what else was in the torrent than the gifs.

Rich Homolka

Posted 2011-06-14T12:32:59.953

Reputation: 27 121
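The point above about a reader being handed data whose size differs from what it is prepared to take, shown for GIF as an added example (not code from any answer on this page): a structural walk that bounds-checks every declared length and counts the bytes sitting after the trailer, which is where non-image data appended to a GIF would be. `inspect_gif` and `SAMPLE_GIF` are names made up here, and the sample file is constructed.

```python
import struct

# Constructed sample: a minimal 1x1, one-frame GIF89a built for this example.
SAMPLE_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)  # header, screen descriptor
              + b"\x00\x00\x00\xff\xff\xff"                        # 2-entry global colour table
              + b"\x21\xf9\x04\x01\x00\x00\x00\x00"                # graphic control extension
              + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)     # image descriptor
              + b"\x02\x02\x44\x01\x00" + b"\x3b")                 # LZW sub-blocks, trailer

def inspect_gif(data: bytes) -> dict:
    """Walk the GIF block structure, bounds-checking every declared length."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF, or header is truncated")
    width, height, flags = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if flags & 0x80:                        # global colour table present
        pos += 3 * (2 << (flags & 0x07))

    def skip_sub_blocks(p: int) -> int:
        # A sub-block is 1 length byte plus that many data bytes; length 0 ends the chain.
        while True:
            if p >= len(data):
                raise ValueError("sub-block chain runs past end of file")
            size = data[p]
            p += 1 + size
            if size == 0:
                return p
    frames = 0
    while True:
        if pos >= len(data):
            raise ValueError("no trailer byte 0x3B: file is truncated")
        marker = data[pos]
        if marker == 0x3B:                  # trailer: the image ends here
            pos += 1
            break
        if marker == 0x21:                  # extension: label byte, then sub-blocks
            pos = skip_sub_blocks(pos + 2)
        elif marker == 0x2C:                # image descriptor: 10 bytes including marker
            if pos + 10 > len(data):
                raise ValueError("truncated image descriptor")
            iflags = data[pos + 9]
            pos += 10
            if iflags & 0x80:               # local colour table follows
                pos += 3 * (2 << (iflags & 0x07))
            pos = skip_sub_blocks(pos + 1)  # +1 skips the LZW minimum-code-size byte
            frames += 1
        else:
            raise ValueError(f"unknown block 0x{marker:02x} at offset {pos}")
    return {"size": (width, height), "frames": frames, "trailing_bytes": len(data) - pos}
```

This checks container structure only; it does not decode the LZW pixel data, so it says nothing about bugs in a particular viewer's decoder.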

2

Upload it to VirusTotal to be sure.

Exploits are possible (example), although if your computer is up-to-date you shouldn't worry.

Tamara Wijsman

Posted 2011-06-14T12:32:59.953

Reputation: 54 163

That was the one I was thinking of, though it only affects WMF images as the format specifically allows certain types of post-processing to occur. From the vulnerability section: "A remote code execution vulnerability exists in the Graphics Rendering Engine because of the way that it handles Windows Metafile (WMF) images." So it does not apply to GIF images – Mokubai – 2011-06-14T18:00:18.857

But as always it is best to err on the side of caution. – Mokubai – 2011-06-14T18:07:09.537

@Mokubai: Updated the example, check this one. :) – Tamara Wijsman – 2011-06-14T19:39:10.717

:O I didn't know about that one. I wonder what other image formats are potential sources of infection... – Mokubai – 2011-06-14T19:55:27.390

@Mokubai any format really. But these vulnerabilities are from coding bugs, and the more complex the format (TIF probably the worst) the more likely to have an issue. – Rich Homolka – 2011-07-11T19:10:42.957

1

It's always good to have proper anti-virus/malware/firewall etc. There were some viruses which can embed themselves into gif files and spread:

http://www.pctrojan.com/content/109-streamviewers-gif-images-embedded-encrypted-malware

In your case, you're most likely not infected, but better to double check.

ukanth

Posted 2011-06-14T12:32:59.953

Reputation: 9 930

Isn't that page you linked about an already infected machine using the gif format to hide a supplemental payload? I can't see anything to suggest that the gif format is the direct infection vector. – Mokubai – 2011-06-14T13:05:55.190