Hacking With Pictures; New Stegosploit Tool Hides Malware Inside Internet Images For Instant Drive-by Pwning

hacking images stegosploit saumil shah embedded executable code browse images

Go online for five minutes. Visit a few webpages. How many pictures do you see?

With the media rich nature of the web, chances are your answer is in the hundreds. It is in this space the future of malicious cyber attacks could be embedded. In a presentation at Hack In The Box in Amsterdam, Net Square security researcher Saumil Shah demonstrated an updated method of his digital steganography project, Stegosploit, which involves embedding executable JavaScript code within an image to trigger a drive by download.

In plain speak, this means virtually any picture you view on the web, even without clicking on it or downloading it, could potentially contain malware. Upon viewing the image, the hidden program would automatically load on your computer or mobile device without your consent. That malicious software could then do a variety of nasty things from taking control of your device to stealing data, photos, login credentials, sensitive personal and financial information and more. The best part of all, antivirus and malware detection scanners are not, at this time, equipped to detect these kinds of attacks, rendering your safety net completely useless.

While using steganography to convey hidden messages is nothing new, the attack method Shah has developed is, and in his opinion, could be the future of online attacks.

What is Steganography?

Steganography is a hidden messages technique where the message itself appears to be part of something else, like an image, article, shopping lists, or other cover text. A simple example might be a hidden message written in invisible ink between the visible lines of a friendly letter.

Many times throughout history, stenography has been employed along with cryptography to convey secret messages to the “right” people. The advantage of steganography over cryptography alone is that the intended secret message does not attract attention to itself as an object of scrutiny.

As Shah explains it, steganography is all about “hiding things in plain sight.” With his technique and “Stegosploit” tool Shah takes the stenographic approach to a new level where exploits are delivered not only in plain sight, but also “with style.”

Hiding In Plain Sight

Shah’s steganographic adventure in hacking with pictures began five years ago when the avid photographer decided to see just what could be done when he combined his two passions into one.

“I really love photography and I had been looking into jpeg files and image files just because I could,” Shah told iDigitalTimes. “It was then that I began to wonder if non-image data could be encoded inside an image itself. Of course, Steganography in images has been around a long time and a lot of research has been done with encoding text on pictures, but with classic steganography you are just adding text into an image and both the text and the image are passive. What I wanted to do was encode active code into the image pixels so that when it was decoded, it isn’t viewed as an image, but rather, executes.”

Over the last several years, Shah has worked on his technique and discovered executable code can in fact be embedded within an image and executed in a web browser, evading detection of even the most scrupulous malware scanners.

Packaged into a tool called Stegosploit, Shah takes known exploits in Chrome, Safari, Explorer and other browsers supporting HTML 5 Canvas and codes them into the bit layers of an image's pixels. These kind of files which Shah dubbed Imajs (image + JavaScript) load as JavaScript in a browser, rendering both as images and executables -- two different kinds of content embedded in one file.

hacking images stegosploit saumil shah embedded executable code browse images
Executable javascript code hidden within the image coding delivers an on-load browser drive-by. Photo: iDigitalTimes

When the exploit is encoded, depending on the layer where the JavaScript is embedded, the image may appear completely unaltered. Because the technique spreads the executable code around inside of the image file, it is basically undetectable by current antivirus programs. Detecting the hidden code would require scanning every single byte in an image, which would mean a huge compromise in load speed.

Shah first demonstrated his method at SyScan in March. At the time, the technique required using two images – one to contain the executable code, and the other one to decode it. But since that time Shah has managed to embed both the executable code and the decoder within the same image. This technique is possible with both PNG and JPEG images.

The combining of both the executable code, and the decoder make this new technique a ripe playground for unethical hackers. As long as the file remains the same size, it could be added to any webpage – for example, Instagram, Twitter, Imgur, dating profiles and more. Unsuspecting victims who view the photo online would find themselves instantly compromised without ever clicking or downloading the photo at all.

While there are no yet known cases of this technique being used in the wild, Shah is confident, they are coming. 

“I can’t be the only guy that thought this up,” said Shah.  “When I think of something I want to bring it out into the light and say ‘here’s a technique that’s very difficult to do but have at it. Use your creative thinking and find out some defenses against, because this thing is coming.”

For more about Shah's Stegosploit tool see the full presentation slides, here.


Cammy Harbison - Tech Writer/Reporter For iDigitalTimesFor More OSX, iOS, Jailbreak And Infosec NewsFollow Cammy on Facebook, Twitter, or Google Plus Send tips to c.harbison@idigitaltimes.comGPG Key ID: 56E784D9


Join the Discussion
Top Stories