Reading Time: 4 minutes

Images in browsers may be the next big thing in online attacks, according to Hack In The Box presenter Saumil Shah. The researcher presented an updated version of his image embedded malware at HITB 2015 AMS Thursday.

Go online for five minutes. Visit a few webpages. How many pictures do you see?

With the media rich nature of the web, chances are your answer is in the hundreds. It is in this space the future of malicious cyber attacks could be embedded. In a presentation at Hack In The Box in Amsterdam, Net Square security researcher Saumil Shah demonstrated an updated method of his digital steganography project, Stegosploit, which involves embedding executable JavaScript code within an image to trigger a drive by download.

In plain speak, this means virtually any picture you view on the web, even without clicking on it or downloading it, could potentially contain malware. Upon viewing the image, the hidden program would automatically load on your computer or mobile device without your consent. That malicious software could then do a variety of nasty things from taking control of your device to stealing data, photos, login credentials, sensitive personal and financial information and more. The best part of all, antivirus and malware detection scanners are not, at this time, equipped to detect these kinds of attacks, rendering your safety net completely useless.

While using steganography to convey hidden messages is nothing new, the attack method Shah has developed is, and in his opinion, could be the future of online attacks.

What is Steganography?

Steganography is a hidden messages technique where the message itself appears to be part of something else, like an image, article, shopping lists, or other cover text. A simple example might be a hidden message written in invisible ink between the visible lines of a friendly letter.

Many times throughout history, stenography has been employed along with cryptography to convey secret messages to the “right” people. The advantage of steganography over cryptography alone is that the intended secret message does not attract attention to itself as an object of scrutiny.

As Shah explains it, steganography is all about “hiding things in plain sight.” With his technique and “Stegosploit” tool Shah takes the stenographic approach to a new level where exploits are delivered not only in plain sight, but also “with style.”

Hiding In Plain Sight

Shah’s steganographic adventure in hacking with pictures began five years ago when the avid photographer decided to see just what could be done when he combined his two passions into one.

“I really love photography and I had been looking into jpeg files and image files just because I could,” Shah told iDigitalTimes. “It was then that I began to wonder if non-image data could be encoded inside an image itself. Of course, Steganography in images has been around a long time and a lot of research has been done with encoding text on pictures, but with classic steganography you are just adding text into an image and both the text and the image are passive. What I wanted to do was encode active code into the image pixels so that when it was decoded, it isn’t viewed as an image, but rather, executes.”

Over the last several years, Shah has worked on his technique and discovered executable code can in fact be embedded within an image and executed in a web browser, evading detection of even the most scrupulous malware scanners.

Packaged into a tool called Stegosploit, Shah takes known exploits Chrome, Safari, Explorer and other browsers supporting HTML 5 Canvas, and codes them into the but layers of an images’ pixels. These kind of files which Shah dubbed Imajs (image + JavaScript) load as JavaScript in a browser that render as images but also execute – two different kinds of content all embedded in one file.

When the exploit is encoded, depending on the layer where the JavaScript is embedded, the image may appear completely unaltered. Because the technique spreads the executable code around inside of the image file, it is basically undetectable by current antivirus programs. Detecting the hidden code would require scanning every single byte in an image, which would mean a huge compromise in load speed.

Shah first demonstrated his method at SyScan in March. At the time, the technique required using two images – one to contain the executable code, and the other one to decode it. But since that time Shah has managed to embed both the executable code and the decoder within the same image. This technique is possible with both PNG and JPEG images.

The combining of both the executable code, and the decoder make this new technique a ripe playground for unethical hackers. As long as the file remains the same size, it could be added to any webpage – for example, Instagram, Twitter, Imgur, dating profiles and more. Unsuspecting victims who view the photo online would find themselves instantly compromised without ever clicking or downloading the photo at all.

While there are no yet known cases of this technique being used in the wild, Shah is confident, they are coming.

“I can’t be the only guy that thought this up,” said Shah.  “When I think of something I want to bring it out into the light and say ‘here’s a technique that’s very difficult to do but have at it. Use your creative thinking and find out some defenses against, because this thing is coming.”

For more about Shah’s Stegosploit tool see the full presentation slides, here.