Images in browsers may be the next big thing in online attacks, according to Hack In The Box presenter Saumil Shah. The researcher presented an updated version of his image-embedded malware at HITB 2015 AMS Thursday.
Go online for five minutes. Visit a few webpages. How many pictures do you see?
In plain speak, this means virtually any picture you view on the web, even without clicking on it or downloading it, could potentially contain malware. Upon viewing the image, the hidden program would automatically load on your computer or mobile device without your consent. That malicious software could then do a variety of nasty things from taking control of your device to stealing data, photos, login credentials, sensitive personal and financial information and more. The best part of all, antivirus and malware detection scanners are not, at this time, equipped to detect these kinds of attacks, rendering your safety net completely useless.
While using steganography to convey hidden messages is nothing new, the attack method Shah has developed is, and in his opinion, could be the future of online attacks.
What is Steganography?
Steganography is a technique for hiding messages in which the message itself appears to be part of something else, such as an image, an article, a shopping list, or other cover text. A simple example might be a hidden message written in invisible ink between the visible lines of a friendly letter.
Many times throughout history, steganography has been employed along with cryptography to convey secret messages to the “right” people. The advantage of steganography over cryptography alone is that the intended secret message does not attract attention to itself as an object of scrutiny.
As Shah explains it, steganography is all about “hiding things in plain sight.” With his technique and “Stegosploit” tool, Shah takes the steganographic approach to a new level where exploits are delivered not only in plain sight, but also “with style.”
Hiding In Plain Sight
Shah’s steganographic adventure in hacking with pictures began five years ago when the avid photographer decided to see just what could be done when he combined his two passions into one.
“I really love photography and I had been looking into jpeg files and image files just because I could,” Shah told iDigitalTimes. “It was then that I began to wonder if non-image data could be encoded inside an image itself. Of course, Steganography in images has been around a long time and a lot of research has been done with encoding text on pictures, but with classic steganography you are just adding text into an image and both the text and the image are passive. What I wanted to do was encode active code into the image pixels so that when it was decoded, it isn’t viewed as an image, but rather, executes.”
Over the last several years, Shah has worked on his technique and discovered that executable code can in fact be embedded within an image and executed in a web browser, evading detection by even the most scrupulous malware scanners.
Shah first demonstrated his method at SyScan in March. At the time, the technique required using two images – one to contain the executable code, and the other one to decode it. But since that time Shah has managed to embed both the executable code and the decoder within the same image. This technique is possible with both PNG and JPEG images.
Combining the executable code and the decoder in one image makes this new technique a ripe playground for unethical hackers. As long as the file remains the same size, it could be added to any webpage – for example, Instagram, Twitter, Imgur, dating profiles and more. Unsuspecting victims who view the photo online would find themselves instantly compromised without ever clicking or downloading the photo at all.
While there are no known cases yet of this technique being used in the wild, Shah is confident they are coming.
“I can’t be the only guy that thought this up,” said Shah. “When I think of something I want to bring it out into the light and say ‘here’s a technique that’s very difficult to do but have at it. Use your creative thinking and find out some defenses against, because this thing is coming.’”