Author

Topic: Malware Hidden Inside JPG EXIF Headers (Read 1637 times)

global moderator
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
July 21, 2013, 06:46:30 AM
#12
This all sounds like a non event to me.

You mean a file can contain code? Wow. Never knew!

You mean a program can be written to execute code? Wow. Never knew!
People knew, it simply didn't pop into our heads until someone brought up a specific example.
hero member
Activity: 812
Merit: 1000
July 20, 2013, 12:08:31 PM
#11
This all sounds like a non event to me.

You mean a file can contain code? Wow. Never knew!

You mean a program can be written to execute code? Wow. Never knew!
legendary
Activity: 1022
Merit: 1001
I'd fight Gandhi.
July 20, 2013, 10:10:33 AM
#10
Wow, interesting read.
global moderator
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
July 20, 2013, 10:03:48 AM
#9
Soon .txt files won't be safe to use. Sad
They aren't safe to use if you're dumb enough to write a program in such a way that it treats every text file it reads as a list of commands to be executed. This exploit would never have happened if the author of the PHP code wasn't a complete idiot. You don't pass arbitrary text read from external files into a function that can execute that text as code. That's the number one thing that non-morons don't do.
So I guess if there is someone to harm us, he will find a way to bypass any security and make sure you get hit from the direction you least expected. If this is happening then it's a matter of time when malware might cause actual damage to humans, not just to their devices.
sr. member
Activity: 392
Merit: 250
♫ A wave came crashing like a fist to the jaw ♫
July 20, 2013, 07:59:46 AM
#8
Sounds scary. Soon .txt files won't be safe to use. Sad

well, you can hide just about anything inside its alt stream, how to execute it is another story though.
sr. member
Activity: 448
Merit: 254
July 19, 2013, 11:55:59 PM
#7
the EXIF tags were (stupidly) fed to this function despite it being well-known that such functions should never be allowed to operate on external data without safeguards for exactly this reason.

It looks like that wasn't actually the attack vector, just the way they hid their backdoor.  I think they infected some other way, then buried the preg_replace/exif stuff deep in the code hoping nobody would notice it.  It would look relatively harmless (though perhaps strange to someone who knew the code), as it's not obvious it is eval'ing a string, and the actual string is hidden out of the source in the image file, so it doesn't stand out.  Pretty clever.  Not so clever of whoever thought mixing eval into a regular expression function was a passable idea.
legendary
Activity: 4542
Merit: 3393
Vile Vixen and Miss Bitcointalk 2021-2023
July 19, 2013, 11:42:07 PM
#6
Soon .txt files won't be safe to use. Sad
They aren't safe to use if you're dumb enough to write a program in such a way that it treats every text file it reads as a list of commands to be executed. This exploit would never have happened if the author of the PHP code wasn't a complete idiot. You don't pass arbitrary text read from external files into a function that can execute that text as code. That's the number one thing that non-morons don't do.
global moderator
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
July 19, 2013, 04:25:54 PM
#5
Sounds scary. Soon .txt files won't be safe to use. Sad
legendary
Activity: 4542
Merit: 3393
Vile Vixen and Miss Bitcointalk 2021-2023
July 18, 2013, 09:17:26 PM
#4
I have the impression that this a rather new development. I'm not sure of the scale of the threat, or how well anti-virus software is prepared to cope with it.
It's not a new development at all. Basically how it works is, the EXIF tags (which can contain any text the author of the image wants) of an image on the web server contain PHP code. Normally, this wouldn't be a problem, since the PHP server should never treat EXIF tags (or any other arbitrary text read from an external file) as code to be executed by the server. But the PHP code on the server contains a function which can indeed treat arbitrary text as code to be executed, and the EXIF tags were (stupidly) fed to this function despite it being well-known that such functions should never be allowed to operate on external data without safeguards for exactly this reason. This allows whoever created the image to execute whatever code they want on the web server and basically take full control over it.

Anti-virus software won't help, since it's not a virus - it's just ordinary text in a location where ordinary text normally exists. The real threat comes from poorly-written PHP code treating this text as though it were code. Anti-virus software can't protect against stupidity.
newbie
Activity: 24
Merit: 0
July 18, 2013, 03:27:49 AM
#3
I have the impression that this a rather new development. I'm not sure of the scale of the threat, or how well anti-virus software is prepared to cope with it.
legendary
Activity: 4542
Merit: 3393
Vile Vixen and Miss Bitcointalk 2021-2023
July 17, 2013, 06:56:09 AM
#2
Looks like Bobby Tables decided to pursue a career in photography. Grin
sr. member
Activity: 392
Merit: 250
♫ A wave came crashing like a fist to the jaw ♫
Jump to: