Topic: Viruses in pictures?

Xedafen

Viruses in pictures?
« on: October 21, 2014, 06:07:59 am »
Large antivirus software like Norton and reliable sites for reporting malicious files such as Kaspersky have been warning people of new viruses and backdoors in bmp. Now, I can make a virus LOOK like a bmp, but is it just me or does this just sound like bullsh!t? bmp, jpg, gif, etc. are NOT executables, so by my understanding, this is impossible, because when run it will not run as an executable but be run as a picture file. I know there can be secret text and hidden pictures and links inside pictures, but a virus? I don't think it's possible. What are your thoughts on this and do you think it's possible? Maybe some examples?
« Last Edit: October 21, 2014, 08:36:06 am by ande »

Architect
Re: Viruses in PICTURES!?!?!
« Reply #1 on: October 21, 2014, 06:26:04 am »
Anybody remember the days when you could embed batch code into JPEGS and archives into PNGs? Oh wait. You still can..

Xedafen

Re: Viruses in PICTURES!?!?!
« Reply #2 on: October 21, 2014, 06:29:22 am »
How? That information would be greatly appreciated.

Architect
Re: Viruses in PICTURES!?!?!
« Reply #3 on: October 21, 2014, 06:35:36 am »

Code:
copy /b Image.png + Compressed.rar Secretimage.png

Then just Google how to make it self extracting. Same thing works with any files. Just copy the virus and an .ini for auto run and put it into a meme image. Then spread it.

Xedafen

Re: Viruses in PICTURES!?!?!
« Reply #4 on: October 21, 2014, 07:06:02 am »
Yes, that will hide the image but doesn't solve the problem of the user still having to run the program, or maybe I'm not understanding something. You should make a tutorial.
« Last Edit: October 21, 2014, 07:06:17 am by Xedafen »

ande
Re: Viruses in pictures?
« Reply #5 on: October 21, 2014, 08:52:12 am »


No, you understand correctly. This is about as useful as any other file merger. It simply puts one file on the end of the other. Nothing more. Won't run, won't do anything.

There are only two ways malware could be hidden (and executed) in images. Either by feature or by flaw. And by flaw I mean (most of the time?) a buffer overflow vulnerability.

By feature
Code could be executed by an image viewer if the image viewer actually had this as a feature. Not as likely with image files, but there have been numerous examples of other file formats that have allowed things like JavaScript or VBScript to run as a feature. Pretty sure PDF had this a while back (maybe still?), Microsoft Office files had (have?) this and so on.

By flaw
As with any other program, an image viewer can have flaws/bugs. And sometimes those flaws/bugs can be exploited. In most cases we are talking about a buffer overflow exploit. This could allow you to add malicious code to an image that would be executed when viewing the image. There are way too many details to go into here and now so I will not explain further. Know this tho, most image formats have been around for a loooong time and so thousands of people have tried finding these flaws already.
« Last Edit: October 21, 2014, 08:54:40 am by ande »
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Xedafen

Re: Viruses in pictures?
« Reply #6 on: October 21, 2014, 04:47:08 pm »
Thank you.

Deque
Re: Viruses in pictures?
« Reply #7 on: October 21, 2014, 04:51:15 pm »
Since you are looking for examples, here is a paper about one recent Android image exploit by Albertini and Apvrille:
https://www.blackhat.com/docs/eu-14/materials/eu-14-Apvrille-Hide-Android-Applications-In-Images-wp.pdf

p_2001
Re: Viruses in pictures?
« Reply #8 on: October 21, 2014, 04:55:37 pm »
There is a third way, polyglots. You make a hybrid file of two different languages and send them. An example would be GIFAR attacks, where the GIF file was both a valid GIF and JAR file.
"Always have a plan"

rocketballz
Re: Viruses in pictures?
« Reply #9 on: November 03, 2014, 06:15:34 am »
You can make a virus in, say, Python for example and use a program like aegis to spoof the extension as well as compress the size so it looks like a normal jpeg file or whatever.

~APH ADMIN~


ande
Re: Viruses in pictures?
« Reply #10 on: November 03, 2014, 08:53:03 am »

No you cannot. At least not the spoofing part. The file ending is the file ending. You can call your file abc.exe.gif or abc.gif.exe. But only one of those will apply. Even tho the last one will get hidden in a default Windows Vista (and above) system, it will not execute because it has .exe in the name.

PS: If you want that signature in all your posts, add it to your SIGNATURE. Not every single post. Check your profile settings page.
« Last Edit: November 03, 2014, 08:53:33 am by ande »

rocketballz
Re: Viruses in pictures?
« Reply #11 on: November 03, 2014, 08:58:51 am »
Actually that's not completely accurate. It is still an exe file, it just spoofs the extension to look like a jpeg or gif. The only example I can give you is one that I made...?

~APH ADMIN~


ande
Re: Viruses in pictures?
« Reply #12 on: November 03, 2014, 09:19:13 am »

I don't think you understand. You cannot actually spoof (trick, hoax, prank) the file ending, that would make no sense. You can change the exe icon and name it virus.gif.exe but the file ending would still be .exe. I guess it might work with some end-users, but anyone with a little bit of brains would not touch that.

rocketballz
Re: Viruses in pictures?
« Reply #13 on: November 03, 2014, 09:22:32 am »
I'll make a video tutorial if you'd like? 

~APH ADMIN~


ande
Re: Viruses in pictures?
« Reply #14 on: November 03, 2014, 09:30:35 am »

Don't think that would be necessary. I understand what you probably have done, but I'm telling you it's not as fantastic as you sell it to be. You could upload the file as an attachment?