60

I have recently watched this video of a Finnish internet security expert. Somewhere around the eleventh minute, he talks about a virus which is hidden in an image and executes when the image is about to be displayed.

I am wondering how they technically do such a thing, I mean how come the virus is executed when the picture should be displayed, and how come the picture is not compromised in some way. I thought the computer first looks at the extension, then opens it with the appropriate program and lets the program work by itself (and I don't expect a regular image viewer to be able to run a virus within itself). Obviously it doesn't work like that, but no one I asked could help me out with this.

So does anyone know how they do this, the principle? Thank you very much.

Martin Geisler
JoeSlotsky
  • http://en.wikipedia.org/wiki/Buffer_overflow, has occurred in numerous image reading libraries. – Konrad Rudolph Mar 12 '12 at 22:54
  • With buffer overrun, it is considered the #1 classical security issue. I recommend reading this book: http://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0072260858 Suppose the image is 10k, and the accepting agent takes in only 9k; the remaining now overwrites the adjacent memory addresses. Suppose those are passwords, you are doomed. Your password has changed. – CppLearner Mar 12 '12 at 22:57
  • @CppLearner Have you got a source for the “#1” claim? I’ve always heard that SQL injections are #1 by a wide margin (but likewise I haven’t got a source handy). **EDIT** According to OWASP Top 10, SQLI is #1 *for web applications*. Still no sources for general vulnerabilities. – Konrad Rudolph Mar 12 '12 at 22:58
  • @KonradRudolph Hm.. classical. Not modern. SQL appears in 1974, and the first documented buffer overrun occurred in 1972.... besides, buffer overrun is intuitively the most dangerous problem in writing code. – CppLearner Mar 12 '12 at 23:05
  • @KonradRudolph Do you have any references to buffer overflows in image reading libraries? This seems like technology that has been around long enough to have been hardened, especially open source libraries like libtiff etc. – Travis Jun 19 '15 at 14:16
  • @Travis You’d be surprised. For example: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0200 – Konrad Rudolph Jun 19 '15 at 17:06

4 Answers

59

You're correct that your OS will pick a program and ask it to open the image. The OS will not ask the program to execute the image — that would be nonsense.

However, images are complex formats and often contain meta data (like the date and time when the picture was taken) and other parts that are not directly shown — you can hide stuff in there without affecting the image on the screen. So there might be hostile data lurking inside the image file.

Furthermore, programs can have bugs, in particular buffer overflows. Briefly, a virus can exploit this by putting too much data into the meta data sections — more than the program that decodes the image expects. The internal buffers overflow and, with enough skill, a virus writer is able to put executable code into the right place in memory so that the program that decodes the image will end up executing the code. That way an innocent and "dead" file like an image can host an exploit.

Martin Geisler
  • @KonradRudolph: heh, not much I guess :-) I just tried to point him in the right direction by describing roughly what happens — the principle as Joe calls it. – Martin Geisler Mar 12 '12 at 23:00
  • @KonradRudolph: I got the joke :-) – Martin Geisler Mar 12 '12 at 23:10
  • @Matt Yes but apparently somebody else didn’t …. – Konrad Rudolph Mar 12 '12 at 23:11
  • Ok... I'm dense... I don't get it (didn't downvote though). Now I'm curious. – Ed S. Mar 12 '12 at 23:19
  • @EdS., I think Mr. Rudolph implies that Mr. Geisler resembles Mr. Damon. Oh, and I downvoted because I disagree. – mechanical_meat Mar 13 '12 at 03:17
  • Okay, I didn't get the joke then... But I'm flattered to be compared to Matt Damon like this :-) – Martin Geisler Mar 13 '12 at 07:31
  • @MartinGeisler I think this is a really good illustration for the "meta data" :) http://stackoverflow.com/a/5509538/230884 – CppLearner Mar 13 '12 at 08:01
  • @CppLearner: wow, amazing! Also amazing that one of my cores runs at 100% when showing that animated GIF... – Martin Geisler Mar 13 '12 at 09:15
  • Hhaah. Welcome. you might want to put that up there. Yeah. Same here. That's definitely a GIF worm. – CppLearner Mar 13 '12 at 09:34
  • well, apparently the people on SO do not know what "buffer overflow" means and how computers work. Just let me sprinkle a little truth into this thread - since it's currently full of fantasies and bullshit: It has never been possible to include actual viruses into images. Best thing one may achieve is CRASHING your IMAGEVIEWER. That's about it. Sorry. – specializt Jun 24 '14 at 17:04
  • Just want to point out that specializt is making assumptions that effects of buffer overflows are limited (to crashing) which is not in general true. – Ben Voigt Dec 20 '14 at 15:47
  • @MartinGeisler : The same thing applies to git objects. It seems many popular libraries and projects *(even the main official one)* don't treat git databases with the same security level a web browser would treat an image *(without buffer overflow, a lot of data is allocated from uncompressed input)*. Moreover, their developers tend to only rely on static code analysis tools which are unable to analyse how functions can interact with each other when they're split between files *(no whole program analysis)*. It means there's a [lot of cash to win](https://bounty.github.com) *(just for example)*. – user2284570 Oct 19 '15 at 13:18
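To make the accepted answer concrete from the defender's side, here is an added example (not code from the answer or from any real image library) of how a metadata reader should handle a length field it reads from the file. It uses a constructed toy container ("TIMG" magic followed by typed chunks, an assumption for this example) with a 64-byte comment buffer, and refuses any chunk whose declared length exceeds either the bytes actually present or the destination buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy container, constructed for this example (not a real image format):
 * magic "TIMG", then chunks of [type:1][length:2 big-endian][payload].
 * Type 'C' is a text comment: metadata that is parsed but never displayed. */
#define COMMENT_MAX 64
enum parse_status { PARSE_OK = 0, PARSE_BAD_MAGIC, PARSE_TRUNCATED, PARSE_TOO_LONG, PARSE_NO_COMMENT };

/* The bug the answer describes is memcpy(out, file + pos, len) with len taken
 * straight from the file and out a fixed buffer. This reader checks every
 * file-supplied length against the data present and the destination first. */
enum parse_status read_comment(const uint8_t *file, size_t file_len, char out[COMMENT_MAX])
{
    size_t pos = 4;
    if (file_len < 4 || memcmp(file, "TIMG", 4) != 0)
        return PARSE_BAD_MAGIC;
    while (pos + 3 <= file_len) {                 /* a full chunk header remains */
        uint8_t type = file[pos];
        size_t len = ((size_t)file[pos + 1] << 8) | file[pos + 2];
        pos += 3;
        if (len > file_len - pos)                 /* declared length exceeds the data: over-read */
            return PARSE_TRUNCATED;
        if (type == 'C') {
            if (len >= COMMENT_MAX)               /* would overflow out (incl. terminator) */
                return PARSE_TOO_LONG;
            memcpy(out, file + pos, len);         /* safe: len < COMMENT_MAX */
            out[len] = '\0';
            return PARSE_OK;
        }
        pos += len;                               /* skip chunk types we do not handle */
    }
    return PARSE_NO_COMMENT;
}

/* Builds a constructed sample: one comment chunk of payload_len bytes of 'A'.
 * buf needs 7 + payload_len bytes. Returns the file size. */
size_t build_comment_file(uint8_t *buf, size_t payload_len)
{
    memcpy(buf, "TIMG", 4);
    buf[4] = 'C';
    buf[5] = (uint8_t)(payload_len >> 8);
    buf[6] = (uint8_t)payload_len;
    memset(buf + 7, 'A', payload_len);
    return 7 + payload_len;
}
```

The same two checks (length against bytes available, length against destination size) are what a fuzzer of a real decoder is looking for when it mutates the length fields of EXIF, ICC or text chunks.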
3

A virus can store information in an image, and can exploit a vulnerability in an image-viewing program. It cannot "infect" an image, so much as maliciously alter an image such that the program that is likely to open it will be subverted and trigger an exploit in that process.

If a virus puts malformed data in an image to exploit program X, and the image is opened in program Y, it is likely that the image will either not render because it is too malformed, or will render as an innocent or random looking image in that program.

The flaw as with all of these things is not in the image format, but rather in the implementation of the image-decoder.

SecurityMatt
  • Modifying a file in such a way to cause malicious behavior -- why do you not call that "infection"? – Ben Voigt Jul 24 '14 at 19:26
  • @BenVoigt, I don't get what you mean.... why do you call that "infection"? The file is downloaded from the Internet. As long as you don't open it it's effectively quarantined. – Pacerier Dec 20 '14 at 15:08
  • @Pacerider: That is what quarantine means. But I don't understand how it is related to my comment. A quarantined infected file is still an infected file. And your quarantine concept is misleading... It is not an explicit user action which opens the file, but the thumbnail generation. To actually quarantine the file you should deny read permission. – Ben Voigt Dec 20 '14 at 15:42
2

It does not have to be displayed, it has to be read.

The OS might have a thumbnail generating thread that will parse all images it finds. A buffer overflow in that code will allow code execution without user intervention.

This goes for any file that has any form of automatic read feature, to extract properties of an mp3, index a PDF, etc.

ixe013
  • Here is a link to the vulnerability which made remote code execution possible merely by opening the folder where the malicious file was located http://technet.microsoft.com/en-us/security/bulletin/ms04-028. – ixe013 Mar 13 '12 at 03:22
0

Some image formats have specified actual code sections, supposedly to be executed on error. You might find it interesting to read up on the Windows Metafile image format and the MICE vulnerability.

Wikipedia says: "... the vulnerability is an inherent defect in the design of WMF files, because the underlying architecture of such files is from a previous era, and includes features which allow actual code to be executed whenever a WMF file opens." --- https://en.wikipedia.org/wiki/Windows_Metafile_vulnerability

The same article also quotes Secunia, but does not include a citation: "The vulnerability is caused due to an error in the handling of Windows Metafile files ('.wmf') containing specially crafted SETABORTPROC 'Escape' records. Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails."
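As an added example (not from the answer or the quoted article), here is a minimal WMF record walker of the kind a mail gateway or file scanner can use to flag the SETABORTPROC escape records that advisory describes. It assumes the standard WMF layout (optional 22-byte placeable header, 18-byte header, then records of a 32-bit size in 16-bit words plus a 16-bit function number); the META_ESCAPE function number 0x0626 and SETABORTPROC escape number 9 are the format's real values, and the sample buffer is constructed for the test, not taken from any real file.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constants from the WMF format: placeable-header key, the META_ESCAPE
 * record function number, and the SETABORTPROC escape function number. */
#define WMF_PLACEABLE_KEY 0x9AC6CDD7u
#define META_ESCAPE       0x0626
#define ESC_SETABORTPROC  0x0009

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns how many META_ESCAPE records carry the SETABORTPROC escape, or -1 if
 * the file is too short or a record's declared size runs past the buffer.
 * No length read from the file is trusted before it is checked. */
int count_setabortproc(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int hits = 0;
    if (len >= 22 && rd32(buf) == WMF_PLACEABLE_KEY)
        pos = 22;                                  /* skip optional placeable header */
    if (len - pos < 18)
        return -1;                                 /* no room for the standard header */
    pos += 18;
    while (pos + 6 <= len) {                       /* Size(4) + Function(2) present */
        size_t rec_bytes = (size_t)rd32(buf + pos) * 2;   /* Size is in 16-bit words */
        uint16_t func = rd16(buf + pos + 4);
        if (rec_bytes < 6 || rec_bytes > len - pos)
            return -1;                             /* malformed record size */
        if (func == 0)                             /* META_EOF */
            break;
        if (func == META_ESCAPE && rec_bytes >= 8 && rd16(buf + pos + 6) == ESC_SETABORTPROC)
            hits++;
        pos += rec_bytes;
    }
    return hits;
}

/* Builds a constructed, minimal WMF-shaped buffer: 18-byte standard header,
 * one escape record with the given escape function, then META_EOF. Returns size. */
size_t build_wmf_sample(uint8_t *out, uint16_t escape_func)
{
    static const uint8_t rec_escape[] = { 5, 0, 0, 0, 0x26, 0x06, 0, 0, 0, 0 }; /* 5 words */
    static const uint8_t rec_eof[]    = { 3, 0, 0, 0, 0x00, 0x00 };             /* 3 words */
    memset(out, 0, 18);
    out[0] = 1; out[2] = 9;                        /* Type = memory metafile, HeaderSize = 9 words */
    memcpy(out + 18, rec_escape, sizeof rec_escape);
    out[24] = (uint8_t)escape_func; out[25] = (uint8_t)(escape_func >> 8);
    memcpy(out + 28, rec_eof, sizeof rec_eof);
    return 34;
}
```

A hit is a policy decision for the scanner (a legitimate printing metafile can carry one), but as the article notes the feature lets a file register code to run, so a file arriving by mail or web with this record deserves to be blocked or sandboxed.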