Lethal Shell Game

With researchers embedding malicious shell code in Web images and PDF files, can criminals be far behind?

4 Min Read

Is there something just a little bit strange about that photo or PDF file you just viewed from your Web browser? Maybe the colors look a little off, or there's an extra frame that doesn't seem to have a purpose?

If so, you should worry. You might be the victim of the newest form of Web attack: image-embedded shell code.

Experts at iDefense Labs, the security research arm of Verisign, have discovered a new, relatively simple method of embedding shell code, often used to penetrate enterprise security defenses, in commonly-loaded Web images, such as computer graphics, online photos, or PDF documents. The researchers will present their findings early next month at the Black Hat conference in Las Vegas.

"It's a great disguise for all kinds of exploits, because every browser has an image viewer, but there's no capability in the viewer to detect an anomalous image," says Michael Sutton, director of iDefense Labs. "The dangerous code is hiding in plain sight."

The new attack vector hasn't yet been exploited by criminals. Greg McManus, a senior security engineer at iDefense Labs, discovered the new approach as he searched for ways to find shell code that he had randomly injected into Web servers, as attackers often do.

"The shell code you need to penetrate a [corporate] network is usually quite small, maybe less than 100 kilobytes, and it's hard to find," he says. "I knew that if I could put it inside a big file, like an image file, it would be easier to locate."

McManus started experimenting with simple images that might be clicked on or automatically downloaded with a Web page. "My first attempt was pretty obvious, because it had a pink color or bars down the side where the code had been embedded," he recalls. But after further experimentation, he found a way to insert the code into less obvious images, such as innocent-looking graphics or photos.

"That means an attacker could target a specific computer by putting the code into an image that the user would be interested in," McManus observes. "I could put it in pictures of my family, or where I live."

A large image file also makes an excellent vehicle for malicious code, because most users are willing to wait a long time for a picture or PDF file to load, Sutton says. "If it's something they really want to see, people will wait 10 or 20 seconds for an image," he says. "On a high-speed network, [an attacker] could download a huge amount of information in 10 or 20 seconds."

The size of the image file also means that attackers could conceivably create larger shell programs than they currently do and still have a reasonable hope that the user will accept them without suspicion, Sutton observes. "The usual limit is about 100K, but this method could break that barrier." Such larger programs usually aren't necessary, because shell code is typically used only to get into the network, where separate code or programs can be executed, he notes.

The iDefense attack is different than worms and viruses that have been discovered in popular graphics programs such as Excel or Word, researchers say. "In those cases, the code is separate from the image. It usually mangles the image, and it can be detected" by an intrusion detection system, Sutton says. The new vector embeds the code in an image, which on the Web is often compressed, making it virtually undetectable by today's IDS products.

"What are you going to do, block all documents and images? Scan each document or image individually before it's accepted? Strategies like that would defeat the whole functionality of the Web," Sutton says.

In the future, security tools might conquer the problem by scanning for anomalous images or files. "If you look in the right place, you can see that an infected file is different from a non-infected file," McManus says. "It should be possible to teach a [tool] to scan for the irregularities."

Will black hats jump on the bandwagon and start launching image-embedded attacks as soon as iDefense Labs presents its findings at the Black Hat conference on Aug. 3? "It's not very difficult to do in simple image formats, but it takes a bit more work in more sophisticated formats, such as JPEG, where the application automatically removes some details because they aren't detectable by the human eye," McManus says. "It takes a little bit more work to put code in those more sophisticated formats. But it's doable."

"We don't know if it will become a popular medium for attackers to use," Sutton concedes. "But it's definitely another factor for security people to consider."

— Tim Wilson, Site Editor, Dark Reading

About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights