Lethal Shell Game

With researchers embedding malicious shell code in Web images and PDF files, can criminals be far behind?

Is there something just a little bit strange about that photo or PDF file you just viewed from your Web browser? Maybe the colors look a little off, or there's an extra frame that doesn't seem to have a purpose?

If so, you should worry. You might be the victim of the newest form of Web attack: image-embedded shell code.

Experts at iDefense Labs, the security research arm of Verisign, have discovered a new, relatively simple method of embedding shell code, often used to penetrate enterprise security defenses, in commonly loaded Web images, such as computer graphics, online photos, or PDF documents. The researchers will present their findings early next month at the Black Hat conference in Las Vegas.

"It's a great disguise for all kinds of exploits, because every browser has an image viewer, but there's no capability in the viewer to detect an anomalous image," says Michael Sutton, director of iDefense Labs. "The dangerous code is hiding in plain sight."

The new attack vector hasn't yet been exploited by criminals. Greg McManus, a senior security engineer at iDefense Labs, discovered the new approach as he searched for ways to find shell code that he had randomly injected into Web servers, as attackers often do.

"The shell code you need to penetrate a [corporate] network is usually quite small, maybe less than 100 kilobytes, and it's hard to find," he says. "I knew that if I could put it inside a big file, like an image file, it would be easier to locate."

McManus started experimenting with simple images that might be clicked on or automatically downloaded with a Web page. "My first attempt was pretty obvious, because it had a pink color or bars down the side where the code had been embedded," he recalls. But after further experimentation, he found a way to insert the code into less obvious images, such as innocent-looking graphics or photos.

"That means an attacker could target a specific computer by putting the code into an image that the user would be interested in," McManus observes. "I could put it in pictures of my family, or where I live."

A large image file also makes an excellent vehicle for malicious code, because most users are willing to wait a long time for a picture or PDF file to load, Sutton says. "If it's something they really want to see, people will wait 10 or 20 seconds for an image," he says. "On a high-speed network, [an attacker] could download a huge amount of information in 10 or 20 seconds."

The size of the image file also means that attackers could conceivably create larger shell programs than they currently do and still have a reasonable hope that the user will accept them without suspicion, Sutton observes. "The usual limit is about 100K, but this method could break that barrier." Such larger programs usually aren't necessary, because shell code is typically used only to get into the network, where separate code or programs can be executed, he notes.

The iDefense attack is different from worms and viruses that have been discovered in popular graphics programs such as Excel or Word, researchers say. "In those cases, the code is separate from the image. It usually mangles the image, and it can be detected" by an intrusion detection system, Sutton says. The new vector embeds the code in an image, which on the Web is often compressed, making it virtually undetectable by today's IDS products.

"What are you going to do, block all documents and images? Scan each document or image individually before it's accepted? Strategies like that would defeat the whole functionality of the Web," Sutton says.

In the future, security tools might conquer the problem by scanning for anomalous images or files. "If you look in the right place, you can see that an infected file is different from a non-infected file," McManus says. "It should be possible to teach a [tool] to scan for the irregularities."

Will black hats jump on the bandwagon and start launching image-embedded attacks as soon as iDefense Labs presents its findings at the Black Hat conference on Aug. 3? "It's not very difficult to do in simple image formats, but it takes a bit more work in more sophisticated formats, such as JPEG, where the application automatically removes some details because they aren't detectable by the human eye," McManus says. "It takes a little bit more work to put code in those more sophisticated formats. But it's doable."

"We don't know if it will become a popular medium for attackers to use," Sutton concedes. "But it's definitely another factor for security people to consider."

— Tim Wilson, Site Editor, Dark Reading