Spreading Malware through Images with Stegosploit Tool
Posted by: Unknown Posted date: 12:31 PM / comment : 0
Next-gen cyber attacks could come through Internet images using the Stegosploit tool, which allows hackers to embed malware in an image.
Security researcher Saumil Shah has developed the Stegosploit tool, with which hackers can embed executable JavaScript code within an image to trigger a drive-by download.
The Internet is becoming a major source of media and is emerging as a hub for advertising. As a result, innocent-looking images are scattered all over the Internet, on social networking sites and in search engines alike. Security researcher Saumil Shah feels that this is the field which the next generation of cyber attackers could exploit.
Saumil Shah, a security researcher from Net Square security, recently presented his Stegosploit project at the Hack In The Box conference held in Amsterdam. During the conference he demonstrated an updated method from his digital steganography project, known as the Stegosploit tool, which allows hackers to embed executable JavaScript code within an image to trigger a drive-by download.
What does all this mean?
In layman's terms, it means that going forward people might download potentially dangerous malware onto their devices just by viewing an innocent-looking image, without even clicking on or downloading that image. While a person views an image, the hidden malware could be downloaded to the computer, smartphone or tablet without the user's knowledge or consent. This malware can be very dangerous, as it can steal the user's confidential data such as photographs, login credentials and financial information. The worst part is that present-day antivirus and malware detection scanners are not yet equipped to detect these types of cyber attacks, so even devices protected by such programs are left exposed if attackers choose to attack through the Stegosploit tool.
Steganography: This is a technique for transmitting a message in hidden form, in such a way that the message becomes part of something else, such as an image, an article, a shopping list or some other cover text. The technique has been in use since 1499, and one striking example of steganography is a hidden message written in invisible ink between the visible lines of an innocent, friendly letter.
With cryptography, the encrypted message usually arouses a lot of interest. With steganography, the secret message does not attract any attention and so escapes unwanted scrutiny, which is why steganography is preferred over cryptography.
History has revealed that people have used a combination of
cryptography and steganography in the past to transmit secret messages
to the ‘right people’.
In his demonstration, Shah said that the steganography method "hides the message in plain sight". The technique developed by Shah, the "Stegosploit tool", is an advanced form of the steganographic method in which the exploits are delivered not only in plain sight but also in style.
Besides being a security researcher, Shah also has a passion for photography. Five years back, Shah decided to combine his passions for hacking and photography, and he started experimenting with steganographic techniques in images.
Using the Stegosploit tool, Shah has been taking known exploits in Chrome, Safari, Explorer and other browsers that support HTML5 Canvas and encoding these exploits into the image layers. Shah has dubbed the resulting files Imajs (image + JavaScript): such a file loads as JavaScript in a browser and renders as an image as well as an executable. Shah was thus able to hide two different kinds of content in one single file, delivering malicious content inside images.
During the encoding process, the image may appear to be totally unaltered, depending on which layer the JavaScript has been embedded in. The Stegosploit technique distributes the executable code around the inside of an image file, which makes it next to impossible for current antivirus programs to detect. To detect this hidden code, an antivirus would need to scan each and every byte of an image, which would directly affect the speed of the internet.
It was in March that Shah gave the first demonstration of his Stegosploit tool, at SyScan. At that time, the technique rendered the malware using two images: one contained the executable code and the other contained the code to decode it. Shah has since worked further on his technique, and now both the executable code and the decoder code can be embedded within the same image. The technique is possible with PNG as well as JPEG images. Further, as long as the size of the file remains unchanged, it can be added to any webpage, including Twitter, Imgur, Instagram, dating profiles and many more.
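As an added example (not Shah's code and not part of the original post), here is a defender-side check for PNG uploads that walks the chunk structure and flags markup in non-pixel chunks and bytes after IEND. It assumes the HTML/JavaScript part of an image-plus-script file sits in ancillary chunks or trailing data; `scan_png`, the marker list and the sample files are constructed for illustration, and the check does not look for data hidden in pixel bit layers.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Heuristic markers (constructed list): markup that image metadata should not contain.
MARKERS = (b"<script", b"<html", b"<canvas", b"getimagedata", b"eval(")

def chunk(ctype, body=b""):
    """Serialize one PNG chunk: length, type, body, CRC32 over type+body."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))

def scan_png(data):
    """Walk the chunk list and return findings; an empty list means nothing flagged."""
    if not data.startswith(PNG_SIG):
        return ["not a PNG"]
    findings, pos, ended = [], len(PNG_SIG), False
    while not ended and pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            findings.append(f"chunk {ctype!r} runs past end of file")
            return findings
        body = data[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            findings.append(f"bad CRC in {ctype!r}")
        if ctype != b"IDAT":  # IDAT is deflate-compressed pixel data, not text
            hits = [m.decode() for m in MARKERS if m in body.lower()]
            if hits:
                findings.append(f"markup in {ctype.decode('latin-1')} chunk: {hits}")
        pos, ended = end, ctype == b"IEND"
    if not ended:
        findings.append("no IEND chunk")
    elif pos < len(data):
        findings.append(f"{len(data) - pos} bytes after IEND")
    return findings

# Constructed samples: a 1x1 grayscale PNG, clean and with inert markup added.
IHDR = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
IDAT = chunk(b"IDAT", zlib.compress(b"\x00\x00"))
CLEAN = PNG_SIG + IHDR + IDAT + chunk(b"IEND")
INERT = b"<html><script>/*inert*/</script>"
IN_TEXT = PNG_SIG + IHDR + chunk(b"tEXt", b"Comment\x00" + INERT) + IDAT + chunk(b"IEND")
TRAILING = CLEAN + INERT

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("tEXt", IN_TEXT), ("trailing", TRAILING)):
        print(name, scan_png(sample))
```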
People who view photographs and images online could easily be victimized, as the malware is downloaded just by viewing the image, which does not need to be clicked or downloaded. This could be a powerful technique for cyber attackers to exploit in the near future. Shah is pretty confident that we will witness these attacks soon, though as of now there aren't any cases of hackers using this technique.