Indian Researcher Finds A Way To Hack Computers Using Pictures

Saumil Shah, a cyber security expert and CEO of Net-Square, an information security company based in Gujarat, India, has developed a security exploit that lets an attacker not only deliver exploits but also trigger them using perfectly valid image files of different formats. Shah spent years developing the exploit, which he calls “Stegosploit”. The name takes its inspiration from steganography, the practice of concealing a message or another image inside a media file. In Shah’s case he combined malicious JavaScript and image code in a single JPG or PNG file. The brilliant aspect of Stegosploit is that an image carrying the harmful code renders as a perfectly normal picture in your browser.

So the question now is: how does Stegosploit work? The process starts with encoding the malicious code inside a picture’s pixels. Shah’s malicious code, “IMAJS”, a combination of image code and JavaScript, is hidden within the pixels of a picture, and an end user cannot distinguish an infected image from a safe one. Once the encoding is complete, Shah takes advantage of Canvas, a safe HTML5 element that allows dynamic decoding of images, to deploy the code automatically. The attacker can either ship malware directly in the code or program it to open the proverbial backdoor on your computer for further malware installations. The exploit only works in browsers, and those using dated or vulnerable browsers are at risk.

There are a couple of factors that minimise the threat posed by photos laced with Shah’s code. First, as mentioned above, the exploit only works in vulnerable browsers; if you open the picture in a desktop photo-viewing application it is completely harmless. Secondly, the image you upload to the internet has to be devoid of any extension, which means you cannot upload a tainted image to websites like CrazyEngineers, where we only allow files with certain extensions to be uploaded. Finally, it is near impossible to successfully upload these images to social networking sites, because services like Facebook and Google+ strip unnecessary data from any image before upload.
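The upload-side defence described above can be made concrete. The following is an added example, not code from the article or from Shah's Stegosploit work: it walks a JPEG or PNG to the end-of-image marker and flags any trailing data or script text, the way an upload handler for a site like the one mentioned might. All sample bytes are constructed skeletons, not real images. Note the caveat: a payload hidden in the pixel values themselves, as the article describes for IMAJS, is not visible to this check; for that, the page's own mitigation applies, re-encoding every uploaded image so the original bytes are never served.

```python
import re
from typing import Optional

# Constructed sample bytes (not real image data or exploit payloads): minimal
# JPEG and PNG skeletons, with and without data appended after the image ends.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x02\xff\xd9"
CLEAN_PNG = PNG_SIG + PNG_IEND
POLYGLOT_JPEG = CLEAN_JPEG + b"<html><script>/* constructed marker text */</script>"
PADDED_PNG = CLEAN_PNG + b"\x00" * 16  # trailing junk, no script markers

# Text that has no business inside an image; a browser handed such a file with
# a permissive content type could interpret it as a document instead.
SCRIPT_MARKERS = re.compile(rb"<script\b|<html\b|javascript:", re.IGNORECASE)


def image_trailer(data: bytes) -> Optional[bytes]:
    """Return the bytes following the end-of-image marker, or None when the
    data does not even start like a JPEG or PNG."""
    if data.startswith(b"\xff\xd8"):
        # Conservative: stop at the first EOI marker. Files carrying an embedded
        # EXIF thumbnail get flagged too, which suits a re-encode-on-doubt policy.
        end = data.find(b"\xff\xd9")
        return data[end + 2:] if end >= 0 else data  # no EOI: treat all as suspect
    if data.startswith(PNG_SIG):
        i = len(PNG_SIG)
        while i + 8 <= len(data):  # chunk = 4-byte length, 4-byte type, data, CRC
            length = int.from_bytes(data[i:i + 4], "big")
            ctype = data[i + 4:i + 8]
            i += 12 + length
            if ctype == b"IEND":
                return data[i:]
        return data  # IEND never reached: malformed or truncated
    return None


def classify_upload(data: bytes) -> str:
    """'reject' for non-images and anything containing script markers,
    'reencode' for images with trailing data, 'ok' for a clean image."""
    trailer = image_trailer(data)
    if trailer is None or SCRIPT_MARKERS.search(data):
        return "reject"
    return "reencode" if trailer else "ok"
```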

Saumil Shah discussed his findings at HITBSecConf 2015, held in Amsterdam on 28th May. Before his presentation he sat down with the folks over at Motherboard to show them how he was able to inject the code in a picture and wreak havoc on an infected PC.

Source: Crazy Engineers
