Bitcoin Forum

Other => Off-topic => Topic started by: btceic on July 17, 2013, 12:07:08 AM



Title: Malware Hidden Inside JPG EXIF Headers
Post by: btceic on July 17, 2013, 12:07:08 AM
http://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html


Title: Re: Malware Hidden Inside JPG EXIF Headers
Post by: Foxpup on July 17, 2013, 11:56:09 AM
Looks like Bobby Tables decided to pursue a career in photography. ;D


Title: Re: Malware Hidden Inside JPG EXIF Headers
Post by: livan on July 18, 2013, 08:27:49 AM
I have the impression that this is a rather new development. I'm not sure of the scale of the threat, or how well anti-virus software is prepared to cope with it.


Title: Re: Malware Hidden Inside JPG EXIF Headers
Post by: Foxpup on July 19, 2013, 02:17:26 AM
I have the impression that this is a rather new development. I'm not sure of the scale of the threat, or how well anti-virus software is prepared to cope with it.

It's not a new development at all. Basically how it works is, the EXIF tags (which can contain any text the author of the image wants) of an image on the web server contain PHP code. Normally, this wouldn't be a problem, since the PHP server should never treat EXIF tags (or any other arbitrary text read from an external file) as code to be executed by the server. But the PHP code on the server contains a function which can indeed treat arbitrary text as code to be executed, and the EXIF tags were (stupidly) fed to this function despite it being well-known that such functions should never be allowed to operate on external data without safeguards for exactly this reason. This allows whoever created the image to execute whatever code they want on the web server and basically take full control over it.

Anti-virus software won't help, since it's not a virus - it's just ordinary text in a location where ordinary text normally exists. The real threat comes from poorly-written PHP code treating this text as though it were code. Anti-virus software can't protect against stupidity.


Title: Re: Malware Hidden Inside JPG EXIF Headers
Post by: mprep on July 19, 2013, 09:25:54 PM
Sounds scary. Soon .txt files won't be safe to use. :(


Title: Re: Malware Hidden Inside JPG EXIF Headers
Post by: Foxpup on July 20, 2013, 04:42:07 AM
Soon .txt files won't be safe to use. :(

They aren't safe to use if you're dumb enough to write a program in such a way that it treats every text file it reads as a list of commands to be executed. This exploit would never have happened if the author of the PHP code wasn't a complete idiot. You don't pass arbitrary text read from external files into a function that can execute that text as code. That's the number one thing that non-morons don't do.


Title: Re: Malware Hidden Inside JPG EXIF Headers
Post by: scintill on July 20, 2013, 04:55:59 AM
the EXIF tags were (stupidly) fed to this function despite it being well-known that such functions should never be allowed to operate on external data without safeguards for exactly this reason.

It looks like that wasn't actually the attack vector, just the way they hid their backdoor. I think they infected some other way, then buried the preg_replace/exif stuff deep in the code hoping nobody would notice it. It would look relatively harmless (though perhaps strange to someone who knew the code), as it's not obvious it is eval'ing a string, and the actual string is hidden out of the source in the image file, so it doesn't stand out. Pretty clever. Not so clever of whoever thought mixing eval into a regular expression function was a passable idea.
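The mechanism Foxpup and scintill describe (PHP text parked in EXIF string tags, later pulled out by a preg_replace whose /e modifier evaluates its replacement) can be hunted for from the file side. The Python below is an added example, not code from this thread or from the Sucuri post: it constructs a minimal JPEG with an APP1/Exif segment, parses the TIFF directory inside it, and flags string tags whose text looks like PHP or an eval payload. The tag numbers are the standard TIFF/EXIF Make, Model and Copyright tags; the sample tag values are constructed, harmless text.

```python
import re
import struct

# Standard TIFF/EXIF ASCII tags; a string tag like Make or Model is where the
# thread says the backdoor parked its regex and its eval() text.
ASCII_TAGS = {0x010F: "Make", 0x0110: "Model", 0x8298: "Copyright"}
# PHP fingerprints with no business in camera metadata, plus a bare regex carrying the /e modifier.
SUSPICIOUS = re.compile(r"<\?php|\beval\s*\(|base64_decode|preg_replace\s*\(|^/.*/\w*e\w*$", re.I)

def build_exif_jpeg(tags):
    """Construct a minimal JPEG: SOI, one APP1/Exif segment (little-endian TIFF, ASCII tags only), EOI."""
    entries, data = [], bytearray()
    data_off = 14 + 12 * len(tags)  # TIFF header + entry count + entries + next-IFD pointer
    for tag, text in tags.items():
        raw = text.encode() + b"\0"  # EXIF ASCII values are NUL-terminated
        val = raw.ljust(4, b"\0") if len(raw) <= 4 else struct.pack("<I", data_off + len(data))
        if len(raw) > 4:
            data += raw  # long strings live after the IFD and are referenced by offset
        entries.append(struct.pack("<HHI", tag, 2, len(raw)) + val)
    tiff = b"II*\0" + struct.pack("<IH", 8, len(tags)) + b"".join(entries) + b"\0\0\0\0" + bytes(data)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def exif_strings(jpeg):
    """Walk the marker segments up to SOS/EOI and return {tag name: value} for ASCII EXIF tags."""
    found, pos = {}, 2  # skip the SOI marker
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        marker, seglen = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg, pos = jpeg[pos + 4:pos + 2 + seglen], pos + 2 + seglen
        if marker != 0xE1 or not seg.startswith(b"Exif\0\0"):
            continue
        tiff = seg[6:]
        end = "<" if tiff[:2] == b"II" else ">"  # byte-order mark decides how to unpack
        ifd = struct.unpack(end + "I", tiff[4:8])[0]
        for i in range(struct.unpack(end + "H", tiff[ifd:ifd + 2])[0]):
            e = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
            tag, typ, n = struct.unpack(end + "HHI", e[:8])
            if typ != 2:  # only ASCII entries can carry text
                continue
            raw = e[8:12] if n <= 4 else tiff[struct.unpack(end + "I", e[8:12])[0]:]
            found[ASCII_TAGS.get(tag, hex(tag))] = raw[:n].rstrip(b"\0").decode("latin-1")
    return found

def scan_exif(jpeg):
    """Return only the EXIF string fields whose text looks like PHP or an eval payload."""
    return {k: v for k, v in exif_strings(jpeg).items() if SUSPICIOUS.search(v)}

# Constructed sample with the layout the thread describes; the values are harmless text.
SAMPLE = build_exif_jpeg({0x010F: "/.*/e", 0x0110: "eval('echo 1;');",
                          0x8298: "Copyright 2013 example"})
```

Run `scan_exif` over the uploads directory of a PHP site and any hit is worth a look, since a camera never writes a regex or an eval() call into Make or Model.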


Title: Re: Malware Hidden Inside JPG EXIF Headers
Post by: btceic on July 20, 2013, 12:59:46 PM
Sounds scary. Soon .txt files won't be safe to use. :(

Well, you can hide just about anything inside its alt stream, how to execute it is another story though.


Title: Re: Malware Hidden Inside JPG EXIF Headers
Post by: mprep on July 20, 2013, 03:03:48 PM
Soon .txt files won't be safe to use. :(
They aren't safe to use if you're dumb enough to write a program in such a way that it treats every text file it reads as a list of commands to be executed. This exploit would never have happened if the author of the PHP code wasn't a complete idiot. You don't pass arbitrary text read from external files into a function that can execute that text as code. That's the number one thing that non-morons don't do.

So I guess if there is someone to harm us, he will find a way to bypass any security and make sure you get hit from the direction you least expected. If this is happening then it's a matter of time before malware might cause actual damage to humans, not just to their devices.


Title: Re: Malware Hidden Inside JPG EXIF Headers
Post by: mufa23 on July 20, 2013, 03:10:33 PM
Wow, interesting read.


Title: Re: Malware Hidden Inside JPG EXIF Headers
Post by: FirstAscent on July 20, 2013, 05:08:31 PM
This all sounds like a non event to me.

You mean a file can contain code? Wow. Never knew!

You mean a program can be written to execute code? Wow. Never knew!


Title: Re: Malware Hidden Inside JPG EXIF Headers
Post by: mprep on July 21, 2013, 11:46:30 AM
This all sounds like a non event to me.

You mean a file can contain code? Wow. Never knew!

You mean a program can be written to execute code? Wow. Never knew!

People knew, it simply didn't pop into our heads until someone brought up a specific example.