Bitcoin Forum
Author Topic: Malware Hidden Inside JPG EXIF Headers  (Read 1622 times)
btceic (OP)
Sr. Member, Activity: 392, Merit: 250
July 17, 2013, 12:07:08 AM, #1

http://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html

♫ This situation, which side are you on? Are you getting out? Are you dropping bombs? Have you heard of diplomatic resolve? ♫ How To Run A Cheap Full Bitcoin Node For $19 A Year ♫ If I knew where it was, I would take you there. There’s much more than this. ♫ Track Your Bitcoins Value
Foxpup
Legendary, Activity: 4312, Merit: 3037
July 17, 2013, 11:56:09 AM, #2

Looks like Bobby Tables decided to pursue a career in photography. Grin

Will pretend to do unspeakable things (while actually eating a taco) for bitcoins: 1K6d1EviQKX3SVKjPYmJGyWBb1avbmCFM4
I am not on the scammers' paradise known as Telegram! Do not believe anyone claiming to be me off-forum without a signed message from the above address! Accept no excuses and make no exceptions!
livan
Newbie, Activity: 24, Merit: 0
July 18, 2013, 08:27:49 AM, #3

I have the impression that this is a rather new development. I'm not sure of the scale of the threat, or how well anti-virus software is prepared to cope with it.
Foxpup
Legendary, Activity: 4312, Merit: 3037
July 19, 2013, 02:17:26 AM, #4

Quote from: livan
I have the impression that this is a rather new development. I'm not sure of the scale of the threat, or how well anti-virus software is prepared to cope with it.
It's not a new development at all. Basically how it works is, the EXIF tags (which can contain any text the author of the image wants) of an image on the web server contain PHP code. Normally, this wouldn't be a problem, since the PHP server should never treat EXIF tags (or any other arbitrary text read from an external file) as code to be executed by the server. But the PHP code on the server contains a function which can indeed treat arbitrary text as code to be executed, and the EXIF tags were (stupidly) fed to this function despite it being well-known that such functions should never be allowed to operate on external data without safeguards for exactly this reason. This allows whoever created the image to execute whatever code they want on the web server and basically take full control over it.

Anti-virus software won't help, since it's not a virus - it's just ordinary text in a location where ordinary text normally exists. The real threat comes from poorly-written PHP code treating this text as though it were code. Anti-virus software can't protect against stupidity.

mprep
Global Moderator, Legendary, Activity: 3752, Merit: 2607
July 19, 2013, 09:25:54 PM, #5

Sounds scary. Soon .txt files won't be safe to use. Sad

Foxpup
Legendary, Activity: 4312, Merit: 3037
July 20, 2013, 04:42:07 AM, #6

Quote from: mprep
Soon .txt files won't be safe to use. Sad
They aren't safe to use if you're dumb enough to write a program in such a way that it treats every text file it reads as a list of commands to be executed. This exploit would never have happened if the author of the PHP code wasn't a complete idiot. You don't pass arbitrary text read from external files into a function that can execute that text as code. That's the number one thing that non-morons don't do.

scintill
Sr. Member, Activity: 448, Merit: 252
July 20, 2013, 04:55:59 AM, #7

Quote from: Foxpup
the EXIF tags were (stupidly) fed to this function despite it being well-known that such functions should never be allowed to operate on external data without safeguards for exactly this reason.

It looks like that wasn't actually the attack vector, just the way they hid their backdoor.  I think they infected some other way, then buried the preg_replace/exif stuff deep in the code hoping nobody would notice it.  It would look relatively harmless (though perhaps strange to someone who knew the code), as it's not obvious it is eval'ing a string, and the actual string is hidden out of the source in the image file, so it doesn't stand out.  Pretty clever.  Not so clever of whoever thought mixing eval into a regular expression function was a passable idea.

1SCiN5kqkAbxxwesKMsH9GvyWnWP5YK2W | donations
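The detection side of what Foxpup (#4) and scintill (#7) describe, as an added example that is not code from the Sucuri post or from any poster here: since the backdoor's string lives in image metadata rather than in the PHP source, a reviewer can walk a JPEG's marker structure and flag PHP source indicators inside the metadata segments (APP0..APP15, which carry EXIF and XMP, and COM). The scanner is byte-level over each segment payload, so it does not depend on parsing the TIFF/IFD layout inside EXIF. The sample JPEGs are constructed inline for this example, their EXIF body is a stub rather than a valid TIFF directory, and the function names (`iter_segments`, `scan_metadata`, `build_sample_jpeg`) are this example's own.

```python
"""Walk a JPEG's marker segments and flag PHP source text inside metadata.

Added example, not code from the Sucuri post or from the forum thread. The
scan is byte-level over APPn/COM segment payloads, so it does not need to
parse the TIFF/IFD structure inside EXIF.
"""
import struct

# Strings that indicate PHP source text inside image metadata. None of these
# belong in a Make/Model tag, a comment segment, or an XMP packet.
INDICATORS = (b"<?php", b"eval(", b"preg_replace(", b"base64_decode(")

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
APP_MARKERS = range(0xE0, 0xF0)                          # APP0 .. APP15
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))  # markers with no length field


def iter_segments(data):
    """Yield (marker, payload) for every segment up to and including SOS.

    Metadata can only precede the entropy-coded scan data, so the walk stops
    at SOS instead of trying to parse compressed image data.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            yield marker, b""
            if marker == EOI:
                return
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        # The 16-bit length counts itself but not the two marker bytes.
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        yield marker, data[pos + 4:end]
        if marker == SOS:
            return
        pos = end


def scan_metadata(data):
    """Return [(segment_name, indicator, offset_in_payload), ...] for each hit."""
    findings = []
    for marker, payload in iter_segments(data):
        if marker == COM:
            name = "COM"
        elif marker in APP_MARKERS:
            name = f"APP{marker - 0xE0}"
        else:
            continue                         # DQT, SOF, DHT, SOS: not metadata
        for indicator in INDICATORS:
            offset = payload.find(indicator)
            if offset != -1:
                findings.append((name, indicator.decode("ascii"), offset))
    return findings


# --- constructed sample files (not real camera output) --------------------

def segment(marker, payload):
    """Encode one marker segment: FF xx, 2-byte big-endian length, payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg(make_tag):
    """Constructed JPEG: SOI, APP1 "Exif" stub carrying make_tag, SOS, EOI.

    The bytes after "Exif\\0\\0" mimic a little-endian TIFF header, but no IFD
    follows; a real file would place the Make string in an IFD entry.
    """
    exif_stub = b"Exif\x00\x00" + b"II*\x00\x08\x00\x00\x00" + make_tag
    sos_header = b"\x01\x01\x00\x00\x3f\x00"   # one component; no scan data follows
    return b"\xff\xd8" + segment(0xE1, exif_stub) + segment(SOS, sos_header) + b"\xff\xd9"


CLEAN_JPEG = build_sample_jpeg(b"Canon EOS 5D\x00")
# The PHP text below is a placeholder marker for detection, not a working payload.
SUSPECT_JPEG = build_sample_jpeg(b'<?php eval("placeholder"); ?>\x00')


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_JPEG), ("suspect", SUSPECT_JPEG)):
        hits = scan_metadata(blob)
        print(f"{label}: {'no indicators' if not hits else hits}")
```

Running the file reports no indicators for the clean sample and two APP1 hits (`<?php` and `eval(`) for the suspect one. Stopping at SOS is deliberate: anything after it is compressed image data, and a finding there would only be a false positive from random bytes. The same walk covers every APPn segment rather than only EXIF, so text hidden in an XMP packet or a COM segment is reported the same way.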
btceic (OP)
Sr. Member, Activity: 392, Merit: 250
July 20, 2013, 12:59:46 PM, #8

Quote from: mprep
Sounds scary. Soon .txt files won't be safe to use. Sad

well, you can hide just about anything inside its alt stream, how to execute it is another story though.

mprep
Global Moderator, Legendary, Activity: 3752, Merit: 2607
July 20, 2013, 03:03:48 PM, #9

Quote from: Foxpup
Soon .txt files won't be safe to use. Sad
They aren't safe to use if you're dumb enough to write a program in such a way that it treats every text file it reads as a list of commands to be executed. This exploit would never have happened if the author of the PHP code wasn't a complete idiot. You don't pass arbitrary text read from external files into a function that can execute that text as code. That's the number one thing that non-morons don't do.
So I guess if there is someone to harm us, he will find a way to bypass any security and make sure you get hit from the direction you least expected. If this is happening then it's a matter of time when malware might cause actual damage to humans, not just to their devices.

mufa23
Legendary, Activity: 1022, Merit: 1001
July 20, 2013, 03:10:33 PM, #10

Wow, interesting read.

Positive rep with: pekv2, AzN1337c0d3r, Vince Torres, underworld07, Chimsley, omegaaf, Bogart, Gleason, SuperTramp, John K. and guitarplinker
FirstAscent
Hero Member, Activity: 812, Merit: 1000
July 20, 2013, 05:08:31 PM, #11

This all sounds like a non event to me.

You mean a file can contain code? Wow. Never knew!

You mean a program can be written to execute code? Wow. Never knew!
mprep
Global Moderator, Legendary, Activity: 3752, Merit: 2607
July 21, 2013, 11:46:30 AM, #12

Quote from: FirstAscent
This all sounds like a non event to me.

You mean a file can contain code? Wow. Never knew!

You mean a program can be written to execute code? Wow. Never knew!
People knew, it simply didn't pop into our heads until someone brought up a specific example.
