Indian Researcher Finds A Way To Hack Computers Using Pictures

Saumil Shah, a cyber security expert and CEO of Net-Square, an information security company based in Gujarat, India, has developed a technique that lets an attacker both deliver an exploit and trigger it using perfectly valid image files in several formats. Shah spent years developing the technique, which he calls “Stegosploit”. The name comes from steganography, the practice of concealing a message (or another image) inside a media file. In Shah’s case, the concealed content is malicious JavaScript combined with image data in a single JPG or PNG file. The unsettling part of Stegosploit is that an image carrying the hidden code still renders as a perfectly normal picture in your browser.


[Image: Stegosploit. Image courtesy: Saumil Shah, #-Link-Snipped-#]

So how does Stegosploit work? The process starts by encoding the attack code into the pixels of a picture. Shah’s payload, which he calls “IMAJS” (image plus JavaScript), is hidden in the pixel values, so an end user cannot tell an infected image from a clean one by looking at it. Once the encoding is done, Shah uses Canvas, an ordinary HTML5 element that lets a script read and manipulate image pixels dynamically, to decode the hidden code and run it automatically. The hidden code can carry the malware itself, or it can act as a loader that opens the proverbial back door on your computer for further malware installations. The trigger only works inside a web browser, and it still needs a browser vulnerability to exploit, so those running outdated or vulnerable browsers are the ones at risk.
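To make the encode-then-decode-via-Canvas step concrete, here is an added example; it is not Shah’s IMAJS code and does not reproduce his bit layout. It hides a byte string in the least significant bit of the R, G and B channels of an RGBA pixel buffer laid out exactly like a browser `ImageData.data` array, then recovers it the way a Stegosploit-style decoder would after calling `getImageData()` on a `<canvas>`. The 1-bit-per-channel LSB layout, the 4-byte length header, the gradient “photo” and the benign payload string are all assumptions constructed for the demonstration.

```javascript
// Added example, not Saumil Shah's IMAJS encoder/decoder. Hides a byte string
// in the least-significant bit of the R, G and B channels of an RGBA pixel
// buffer laid out like a browser ImageData.data array, and recovers it the way
// a Stegosploit-style decoder does after ctx.getImageData() on a <canvas>.
// Assumptions: 1 bit per colour channel, 4-byte big-endian length header
// (Shah's real bit layout is not described in the article). Alpha is left
// untouched because canvases premultiply alpha and would corrupt bits there.

// Constructed sample carrier: a smooth gradient, not a real photograph.
function makeImage(width, height) {
  const data = new Uint8ClampedArray(width * height * 4);
  for (let p = 0; p < width * height; p++) {
    data[p * 4]     = (p * 7) & 0xff;   // R
    data[p * 4 + 1] = (p * 13) & 0xff;  // G
    data[p * 4 + 2] = (p * 29) & 0xff;  // B
    data[p * 4 + 3] = 255;              // A, fully opaque
  }
  return { width, height, data };
}

// Three usable bits per pixel, minus the 4-byte header.
function capacityBytes(img) {
  return Math.floor((img.width * img.height * 3) / 8) - 4;
}

// Write payload bits into the LSB of R, G, B, pixel by pixel (row-major).
function embed(img, payload) {
  if (payload.length > capacityBytes(img)) throw new Error('payload too large for carrier');
  const header = new Uint8Array(4);
  new DataView(header.buffer).setUint32(0, payload.length);   // big-endian length
  const bytes = new Uint8Array([...header, ...payload]);
  const out = new Uint8ClampedArray(img.data);                 // copy; original untouched
  const totalBits = bytes.length * 8;
  for (let bit = 0; bit < totalBits; bit++) {
    const value = (bytes[bit >> 3] >> (7 - (bit & 7))) & 1;    // MSB first
    const idx = Math.floor(bit / 3) * 4 + (bit % 3);           // pixel*4 + channel (0..2)
    out[idx] = (out[idx] & 0xfe) | value;
  }
  return { width: img.width, height: img.height, data: out };
}

// Read the LSBs back. Returns null when the length header is implausible,
// which is what happens on an ordinary image whose LSBs are just noise.
function extract(img) {
  let bit = 0;
  const readByte = () => {
    let b = 0;
    for (let k = 0; k < 8; k++, bit++) {
      const idx = Math.floor(bit / 3) * 4 + (bit % 3);
      b = (b << 1) | (img.data[idx] & 1);
    }
    return b;
  };
  const len = readByte() * 2 ** 24 + readByte() * 2 ** 16 + readByte() * 256 + readByte();
  if (len > capacityBytes(img)) return null;
  const out = new Uint8Array(len);
  for (let i = 0; i < len; i++) out[i] = readByte();
  return out;
}

// Largest per-channel change the embedding made. An LSB flip changes a
// channel by at most 1 out of 255, which is why the carrier looks identical.
function maxChannelDelta(a, b) {
  let max = 0;
  for (let i = 0; i < a.data.length; i++) max = Math.max(max, Math.abs(a.data[i] - b.data[i]));
  return max;
}

// Browser side only (needs document/canvas, so it is not called here): the
// shape of the decoder stage. An attacker's version would hand the recovered
// text to Function() or eval(); this one only returns it.
function decodeFromImageElement(imgEl) {
  const canvas = document.createElement('canvas');
  canvas.width = imgEl.naturalWidth;
  canvas.height = imgEl.naturalHeight;
  const ctx = canvas.getContext('2d');
  ctx.drawImage(imgEl, 0, 0);
  const bytes = extract(ctx.getImageData(0, 0, canvas.width, canvas.height));
  return bytes ? new TextDecoder().decode(bytes) : null;
}

// Round trip on the constructed carrier. The payload is a harmless string
// standing in for the exploit code an attacker would hide.
function demo() {
  const original = makeImage(64, 48);
  const payload = new TextEncoder().encode('console.log("decoded from pixels")');
  const carrier = embed(original, payload);
  const recovered = new TextDecoder().decode(extract(carrier));
  return { recovered, delta: maxChannelDelta(original, carrier), cleanImageYields: extract(original) };
}
```

The point the paragraph makes is visible in `demo()`: every channel value of the carrier is within 1 of the original, so the picture is indistinguishable to a viewer, yet the full JavaScript string comes back once a script is allowed to read the pixels. Note that a desktop image viewer never executes anything; the decoder function is what turns pixels into code, and it only exists when the file is loaded by a browser that runs the attacker’s script.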

A few factors limit the threat from photos laced with Shah’s code. First, as noted above, it relies on a vulnerable browser; opening the picture in a desktop photo viewing application is completely harmless, because the viewer only draws the pixels and never runs the decoder. Second, the file has to be hosted without an image extension, so that the browser treats it as a web page rather than as a picture. That means you cannot plant a tainted image on websites like CrazyEngineers, where uploads are restricted to files with certain extensions. Finally, it is nearly impossible to get these images onto social networking sites, because services like Facebook and Google+ re-process uploaded images and strip out any data not needed to display them, which destroys the hidden payload.
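The second and third factors above amount to an upload policy a site operator can enforce. The following is an added example, written for this page and not taken from the article or from Net-Square: a server-side check that accepts only whitelisted image extensions, verifies the file really starts with that format’s magic bytes, and rejects anything that follows the image’s end-of-file marker (the PNG IEND chunk or the JPEG EOI marker), because a file that is both a valid picture and a valid HTML/JS document has to park that second payload somewhere the image decoder ignores. Assumptions: the trailing-data test is one heuristic (it does not inspect metadata segments inside the image), the sample files are synthetic byte strings constructed inline with correct framing but no real pixel data or CRCs, and the response headers are returned as a recommendation rather than sent.

```javascript
// Added example (not the article's or Net-Square's code): an upload gate that
// rejects mismatched extensions and polyglot files carrying data after the
// end-of-image marker. Heuristic only; re-encoding the image on upload, as
// the social networks in the article do, is the robust defence.

const PNG_SIG = [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a];

function startsWith(bytes, sig) {
  return bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b);
}

// Walk PNG chunks (4-byte length, 4-byte type, data, 4-byte CRC) and return
// the offset just past IEND, or -1 if the chunk stream never reaches it.
function pngEndOffset(bytes) {
  const dv = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  let off = 8;
  while (off + 12 <= bytes.length) {
    const len = dv.getUint32(off);                       // big-endian
    const type = String.fromCharCode(...bytes.subarray(off + 4, off + 8));
    off += 12 + len;
    if (type === 'IEND') return off;
  }
  return -1;
}

// JPEG: the image ends at the last FFD9 (EOI). "Last" because an EXIF
// thumbnail embedded in an APP1 segment carries its own EOI.
function jpegEndOffset(bytes) {
  for (let i = bytes.length - 2; i >= 2; i--) {
    if (bytes[i] === 0xff && bytes[i + 1] === 0xd9) return i + 2;
  }
  return -1;
}

const FORMATS = {
  png:  { magic: PNG_SIG,            end: pngEndOffset,  mime: 'image/png' },
  jpg:  { magic: [0xff, 0xd8, 0xff], end: jpegEndOffset, mime: 'image/jpeg' },
  jpeg: { magic: [0xff, 0xd8, 0xff], end: jpegEndOffset, mime: 'image/jpeg' },
};

// Decide whether an upload is accepted; on success also return the headers
// the file should be served with so browsers never sniff it as HTML.
function inspectUpload(filename, bytes) {
  const dot = filename.lastIndexOf('.');
  const ext = dot < 0 ? '' : filename.slice(dot + 1).toLowerCase();
  const fmt = FORMATS[ext];
  if (!fmt) return { accept: false, reason: 'extension not allowed' };
  if (!startsWith(bytes, fmt.magic)) return { accept: false, reason: 'content does not match extension' };
  const end = fmt.end(bytes);
  if (end < 0) return { accept: false, reason: 'truncated or malformed image' };
  const trailing = bytes.length - end;
  if (trailing > 0) return { accept: false, reason: 'trailing data after image end', trailing };
  return {
    accept: true,
    headers: { 'Content-Type': fmt.mime, 'X-Content-Type-Options': 'nosniff' },
  };
}

// Constructed samples: synthetic framing only (CRC fields left zero, no real
// pixel data); enough for the chunk walker, not a decodable picture.
function pngChunk(type, data) {
  const out = new Uint8Array(12 + data.length);
  new DataView(out.buffer).setUint32(0, data.length);
  for (let i = 0; i < 4; i++) out[4 + i] = type.charCodeAt(i);
  out.set(data, 8);
  return out;
}
function concat(...parts) {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of parts) { out.set(p, off); off += p.length; }
  return out;
}
const enc = (s) => new TextEncoder().encode(s);
const cleanPng    = concat(new Uint8Array(PNG_SIG), pngChunk('IHDR', new Uint8Array(13)), pngChunk('IEND', new Uint8Array(0)));
const polyglotPng = concat(cleanPng, enc('<script>/*decoder*/</script>'));
const cleanJpg    = new Uint8Array([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x02, 0xff, 0xd9]);
const polyglotJpg = concat(cleanJpg, enc('<html>'));
const htmlAsJpg   = enc('<html><script>x</script></html>');
```

Used together, the extension whitelist stops the “no extension” hosting trick the paragraph describes, the magic-byte check stops HTML renamed to `.jpg`, and `X-Content-Type-Options: nosniff` keeps a browser from second-guessing the declared `image/*` type. Trailing-data detection catches the crudest polyglots; payloads tucked into metadata segments need the re-encode-on-upload approach instead.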

Saumil Shah presented his findings in the talk “Stegosploit: Hacking With Pictures” at HITBSecConf2015 in Amsterdam on 28th May. Before his presentation he sat down with the folks over at #-Link-Snipped-# to show them how he was able to #-Link-Snipped-# in a picture and #-Link-Snipped-# on an infected PC.
