http://thehackernews.com/2015/06/Stegosploit-malware.html
Pretty clever way of delivering malware. Now I'm checking up on how to disable html5 scripting in my browsers.
I bet our favorite Alphabet security arm has probably been working on this as well and now is pissed that someone else figured it out and made more people aware of the possibility.
.....
Next time someone sends you a photo of a cute cat or a hot chick, be careful before you click on the image to view it; it might hack your machine.
Yes, normal-looking images could hack your computers, thanks to a technique discovered by security researcher Saumil Shah from India.
Dubbed "Stegosploit," the technique lets hackers hide malicious code inside the pixels of an image, hiding a malware exploit in plain sight to infect target victims.
Just look at the image and you are HACKED!
Shah demonstrated the technique during a talk titled "Stegosploit: Hacking With Pictures," which he gave on Thursday at the Amsterdam hacking conference Hack In The Box.
According to Shah, "a good exploit is one that is delivered in style."
Keeping this in mind, Shah discovered a way to hide malicious code directly into an image, rather than hiding it in email attachments, PDFs or other types of files that are typically used to deliver and spread malicious exploits.
To do so, Shah used steganography, a technique of hiding messages and contents within a digital graphic image, making the messages impossible to spot with the naked eye.
~snip~
However, in this case, instead of secret messages, the malicious code or exploit is encoded inside the image's pixels, which is then decoded using an HTML 5 Canvas element that allows for dynamic, scriptable rendering of images.
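A defensive triage sketch for the decode path the quoted article describes (image pixels read back through an HTML5 canvas, then run as script), added here as an example and not part of the original post or the article. The pattern lists, function names and sample pages are assumptions constructed for illustration.

```javascript
// Static triage heuristic: flag pages whose inline scripts both read raw
// canvas pixels and execute strings as code. Easy to evade by obfuscation,
// so treat a hit as a reason to look closer, not as proof.
const PIXEL_READ = [/\.getImageData\s*\(/, /\.toDataURL\s*\(/];
const DYNAMIC_EXEC = [
  /\beval\s*\(/,
  /\bnew\s+Function\s*\(/,
  /\bset(?:Timeout|Interval)\s*\(\s*["'`]/, // string argument, not a callback
];

// Return the bodies of inline <script> elements (those without a src attribute).
function inlineScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1])) out.push(m[2]);
  }
  return out;
}

function triagePage(html) {
  const js = inlineScripts(html).join("\n");
  const readsPixels = PIXEL_READ.some((re) => re.test(js));
  const runsStrings = DYNAMIC_EXEC.some((re) => re.test(js));
  let verdict = "clean";
  if (readsPixels && runsStrings) verdict = "suspicious";
  else if (readsPixels || runsStrings) verdict = "review";
  return { readsPixels, runsStrings, verdict };
}

// Constructed sample pages; the decoder in the last one is deliberately omitted.
const SAMPLES = {
  chart: `<canvas id="c"></canvas><script>
    const ctx = document.getElementById("c").getContext("2d");
    ctx.fillRect(0, 0, 40, 20);
  </script>`,
  grayscale: `<script>
    const px = ctx.getImageData(0, 0, w, h);
    for (let i = 0; i < px.data.length; i += 4) px.data[i] = px.data[i + 1];
    ctx.putImageData(px, 0, 0);
  </script>`,
  decodeAndRun: `<img id="cat" src="cat.png"><script>
    ctx.drawImage(document.getElementById("cat"), 0, 0);
    var bytes = ctx.getImageData(0, 0, w, h).data;
    var text = decode(bytes);
    eval(text);
  </script>`,
};
for (const [name, html] of Object.entries(SAMPLES)) console.log(name, triagePage(html).verdict);
```

On sites you control, a Content-Security-Policy whose `script-src` omits `'unsafe-eval'` makes the browser refuse `eval`, `new Function` and string-argument timers, which removes the execution step this heuristic looks for.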