Future attacks: Hiding exploit code in images

Successfully hiding messages in images has already been done, but is it possible to deliver an exploit in one – and run it?

Saumil Shah, founder and CEO of Net-Square, has demonstrated at Hack in the Box Amsterdam 2015 that it’s possible, and has posited that such attacks are more than likely to crop up in the near future, as he can’t be the only one who thought about this, tried it and succeeded.

His research was motivated by his love of photography and browser exploits, and his desire to explore innovative means of exploit delivery. The advantage of using steganography for this is based on the fact that, if done right, the message is completely hidden and, as he pointed out, “you can’t stop what you can’t see.”

Also, what could be more innocent than a lovely image?

He is not the first one to try and hide exploits in images. But he created Stegosploit, a technology that lets attackers deliver executable JavaScript code via images, and trigger them, too.

The technology opens the door for attacks executed as simply as pointing users to sites containing a booby-trapped image or delivering the image via email. By virtue of simply viewing the image, the exploit code is triggered and can deliver malware on the victim’s computer.

“A single file can be rendered as a perfectly valid HTML file, executed as a perfectly valid Javascript file, and displayed as a perfectly valid image, all at the same time,” he explains.

“Stegosploit is the result of malicious exploit code hidden within pixels of the image carrying it. The image however, is a multi format container, which also contains the code required to decode the steganographically encoded pixels to execute the exploit.”

This type of attack won’t show in network traffic, he pointed out, be invisible to the naked eye, and the image will “autorun” in the browser.

In order to make the attack payload look harmless and not trigger defenses, Shah split it into two: dangerous pixel data (exploit code), and a safe decoder.

Exploit code is encoded into the bit layers of an image’s pixels – the result is called Imajs (a combination of image and JavaScript), and they work on browsers that support HTML5 Canvas (current versions of Mozilla Firefox, Google Chrome, Internet Explorer, Safari, Konqueror and Opera), which allows in-browser decoding of steganographically encoded images.

As far as he knows, no means of malware detection have been able to successfully identify these images for what they are.

Shah has been experimenting with encoding exploit code in JPGs and PNGs. PNGs are better for this, he says, as JPGs have a problem with compression and, therefore, losing information vital to make the exploit work. But still, JPGs are way more popular, and there is a way around the “lossy compression”: iterative encoding.

In addition to all of this, the exploit code delivered via an imajs can be triggered months after the file is received or seen. “We can ‘timeshift’ payload delivery using caching,” Shah added.



This could turn out to be a digital forensics incident response nightmare – how far would you go back to search your logs for evidence about the attack? And how would you find it? For all effective purposes, the entire file is a valid image file.

A temporary quick-fix prevention of this kind of attack can be to re-encode all images – resize them, turn them into BMPs and back, etc. This is one of the reasons why the exploit wouldn’t work if the imajs was uploaded to Facebook – the social network automatically process the images, and this would result in information loss.

But the real, definite solution will have to come from browser developers, and soon, he noted.

For more details about his research, you can check out the talk slides or, better yet, the video of a previous talk on the same subject Shah gave earlier this year on SyScan’15 Singapore (note: at the time, he still hadn’t managed to embed both the attack code and the decode in the image).