PNG Images Loaded With Hidden Viruses

In “places I’d least expect to get an infection” news this week, it looks like the popular image format PNG is vulnerable to advanced malware injection and distribution techniques, some of which were thought to have been dead and buried over 15 years ago.

First discovered by Peter Gramantik, a security researcher at Sucuri, the crack works by exploiting the ancient “iFrame” hole, which can launch a separate browser window outside the viewing range of a monitor without the user being any the wiser.

Because the data sits inside an image, it is far more difficult for standard antivirus protection suites to detect, allowing the program to spread much further and to many more computers than it otherwise might.

The iFrame in this particular instance was used to call up a JavaScript file (jquery.js), which would then launch a PNG file called “dron.png”. While on the surface everything looks relatively normal, it was a simple feedback loop in one of the div elements that first tipped Gramantik off to the scheme.

By placing the image outside of the standard viewing area, dozens of malware programs can be secretly funneled into a computer. This technique leaves the infected system open to a wide range of malware threats, including one which seems to trace back to a Russian website notorious for hosting two well-known Trojans, as well as 1,000-plus domains hooked up to its modestly sized botnet.

This attack vector isn’t exactly news to members of the security community, and the same idea has been implemented a dozen different ways over the years and across different image formats. Even so, Gramantik still warns us that the virus could be customized to work on different platforms and that anyone who values their data shouldn’t take the threat too lightly.

“Most scanners today will not decode the meta in the image, they would stop at the JavaScript that is being loaded, but they won’t follow the cookie trail.”
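To make the point about scanners not decoding image metadata concrete, here is an added example (not code from Sucuri or from the original article) of a check that walks a PNG's chunks, decodes its text metadata and flags script-like content or bytes left after the last chunk. It assumes “meta” refers to the PNG text chunks (tEXt, zTXt, iTXt); the marker regex, the function names and the sample file are constructed for illustration.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_TEXT = 1 << 20  # cap inflated metadata so a hostile file cannot exhaust memory
# Heuristic markers chosen for this example (assumption); tune for your own use.
SCRIPT_HINTS = re.compile(rb"<iframe|<script|eval\(|document\.|fromCharCode", re.I)

def make_chunk(ctype, data):
    """Build one PNG chunk; used only to construct the sample below."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

def decode_text(ctype, data):
    """Return the text payload of a tEXt, zTXt or iTXt chunk as bytes."""
    _keyword, _, rest = data.partition(b"\x00")
    packed = ctype == b"zTXt" or (ctype == b"iTXt" and rest[:1] == b"\x01")
    if ctype == b"iTXt":  # flag, method, language\0, translated keyword\0, text
        text = rest[2:].split(b"\x00", 2)[-1]
    else:                 # zTXt carries one method byte before the zlib stream
        text = rest[1:] if packed else rest
    return zlib.decompressobj().decompress(text, MAX_TEXT) if packed else text

def scan_png(blob):
    """Walk every chunk and return a list of findings (empty means nothing flagged)."""
    if not blob.startswith(PNG_SIG):
        return ["not a PNG"]
    findings, pos, ctype = [], len(PNG_SIG), None
    while pos + 12 <= len(blob) and ctype != b"IEND":
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(blob):
            return findings + ["truncated chunk"]
        if ctype in (b"tEXt", b"zTXt", b"iTXt"):
            try:
                if SCRIPT_HINTS.search(decode_text(ctype, blob[pos + 8:end - 4])):
                    findings.append(f"script-like text in {ctype.decode('latin-1')}")
            except zlib.error:
                findings.append(f"undecodable {ctype.decode('latin-1')}")
        pos = end
    if pos < len(blob):
        findings.append(f"{len(blob) - pos} trailing bytes after last chunk")
    return findings

# Constructed sample: 1x1 grayscale PNG whose compressed comment holds an iframe tag.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
HIDDEN = b"Comment\x00\x00" + zlib.compress(b'<iframe src="//example.invalid">')
SAMPLE = PNG_SIG + b"".join(make_chunk(t, d) for t, d in [
    (b"IHDR", IHDR), (b"zTXt", HIDDEN), (b"IDAT", zlib.compress(b"\x00\x00")), (b"IEND", b"")])
```

A scanner that only pattern-matches the raw file misses the compressed zTXt payload in `SAMPLE`; `scan_png(SAMPLE)` reports it because the chunk is inflated before matching.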