Weekly malware round-up
The proliferation of images and video on the Net is making it easier to embed exploits, using media as camouflage for malicious code. The four exploits discussed below do just that.

YouTube, with all its popularity, presents a brimming opportunity to affect the masses, and the 'Zlob' malware intends to do just that. This exploit uses the site to lure users into clicking a fake video link that not only bombards them with ads but also downloads Trojans to their computers. This article from Techworld provides details on the exploit. Here's a video from Websense about another exploit that dupes the user into executing a file (.exe) that opens a video on YouTube while downloading scripts and Trojans in the background.

SecurityFocus describes a malware rootkit called Mpack that is used to compromise a number of legitimate Web sites: users of those sites are redirected to malicious sites running Mpack. Once there, Mpack exploits vulnerabilities specific to the user's browser to install Trojans and steal sensitive information.

Interestingly, the Mpack software is available at "commercial" scale via underground channels and comes with updates for the latest exploitable vulnerabilities. Sold by a Russian group of programmers, the rootkit also provides malware authors with statistics on the systems infected. Is malware getting organized?

This Techworld article talks about malicious PHP code hidden in a GIF file. The technique lets the file pass as "just an image," since the file really does contain a valid image, followed by the PHP code. It hasn't drawn much attention yet, but experts say it is enough to allow hackers to run malicious code on a legitimate Web site.
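A defender-side check for the trick described above, added here as an example (it is not code from the article or from any of the commenters): it walks the GIF block structure to the real trailer byte and reports whatever has been appended after it, flagging PHP open tags. The 1x1 sample GIF bytes and the appended text are constructed for the example.

```python
# Added example: find the true end of a GIF and inspect any bytes appended after it.
PHP_MARKERS = (b"<?php", b"<?=")  # PHP open tags an upload scanner should flag

def _skip_sub_blocks(data, pos):  # data sub-blocks: length byte + bytes, 0 ends chain
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n

def gif_end_offset(data):
    """Return the offset just past the GIF trailer (0x3B), parsing the file as a decoder would."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]                     # logical screen descriptor flags
    pos = 13
    if packed & 0x80:                     # global colour table present
        pos += 3 << ((packed & 7) + 1)    # 3 bytes x 2^(n+1) entries
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                 # trailer: the image ends here
            return pos
        if block == 0x21:                 # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif block == 0x2C:               # image descriptor (9 bytes)
            local_packed = data[pos + 8]
            pos += 9
            if local_packed & 0x80:       # local colour table present
                pos += 3 << ((local_packed & 7) + 1)
            pos = _skip_sub_blocks(data, pos + 1)  # +1 skips LZW minimum code size
        else:
            raise ValueError(f"unknown block 0x{block:02x} at offset {pos - 1}")
    raise ValueError("no trailer found")

def scan_gif(data):
    """Report bytes appended after the trailer and any PHP open tags among them."""
    trailing = data[gif_end_offset(data):]
    return {"trailing_bytes": len(trailing),
            "php_markers": [m for m in PHP_MARKERS if m in trailing]}

CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00"        # header + screen descriptor
             b"\x00\x00\x00\xff\xff\xff"                  # 2-entry global colour table
             b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
             b"\x02\x02\x44\x01\x00\x3b")                 # LZW data + trailer
TAINTED_GIF = CLEAN_GIF + b"<?php echo 'constructed sample'; ?>"  # constructed tainted file
```

A browser decoder stops at the trailer, so the appended bytes are inert for viewers; the scanner matters on the server that accepts the upload, where trailing data after a valid image is the signal to quarantine the file.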

Bottom line

Be careful where you click, because there's a mash-up of exploits out there, and information on them is the best first aid.

12 comments
TechExec2

Summary
** Apparently it is true that it is possible to hide PHP script (or anything else) at the end of a GIF image file (the tainted GIF).
** By themselves, tainted GIFs are completely benign and not a threat.
** In order for a tainted GIF to be of any use to a hacker, TWO things must occur:
Event #1: The hacker must install the tainted GIF file on the web server.
Event #2: The hacker must break into the web server and install code that accesses the tainted GIF file.
** "Event #1" is not permitted except on certain websites like photobucket.com.
** "Event #2" is impossible on a secure web server.
** If the hacker can perform "Event #2", he really doesn't need the tainted GIF from "Event #1". He can already take over your web server. The real threat is, and has always been, "Event #2".

pr.arun

Thank you for summarizing the scenario. The tainted GIF was found on a major unnamed photo-sharing site. In the present scenario, where the concept of web APIs is fast catching on, where sufficient programming capabilities are being made available to end users to access web-based features (mash-ups, for example), and especially when companies are vying to host third-party code for greater public penetration, would not the malicious code repositories pose a serious concern? It is the combination of the code in GIF files with the added programming features possible today that in my opinion may pose a threat.

TechExec2

"...would not the malicious code repositories pose a serious concern..."

Any code installed and run on the web server is the webmaster's responsibility. If code from a "code repository" contains bugs or security weaknesses, it is his responsibility to find and fix the problems.

As for web APIs: Tainted GIFs don't constitute a problem for the caller or provider of a web API. The protocol between the web servers is typically an XML stream (text) over HTTP. It is the responsibility of each web server to validate the contents of that XML stream before using it. Once again, the webmaster has complete control over this vis-a-vis malware.

If a web server contains a page that displays a tainted GIF hosted on photobucket.com, there is no problem. The web server never touches the tainted GIF. The page is sent to the browser and the browser requests the tainted GIF directly from photobucket.com. The embedded script is ignored by the browser.

I don't LIKE the idea that a GIF file can be made to silently carry something other than just the image. But, it does not concern me either. The webmaster still has complete control over this by controlling the code that he installs on the web server and ensuring the server is secure. If he does that well, there is no problem. If he does not do that well, the web site has a serious problem regardless of tainted GIFs.

TechExec2

The key is not letting your server get too "intimate" with other servers that you do not control and therefore should not trust. ;)

pr.arun

Thanks for the explanation, though I would like to permutate on the possibilities of any threat that could take place. ;)

TechExec2

Take away: This "exploit" claim is completely bogus nonsense. SANS ISC handler Lorna Hutcheson says (1)(2):

"...its interesting and scary to find a file that acts like a regular gif file, but contains a script exploit..."

-and-

"...The second idea, but completely untested at this point, is that PHP will ignore everything else and just look for its delimiters. Which means, it would be a great method for a RFI attack..."

It's only "interesting and scary" if you DON'T KNOW WHAT YOU'RE FRIGGIN' TALKING ABOUT.

1. There is no "exploit". It is simply a malformed GIF file that is completely ignored by PHP on the web server.
2. The "second idea" requires that the GIF file be present on the web server AND the web server must be mis-configured to attempt to parse, compile, and execute GIF files.

This is so stupid. My opinion of SANS has dropped a notch. Nothing to see here. Move along. Move along...

-----------------------------------------------------
(1) Malicious GIF conceals PHP attack (NOT!) http://www.techworld.com/security/news/index.cfm?RSS&NewsID=9240
(2) PHP Exploit Code in a GIF (NOT!) http://isc2.sans.org/diary.html?storyid=2997

pr.arun

Also, with help from Wikipedia, it's mentioned that for servers with the PHP configuration flag register_globals ON, it is indeed possible to insert the location of the malicious file in the URL and execute it on the target server. So the exploit: First load the code on the servers via harmless pictures. Then write a little code that changes file names. Execute code. Now does that not qualify as an exploit?

TechExec2

"...Now does that not qualify as an exploit?..."

No. If you have register_globals = ON, and you have insecure PHP code already on your website such that your website can be compromised, you have much bigger problems than some embedded PHP code in a GIF file. With that problem on your website, who needs to fool around with embedding PHP code in a GIF file? The notion that merely embedding PHP code in a GIF file constitutes an exploit or a vulnerability is hogwash. Without a REAL exploit, like the one you describe, the embedded PHP code in a GIF file is completely worthless.

pr.arun

I am not an authority on security exploits but would like to present the following scenario. The images are going to be used as a repository for the code to remain on the server. Now, later I will write a script to copy from those files... which appear to be just GIF files... but are actually code. So what appears as mere image copying is actually me extracting the code from the files. Now, I have all this exploit code in one place and then deface the site for a small hyperlink that executes my code. Altering the main legitimate site for a small hyperlink changed or added to run my exploit. Is this not a possible scenario? Also, the point in focus is that the GIFs are being used as a repository for malicious code.

pr.arun

The article mentions the PHP code as an exploit and not that the GIF image is an exploit. Embedding the PHP code in an image file is a cheeky way to bypass filters and place code on a Web server. Now, what happens if I do the same for a period of time over a legitimate site and then write a little script that one day renames the files? And suppose I am talking about a major image hosting site... Does that not classify as a threat?

TechExec2

Ok. Let's assume that a tainted GIF file gets uploaded to a web server on a special-purpose image hosting site and it contains some PHP code after the valid GIF data. How exactly is the PHP code going to be executed?

pr.arun

So it takes a little bit of defacing to the main site to get the code executed and thus run the exploit.