If someone sends you
a photo of a cute cat or a hot chick than be careful before you click on the
image to view — you might be hacked.
Yes, the normal
looking images could hack your computers — thanks to a technique discovered by
security researcher Saumil Shah from India.
Dubbed "Stegosploit,"
the technique lets hackers hide malicious code inside the pixels of an image,
hiding a malware exploit in plain sight to infect target victims.
Shah demonstrated the
technique during a talk titled, "Stegosploit: Hacking With
Pictures," he gave on Thursday at the Amsterdam hacking conference
Hack In The Box.
According to Shah,
"a good exploit is one that is delivered in style."
Keeping this in mind,
Shah discovered a way to hide malicious code directly into an image, rather
than hiding it in email attachments, PDFs or other types of files that are
typically used to deliver and spread malicious exploits.
To do so, Shah used Steganography —
a technique of hiding messages and contents within a digital graphic image,
making the messages impossible to spot with the naked eye.
Here's How to Hack
digital pictures to send malicious exploits:
Until now
Steganography is used to communicate secretly with each other by disguising a
message in a way that anyone intercepting the communication will not realise
it's true purpose.
Steganography is also
being used by terrorist organisations to communicate securely with each other
by sending messages to image and video files, due to which NSA officials
are forced to watch Porn and much porn.
However in this case,
instead of secret messages, the malicious code or exploit is encoded inside the
image’s pixels, which is then decoded using an HTML 5 Canvas element that
allows for dynamic, scriptable rendering of images.
The "Secret
Sauce" behind Stegosploit — this is what Shah calls it.
"I don’t need
to host a blog," Shah told Motherboard, "I don’t
need to host a website at all. I don’t even need to register a domain. I can
[just] take an image, upload it somewhere and if I just point you toward that
image, and you load this image in a browser, it will detonate."
The malicious code,
dubbed IMAJS, is a combination of both image code as well as JavaScript hidden
into a JPG or PNG image file. Shah hides the malicious code within the image’s
pixels, and unless somebody zoom a lot into it, the image looks just fine from
the outside.
Shah demonstrated to
Lorenzo Franceschi of Motherboard exactly how his hack works. He used
Franceschi’s profile picture and then prepared a demonstration video using his
picture as the scapegoat.
In the first video
presentation, Shah shows a step by step process on how it is possible to hide
malicious code inside an image file using steganography technique. You can
watch the video given below:
In the second video,
Shah shows how his Stegosploit actually works. His exploit works only when the
target opens the image file on his or her web browser and clicks on the
picture.
You are HACKED!
Once the image is
clicked, the system’s CPU shoots up to 100 percent usage, which indicates the
exploit successfully worked. The malicious code IMAJS then sends the target
machine’s data back to the attacker, thereby creating a text file on the target
computer that says — "You are hacked!"
Shah also has
programmed his malicious image to do more stealthy tasks, like downloading and
installing spyware on victim’s machine, as well as stealing sensitive data out
of the victim’s computer.
No comments:
Post a Comment