Is it possible for a virus to be embedded in a image?

This one question which I've always pondered about can a virus be embedded in a image (jpg,gif,png,etc)? I know a worm could but what about a Trojan or other malware? Part of the reason I ask is because my brother has a bunch of images on his Android phone and I would like to know the chances of him becoming infected with malware from the images he downloaded?

I think anything you download can have a virus attached to it. I'm no expert though! 

Hi SuperSapien64

Yes, it's possible for a malware to be embedded in a picture file. Or it's possible for a picture file to be specially crafted in order to be infected. Someone explained that concept in the thread below, if you want to take a look at it.

This looks new and slipped by the Gmail filters this morning.

I guess that one of our Security Experts here like Didier or Mike could tell you more about that practice

Hi SuperSapien64

Yes, it's possible for a malware to be embedded in a picture file. Or it's possible for a picture file to be specially crafted in order to be infected. Someone explained that concept in the thread below, if you want to take a look at it.

This looks new and slipped by the Gmail filters this morning.

I guess that one of our Security  Experts here like Didier or Mike could tell you more about that practice

Yes I'm aware of that method it can be used with almost any media or document file like a PDF for example. But I'm curious if its possible to script malicious code the same its possible for a text file to have malicious scripts since PNG,GIF and TIFs all support transparent layers wouldn't be possible to embed code in the transparent layers and exploiting variabilities in a operating system?

I hope I'm not opening Pandora's box by mentioning this concept.

Edited by SuperSapien64, 26 April 2015 - 09:09 PM.

Yes its possible to have an image embedded with malicious code that will be executed by the program in which it could be open. See the reply to this question here:

http://security.stackexchange.com/questions/55061/can-malware-be-attached-to-an-image

Security Updates are being released for programs that could be exploited by these methods, so its a threat that exists and is considered as dangerous by software' authors.

There are some cases where pictures can in fact carry viruses, but once again even that is extremely rare. Typically, a virus-carrying picture must be created by someone with malicious intent, so they're not going to infect existing photos. When they first appeared they were placed on websites so that visitors would be infected...The other picture-related vector for virus propagation is a picture that's not a picture...there's nothing that says a ".jpg" file needs to actually contain a picture...Depending on how it's done, and how up to date your system is, it's possible for a virus to masquerade as a picture. If you attempt to view the picture, you get a virus instead.

Can a virus be transmitted in a picture?

 

...digital steganography...Malware authors can employ this technique to conceal malicious code in otherwise normal looking media files like images, without arousing any suspicion...digital steganography means that even everyday images encountered on the web are not above suspicion...

How Digital Steganography Hides Malware

Attackers are resourceful individuals but they typically look for methods that offer a stealthy way to distribute malware to a wide range of Internet users. Image files are not really an effective way to accomplish that goal because in an image format malicious code cannot be easily executed and distributed. While there have been proof-of-concept virus reports of such infections, they are rare and certainly not widespread. What we more commonly see is a disguised malicious executable containing viral code which has been created and renamed .jpg so that it masquerades as a picture.

 

Hi SuperSapien64

Yes, it's possible for a malware to be embedded in a picture file. Or it's possible for a picture file to be specially crafted in order to be infected. Someone explained that concept in the thread below, if you want to take a look at it.

This looks new and slipped by the Gmail filters this morning.

I guess that one of our Security  Experts here like Didier or Mike could tell you more about that practice

Yes I'm aware of that method it can be used with almost any media or document file like a PDF for example. But I'm curious if its possible to script malicious code the same its possible for a text file to have malicious scripts since PNG,GIF and TIFs all support transparent layers wouldn't be possible to embed code in the transparent layers and exploiting variabilities in a operating system?

I hope I'm not opening Pandora's box by mentioning this concept.

 

 

Extremely unlikely, especially today.  Theoretically, it's possible, but a true image file that delivers malicious content is unlikely; I don't think this is something that you should be concerned about or spend much time pondering.  However, attackers can and do use images for many different things.  For example, embedding an [invisible] image into a website or an e-mail with a source URL of an attacker's web page along with unique parameters to identify the user.  Often used for statistical purposes, and for tracking targets.  An example of steganography could be an attacker planting payload code / other instructions within an image, then obfuscating/encrypting/or encoding the image, only to deobfuscate/decrypt/decode it upon the page's loading and extract the planting code/instructions from the source.

This one question which I've always pondered about can a virus be embedded in a image (jpg,gif,png,etc)? I know a worm could but what about a Trojan or other malware? Part of the reason I ask is because my brother has a bunch of images on his Android phone and I would like to know the chances of him becoming infected with malware from the images he downloaded?

 

I'm a bit confused by your statement. You say a worm can, but you wonder about a virus or trojan.

 

I call all malicious software malware.

Typically, a virus is defined as malware that propagates but needs user interaction to propagate.

A worm, on the other hand, propagates but does not need user interaction.

 

What is your example of a worm that propagates via embedding in images?

From what I've heard, in the cases of steganography the image is not actually dangerous in the normal sense, you could download the image without risk BUT if you run any exe files by the image's evil author then those exe files, will find that image and use it's code to inform themselves of what to do next. The virus arrives in two parts, an executable part (which might execute by driveby, by exploiting a program or by tricking the user into running it) and an image (which secretly holds instrcutions for the executing part). That means the executing part can't set off antivirus scanners because it isn't doing anything malicious (it's just following orders to "find the image example.jpg, read the steganographic code hidden in it and then do what that code tells it"), the malicious orders are hidden within the image, but they can't do anything without the executable running and reading the malicious instrcutions.

In the case of images designed to exploit software, and then run malicious code themselves, the image is dangerous alone, because it is able to execute itself, due to bugs in the software which is used to open it. Theoretically it should be impossible for an image to be a virus, images are non-executable code, they don't give instructions telling computers what to do, they should just get read by image viewing software and then the image viewing program turns their code into a pattern on screen. BUT because nobody's programming is ever perfect all real world image viewing programs have a chance of having flaws in their code, mistakes in their design meaning that it is possible for certain codes to cause them to act strangely. Think of an image viewing program as being a black box, in goes a string of data read from the image file, out comes a pattern of pixels on screen, and what if this box had a mistake in it's design that if the code "d0dgy-c0d3" ever gets read in the input string of data then the box decides to treat all further instructions as being orders for actions, not just code for pixels. An attacker could make a specially crafted image file with the code "d0dgy-c0d3" in it's data somewhere and after that a series of malicious instructions. Then when the data of the image file goes into the black box of the software it reads the pixels as usual, then it reads the code "d0dgy-c0d3" and after that it treats ubsequent code as executable rather than as beng the pixels of an image, and the attacker now has whatever code he wrote after the line "d0dgy-c0d3" running as an executable on the victims computer. This is why image viewing/editing software needs updates every so often to patch it and stop malicious images from being able to run code. If you look back over the description pages of security updates which windows has released over the last few months you'll notice some of them are to deal with specially crafted jpg ad png images, those updates are designed to make sure that image viewing programs within windows and IE do not treat code that confuses them as being executable. Fortunately, because it is much harder for attackers to find the necesary bugs in image viewing programs than it is for them to spread viruses by tricking people into running exe files which the user thinks are images (see next paragraph), this sort of attack is fairly rare.

The other thing to consider is images wth faked double extensions. Imagine a file called picture1.jpg.exe , most users would not see the second extension because (unless you change it's setting to "display full file extensions even for known file types" within folder options, you should change this setting now)windows would only show the first extension. On top of that many users might not even realise the significance of different file extension types, so even if they did see this they might not realise that the file is dangerous. The second extension is the real extension, but as most users would only see the first, and might even then not realise what it means, users would open the exe file thinking it was a picture, and get a horrible shock when it turned out to be a program in disguise.

In the case of your brother's phone I think images are the least likely way for it to get infected, more probable causes are: drivebys and malvertising, malicious apps (pretending to be legitimate) which somehow snuck into the relevant app store, malicious apps(pretending to be legitimate) sideloaded from outside the app store, a virus getting onto it when it was plugged into an infected device via connection cable. Even though images are not a likely way for the virus to have arrived I would still suggest it is not safe to copy the images off of the phone onto a computer because although the images might be perfectly safe the act of connecting a potentially infected phone to a computer might well be enough for the phone to infect the computer by autorun/autoplay type methods.

Edited by rp88, 27 April 2015 - 12:42 PM.

In other words its impractical from both a developmental and strategical standpoint. And methods like steganography would be more commonly used in espionage so the average user doesn't have to be concerned with this.
Thanks for explaining this in detail I feel a lot more relaxed about this and it helps eliminate possibilities for any Trojans (excluding freeware apps) on my brothers smartphone.

You're welcome on behalf of the Bleeping Computer community.

If you have not done so already, you may want to read: Answers to common security questions - Best Practices for Safe Computing

If you download that image from torrents or your winrar archive is infected when you unzip the files you could have a hidden virus in that image !!!

Avoid torrents and avoid windows with a bunch of crap software to install after windows is installed , those all in one software comes with hidden viruses you will never suspect ...Cyber criminals hide backdoors in those software so they will know fast if your pc is calling them to be ready for attack.

avoid windows with a bunch of crap software to install after windows is installed

You mean, OEM preinstalled version of Windows by manufacturers?

The practice of using any torrent, file sharing, peer-to-peer (P2P) program or visiting such sites is a security risk which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft.

• File Sharing (P2P), Torrents, Keygens, Cracks, Warez, and Pirated Software are a Security Risk

The practice of using any torrent, file sharing, peer-to-peer (P2P) program or visiting such sites is a security risk which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft.

• File Sharing (P2P), Torrents, Keygens, Cracks, Warez, and Pirated Software are a Security Risk

 

Even Linux or Android can become infested with malware when using P2P clients which is why I always uninstall them on Linux. But makes me wonder why do they even come pre-installed on so many Linux distros?