iFrame attack injects code via PNGs

Security vendor Sucuri is warning that it's spotted an attack in the wild that embeds malicious code in PNG files. The iFrame injection attack loaded a valid jquery.js file with very little to alert even the researcher that something else was going on. As the company writes in this blog post, the only red flag in the code was …

COMMENTS

This topic is closed for new posts.
  1. Havin_it

    Good write-up

    The linked article is a rare and welcome example of a malware writeup that a layman actually has some hope of comprehending. Given that, I can live with it being a bit "OMG d00d" - full marks.

  2. Warm Braw

    Capital iZation...

    It's a sad reflection on the influence of Apple's marketing that we have HTML markup rendered in print as if it were part of the family of iThings.

    1. Pet Peeve

      Re: Capital iZation...

      Dude. It's called "camel case", and it's existed as a naming convention since the 80s at least. Nothing to do with apple, please find another thing to be angry about.

      1. Graham Dawson

        Re: Capital iZation...

        Except html or xhtml markup like iframe has never been camel-cased. It is always written as iframe (or IFRAME if you want to shout about it), and in XHTML 1.0 onward, a requirement for case sensitivity of markup tags means that iFrame and iframe are different tags. Convention prior to that was for tags to be rendered in a single case for the sake of clarity.

        So no, I'm sorry, but you're dead wrong. This is in fact a lot to do with Apple, or more accurately to do with people automatically emulating the Apple iThing style in situations where it has no business appearing.

        1. wikkity

          Re: This is in fact a lot to do with Apple

          No it doesn't, it is due to someone who writes code automatically typing something as camel case without thinking, probably concentrating on writing something understandable; nowhere in the article is iFrame used in an html element or DOM manipulation code.

        2. Pet Peeve

          Re: Capital iZation...

          @Graham - Ha! I have to apologize to Warm Braw - I thought he was complaining about the camelcased method names in the javascript snippet, and not the word "iFrame" in the article text. I have to agree that spelling it as "iFrame" is bad, wrong, and probably because of a little too much Apple on the brain (not that there's anything wrong with Apple itself).

          It's "iframe", not "iFrame". Don't do that.

          I reversed the downvote, sorry Braw!

          1. Warm Braw

            Re: Capital iZation...

            Thanks. As you say, no "iFrame" in the code (where it would be reasonable), but plenty in the article itself!

          2. Graham Dawson

            Re: Capital iZation...

            It happens. I have more than my fair share of those moments. :)

  3. albaleo

    So the user doesn't notice anything happening

    Naive questions... (gentle answers please)

    I don't see what's so special about this form of attack. (perhaps not enough coffee yet) The code to execute is embedded in a png. But presumably it could be embedded anywhere, for example in the text of a hidden element. Or perhaps not hidden at all. Creating an iFrame and setting a src for it is apparently a legitimate practice. Is there any reason the user should notice, whether done in a sneaky fashion or otherwise?

    Is the issue not more about the code that is eventually loaded into the iFrame. If it is allowed to perform some mischief, are we not already potentially doomed by any web page?

    1. Brewster's Angle Grinder

      Re: So the user doesn't notice anything happening

      Most scanners are not going to check the data of a png for malicious code, and that seems to be the issue.

      1. albaleo

        Re: So the user doesn't notice anything happening

        But the code embedded in the png doesn't appear malicious in itself. I'm assuming the malicious code is at the url pointed to by the iFrame src attribute. Is security based merely on scanning urls in the original web page?

      2. Pet Peeve

        Re: So the user doesn't notice anything happening

        I don't understand why the embedded tag data in a png would be evaluated as javascript by a browser - how is this happening?

        1. maffski

          Re: So the user doesn't notice anything happening

          It's not directly, but JavaScript can access the image data, build a string out of it and then execute that string as JavaScript.

          So you need to infect the page with some JavaScript, which then downloads and decodes the image. The original JavaScript doesn't look dodgy so is allowed to run and the image is the transmission method for the 'bad' code.

          If this was combined with some basic obfuscation and steganography you could host your malware image on Flickr and no-one would be any wiser, it'd look like a picture of a cat.

          It's another example of why JavaScript was always such a stupid idea.

          1. Anonymous Coward

            Re: So the user doesn't notice anything happening

            But surely being able to execute a string as if it were script is a vulnerability as old as the language? Such a string could be pieced together from any seemingly random source, such as just picking out every tenth character from an obfuscated bit of text. Why is this something new?

  4. Mage

    iFrames are pretty evil concept

    I never liked the iFrame

    1. Anonymous Coward

      Re: iFrames are pretty evil concept

      "I never liked the iFrame"

      What are you saying?! Where would Facebook and Twitter BE without their massive, oppressive iframe script-injectors on half of the interwebs?

      I just love it when a client wants those stupid badge-links on their site and then blames me when it loads about as fast as molasses in Winter...

  5. Anonymous Coward

    So in other words this is just Steganography?

    I've been putting locking code in pngs for years to stop people swapping out assets in a game. Sometimes the code itself contains another layer of code within another encoded image. No chance that anyone casual will get through two layers, and certainly not an automated program.

    Just use the last 1 bit per byte for your Steganography layer, then every two pixels (8 bytes) of an image you can hide an entire other byte of code, with very little loss of quality. Of course for each layer deep you go you need 8 times the pixels (so 64 x for two layers), but that's not a problem if you keep your injected code efficient.

  6. BlueGreen

    disable javascript in your browser!

    How difficult is it for people to get their heads round the concept that, if you disable JS then JS attacks Will Not Work.

    Turn off js, and find a world of 30% unusable sites and the rest are safe and damn fast.

    (this assumes you've done the obvious of previously disabling flash and java of course)

    1. Billa Bong

      Re: disable javascript in your browser!

      Switch off images too, or use http://lynx.browser.org/

      No, wait... that's a silly idea. I'd never be able to view cat lols again.

    2. DanDanDan

      Re: disable javascript in your browser!

      Ah, a fine solution. why don't I just stop using the browser altogether! I could avoid getting run over by avoiding roads, avoid AIDS by not having sex, avoid hangovers by not getting drunk. This could be fun...

    3. Seanmon

      Re: disable javascript in your browser!

      I wish.

      I agree, I typically run with noScript, but it's just becoming painful these days. Things like jQuery have taken web design away from the security-aware professional developer and put it into the hands of the skinny-suited and trendy-spectacled brigade.

      1. Pet Peeve

        Re: disable javascript in your browser!

        Oh, what a pile of crap. Jquery is used by experts just as much as amateurs (if not more - javascript is not exactly friendly to start with) - a lot of things you do every day in javascript are extremely annoying otherwise.

        Lots of clueless snark on this story today.

        1. itzman

          Re: disable javascript in your browser!

          It may be that professionals use Jquery, but an awful lot of 'creatives' who are only interested in a flashy looking page use it as well with absolutely zero understanding of what they are doing.

          Here at Itzman Towers, the creative designs the page and the geek implements it using as little code as possible and none of it third party.

          1. Pet Peeve

            Re: disable javascript in your browser!

            The only designerism related to jquery that I would consider harmful are css overrides, used because they can't be bothered to get their css right in the first place. Hint: if you have css overrides in your onload function, you are DOING IT WRONG.

            jquery is an unequivocally great thing - I'm a little less thrilled with plugin-itis that creeps into pages these days, but in most cases I would rather have an amateur webdesigner use libraries than try to write it in code, which is always asking for trouble.

            1. BlueGreen

              Re: disable javascript in your browser! @Pet Peeve

              I know JS probably better than you (used it extensively outside of browser environment and written a decent sized framework in it). I'm not clueless.

              "jquery is an unequivocally great thing"

              Very little in this world is unequivocally great, JS is no exception. Use it (JS, not jquery) in web pages where it's needed, otherwise don't.

              Look, just fucking don't unless absolutely utterly necessary OK? Wot itzman said: "[...]and the geek implements it using as little code as possible and none of it third party." I'm not going to visit anybody's web page to be awed, I just want to get some info then rapidly fuck off. I don't want an 'experience'. If JS was used much less then we'd gain a kind of herd immunity because it would become a much less attractive vector for malware, so less js-based malware would be produced, see? Stop putting others at risk for your ego's sake.

              1. Pet Peeve

                Re: disable javascript in your browser! @Pet Peeve

                @bluegreen: are you a doctor IRL too?

    4. Pet Peeve

      Re: disable javascript in your browser!

      Turning off third-party javascript (with noScript or scriptNo) does indeed work, though it can sometimes be a royal pain in the posterior to figure out what each site considers the minimum necessary for proper rendering the first time you visit.

      So, if the png is being sent from an ad site, this will indeed stop it dead. If it's a user uploaded image on the cdn subsite, which you've authorized in noScript, then you could still get nailed by this.

    5. itzman

      Re: disable javascript in your browser!

      the problem is that so many sites are now using vast JavaScript frameworks that they have little idea of the integrity of and even less control over.

      "Include my JavaScript library with this link, and then put this line in your code, and magic happens"

      Most of these sites simply stop working when JavaScript is disabled.

      Leaving the user between a rock and a hard place.

  7. Hans 1

    You use jquery because

    a. you are useless at JavaScript

    b. you are lazy

    Idiots should never be allowed to look at a programming environment, let alone use it. In fact, the sad thing is that we are surrounded by idiots, for some reason they all decided to go for a career in IT. This of course helps me beef up my payslip, thanks guyz, but in return I have to live with the fruit of your stupidity all the bloody time. $#@!

    I'll take it even further, a well-designed web page has no JavaScript, use JSP/PHP - real men keep it server-side.

    1. Tim Brown 1

      I've written a fair bit of custom raw javascript but nowadays I prefer to use jQuery for a lot of stuff because:

      a) it takes care of most of the cross-browser compatibility problems

      b) It's well documented and relatively bug free.

      Sure I could write my own framework, but why should I re-invent the wheel?

    2. Anonymous Coward

      JS has its uses, not all websites are 'just' websites, i.e. displaying static information, they are web applications, they need JS to work as they do so much more.

      And yes people also use JQuery because it saves time, and time is money.

    3. Anonymous Coward

      @Hans 1

      A quick look at http://www.theregister.co.uk source code reveals they use jQuery :-)

      1. edge_e

        @ac

        http://www.theregister.co.uk renders far better with javascript turned off

    4. Anonymous Coward

      jQuery

      I would upvote this post a hundred times if I could for (a) and (b). - though I disagree about well-designed pages not using Javascript.

      There are so many people in IT these days (and particularly web dev) that have absolutely no concept of how anything they are doing actually works behind the scenes. So you end up with people importing in huge libraries just to do one simple function like an element select. When you ask them why is jQuery here? they don't have a clue, or else they spin off some nonsense about compatibility, without realising that every browser they are supposed to be supporting can actually use perfectly modern javascript.

      Later down the line they try to hack their way through making something fancy with some movement or fades or other stuff, and the only thing they bother looking into is another library to do it for them, or a jQuery extension. So you end up with these utterly sh*t sites that use a ton of resources to move a few pixels across the screen because the author has put 10 libraries on top of each other, and every single instruction gets translated a hundred times before it actually does anything.

      Uggggh. Lazy, library-based, jQuery hacks.

      It's like watching one of them cheap cookery shows where the 'chef' starts opening tins and mixing them in a pot with packets of sauce... it ain't cooking, and you're not a chef, as you have no control over the food.

  8. Anonymous Coward

    Another Idiot question

    Ok, I'm a little slow today...

    @Maffski:

    "It's not directly, but JavaScript can access the image data, build a string out of it and then execute that string as JavaScript."

    I understood that right off.

    "So you need to infect the page with some JavaScript, which then downloads and decodes the image. The original JavaScript doesn't look dodgy so is allowed to run and the image is the transmission method for the 'bad' code."

    OK, you're hiding the malware with a PNG and using innocuous JS to download and execute it.

    "If this was combined with some basic obfuscation and steganography you could host your malware image on Flickr and no-one would be any wiser, it'd look like a picture of a cat."

    How does this follow? Does Flickr allow JS to be downloaded when a user looks at a picture page?

  9. bobcaruthers

    Re: Another Idiot question

    There is nothing magic or new going on with this technique. In a nutshell...

    Malicious code is disguised as pixels or meta data in a PNG file, so that when a server admin runs a checkup they don't spot the code. All they see is a list of PNGs, and a list of Javascript files that load PNGs. Everything looks normal, and the malware didn't get detected.

    So how does it do harm?

    The Javascript that loads the PNGs also has a little loop in it to unpick the hidden code from the PNG's pixels or meta data. The new code (more Javascript) is injected into the page and run, having all the permissions that any other Javascript does on that page. Now it can do malicious things - hijack ad links or something.

    How did it get on the server?

    Someone hacked a server and uploaded the Javascript covertly, they also presumably modified an HTML page to link to it. The PNGs can be on anyone's server - like Flickr's - since there is nothing intrinsically harmful about them by themselves.
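
Three comments in this thread describe the same mechanism from different angles: maffski's "JavaScript can access the image data, build a string out of it and then execute that string", the anonymous poster's "last 1 bit per byte ... every two pixels (8 bytes) ... an entire other byte", and bobcaruthers' "little loop ... to unpick the hidden code from the PNG's pixels". The block below is an added example for this page, written to make that loop concrete; it is not code from the Sucuri write-up, the injected jquery.js it describes, or any commenter. The function names, the 4-byte length header, the constructed cover image and the sample payload are all my own choices. It runs in Node with no dependencies; the Uint8ClampedArray stands in for the `ImageData.data` a browser would hand back from `ctx.getImageData()` after drawing the PNG to a canvas. PNG is lossless, so the low bits survive the round trip (they would not in a JPEG).

```javascript
// Added example: LSB steganography of a script in RGBA pixel data, plus the
// decode-and-execute step a loader script would perform. Not from the
// original page. Bit order: most-significant bit of each payload byte first,
// one bit per channel byte, so 8 channel bytes (two RGBA pixels) carry one
// payload byte, matching the arithmetic in the comment above.

function lsbEncode(pixels, payload) {
  const bytes = Buffer.from(payload, "utf8");
  // 4-byte big-endian length header so the decoder knows where the payload ends.
  const header = Buffer.alloc(4);
  header.writeUInt32BE(bytes.length, 0);
  const data = Buffer.concat([header, bytes]);
  if (data.length * 8 > pixels.length) {
    throw new Error("cover image too small: need " + data.length * 8 + " channel bytes");
  }
  const out = Uint8ClampedArray.from(pixels);
  for (let i = 0; i < data.length; i++) {
    for (let b = 7; b >= 0; b--) {
      const idx = i * 8 + (7 - b);
      out[idx] = (out[idx] & 0xfe) | ((data[i] >> b) & 1);  // overwrite only the LSB
    }
  }
  return out;
}

// The "little loop": rebuild each byte from the LSBs of 8 consecutive channel bytes.
function lsbDecode(pixels) {
  const readByte = (i) => {
    let v = 0;
    for (let k = 0; k < 8; k++) v = (v << 1) | (pixels[i * 8 + k] & 1);
    return v;
  };
  const len = ((readByte(0) << 24) | (readByte(1) << 16) | (readByte(2) << 8) | readByte(3)) >>> 0;
  if ((4 + len) * 8 > pixels.length) throw new Error("length header exceeds image size");
  const out = Buffer.alloc(len);
  for (let i = 0; i < len; i++) out[i] = readByte(4 + i);
  return out.toString("utf8");
}

// Constructed cover image (deterministic LCG fill) so nothing is read from disk.
function makeCover(width, height) {
  const px = new Uint8ClampedArray(width * height * 4);
  let s = 12345;
  for (let i = 0; i < px.length; i++) {
    s = (Math.imul(s, 1103515245) + 12345) >>> 0;
    px[i] = (s >>> 16) & 0xff;
  }
  return px;
}

// Largest per-channel change between cover and stego image. Flipping an LSB
// moves a byte by at most 1, which is why the image still looks like a cat.
function maxChannelDelta(a, b) {
  let m = 0;
  for (let i = 0; i < a.length; i++) m = Math.max(m, Math.abs(a[i] - b[i]));
  return m;
}

// What the loader on the compromised page does once it has the string: hand it
// to the JS engine. new Function is used here as an explicit stand-in for eval.
function runDecoded(pixels) {
  return new Function(lsbDecode(pixels))();
}

// Constructed stand-in for the injected script; a real one would create the
// iframe and point its src at the attacker's server.
const PAYLOAD = 'return "decoded at " + 6 * 7;';
const cover = makeCover(64, 64);
const stego = lsbEncode(cover, PAYLOAD);
console.log(lsbDecode(stego) === PAYLOAD, maxChannelDelta(cover, stego));
console.log(runDecoded(stego));
```

Two practical caveats that bear on the "host it on Flickr" suggestion. First, a browser will only let a script call `getImageData()` on a canvas holding an image from the same origin, or one served with a permissive `Access-Control-Allow-Origin` header and loaded with `crossorigin` set; otherwise the canvas is tainted and the read throws a SecurityError, so a third-party image host has to cooperate, at least at the header level. Second, nothing in the image itself is executable: the loader script that is already on the page is the thing that turns pixels into code, which is why the comments about blocking third-party script are the right place to look for a mitigation, and why a scanner that only inspects the PNG bytes sees nothing.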

  10. Bruce Ordway

    NoScript

    >>It's another example of why JavaScript was always such a stupid idea.

    >>disable javascript in your browser!

    Why not by default? I rely on NoScript.

    It is good for thwarting attacks like this and even better... it gives me some control over the annoying video and audio files found in many web pages.
