Pierluigi Paganini May 29, 2015

Stegosploit is the technique developed by the security researcher Saumil Shah that allows an attacker to embed executable JavaScript code within an image.

The security researcher Saumil Shah from Net Square security has presented at Hack In The Box conference in Amsterdam his Stegosploit project which allows an attacker to embed executable JavaScript code within an image to trigger a drive-by download.

The Stegosploit digital steganography project could open new scary scenarios for Internet users that could be infected by viewing a picture on any website, even without clicking on it or downloading it. The image could be the container for the priming of the malware. Shah has no doubts, Stegosploit could be the future of online attacks.

When an Internet user views the image, the hidden script would automatically load on the host the malicious code that could be used for various purposes, including control victim’s device and steal sensitive data.

The expert highlighted that antivirus software and malware detection solutions are not able to detect the Stegosploit leaving users open to any kind of attack.

Steganography was already exploited in the past by malware authors to hide information used by their malicious codes (i.e. C&C addresses or botnet parameters), but as Shah explained “Stegosploit” tool Shah takes the stenographic approach to a new level where exploits are delivered not only in plain sight, but also “with style.”

Shah started his project five years ago due to his desire to combine his two passions, hacking and photography.

“I really love photography and I had been looking into jpeg files and image files just because I could,” Shah told iDigitalTimes. “It was then that I began to wonder if non-image data could be encoded inside an image itself. Of course, Steganography in images has been around a long time and a lot of research has been done with encoding text on pictures, but with classic steganography you are just adding text into an image and both the text and the image are passive. What I wanted to do was encode active code into the image pixels so that when it was decoded, it isn’t viewed as an image, but rather, executes.”

Shah has worked on Stegosploit technique to hide executable code within an image and execute the same code in a web browser supporting HTML 5 Canvas. The expert exploits HTML5 CANVAS to read image pixel data using Java Script and decode the image within the browser.

Shah took known exploits for Chrome, Safari, Explorer and other browsers supporting HTML 5 Canvas, and coded them into the image layers. The result is a type of files, dubbed by Shah Imajs (image + JavaScript), that load as JavaScript in a browser while render as images execute the malicious content.

“Packaged into a tool called Stegosploit, Shah takes known exploits Chrome, Safari, Explorer and other browsers supporting HTML 5 Canvas, and codes them into the but layers of an images’ pixels. These kind of files which Shah dubbed Imajs (image + JavaScript) load as JavaScript in a browser that render as images but also execute – two different kinds of content all embedded in one file.” continues iDigitalTimes.

Current antivirus solutions could not detect the malicious JavaScript and the technique could also be unnoticed by victims because the image may appear completely unaltered depending on the layer where the script is embedded.

Shah demonstrated Stegosploit for the first time in March at the SyScan, initially the hacking technique required using two distinct images respectively to contain the executable code and code to decode it. Further efforts in the research on Stegosploit allowed its improvement, Shah succeeded to embed both the executable code and the decoder within the same image (PNG and JPEG).

Another element that makes the Stegosploit technique is that the file remains the same size, the Imajs could be easily shared through social media, including Instagram, Twitter, Imgur with serious consequences.

Security firms are not aware of cases of this Stegosploit technique being used in the wild, but they fear that it will become soon a scaring reality.

“I can’t be the only guy that thought this up,” said Shah.  “When I think of something I want to bring it out into the light and say ‘here’s a technique that’s very difficult to do but have at it. Use your creative thinking and find out some defenses against, because this thing is coming.”

Pierluigi Paganini

(Security Affairs – Stegosploit , malware)