Shah demonstrated the technique during a talk titled
, “Stegosploit: Hacking With Pictures,
” he gave on Thursday at the Amsterdam hacking conference Hack In The Box.
According to Shah, “a good exploit is one that is delivered in style.”
Keeping this in mind, Shah discovered a way to hide malicious code directly into an image, rather than hiding it in email attachments, PDFs or other types of files that are typically used to deliver and spread malicious exploits.
To do so, Shah used Steganography — a technique of hiding messages and contents within a digital graphic image, making the messages impossible to spot with the naked eye.
Here’s How to Hack digital pictures to send malicious exploits:
Until now Steganography is used to communicate secretly with each other by disguising a message in a way that anyone intercepting the communication will not realise it’s true purpose.
Steganography is also being used by terrorist organisations to communicate securely with each other by sending messages to image and video files, due to which NSA officials are forced to watch Porn
and much porn.
However in this case, instead of secret messages, the malicious code or exploit is encoded inside the image’s pixels, which is then decoded using an HTML 5 Canvas element that allows for dynamic, scriptable rendering of images.
The “Secret Sauce” behind Stegosploit — this is what Shah calls it.
“I don’t need to host a blog,” Shah told Motherboard, “I don’t need to host a website at all. I don’t even need to register a domain. I can [just] take an image, upload it somewhere and if I just point you toward that image, and you load this image in a browser, it will detonate.“
Shah demonstrated to Lorenzo Franceschi of Motherboard exactly how his hack works. He used Franceschi’s profile picture and then prepared a demonstration video using his picture as the scapegoat.
In the first video presentation, Shah shows a step by step process on how it is possible to hide malicious code inside an image file using steganography technique. You can watch the video given below:
In the second video, Shah shows how his Stegosploit actually works. His exploit works only when the target opens the image file on his or her web browser and clicks on the picture.
You are HACKED!
Once the image is clicked, the system’s CPU shoots up to 100 percent usage, which indicates the exploit successfully worked. The malicious code IMAJS then sends the target machine’s data back to the attacker, thereby creating a text file on the target computer that says — “You are hacked!“
Shah also has programmed his malicious image to do more stealthy tasks, like downloading and installing spyware on victim’s machine, as well as stealing sensitive data out of the victim’s computer.
The bottom line here is:
You should not presume the image files as “innocent” anymore, as they can hide malicious code deep inside its pixels that could infect your computers.
Therefore, always make sure before you click on one.
Shah has been working on the research [PDF
] during his spare time for almost five years, but he has not tested his technique on popular image sharing websites like Dropbox or Imgur. He also admitted that his method might not work everywhere.