How can a virus exist in an image?

2019-01-21 02:34发布

问题:

I have recently watched this video of a Finnish internet security expert. Somewhere around eleventh minute, he talks about a virus which is hidden in an image and executes when the image is about to be displayed.

I am wondering how do they technically do such a thing, I mean how come the virus is executed, when the picture should be displayed and how come the picture is not compromised in some way. I thought the computer first looks at the extension, then opens it with appropriate program and lets the program work itself (and I don't expect regular image viewer to be able to run a virus within itself). Obviously it doesn't work like that, but no one I asked could help me out with this.

So does anyone know how do they do this, the principle? Thank you very much.

回答1:

You're correct that your OS will pick a program and ask it to open the image. The OS will not ask the program to execute the image — that would be nonsense.

However, images are complex formats and often contain meta data and other parts that are not directly shown — you can hide stuff in there without affecting the image on the screen. So there might be hostile data lurking inside the image file.

Furthermore, program can have bugs, in particular buffer overflows. Briefly, a virus can exploit this by putting too large data into the meta data sections — larger than the program that decodes the image expects. The internal buffers overflow and with enough skill, a virus writer is able to put executable code into the right place in memory so that the program that decodes the image will end up executing the code. That way an innocent and "dead" file like an image can host an exploit.



回答2:

It does not have to be displayed, it has to be read.

The OS might have a thumbnail generating thread that will parse all images it finds. A buffer overflow in that code will allow code execution without user intervention.

This goes for any file that has any form of automatic read feature, to extract properties of a mp3, index a PDF, etc.



回答3:

A virus can store information in an image, and can exploit a vulnerability in an image-viewing program. It can not "infect" an image, so much as maliciously alter an image such that the program that is likely to open it will be subverted and trigger an exploit in that process.

If a virus puts malformed data in an image to exploit program X, and the image is opened in program Y, it is likely that the image will either not render because it is too malformed, or will render as an innocent or random looking image in that program.

The flaw as with all of these things is not in the image format, but rather in the implementation of the image-decoder.