Attack: Malware Attached to Images

Tuesday, August 12, 2014 @ 12:08 PM gHale

A cyber crime group is now using steganography, a technique of embedding information or code inside digital images.

While investigating an attack in an incident response engagement at a customer site, a researcher at Dell SecureWorks discovered that the malware involved, Lurk, spread via a false digital image as part of a click-fraud campaign.


Steganography typically sees use in targeted attack scenarios, so the use of the method of hiding and slipping malware onto machines for click-fraud purposes is rare, said Brett Stone-Gross, a researcher with Dell SecureWorks’ Counter Threat Unit (CTU).

Attackers infected 350,000 victims in less than a year’s time, amassing a quarter of a million dollars in profit in just a few months, according to Dell SecureWorks researchers.

Most intrusion detection and intrusion prevention products can’t detect malware hidden with steganography, so the stealth method of spreading malicious code within an image is tough to catch, Stone-Gross said. “This is something that’s not very complex, but difficult to detect.”

Lurk was first discovered in February by researcher Kafeine, who found the downloader malware spreading through iFrames on websites via an Adobe Flash exploit, CVE-2013-5330. Among the websites compromised in that campaign were eHow and Livestrong.

“If a person visiting one of these websites was running a vulnerable version of Adobe Flash, the exploit dropped a DLL file and executed the Lurk malware,” Stone-Gross said in a blog. “When CTU researchers began investigating Lurk, they found very little published information about the malware’s behavior, operation, and function. This lack of information may be due to Lurk’s unconventional implementation and use of digital steganography.”

The attack requires the victim to be running a vulnerable version of Adobe Flash; the exploit fires and then downloads Lurk. In the steganography case, the malware downloads as a plain white image containing an encrypted URL, which points to a second payload.
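The one thing a defender can test for in the scheme described above is an image that renders as plain white yet carries data in its pixel low bits. The following is an added example, not code from the article or from Dell SecureWorks: it scores the entropy of the least-significant-bit plane of a visually flat image and flags it when any window looks like structured data. It assumes raw 8-bit RGB samples from a lossless format and a simple LSB embedding; the article does not describe Lurk's actual encoding or the URL encryption, so the hidden string here is a constructed placeholder.

```python
import math

BLOCK_BITS = 256  # LSB window size; a payload at the start of the image concentrates in one window

def looks_flat_white(pixels: bytes, tol: int = 1) -> bool:
    """True when every channel sample is within tol of 255, i.e. the image renders as plain white.
    Assumes raw 8-bit RGB samples from a lossless format (BMP/PNG), not JPEG."""
    return all(b >= 255 - tol for b in pixels)

def bit_entropy(bits) -> float:
    """Shannon entropy (bits per symbol) of a sequence of 0/1 values."""
    n = len(bits)
    ones = sum(bits)
    if ones in (0, n):
        return 0.0
    p = ones / n
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))

def max_lsb_entropy(pixels: bytes) -> float:
    """Highest entropy of any BLOCK_BITS-wide window of the LSB plane.
    A genuinely white image has every LSB set, so every window scores 0.0."""
    lsbs = [b & 1 for b in pixels]
    windows = (lsbs[i:i + BLOCK_BITS] for i in range(0, len(lsbs), BLOCK_BITS))
    return max((bit_entropy(w) for w in windows), default=0.0)

def suspicious_white_image(pixels: bytes, threshold: float = 0.5) -> bool:
    """Flag an image that looks plain white but whose low bits carry structured data."""
    return looks_flat_white(pixels) and max_lsb_entropy(pixels) > threshold

def extract_lsb(pixels: bytes, n_bytes: int) -> bytes:
    """Forensic helper: read n_bytes back out of the LSB plane, MSB-first per byte."""
    out = bytearray()
    for i in range(n_bytes):
        value = 0
        for j in range(8):
            value = (value << 1) | (pixels[i * 8 + j] & 1)
        out.append(value)
    return bytes(out)

def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Builds the test fixture only: writes payload bits into successive sample LSBs (constructed)."""
    out = bytearray(pixels)
    for i, byte in enumerate(payload):
        for j in range(8):
            out[i * 8 + j] = (out[i * 8 + j] & 0xFE) | ((byte >> (7 - j)) & 1)
    return bytes(out)

# Constructed sample: 1000 all-white RGB pixels, then the same image with a placeholder URL hidden in it
CLEAN_WHITE = bytes([0xFF]) * 3000
PLACEHOLDER_URL = b"http://stage2.example.invalid/next"  # placeholder, not an indicator from the article
STEGO_WHITE = embed_lsb(CLEAN_WHITE, PLACEHOLDER_URL)
```

Both samples pass `looks_flat_white`, since 0xFE and 0xFF are indistinguishable to the eye; only the LSB entropy separates them, which is the property a content filter would key on.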

