The problem of infected images, and of trojans disguised as them, is important because of the way most antivirus programs choose to search for threats. Antiviruses that rely primarily on signature analysis, with all the advantages and disadvantages of that technology, are often forced to skip binary files in order to keep scanning fast.
It is exactly this property of antiviruses that makes images a way to hide a successful attack on a website. In this article we look at the most common cases of such attacks and at how Virusdie helps to find and clean such images.
In most cases, infections of websites and servers through malicious images are of two types: a new malicious file disguised as an image file, or a valid image file with malicious code added to its content. Finding and eliminating either kind of infection is not easy.
Malicious files hidden as an image file
Cases like the following are quite common. An attacker uploads to the server a file with a typical image extension (for example *.ico, *.png, *.jpg, etc.) that actually contains code, e.g.:
Such a malicious file is requested by a line of code in one of the files executed while the CMS site runs; this can be the main index.php file or one of the CMS template files. It is quite easy to find such a file by name on your website or server using a standard tool such as a file manager, because in most cases files disguised as images have suspicious names, for example favicon_9b3623.ico. You can see the suspicious features of the file simply by opening it in a file editor: when you open a disguised malicious image, you see PHP or JS source code instead of image data.
Although detecting the harmful file is not difficult in this case, eliminating the infection requires special attention. First, check whether the disguised malicious image is requested by a line of code in some file of your CMS. To find that line, use a search tool that searches by file content, with the name of the malicious file as the search term, to locate the CMS file that requests it.
Once the CMS file is found, remove the code fragment that requests the disguised malicious image, and then remove the disguised malicious image itself.
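As an added example (not Virusdie's code or any tool from the article), the following Python script performs the two checks just described: it flags files with an image extension whose first bytes are not that image format but PHP or JS source, and then searches the CMS source files for the line that requests the flagged file. The magic-byte table, the marker list, the demo site layout and the helper names (classify_image_file, find_fake_images, find_references, build_demo_site, run_demo) are assumptions made for this example; favicon_9b3623.ico is the file name used in the article.

```python
import os
import re
import tempfile

# Magic bytes for the image extensions the article names (table constructed for
# this example; extend it with the formats your site actually serves).
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".ico": (b"\x00\x00\x01\x00",),
}

# Tokens that open PHP or JS source and never start a real image.
SOURCE_MARKERS = (b"<?php", b"<?=", b"<script", b"eval(", b"base64_decode(")


def classify_image_file(path: str) -> str:
    """'ok' when the header matches the extension, 'source-code' when the file
    is really PHP/JS, 'bad-magic' for anything else that is not this image type."""
    ext = os.path.splitext(path)[1].lower()
    magics = IMAGE_MAGIC.get(ext)
    if magics is None:
        return "skipped"                      # not an image extension we know
    with open(path, "rb") as fh:
        head = fh.read(512)
    if any(head.startswith(m) for m in magics):
        return "ok"                           # payloads appended to real images are a separate check
    if any(marker in head for marker in SOURCE_MARKERS):
        return "source-code"
    return "bad-magic"


def find_fake_images(root: str) -> dict:
    """Map each suspicious 'image' under root (relative path) to its verdict."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            verdict = classify_image_file(path)
            if verdict in ("source-code", "bad-magic"):
                flagged[os.path.relpath(path, root)] = verdict
    return flagged


def find_references(root: str, filename: str) -> list:
    """(relative path, line number, line) for every CMS source file naming the
    file: the 'search by file content' step that locates the loader line."""
    hits = []
    needle = re.compile(re.escape(filename).encode())
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                for lineno, line in enumerate(fh, 1):
                    if needle.search(line):
                        text = line.decode("utf-8", "replace").rstrip()
                        hits.append((os.path.relpath(path, root), lineno, text))
    return hits


def build_demo_site(root: str) -> None:
    """Write a constructed mini site: a file with a real PNG header, a PHP file
    disguised as favicon_9b3623.ico (the name from the article) and an index.php
    that requests it."""
    os.makedirs(os.path.join(root, "images"), exist_ok=True)
    with open(os.path.join(root, "images", "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    with open(os.path.join(root, "images", "favicon_9b3623.ico"), "wb") as fh:
        fh.write(b"<?php /* constructed stand-in, not a real payload */ echo 'x'; ?>")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\n// constructed loader line of the kind described above\n"
                 "include_once __DIR__ . '/images/favicon_9b3623.ico';\n")


def run_demo() -> tuple:
    """Build the demo site in a temp dir, scan it, and return (flagged, references)."""
    site = tempfile.mkdtemp(prefix="demo-site-")
    build_demo_site(site)
    flagged = find_fake_images(site)
    refs = {rel: find_references(site, os.path.basename(rel)) for rel in flagged}
    return flagged, refs


if __name__ == "__main__":
    flagged, refs = run_demo()
    for rel, why in flagged.items():
        print(f"{why:12s} {rel}")
        for ref_path, lineno, text in refs[rel]:
            print(f"    referenced at {ref_path}:{lineno}: {text}")
```

Run against a real site root instead of the demo directory, review each hit by hand before deleting anything, and remove the requesting line first and the disguised file second, in the order the article gives.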
Malicious code in a real image file
Infection of real images means PHP code or JS code placed inside a valid image file. Such infected files are hard to find by name or any other external feature, because the code fragment is mixed with real binary image content.
Often the fragment is appended to the end of the binary image file. The file name remains unchanged, and the modification time of the last legitimate change is often preserved as well, to evade detection that relies on finding files changed on the server within a specific period. This case is quite non-trivial to detect and even more so to eliminate.
Most modern antiviruses use a combined approach to find and eliminate such malware: for example, reputation methods together with heuristic analysis and, in some cases, even signature analysis.
In most cases the best remedy is to restore the file from a backup or to remove the piece of code. However, be careful and check beforehand that the original copy of the image file does not itself contain malicious inclusions.
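As an added example (again not code from Virusdie or the article), this Python script locates the logical end of a PNG or JPEG by walking the file's own structure and reports any bytes appended after it, which is the content-based check this case calls for, since neither the file name nor the modification time can be trusted. The sample images, the marker list and the function names (png_end_offset, jpeg_end_offset, image_end_offset, analyse, strip_trailing, make_png_1x1, make_jpeg_skeleton) are assumptions made for this example; strip_trailing corresponds to the "remove the piece of code" option.

```python
import struct
import zlib

# Tokens that indicate PHP or JS source in the bytes after an image's logical end.
SOURCE_MARKERS = (b"<?php", b"<?=", b"<script", b"eval(", b"base64_decode(", b"gzinflate(")


def png_end_offset(data: bytes):
    """Offset just past the IEND chunk's CRC, or None if the chunk walk fails."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n"):
        return None
    pos = 8
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4                       # length+type, data, CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def jpeg_end_offset(data: bytes):
    """Offset just past the EOI marker. Segments are walked instead of searching
    for FF D9, because that pair can legitimately occur inside APPn data such
    as an embedded EXIF thumbnail."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                          # EOI
            return pos + 2
        if marker == 0xFF:                          # fill byte
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                          # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def image_end_offset(data: bytes):
    if data.startswith(b"\x89PNG"):
        return png_end_offset(data)
    if data.startswith(b"\xff\xd8"):
        return jpeg_end_offset(data)
    return None                                     # other formats need their own walker


def analyse(data: bytes) -> dict:
    """Whether the image parsed, how many bytes follow its logical end, and
    whether those bytes look like PHP/JS. Modification time is deliberately
    ignored: the article notes attackers restore it."""
    end = image_end_offset(data)
    if end is None:
        return {"parsed": False, "trailing_bytes": 0, "code_like": False}
    tail = data[end:]
    return {"parsed": True, "trailing_bytes": len(tail),
            "code_like": any(m in tail for m in SOURCE_MARKERS)}


def strip_trailing(data: bytes) -> bytes:
    """The image truncated at its logical end; unchanged if it cannot be parsed."""
    end = image_end_offset(data)
    return data if end is None else data[:end]


def make_png_1x1() -> bytes:
    """A real, decodable 1x1 RGB PNG, constructed here as sample input."""
    def chunk(ctype, body):
        return (struct.pack(">I", len(body)) + ctype + body
                + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")       # filter byte + one RGB pixel
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


def make_jpeg_skeleton() -> bytes:
    """Structurally valid JPEG framing (SOI, APP0, SOS, EOI) with a few bytes of
    fake scan data holding a stuffed FF 00 and an RST marker; constructed only
    to exercise the segment walker, not a decodable picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    infected = make_png_1x1() + b"<?php /* constructed stand-in */ echo 1; ?>"
    print(analyse(infected))
    print(len(strip_trailing(infected)) == len(make_png_1x1()))
```

Only PNG and JPEG are handled; GIF, ICO and other formats each need a walker for their own container structure. Before writing a truncated image back in place of the original, keep a copy of the original bytes and confirm that the part before the end marker is itself a clean image, which is the same caution the article attaches to restoring from a backup.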
Virusdie’s approach to analyzing image files
Since April 5, 2018 we have been running a testing program for new algorithms that allow not only detecting the cases of infection described above but also removing them.