New malware hidden in Images found in GoogleUserContent
Hackers are hiding malicious code in images uploaded to trusted Google sites. Malware hidden in Exchangeable Image File Format (EXIF) data has been found on GoogleUserContent sites, such as Google+ and Blogger. The same technique has previously been seen on Pastebin and GitHub. Hackers embed malicious code within uploaded images because images are rarely scanned for malware. These scripts can infect a website by uploading a predefined web shell, placing pages, establishing backdoors and more, and can then email the addresses of successfully exploited sites back to the hacker.
Specifically, the code is injected into the technical EXIF metadata of the website's images. EXIF headers are generated by digital cameras to record camera information in the headers of JPEG and TIFF files. Hackers gain access to the EXIF data of existing images by leveraging any vulnerability in the website that exposes its code, and from there they inject malicious scripts. The malware hides in plain sight because it is injected into legitimate images that are already part of the site. The compromised images still load and display properly, giving the webmaster and site visitors no sign that something is wrong. Unless the metadata is inspected, and one knows how to decode the payload in each particular case, there is no sign of it. It is hard to say where the images originate from, as their URLs are anonymized and share the same format.
This type of malware infection, a form of steganography, is possible on any site with downloadable images, not just sites hosted within the GoogleUserContent system. Hosting on Google is a more severe problem for two reasons: Google-hosted images are widely downloaded and reused, and it is harder to report malware infections within that system. To spread, hackers try to gain access to popular images or get their own images uploaded and publicly distributed on trusted sites. Researchers believe the main goal is to host malicious scripts on a reliable and trusted server so that they are always available for download from any compromised site. The carrier could be an image uploaded for a Blogger post, a Google+ post or even a public picture from Google Photos.
Anyone who downloads the image and uses it on their site is then compromised as well. The hacker simply waits for reports from that particular infected image and attacks any sites that are using it. Because of this, sites outside the GoogleUserContent system can also be infected. Another way hackers use malicious code inside images uploaded to GoogleUserContent is by serving them as part of Office documents: these remote images are loaded automatically as soon as a user opens the Word document.
Compromised images hide malicious JavaScript code, which is executed as part of the infection process. The images look normal, but a closer look reveals the malicious code. In one sample, the code was aimed at downloading an additional two-stage malware from a remote C&C server and then executing it. To detect these kinds of attacks, Google needs to adopt better anti-malware techniques, specifically in the area of content analysis, so that it can prevent such files from being uploaded to googleusercontent.com. Google has many tools to remove content, but it is not obvious how to report malware in images. As a result, malware in images uploaded to Google's servers is harder to report and take down. Most of Google's tools require links to the original posts, pages or comments that contain the infringing content.
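The content-analysis step the article calls for can be illustrated with a small metadata scanner. The following is an added example written for this page, not code from the article or from Google: it walks the JPEG segment structure, isolates the metadata segments (APP0-APP15, where EXIF lives in APP1, and COM), and flags script-like byte patterns that have no business in camera metadata. The JPEG bytes it scans are constructed inline by a helper, and the pattern list is an assumption chosen for illustration rather than a complete signature set; a match is a triage hit that warrants a closer look, not proof of infection, since a legitimate XMP block or comment could mention "script".

```python
import re
import struct

# JPEG marker byte values used below (second byte after 0xFF).
EOI, SOS, COM = 0xD9, 0xDA, 0xFE
APP_RANGE = range(0xE0, 0xF0)  # APP0 .. APP15; EXIF normally sits in APP1

# Script-like patterns that should never appear in camera metadata.
# This list is an illustrative assumption, not an exhaustive signature set.
SUSPICIOUS = [
    re.compile(rb"<\?php", re.I),
    re.compile(rb"<script", re.I),
    re.compile(rb"\beval\s*\(", re.I),
    re.compile(rb"base64_decode\s*\(", re.I),
    re.compile(rb"document\.write\s*\(", re.I),
]


def iter_segments(data):
    """Yield (marker, offset, payload) for each segment before image data.

    Stops at SOS, because everything after it is entropy-coded pixel data
    rather than metadata, or at EOI.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        while data[pos] == 0xFF:  # skip optional 0xFF fill bytes
            pos += 1
        marker = data[pos]
        if marker in (EOI, SOS):
            return
        length = struct.unpack(">H", data[pos + 1:pos + 3])[0]  # includes itself
        payload = data[pos + 3:pos + 1 + length]
        yield marker, pos - 1, payload
        pos += 1 + length


def scan_jpeg_metadata(data):
    """Return a list of findings for suspicious content in APPn/COM segments."""
    findings = []
    for marker, offset, payload in iter_segments(data):
        if marker not in APP_RANGE and marker != COM:
            continue
        name = "APP%d" % (marker - 0xE0) if marker in APP_RANGE else "COM"
        for pat in SUSPICIOUS:
            m = pat.search(payload)
            if m:
                findings.append({
                    "segment": name,
                    "offset": offset,
                    "match": m.group(0).decode("latin-1"),
                })
    return findings


def build_jpeg(app1_payload):
    """Construct a minimal JPEG (SOI, one APP1 segment, SOS, EOI) for testing.

    The result is not a decodable picture; it only exercises the segment walk.
    """
    seg = b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload
    return b"\xff\xd8" + seg + b"\xff\xda\x00\x02" + b"\xff\xd9"


# Constructed samples: a normal-looking EXIF header, and the same header with
# a script tag appended where camera strings would normally sit.
EXIF_HEADER = b"Exif\x00\x00MM\x00*\x00\x00\x00\x08"
SAMPLE_CLEAN = build_jpeg(EXIF_HEADER + b"Example Camera Model")
SAMPLE_TAINTED = build_jpeg(EXIF_HEADER + b"<script>/* constructed marker */</script>")

if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_CLEAN), ("tainted", SAMPLE_TAINTED)):
        print(label, scan_jpeg_metadata(blob))
```

Run on a real file with `scan_jpeg_metadata(open(path, "rb").read())`. Because the scanner stops at the SOS marker it never touches pixel data, so it is cheap enough to run on every upload; a hit should trigger quarantine and manual decoding of the flagged segment rather than automatic deletion.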
This type of attack can be found virtually everywhere on the internet and, like most malware attacks, it is generally indiscriminate. Webmasters can add protection against these threats by keeping up to date with security patches, using strong passwords and a web application firewall, and monitoring the integrity of the files on their servers. Web surfers also need to be aware of the danger. Beyond ensuring a website is secured, users must assume that no file or image is safe. Do not download images from unknown sources; and just as mail is routinely filtered today, we will see more of the same for images.