Images: Sucuri

Security researchers have previously come across cases where attackers used the EXIF data of images to hide malicious code. This technique is still widely used to infect web users with malware.

Going one step further, attackers have now found a way to distribute malware via trusted and reliable Google servers such as googleusercontent. Unlike malware stored in text files, malicious payloads hidden in images are much harder to spot. Moreover, it's even harder to report malware found on googleusercontent.com to Google.

For those who don’t know, googleusercontent is Google’s domain for serving user-supplied content without affecting the safety of Google’s own pages.

According to a report by Sucuri, the following code was spotted in a script that extracts the PayPal security code:

[Screenshot of the code from Sucuri's report]

The script read EXIF data from a googleusercontent image, which was probably uploaded by someone using a Google+ or Blogger account. When the UserComment section of its EXIF data was decoded, it turned out to be a script capable of uploading a web shell and arbitrary files.

This points to a bigger threat, as there is no way to spot the malware until one checks the metadata of the images and decodes it. Even after spotting the malware, one can't know the real source of the image.
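One way to do the metadata check described above, as an added example that is not from Sucuri's report or the original article: it pulls the EXIF UserComment out of a JPEG and flags content that looks like an encoded blob or script. The function names, the detection patterns in `RULES` and the sample image builder are assumptions made for this illustration.

```python
import re, struct

def _entries(tiff, offset, e):  # yields (tag, type, count, raw_value) per IFD entry
    try:
        (count,) = struct.unpack_from(e + "H", tiff, offset)
        for i in range(count):
            yield struct.unpack_from(e + "HHI4s", tiff, offset + 2 + 12 * i)
    except struct.error:  # truncated or malformed directory
        return

def _find_comment(tiff):
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # TIFF byte order
    if e is None or len(tiff) < 8:
        return None
    (ifd0,) = struct.unpack_from(e + "I", tiff, 4)
    for tag, _, _, value in _entries(tiff, ifd0, e):
        if tag == 0x8769:  # pointer to the Exif sub-IFD
            (sub,) = struct.unpack(e + "I", value)
            for tag2, _, n, value2 in _entries(tiff, sub, e):
                if tag2 == 0x9286:  # UserComment
                    (off,) = struct.unpack(e + "I", value2)
                    return tiff[off:off + n] if n > 4 else value2[:n]
    return None

def exif_user_comment(jpeg):
    """Return the raw UserComment bytes of a JPEG, or None if absent."""
    pos = 2
    while jpeg[:2] == b"\xff\xd8" and pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, size = jpeg[pos + 1], struct.unpack_from(">H", jpeg, pos + 2)[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return _find_comment(jpeg[pos + 10:pos + 2 + size])
        pos += 2 + size
    return None

# Assumed heuristics for this example; tune them for your own content.
RULES = {"long base64 run": rb"[A-Za-z0-9+/]{80,}",
         "script keyword": rb"(?i)<\?php|eval\s*\(|base64_decode"}

def suspicious_comment(jpeg):
    """Return the names of the rules that the UserComment text matches."""
    text = (exif_user_comment(jpeg) or b"")[8:]  # skip 8-byte character-code prefix
    return [name for name, rx in RULES.items() if re.search(rx, text)]

def build_sample(comment):
    """Constructed test input: minimal JPEG carrying `comment` as UserComment."""
    data = b"ASCII\x00\x00\x00" + comment
    tiff = b"II*\x00" + struct.pack("<IHHHIII", 8, 1, 0x8769, 4, 1, 26, 0)  # IFD0 -> sub-IFD at 26
    tiff += struct.pack("<HHHIII", 1, 0x9286, 7, len(data), 44, 0) + data  # data at 44
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Running `suspicious_comment` over images a site references or stores gives a cheap first-pass filter; an empty list means only that these two patterns did not match.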
