Can you really get a trojan in an image file and if so how will it be executed?

windows trojan images

Solution 1:

Exploits in image files take advantage of buffer overrun flaws in the image processing code of the OS. There were several significant such flaws found in Windows' GDI layer a couple of years ago - patches were released long ago but exploit images are still out there either just because they stayed or in the hope that they hit a machine that has not yet been patched.

The usual cause of such a security hole is passing image data between functions on the call stack and not properly checking maximum length of the data. This can be exploited by cleverly constructed data that is over-sized and arrange in such a way that it ends up overwriting code next in the stack frame (overwriting it with other code) or overwriting pointers to code that will be used to call other functions or as the called function returns to is caller (overwriting such a pointer to make it point to the exploit code), or overwriting data in such a way that causes another hole to be exposed. The exact method varies depending on the security hole in question.

Modern CPUs have a protection that stops most of these exploits if the code supports it. This works by the program/library explicitly marking which of its pages are data and which are code - the CPU will then raise an exception if anything in what should be data (such as image data) tries to be executed as code. IIRC Vista and above and recent versions of .Net have had all their libraries re-jigged to support this protection, and it is supported by other OSs too, but this does not stop all such exploits and only works if explicitly turned on (otherwise a lot of old code would break).

Solution 2:

I must admit that this aspect of trojans and viruses has always baffled me. As a software developer I've always checked length of arrays etc. so I don't see why things like buffer overruns should occur.

Well, welcome to the real world ;-). Buffer overflows &c. can happen in many languages (especially in those with manual memory management like C), and as developers make mistakes, they do happen.

While normally a buffer overflow will just crash the program (segmentation violation or similar), it may allow an attacker to execute code -> trojan activated.

For example:

http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

http://secunia.com/advisories/35216/

And for an explanation how this allows code execution:

https://stackoverflow.com/questions/460519/how-are-buffer-overflows-used-to-exploit-computers

Related

end-of-line, beginning-of-line keys for Terminal.app on Macbook Pro Keyboard
How do I compare two files with a shell script?
Find and remove all empty files
WAMP MySQL Service will not start
What do the [..] mean in 'ps' and how do you create a process like it?
Transparent background of Vim editor within the xfce-4 terminal
Global keyboard shortcut to eject external hard drive on Mac OSX Lion?
Antivirus software that doesn't run in the background
How can I go to Documents folder in Mac with Terminal
USB to DVI adapter to get around two monitor limit of my graphics card?
How is the extra mSATA SSD disk used/configured in a Dell XPS laptop?
Microsoft Word files have weird icons suddenly?