Can you really get a trojan in an image file and if so how will it be executed?

Solution 1:

Exploits in image files take advantage of buffer overrun flaws in the image processing code of the OS. There were several significant such flaws found in Windows' GDI layer a couple of years ago - patches were released long ago but exploit images are still out there either just because they stayed or in the hope that they hit a machine that has not yet been patched.

The usual cause of such a security hole is passing image data between functions on the call stack and not properly checking the maximum length of the data. This can be exploited by cleverly constructed data that is over-sized and arranged in such a way that it ends up overwriting code next in the stack frame (overwriting it with other code), or overwriting pointers to code that will be used to call other functions or as the called function returns to its caller (overwriting such a pointer to make it point to the exploit code), or overwriting data in such a way that it causes another hole to be exposed. The exact method varies depending on the security hole in question.

Modern CPUs have a protection that stops most of these exploits if the code supports it. This works by the program/library explicitly marking which of its pages are data and which are code - the CPU will then raise an exception if anything in what should be data (such as image data) tries to be executed as code. IIRC Vista and above and recent versions of .Net have had all their libraries re-jigged to support this protection, and it is supported by other OSs too, but this does not stop all such exploits and only works if explicitly turned on (otherwise a lot of old code would break).

Solution 2:

I must admit that this aspect of trojans and viruses has always baffled me. As a software developer I've always checked length of arrays etc. so I don't see why things like buffer overruns should occur.

Well, welcome to the real world ;-). Buffer overflows &c. can happen in many languages (especially in those with manual memory management like C), and as developers make mistakes, they do happen.

While normally a buffer overflow will just crash the program (segmentation violation or similar), it may allow an attacker to execute code -> trojan activated.

For example:

http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

http://secunia.com/advisories/35216/

And for an explanation how this allows code execution:

https://stackoverflow.com/questions/460519/how-are-buffer-overflows-used-to-exploit-computers
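To make the length-checking point of both answers concrete, here is an added example (not code from either answer or from any real image library) using a constructed three-byte-header toy pixel format that is an assumption of this example: the decoder that trusts the length field from the file sits beside one that bounds it against both the input and the stack buffer.

```c
/* Constructed toy "image" format (an assumption of this example, not a real one):
 *   byte 0 : width in pixels     byte 1 : height in pixels
 *   byte 2 : declared pixel-data length N
 *   byte 3 onward : N bytes of 8-bit grayscale pixels */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN    3
#define MAX_PIXELS 16   /* decoder's fixed on-stack working buffer */

enum { IMG_ERR_TRUNCATED = -1, IMG_ERR_TOO_LARGE = -2, IMG_ERR_DIMENSIONS = -3 };

/* The flaw pattern the answers describe: the length N comes straight from the
 * file and is trusted when copying into a fixed-size stack buffer, so an
 * over-long N writes past `pixels` into whatever else sits in the stack frame.
 * Kept only for comparison; nothing here calls it. */
long decode_unchecked(const uint8_t *data)
{
    uint8_t pixels[MAX_PIXELS];
    size_t n = data[2];
    memcpy(pixels, data + HDR_LEN, n);   /* BUG: n never compared to MAX_PIXELS */
    long sum = 0;
    for (size_t i = 0; i < n; i++) sum += pixels[i];
    return sum;
}

/* Hardened decoder: every length is validated against the bytes actually
 * received and against the destination capacity before any copy happens.
 * Returns the pixel sum (>= 0) on success or a negative IMG_ERR_* code. */
long decode_checked(const uint8_t *data, size_t len)
{
    if (len < HDR_LEN) return IMG_ERR_TRUNCATED;
    size_t w = data[0], h = data[1], n = data[2];
    if (w == 0 || h == 0 || w * h != n) return IMG_ERR_DIMENSIONS;
    if (n > MAX_PIXELS) return IMG_ERR_TOO_LARGE;       /* destination bound */
    if (len - HDR_LEN < n) return IMG_ERR_TRUNCATED;    /* source bound */
    uint8_t pixels[MAX_PIXELS];
    memcpy(pixels, data + HDR_LEN, n);
    long sum = 0;
    for (size_t i = 0; i < n; i++) sum += pixels[i];
    return sum;
}

/* Constructed sample inputs. */
const uint8_t SAMPLE_GOOD[]      = {4, 2, 8, 1, 2, 3, 4, 5, 6, 7, 8};   /* sum 36 */
const uint8_t SAMPLE_OVERSIZED[] = {8, 8, 64, 9, 9, 9, 9};             /* N > buffer */
const uint8_t SAMPLE_TRUNCATED[] = {4, 2, 8, 1, 2, 3};                 /* N > bytes present */
const uint8_t SAMPLE_BADDIMS[]   = {4, 2, 7, 1, 2, 3, 4, 5, 6, 7};     /* w*h != N */
```

The oversized sample is exactly the shape of input the unchecked decoder would mishandle; the checked one rejects it before touching the stack buffer.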