Is it possible to embed a keylogger into a jpg image?

Solution 1:

It is possible when there is a security hole in the application which you are using to open JPG file (or any other file), unless it's fake JPEG image.

So there are few scenarios:

  • running fake JPEG

    Non-experienced user downloaded file and thinks it's the image (because the icon looks like an image and OS doesn't show you extension), but it could be any executable file (.exe, .vbs, .msi, .cmd, .bat, etc.). So if your operating system doesn't warn you when you run fake image file, the image could be shown with keylogger installed. So always check your extension before opening suspicious files.

  • opening JPEG

    Any media file (and other) could carry some injected code designed to trick specific applications. They could have some flaws in parsing some data (e.g. in EXIF). So if application is buggy, the injected data could trick the application to run some arbitrary code.

    For example: Exploit:W32/JPG Vulnerability, Exploit:W32/JPG Vulnerability, MS04-028 exploit

  • loading JPEG from the server

    You could inject some programming code into JPEG, so once it's parsed by web application, it can execute any code in the given language. For example JPEG file can include special tags (<?php, ?>) and when parsed by badly coded application from the webhosting company (file_get_contents(), fopen(), readfile()), it could erase your www account.

    Example JPEG: php-logo-virus.jpg

    which has this code embedded into the file:

    ÿØÿàJFIF``ÿáfExifMM* éV@HQQQ<style>body{font-size: 0;} h1{font-size: 12px !important;}</style><h1><?php echo "<hr />THIS IMAGE COULD ERASE YOUR WWW ACCOUNT, it shows you the PHP info instead...<hr />"; phpinfo(); __halt_compiler(); ?></h1>

    So once you open above image, add view-source: before the address, so you'll see the injected PHP script. Note that the above image is just the example, and it won't do anything.

    Source: Code injection – a simple PHP virus carried in a JPEG image

  • loading JPEG file which isn't JPEG file

    When you see the link such as: http://www.example.com/foo.jpeg, you think it's an image, but it doesn't have to. It all depends on its MIME type and by loading it, you actually can load the script (such as Javascript), and on vulnerable/old browser, could install a keylogger. On the other hand, your browser doesn't have to be old to achieve that.

    For example, you're visiting the page which is fake bank website, or can be real bank (with some forum where somebody uploaded fake JPEG via XSS). So to implement XSS Keylogger, you just need document.onkeypress + AJAX calls. See: XSS Keylogger

    Also check: XSS Filter Evasion Cheat Sheet

  • loading JPEG which is SVG

    Sometimes when you load media file and web-browser recognise it as different image, it fallback to the format which was recognised. And what you can do in SVG files, you can include html and JavaScript into it (if your web-browser allows that), see: Create a table in SVG (and another one).

Solution 2:

Normally it wouldn't be possible. JPEG files contain just compressed image data; they don't really contain any parts which would be run as program code, and certainly not something that would give such broad access to the system.

However, programs have bugs. More specifically, some of the various libraries used for decompressing JPEG data may have bugs which allow the program to be tricked into running parts of the data as program code, often using a buffer overflow or similar bug.


(Also, some other image formats are poorly designed do contain runnable code by design... two of the better-known examples are WMF and PDF.)