How can a virus exist in an image?

孤城傲影 2020-12-07 11:03

I have recently watched this video of a Finnish internet security expert. Somewhere around the eleventh minute, he talks about a virus which is hidden in an image and executes

4 answers
  • 2020-12-07 11:22

    Some image formats have specified actual code sections, supposedly to be executed on error. You might find it interesting to read up on the Windows Metafile image format and the MICE vulnerability.

    Wikipedia says: "... the vulnerability is an inherent defect in the design of WMF files, because the underlying architecture of such files is from a previous era, and includes features which allow actual code to be executed whenever a WMF file opens." --- https://en.wikipedia.org/wiki/Windows_Metafile_vulnerability

    The same article also quotes Secunia, but does not include a citation: "The vulnerability is caused due to an error in the handling of Windows Metafile files ('.wmf') containing specially crafted SETABORTPROC 'Escape' records. Such records allow arbitrary user-defined function to be executed when the rendering of a WMF file fails."

    0 Discussion (0)
  • 2020-12-07 11:30

    You're correct that your OS will pick a program and ask it to open the image. The OS will not ask the program to execute the image — that would be nonsense.

    However, images are complex formats and often contain metadata (like the date and time when the picture was taken) and other parts that are not directly shown — you can hide stuff in there without affecting the image on the screen. So there might be hostile data lurking inside the image file.

    Furthermore, programs can have bugs, in particular buffer overflows. Briefly, a virus can exploit this by putting too large data into the metadata sections — larger than the program that decodes the image expects. The internal buffers overflow and with enough skill, a virus writer is able to put executable code into the right place in memory so that the program that decodes the image will end up executing the code. That way an innocent and "dead" file like an image can host an exploit.

    0 Discussion (0)
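The length check whose absence the answer above describes, as an added example that is not part of the original answers: a reader for a JPEG comment (COM) segment that validates the length stored in the file before copying. The function name, the 64-byte buffer and the sample segments are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COMMENT_MAX 64                  /* assumed fixed buffer in the decoder */
static char comment_buf[COMMENT_MAX];

/* Vulnerable shape (shown only as a comment): trusts the length in the file.
 *   uint16_t len = (seg[2] << 8) | seg[3];
 *   memcpy(out, seg + 4, len - 2);  // len < 2 wraps around; len - 2 > 64 overflows
 */

/* Hardened reader: returns the comment length, or -1 if the segment is malformed. */
int read_jpeg_comment(const uint8_t *seg, size_t avail, char out[COMMENT_MAX])
{
    if (avail < 4 || seg[0] != 0xFF || seg[1] != 0xFE)
        return -1;                      /* not a COM segment */
    size_t len = ((size_t)seg[2] << 8) | seg[3];   /* big-endian, counts itself */
    if (len < 2)
        return -1;                      /* length field must cover its own 2 bytes */
    size_t payload = len - 2;
    if (payload > avail - 4)
        return -1;                      /* claims more data than the file holds */
    if (payload >= COMMENT_MAX)
        return -1;                      /* would not fit with the terminator */
    memcpy(out, seg + 4, payload);
    out[payload] = '\0';
    return (int)payload;
}

/* Constructed sample segments (not taken from any real file). */
static const uint8_t ok_seg[]   = {0xFF, 0xFE, 0x00, 0x04, 'h', 'i'};
static const uint8_t wrap_seg[] = {0xFF, 0xFE, 0x00, 0x01, 'x'};      /* len < 2 */
static const uint8_t long_seg[] = {0xFF, 0xFE, 0x01, 0x00, 'A', 'A'}; /* 254 claimed, 2 present */
static const uint8_t big_seg[4 + 70] = {0xFF, 0xFE, 0x00, 72};        /* 70 bytes into a 64-byte buffer */

int main(void)
{
    printf("ok:   %d\n", read_jpeg_comment(ok_seg, sizeof ok_seg, comment_buf));
    printf("wrap: %d\n", read_jpeg_comment(wrap_seg, sizeof wrap_seg, comment_buf));
    printf("long: %d\n", read_jpeg_comment(long_seg, sizeof long_seg, comment_buf));
    printf("big:  %d\n", read_jpeg_comment(big_seg, sizeof big_seg, comment_buf));
    return 0;
}
```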
  • 2020-12-07 11:35

    A virus can store information in an image, and can exploit a vulnerability in an image-viewing program. It cannot "infect" an image, so much as maliciously alter an image such that the program that is likely to open it will be subverted and trigger an exploit in that process.

    If a virus puts malformed data in an image to exploit program X, and the image is opened in program Y, it is likely that the image will either not render because it is too malformed, or will render as an innocent or random looking image in that program.

    The flaw, as with all of these things, is not in the image format, but rather in the implementation of the image-decoder.

    0 Discussion (0)
  • 2020-12-07 11:45

    It does not have to be displayed, it has to be read.

    The OS might have a thumbnail generating thread that will parse all images it finds. A buffer overflow in that code will allow code execution without user intervention.

    This goes for any file that has any form of automatic read feature, to extract properties of an mp3, index a PDF, etc.

    0 Discussion (0)