Paper: Script in a lossy stream

Posted by   Virus Bulletin on   Mar 2, 2015

Dénes Óvári explains how to store code in lossily compressed JPEG data.

Malformed PDFs have become a common way to deliver malware. Naturally, when this started to happen, anti-virus products began scanning inside PDF files for traces of malicious code and, equally naturally, malware authors started to obfuscate that code to circumvent scanners.

Not everything can be used to store code though. Data streams compressed using lossy compressors like JPXDecode and DCTDecode are deemed unsuitable for storing any kind of code. After all, the lossy compression means one should not be able to retrieve an exact copy of the uncompressed data. For performance reasons, scanners therefore usually ignore this data.

But are they right to do so? Today, we publish a paper by CSIS researcher Dénes Óvári, who found a way to store code as a JPEG image using the DCTDecode filter. His trick, which he explains in the paper, was to encode the data as a greyscale JPEG image, so that no rounding occurs when the images is converted from the RGB to the YCbCr colour space.

To show that this is not merely a theoretical possibility, Dénes wrote a proof-of-concept where a simple (and in this case harmless) piece of JavaScript code was thus embedded inside a PDF.

You can read the paper here in HTML format or here as a PDF. Remember that all content published by Virus Bulletin can be read free of charge, with no registration required.

Both Adobe and anti-virus vendors were given advance notification of the publication of this paper.

Posted on 2 March 2015 by Martijn Grooten



Latest posts:

VB2018 paper: Uncovering the wholesale industry of social media fraud: from botnet to bulk reseller panels

Today, we publish the VB2018 paper by Masarah Paquet-Clouston (GoSecure) who looked at the supply chain behind social media fraud.

VB2018 paper: Now you see it, now you don't: wipers in the wild

Today, we publish the VB2018 paper from Saher Naumaan (BAE Systems) who looks at malware variants that contain a wiper functionality. We also publish the recording of her presentation.

Emotet trojan starts stealing full emails from infected machines

The infamous Emotet trojan has added the capability to steal full email bodies from infected machines, opening the possibilities for more targeted spam and phishing campaigns.

VB2018 paper: Who wasn’t responsible for Olympic Destroyer?

Cisco Talos researchers Paul Rascagnères and Warren Mercer were among the first to write about the Olympic Destroyer, the malware that targeted the 2018 PyeongChang Winter Olympic Games. Today, we publish the paper they presented at VB2018 about the…

VB2018 paper: From drive-by download to drive-by mining: understanding the new paradigm

Today, we publish the VB2018 paper by Malwarebytes researcher Jérôme Segura, in which he details the shift from exploit kits to drive-by mining. We also publish the video of his VB2018 presentation.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.