Hidden in images

Hiding Malware Inside Images

We recently wrote a blog about the Clearswift Information Governance Server and using Microsoft’s File Server Resource Manager (FSRM) to add custom document properties to documents which the Clearswift SECURE Gateways can act upon. These properties are also called ‘meta-data’, and in a recent article published in the media, there was a discussion about how malware has been found hidden inside the meta-data of images.

In the example, an image is hosted on Google's user content site, but a payload is hidden in its meta-data (for images this is the EXIF data, from EXchangeable Image File format). After decoding, the code "appeared to be a script that can upload a predefined web shell and arbitrary files, place defacement pages, and then email the addresses of successfully exploited sites back to the attacker."

Whilst the source and purpose of the file are not known, its existence shows that this threat vector is in use in the wild. Images are increasingly being used to carry information, including malware and instructions from cyber-attackers to bots in botnets, precisely because images are not examined or sanitized in the same way that documents are.

The Clearswift SECURE Gateways do have the ability to remove EXIF data from images for organizations using the Document Sanitization component of our Adaptive Redaction solution. It is not restricted to just EXIF data but can also remove other unwanted meta-data including GPS coordinates from images as well as other document properties, revision history and fast save data.
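The two defensive steps described above, inspecting image meta-data for script-like content and stripping it before the image reaches users, can be demonstrated on the JPEG container directly. The following is an added example written for this article; it is not Clearswift code and does not describe how the SECURE Gateways are implemented. It walks the JPEG marker segments (EXIF lives in the APP1 segment, free-text comments in COM), flags meta-data segments containing the assumed script markers in `SCRIPT_MARKERS`, and returns a copy of the file with APPn and COM segments removed while the compressed picture data is copied unchanged. The sample file built by `build_sample` is a constructed, minimal JPEG-shaped byte string, not a real photograph.

```python
"""Inspect and strip JPEG meta-data segments (EXIF/APPn, COM).

Added example: hypothetical helper, not part of any product.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA     # start of image, end of image, start of scan
APP0, APP1, COM = 0xE0, 0xE1, 0xFE   # JFIF header, EXIF header, free-text comment

# Assumed detection list for this example: text that has no business being
# inside image meta-data.
SCRIPT_MARKERS = (b"<?php", b"eval(", b"base64_decode(", b"<script")


def parse_segments(data):
    """Return ([(marker, payload, start, end), ...], offset_of_SOS_or_EOI).

    Only the header segments before the scan are walked; the entropy-coded
    picture data that follows SOS is never interpreted.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos, segments = 2, []
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while data[pos + 1] == 0xFF:          # skip 0xFF fill bytes
            pos += 1
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            return segments, pos
        if pos + 4 > len(data):
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        segments.append((marker, data[pos + 4:pos + 2 + length], pos, pos + 2 + length))
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS/EOI found")


def find_suspicious_metadata(data):
    """List (marker_hex, matched_text) for meta-data segments that look like code."""
    segments, _ = parse_segments(data)
    hits = []
    for marker, payload, _, _ in segments:
        if not (0xE0 <= marker <= 0xEF or marker == COM):
            continue                          # DQT, SOF, DHT etc. are not meta-data
        for needle in SCRIPT_MARKERS:
            if needle in payload:
                hits.append((f"0x{marker:02X}", needle.decode()))
    return hits


def strip_metadata(data, keep_app0=True):
    """Return a copy with APPn (EXIF, XMP, ...) and COM segments removed.

    APP0 (JFIF) is kept by default because decoders expect it; everything
    from SOS onward is copied verbatim so the picture itself is untouched.
    """
    segments, sos = parse_segments(data)
    out = bytearray(b"\xff\xd8")
    for marker, _, start, end in segments:
        is_app = 0xE0 <= marker <= 0xEF
        drop = marker == COM or (is_app and not (keep_app0 and marker == APP0))
        if not drop:
            out += data[start:end]
    out += data[sos:]
    return bytes(out)


def _segment(marker, payload):
    """Encode one marker segment: FF, marker, big-endian length incl. itself."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample():
    """Constructed sample (not a decodable picture): JFIF APP0, an EXIF APP1
    carrying a script marker in its payload, a COM segment, a stub scan, EOI."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    exif = (b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08"
            + b"<?php /* constructed marker, not a payload */ ?>")
    return (b"\xff\xd8" + _segment(APP0, jfif) + _segment(APP1, exif)
            + _segment(COM, b"constructed comment")
            + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56"
            + b"\xff\xd9")


if __name__ == "__main__":
    sample = build_sample()
    print("before:", find_suspicious_metadata(sample))
    print("after: ", find_suspicious_metadata(strip_metadata(sample)))
```

Two caveats for anyone adapting this: segment stripping is a container-level fix, so a malformed or polyglot file that is not a well-formed JPEG will raise rather than be cleaned, and a few APPn segments (for example Adobe's APP14) influence how the picture is decoded, which is why production sanitizers usually re-encode the image rather than splice the byte stream.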

As the ways in which cyber-attackers deploy their malware become increasingly sophisticated, so too must the solutions that defeat them. Clearswift continues to invest and innovate in advanced threat protection and data loss prevention, keeping organizations of all sizes across the globe safe.