Misc. code in an image?

gigazer
gigazer used Ask the Experts™
on
Is it possible for someone to insert misc. or possibly dangerous code into an image file such as a .gif, .jpg, .bmp and so on?
The coding i am referring to is something like html tags, javascript and any other possible code format.
And if it is possible, how?

Thanks in advance.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
malicious code can be in any file, it just depends which program is used to read/execute the file
Top Expert 2004
Commented:
Gigazer,

If i am not wrong , I have read in news articles that Al queda used image files to passon important secret information.
Though there were not malicious code as per the report , it was possible for them to pass information.

I am sure the agreement or rules of EE would deny us from telling you how to do this though you can easily get information
on how to do this going to google.com

Sorry that I cannot give information on this

Sunray

Author

Commented:
Well i don't really mean to give a step by step method of implementing such code into an image. I was just wondering, what type of image format i would have to keep an eye out for, or how i would tell a coded image from a safe one?

I am just curious and want to stay safe.
CompTIA Cloud+

The CompTIA Cloud+ Basic training course will teach you about cloud concepts and models, data storage, networking, and network infrastructure.

Top Expert 2004

Commented:
> .. or how i would tell a  coded image from a safe one?
you can't if you don't know what you're looking for.
Any image may be infected, use lynx or links or w3m if you want to be safe :-))
You can embed anything into an image while preserving the image itself via steganography. This allows you to, among other things, put an image on your website and embed the copyright information into the image. However, a special program is required to perform the I/O. You'll find anything you need on google.

Cheers!
Exceter
>> Is it possible for someone to insert misc. or possibly dangerous code into an image file such as a .gif, .jpg, .bmp and so on?

Yes. However, this code would not be executable unless the code was extracted from the image by some other program. Therefore, for the code to be exectuted, the target machine would have to be infected already, unless there are other weaknesses inherent to the Microsoft OS of which I am unaware, when the image was cached by your browser.

Moral: Keep your virus scanner updated.

Cheers!
Exceter
Commented:
For few points, nothing much to add. I don't really buy the terrorist angle, nor the usefulness of stegonographics. I could at some more links to that effect, but at least one well-funded study showed it not in use like that.  But adding a watermerk is cool.

to insert misc. or possibly dangerous code into an image file such as a .gif, .jpg, .bmp and so on?

1)  yes.
-Some easier than others.

> The coding i am referring to is something like html tags, javascript and any other possible code format.

2) Not really like that

ahoffmann> malicious code can be in any file, it just depends which program is used to read/execute the file  

yup
There's the beef.

sunray_2003> Sorry that I cannot give information on this

Good. I agree. This is a public forum.

> how i would tell a coded image from a safe one?

3) Don't bother. The real popular ones are the ones to watch out for, and that was what so many Outlook problems were about.

3a) Do as ahoffmann said in first comment. Use a picture reader to display it. Do not simply let OS execute it

3b) Turn off Explorer's new feature to hide extensions for its executables.  Among the popular ways that malware is killing you/me/us, is the combo of permitting multiple dots in filename, and MS friendly way of hiding the parts that are essential filename extensions. So someone can right a program called "KillMyDisk.exe" and give it to you as file renamed to "PrettyPicture.GIF.exe", and when you look at in in Explorer, the friendly default displays: "PrettyPicture.GIF". As I recall, each OS upgrade insists even stronger that you do NOT want to see the whole boring name. I grieve the I always have to argue more and more with Microsoft OS interrogations and popups, as I try to, as "Administrator" (not dumb.guest) to configure it so I can actually view the details it prefers to hide, such as that for the renamed file.  Guess what happens if you click on that supposed GIF or BMP. DownTime, and probably it removes the traces of what it was as well. <ugh> This isn't a hack tool, it is common, and so easy to rename, over the prior decade this has gone on, and continues, so beware. it is not a virus, it is just a program you ran when tricked.

So, view the details, it is not really that bad on out eyes.
Commented:
 comments of sunBow are interesting: "PrettyPicture.GIF.exe" : as i can see, is not an image file. then, you are not inserting malicious code in an image file but pretending  that .exe file is an image file.  

  also, i'm not sure if steganography can be categorized as a tool to insert "malicious code". steganography and watermarking insert just insert some statements and not codes. the statements need to be extracted and then used. it's more like hiding some information within a heap. if it's malicious or not depends on the hidden information.

   i believe malicious code can be inserted in an image file, provided you know the holes present in the image viewer used by the other end.
simple question, simple points, simple answer, and a very simple solution too:
  see my previous comments ;-))

Author

Commented:
well i think my question was answered well enough by all the comments posted, so i will split more points between the answers i feel suited my needs, thank you for your cooporation.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial