
Can You get a Virus from an Image?



The idea of getting a computer virus from an image has never crossed my mind. Most of us are aware of the dangers lurking on the internet. We may think twice before opening that email attachment or downloading unknown files from the internet. But getting a virus from an image is the last thing I will think about when viewing or downloading images from the internet.

Although very unlikely, you can get a computer virus from an image. Embedding malicious code in an image is not a new idea. We can find examples of viruses hidden inside JPEG files as early as 2002, when the security company Sophos was researching a ‘proof of concept’ virus capable of appending itself to a JPEG image.

My and my family’s online safety is a priority to me; that’s why I am using Bitdefender Total Security Anti Virus, which in my mind is the best Anti Virus software currently available.

I strongly recommend checking the Bitdefender site for the latest offers.

Images are probably the most popular and common type of files found on the internet. Billions of photographs are taken daily and uploaded to the internet.


After realizing how popular images are, you would rightly assume that cybercriminals have already taken advantage of this popular file type and figured out how to “weaponize images” and use them against you.

Virus in the JPEG image file.

In 2002 the security company Sophos researched a ‘proof of concept’ virus known as W32/Perrun-A, or Perrun for short, which could append itself to JPEG files.

However, the infected JPEG files were perfectly safe to view as long as the executable version of the virus, which preceded the image infection, had not been executed first.

Let me explain.

The Perrun virus is an executable.

When started on the system, the virus deposited two files:

  • ‘extrk.exe’ – Extractor program – a program that extracted the virus from the JPEG files.
  • ‘reg.mp3’ – a modified Windows Registry entry which allowed the Extractor program to open the JPEG files.

After these two files were placed on a victim’s computer, the virus then searched for JPEG image files and appended itself to them.

And now comes the smart part.

When the unsuspecting victim tried to view the image on their computer, the Extractor program handled the image. It extracted the virus from the code embedded in the image into an executable form in the current directory and ran it.


Finally, the JPEG image was presented to the unsuspecting user with the default system viewer.

As you can see, the virus relied entirely upon you running the infected EXE file in the first place. It was impossible to get a virus from an image simply by viewing it.

The weird design of this virus and the chances of spreading via the internet were perfectly described by the Senior Technology Consultant for Sophos Anti-Virus, Graham Cluley.

Not only is this virus not in the wild, but also graphic files infected by this virus are completely and utterly harmless, unless they can find an already infected machine to assist them. It’s like a cold only being capable of making people who already have runny noses feel ill.

Graham Cluley – Senior Technology Consultant for Sophos Anti-Virus.

The instructions for removing the virus from an infected machine were posted on the Sophos website in June 2002. They required the use of Sophos Anti-Virus software and modifying Windows Registry entries to restore the default image handler.

Figure: Removal instructions for the W32/Perrun-A virus posted on the Sophos website.

Malware hidden in the JPEG image EXIF data.

Back in 2013, the cloud security company Sucuri Labs discovered a backdoor in an innocent-looking JPEG file. To their surprise, the backdoor code did not rely on the commonly used ways of hiding code but instead was stored in the EXIF headers of the JPEG file.


EXIF is a standard that specifies the formats for images, sound, and the tags used to store information about an image, such as its size, author, dimensions, or the equipment used (camera model, lens type, settings, etc.).

If you ever took a picture and your camera knew where that picture was taken, assuming it had a built-in GPS, the EXIF data or metadata is where the GPS coordinates were stored, among many other data.

Figure: Properties window of a JPEG image showing its EXIF data.

As in the previous example, viewing the infected images was perfectly safe, as the metadata (EXIF data) was harmless by itself and required third-party code to extract, assemble and execute the hidden code.

The crucial part of the code was hidden among many other EXIF tags, in this case, the ‘Make’ and the ‘Model’ tags as per the image below.

Figure: Screenshot of the malware hidden in the JPEG metadata (EXIF data).

Below is the code extracted from the compromised website. It first reads the bun.jpeg metadata, then calls the preg_replace function with the ‘/e’ modifier hidden in the ‘Make’ tag, and finally executes the eval function found in the ‘Model’ tag.

Figure: The two PHP functions used to read an image’s EXIF data and to find and replace a string. Both are harmless on their own and commonly used.

When we put everything together, we will end up with the following code.

Figure: The PHP code used to extract and execute the code hidden in the JPEG metadata. The final call executes the eval function, which decodes the base64-encoded string.

When decoded, the function executes anything provided by the POST variable zz1, posing a serious security threat to any system.

Figure: The decoded base64 string, which takes the POST variable zz1 as input.

A similar example of an image used to deliver malicious code to the victim’s computer was described by computer security expert Mikko Hypponen in his fantastic but also funny TED presentation in 2011, which you can watch below.

The relevant part starts at around the 10-minute mark, but I highly recommend watching the whole presentation.

Although the example above is not a virus but a backdoor used to retain access to already compromised systems, it shows the ingenuity of criminals and their perseverance in finding new and harder-to-detect methods of delivering malicious code to unsuspecting victims using image metadata or EXIF data.
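Both hiding places described so far, content appended after the end of a JPEG file (Perrun) and code strings stored in the EXIF ‘Make’ and ‘Model’ tags, can be checked for without rendering the image. The Python scanner below is an added example, not code from this article, Sophos or the researchers; the function names, the `build_sample` helper and the sample tag values are constructed for illustration, and treating the first FF D9 after the start-of-scan marker as the end of the image is a heuristic.

```python
import re
import struct

# Content that does not belong in camera metadata: PHP code markers, or a
# PCRE pattern carrying the /e (evaluate) modifier, as in the case above.
SUSPICIOUS = re.compile(rb"eval\s*\(|base64_decode\s*\(|^/.*/[a-z]*e[a-z]*$", re.I)
ASCII_TAGS = {0x010F: "Make", 0x0110: "Model"}  # TIFF tag ids

def exif_ascii_tags(tiff):
    """Return {name: value} for the Make/Model ASCII entries of IFD0."""
    bo = "<" if tiff[:2] == b"II" else ">"
    (ifd,) = struct.unpack_from(bo + "I", tiff, 4)
    (count,) = struct.unpack_from(bo + "H", tiff, ifd)
    out = {}
    for i in range(count):
        entry = ifd + 2 + 12 * i
        tag, typ, n, val = struct.unpack_from(bo + "HHII", tiff, entry)
        if typ == 2 and tag in ASCII_TAGS:
            off = entry + 8 if n <= 4 else val  # short values sit inline
            out[ASCII_TAGS[tag]] = tiff[off:off + n].rstrip(b"\0")
    return out

def scan_jpeg(data):
    """Report suspicious EXIF strings and any bytes after the EOI marker."""
    findings, pos = [], 2  # skip SOI (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        (length,) = struct.unpack_from(">H", data, pos + 2)
        body = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body[:6] == b"Exif\0\0":
            for name, value in exif_ascii_tags(body[6:]).items():
                if SUSPICIOUS.search(value):
                    findings.append(f"exif:{name}")
        if marker == 0xDA:  # start of scan; heuristic: next FF D9 is EOI
            eoi = data.find(b"\xff\xd9", pos + 2 + length)
            if eoi != -1 and len(data) > eoi + 2:
                findings.append(f"trailing:{len(data) - eoi - 2}")
            break
        pos += 2 + length
    return findings

def build_sample(make, model, trailer=b""):
    """Constructed input: JPEG framing only, not a viewable picture."""
    make, model = make + b"\0", model + b"\0"
    ifd = struct.pack("<HHHII", 2, 0x010F, 2, len(make), 38)
    ifd += struct.pack("<HHIII", 0x0110, 2, len(model), 38 + len(make), 0)
    app1 = b"Exif\0\0II*\0" + struct.pack("<I", 8) + ifd + make + model
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x02\x12\x34\xff\xd9" + trailer)
```

`scan_jpeg` returns an empty list for a file with ordinary tag values and no trailing bytes; each finding names either the EXIF tag that matched or the number of bytes found after the end-of-image marker.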

Using Steganography to conceal malicious code.

Steganography, especially the technique known as stegosploiting, can conceal the malicious code in the image file.

This technique can be used in conjunction with an unpatched browser to execute malicious code hidden in the image on the user’s machine simply by opening an image in the browser.

The whole idea relies on converting JavaScript code into image pixels in an image file. Once opened by the browser, that file is decoded by exploiting an unpatched vulnerability, and the code is then executed on the client.

The hidden malware code may look something like this in the decoded GIF file:

Figure: A decoded GIF image file with malicious code embedded. Source: ImageDetox: Method for the Neutralization of Malicious Code Hidden in Image Files.

The above example proves that simply opening an image found on Google in your browser may, in principle, be dangerous.

Why, then, is computer virus infection using this method not more widespread?

Probably because, as I have said before, this method relies on your browser having a specific unpatched vulnerability that can be exploited to decode and execute the hidden code.

Today, however, any vulnerabilities discovered in modern browsers are patched almost immediately, and the update is applied automatically, often without the user’s knowledge.

Keep the browser up to date and get Anti Virus software.

Most of the techniques described above rely on some third-party code running on the already compromised systems or unpatched vulnerabilities to be successful.

It is then unlikely that you will get a virus from Google Images, even if the images themselves were infected.

It doesn’t mean, though, that cybercriminals are not getting smarter. On the contrary, they constantly search for new exploits and ways of delivering malicious code to your machine.

That’s why I’m using a suite of malware and virus detecting software on my machine; you can find more details in my Favorite Software and Hardware section below this article.

It doesn’t matter if you use a good free version of the Anti Virus or purchase a commercial copy; as long as you use one, the chances of your computer getting infected with a virus are slim.

My Favorite Software and Hardware.

Thank you for reading this article. I hope you found it helpful. Here is the list of the software and hardware I am personally using, which I believe you may also find useful. These are affiliate links, so if you decide to use any of them, I will earn a small commission at no extra cost to you. But in all honesty, this is the exact software I have installed on my computer and the hardware I have been using to secure my online accounts or store my passwords.

1Password Password Manager - I have been using 1Password for over three years now, and in my opinion, it is the best Password Manager yet. You can try 1Password for free or check the latest deals on the 1Password website.

YubiKey - This is a hardware authentication device that you can use to protect your online accounts or even computers. If you are thinking of getting one, I highly recommend the YubiKey 5C NFC, which, thanks to the NFC, can also be used with your phone. If you are an Apple user, the YubiKey 5Ci is the next best choice, in my opinion.

Bitdefender Total Security - I had tried other Anti-Virus software whenever my Bitdefender license was about to expire. However, at the end of the day, this is still my favorite Anti-Virus. You can check the latest offers on the Bitdefender site.