科技回声

9 条评论

ishi超过 11 年前

It's a clever idea, but not a malware attack - just a way to hide what the attack does and make it more difficult to detect. It still needs some javascript code to extract the malicious payload from the image.

pritambaral超过 11 年前

I don't see how the embedded JavaScript can be used without the accompanying malicious loader script.As I see it, this is just another form of obfuscation. Not an entry vector.

评论 #7189719 未加载

nwh超过 11 年前

Not really newsworthy, just obfuscation. If it was yet another libtiff CVE, then I'd be worried.

acron0超过 11 年前

Article calls this steganography but...I'm not sure it really is, as the payload is hidden in the file format's metadata...not _encoded_ into the pixel data.

评论 #7189411 未加载

评论 #7189660 未加载

blueskin_超过 11 年前

Yet another reason to leave javascript off.

评论 #7189463 未加载

评论 #7189330 未加载

Pxtl超过 11 年前

So it's javascript code that won't be caught by a virus-scanner... imho, once you need a virus-scanner for javascript, you've already failed. Serving any javascript from an un-trusted source is a failure. Sad that half of the web-based advertising industry is based on this principle.

rsxzi超过 11 年前

This technique has been around since prior to 2008 at least, the biog entry below introduced the code[1], along with providing a tool to compress your js into an image using ruby [2].The technique has a legitimate use as a suave compression method and was termed "super packing" in 2011 [3][1]<a href="http://blog.nihilogic.dk/2008/08/imageinfo-reading-image-metadata-with.html" rel="nofollow">http://blog.nihilogic.dk/2008/08/imageinfo-reading-image-met...</a>[2]<a href="http://www.nihilogic.dk/labs/canvascompress/" rel="nofollow">http://www.nihilogic.dk/labs/canvascompress/</a>[3]<a href="http://daeken.com/superpacking-js-demos" rel="nofollow">http://daeken.com/superpacking-js-demos</a>

评论 #7189944 未加载

mikemoka超过 11 年前

It seems like this is allowed by design, so am I missing something? Why hasn't such a "feature" been turned off by all the newest browsers and rendering engines?I know this method could have been made available for canvas image editing purposes but is there any legitimate reason for allowing javascript to be executed as well and not to strip it out automatically?

评论 #7190368 未加载

homakov超过 11 年前

>relatively new way to distribute malware>JavaScript code stored in an obfuscated PNGthey reinvent the wheel agian?

9 条评论

ishi超过 11 年前

pritambaral超过 11 年前

I don't see how the embedded JavaScript can be used without the accompanying malicious loader script.As I see it, this is just another form of obfuscation. Not an entry vector.

评论 #7189719 未加载

nwh超过 11 年前

Not really newsworthy, just obfuscation. If it was yet another libtiff CVE, then I'd be worried.

acron0超过 11 年前

Article calls this steganography but...I'm not sure it really is, as the payload is hidden in the file format's metadata...not _encoded_ into the pixel data.

评论 #7189411 未加载

评论 #7189660 未加载

blueskin_超过 11 年前

Yet another reason to leave javascript off.

评论 #7189463 未加载

评论 #7189330 未加载

Pxtl超过 11 年前

rsxzi超过 11 年前

评论 #7189944 未加载

mikemoka超过 11 年前

评论 #7190368 未加载

homakov超过 11 年前

>relatively new way to distribute malware>JavaScript code stored in an obfuscated PNGthey reinvent the wheel agian?

PNG Image Metadata Found Leveraging iFrame Injections

9 条评论

PNG Image Metadata Found Leveraging iFrame Injections

9 条评论