by Aaron Mulgrew | Blog

News this week of a malvertising campaign that uses polyformatted images should act as a wake-up call for Security teams everywhere. Deep Secure Pre-Sales Consultant Aaron Mulgrew assesses the risks.

Malvertising is the use of online advertising to spread malware, typically by injecting malicious or malware-laden advertisements into advertising networks and ultimately into the webpages of respectable sites. The latest malvertising campaign discovered by researchers has some particularly interesting characteristics, notably the use of polyformatted files and the exploitation of image file formats. It’s a potent combination that should have people re-evaluating their cyber security defences.

Split Personality

A polyformatted file is one file that can be read and interpreted as valid by two completely different programs. Here at Deep Secure, we illustrate this in demonstrations with a file that is both a valid JPEG and a valid piece of HTML. Sounds crazy? Actually, it's remarkably simple to create a file with a split personality like this. In layman's terms, the first chunk of the file is read and interpreted as an image and rendered accordingly; the remainder of the file is ignored by the program rendering the image. Equally, that remainder is HTML code which can be read and executed by a browser.

Malicious Online Adverts

In this malvertising campaign, the cyber criminals are crafting adverts that operate in exactly the same way. The image will typically be a banner ad or similar: it is rendered correctly as an image, but the JavaScript also contained in the file is then executed, taking the user to a fake website where they can be further exploited.

Undetectable Threats

Those charged with the security of advertising networks use detection-based technology that looks for JavaScript and tries to determine whether it is doing something bad, such as redirecting to another (fake) website. However, by concealing the script in an image (effectively in a polyformatted file), the malicious JavaScript cannot be detected. In essence, the exploit is undetectable, and that is what should concern security teams.

Image Transformation

Deep Secure’s Content Threat Removal platform is the perfect counter to threats of this sort because it isn’t based on a detection paradigm. Instead, Deep Secure intercepts all images crossing the security boundary, extracting what is necessary from the image content, discarding the original file and re-creating a brand new, threat-free one for onward delivery. This approach neutralises the threat presented by polyformatted files and threats concealed in images using steganography.
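As an added illustration of the split-personality layout described above (this is not Deep Secure's code and no substitute for the pixel-level re-creation the platform performs), the Python below walks the JPEG marker structure of a file, reports any bytes trailing the EOI marker that a viewer ignores but a browser would parse, and returns a copy cut at the image's true end. The sample bytes and all function names are constructed for this example.

```python
import struct
EOI, SOS = 0xD9, 0xDA
_STANDALONE = {0x01, *range(0xD0, 0xD8)}    # TEM and RST0-7 carry no length field
_IN_SCAN = {0x00, *range(0xD0, 0xD8)}       # FF00 stuffing and RSTn inside scan data

# Constructed sample: a minimal JPEG marker skeleton (not a decodable picture) followed
# by an HTML trailer, the "split personality" layout the post describes.
_APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_SCAN = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56"
CLEAN_JPEG = b"\xff\xd8" + _APP0 + _SCAN + b"\xff\xd9"
POLYGLOT = CLEAN_JPEG + b"<html><body><script>/* constructed trailer */</script></body></html>"

def jpeg_end_offset(data: bytes) -> int:
    """Walk the marker structure and return the offset just past EOI.
    Raises ValueError if the bytes are not a structurally sound JPEG."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte ahead of a marker
            pos += 1
            continue
        if marker == EOI:                       # the image proper ends here
            return pos + 2
        if marker in _STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == SOS:                       # skip entropy-coded data to the next real marker
            while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] not in _IN_SCAN):
                pos += 1
    raise ValueError("no EOI marker found")

def trailing_bytes(data: bytes) -> bytes:
    """Everything after EOI: bytes an image viewer ignores but a browser may happily parse."""
    return data[jpeg_end_offset(data):]

def looks_like_markup(trailer: bytes) -> bool:
    """Cheap hint that a trailer carries HTML or script rather than padding or metadata."""
    return any(h in trailer.lower() for h in (b"<html", b"<script", b"<!doctype", b"<body", b"<svg"))

def sanitise_jpeg(data: bytes) -> bytes:
    """Keep only the bytes up to and including EOI, discarding any trailer. This does not
    touch payloads hidden inside APPn/COM segments or pixel data; only re-creation does."""
    return data[:jpeg_end_offset(data)]
```

A file that fails `jpeg_end_offset` or carries a markup-like trailer should be quarantined rather than served. This structural check only catches trailing-data polyglots, which is exactly why the post argues for re-creating the image rather than inspecting it.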

For more information, or to chat with a Deep Secure security expert about the threats posed by polyformatted files and image steganography, contact us today on +44 (0) 203 950 5116.

