How Malicious Patches are Bound with Images

Sub7 and Bifrost (or any other popular RAT I can think of) have never provided the ability to include malicious code in .jpg or .mp3 files (or any non-executable format).

Sub7 and ProRAT had, however, the ability to pack the malicious binary and a .jpg file (or any other file for that matter) in one self-extracting archive with an icon of your own choice (check the image below). When you clicked on the resulting .exe file, it stealthily extracted the files, installed the backdoor, and then opened the .jpg file with the default image viewer leading the unsuspecting user to believe that everything is okay.

There are other ways to deploy a malicious payload on the victim’s machine. For example, the attacker could create a specially crafter image file to exploit a vulnerability in your image viewer, which would allow the attacker to execute arbitrary code including installing backdoors. An example for this is the famous MS06-001 in Windows Graphic Device Interface (GDI).

That is not only limited to image files, one vulnerability in Windows Media Player allowed a specially crafted .mpg file to execute code on the victim’s machine.


Selecting the result file format:
Selecting the format

Selecting the icon:
Binding process

Leave a Reply

Your email address will not be published. Required fields are marked *