Can Images Have Viruses?

Out of all the drawbacks that technology has brought forward, the virus has to be one of the most annoying ones as it can lead to the loss of important files and can infect your computer in the most unexpected ways. 

Computer code

There are various ways through which a virus enters a specific device but can it enter via images? This blog post sheds light on how viruses enter your computer or mobile phone via images and how you can steer clear of them.

The short answer is yes, viruses can enter your computer through an image, but this depends on many factors, including the status of the memory card, protection you use, exact actions of the user, existing malware, type of image file, and browser vulnerabilities.

People often wonder who would have the time to create a malicious computer code and hunt other people’s PCs but people do have the time to pull off such acts and the primary reason is to extract credit card information or some confidential information out of a computer. 

How Does a Virus Enter Your Devices?

Malware has various routes available to it to find its way into your computer or mobile phone. Some of the most common ways a virus can infect any device is via online downloading platforms, email attachments, Bluetooth, cracked software, videos, etc. 

But one of the most unpredictable ways viruses can get access to you is via images. This is the most unexpected way a virus breaks into your computer. When surfing the internet we are always on the lookout for suspicious links or ads but steering clear of infected images doesn’t cross our minds. 

The entrance of viruses through images from the internet is quite rare but equally catastrophic. Concealing malicious code behind images goes back a long way but it didn’t get enough attention; that’s why the majority of people are still ignorant of viruses embedded in images. 

We can discover examples of viruses concealed inside image files dating back to 2002 when a security firm named “Sophos” was working on a “proof of concept” virus called W32/Perrun-A that had the potential to add itself to an image file. A ton of photos are now posted on the internet regularly which has increased the chances of falling under the trap of viruses hidden behind images. 

Hackers often choose the most popular images available on the internet as their host for viruses because they are aware of the fact that the users that will be clicking on that image will be numerous; therefore, they can target a large number of devices conveniently. 

JPEG File Viruses 

As mentioned above, Sophos company’s research on an image virus called Perrun revealed that the images that were embedded with malicious code did not infect the computer as long as the executable form wasn’t activated first. 

To understand how this works, you should know that Perrun is an executable form of the virus. When the virus is run or executed on any computer, it dumps two files; extrk.exe and reg.mp3. 

The “extrk.exe” file is an extractor program – a tool used for the extraction of viruses from JPEG files. And the “reg.mp3” is a Window Registry parameter that allows extrk.exe to access JPEG files. Perrun scans the computer for the JPEG files to append themselves in the images once the aforementioned files are successfully installed into the computer.

When the owner of the PC attempts to click and view the picture on their computer, the extractor file i.e. extrk.exe extracts the virus that is encoded in the image in the current working directory and executes it. 

Therefore, it is clear that the virus was harmless until you were just viewing it. As soon as you launch the infected extrk.exe, that’s when the virus is transformed into an executable form. This indicates that this type of virus is entirely dependent on the user and does not have the capability to activate itself. 

Graham Cluley, Senior Technology Consultant, Sophos Anti-Virus, states that this virus is not very common even in this era. Furthermore, even the image files that are embedded with malicious code cannot harm your PC; however, if your PC is already infected then the existing virus can help out in the activation of the Perrun. 

Then in June 2002, Sophos’ website published the instructions for uninstalling the malware from an affected PC. In order to remove such viruses, alter Window Registry Entries, and recover the default image handler, it is vital to use an appropriate antivirus program. 

Hidden Malware In JPEG Image EXIF Data

Securi Lab, a cloud security firm, detected a backdoor in a JPEG image that looked entirely safe on the surface in 2013. Next, they discovered something that surprised them; the backdoor code was in the EXIF headers that are included in a JPEG file instead of the traditional method that is used to disguise such malware. Lens, model of the camera, and camera settings are written into the EXIF data and useful to photographers. 

The purpose of an EXIF is to provide the format for photos, sound, and tags used to hold information regarding the size of the image, dimension, author, or the type of equipment such as Lens, model of the camera, and camera settings. Many of you must have noticed how our mobile phones note the location of where the picture was taken; it is due to the EXIF data, also called metadata which stores your GPS coordinates and a variety of other information such as time and image size; however, it is important that your mobile phone has a built-in GPS system.

As we discussed above, the images infected with the virus meant no harm because the metadata, or EXIF data, is safe until there was a third party application at their call that triggers the execution of the virus. 

The image below shows that the key component of the code was concealed amid a variety of other tags. Especially the “make” and “model” tags. 

In the image below, you can see the code from a hacked website, which scans the bun.jpeg metadata before proceeding to any other task. Then it runs the function of preg replace with an /e modifier concealed in the EXIF “make” tag and lastly, executes the eval function embedded in the “model” tag. 

Virus code in EXIF data

Here’s the code you get after everything adds up: 

Resulting code

After the decoding process, the function will carry out whatever the POST variable zz1 specifies, creating a major security risk to all systems.

virus code

The example that we mentioned above is not exactly a virus but a backdoor used to maintain access to hacked systems. It still demonstrates the attackers’ brilliance and determination in devising innovative ways of conveying the code containing the virus to the PC with the help of the metadata or EXIF data of an image.

Steganography Technique For Hiding Virus

The malicious code is embedded in any JPEG image file with the help of Steganography which is also known as stegosploiting. This approach is used with an unencrypted browser to launch malicious malware concealed in the JPEG file in the user’s system just by simply opening the file in the browser. 

The entire concept of Steganography is based on transforming the code of Javascript into image pixels in the image file. After the file has been opened in the browser, the decoding process initiates and is launched on the server using an unsecured exploit. In the decoded GIF file the concealed malicious code appears this way:

Example of steganography

This indicates that merely accessing a google photo on the internet can be potentially hazardous for your PC. The reason that this method is not extensively used is that it relies on whether or not your browser has an unpatched vulnerability that may be used to launch and decode the concealed code. 

However, in this era, any vulnerabilities found in contemporary browsers are patched fairly instantly and the browsers keep updating themselves automatically without even letting the user know. 

Update Browser And Install Antivirus Software 

All of the ways that a virus can enter a system rely on third-party code that is already present in an infected system or on unpatched issues in the browser. It’s, therefore, improbable that your PC will get infected via Google images even if they are embedded with malicious code.

However, with every passing day, the attackers, better known as cybercriminals, are getting more innovative. They are constantly researching new ways to deliver a virus into your system and break all the layers of protection you have put on. 

That’s why it is important to install effective antivirus software that regularly detects any and every threat coming your system’s way. The antivirus software you opt for should have the basic detection features and the potential to eliminate threats before they enter your computer; it doesn’t matter if the software is free or paid, it should do its job in the best manner as that’s what really matters. 

FAQs

Q. Can images straight from camera have viruses?

 Yes, images straight from the camera can carry viruses if the memory card of the camera is compromised. The chances of your camera being infected with a virus are extremely low. Therefore, when you take a picture with your camera then it might get infected when it is stored in the memory card, not because of the camera. 

Q. How do you know if an image is safe?

It’s quite hard to figure out whether the image file is safe or not. However, if you require just the image content then you can easily transform the original image into a duplicate with the help of an online tool and utilize that file.

Q. Can you get viruses from JPEGs?

Yes, JPEG files can get infected with a virus but they do not cause any serious harm until it is executed. 

Q. Can PNG files carry viruses?

Yes, PNG files have the potential to get infected by viruses as black hat hackers have figured out ways to store scripts inside an image. 

Below is a video on the difference between viruses, malware and spyware:

Some Advice

Viruses can be a pain in the neck but with help of antivirus software and by taking the necessary measures to steer clear of them, you will be able to get rid of the trouble they cause. Image viruses do exist but not widely and they are not even that big of a threat unless you have an already infected system. 

To summarize, all you need is a good antivirus software to steer clear of any unexpected attacks. This article covers everything you should know about image viruses and how to avoid it. If you have any queries, let us know in the comments section.

Click the link below to learn what to do if your computer is infected with ransomware.

By Nicholas

Nicholas is a staff writer at Photodoto. His interests include photography, collecting cameras old and new, video editing, and all things 3d. If a new gadget comes out on the market, he's sure to be the first to try it. He enjoys experimenting with low light photography, very long exposures and high speed filming.