Attackers are using a known, but uncommon method of maintaining access to an already compromised server by hiding backdoors inside the headers of legitimate image files, researchers said.
More than a dozen sites suffered from this method of attack, said website security firm Sucuri’s chief technology officer Daniel Cid. However, he didn’t mention if there was any evidence to connect all of them to a single source. At present, the company is still investigating while they work with their clients.
They found the images on a previously compromised webserver. In the cases they’ve seen so far, including the ‘bun.jpg’ case covered on the Sucuri blog, the website was either running an outdated version of WordPress (a popular CMS platform used by millions of domains), or outdated versions of Joomla, which is an alternate platform similar to WordPress.
The images themselves “still load and work properly,” Cid said.
“In fact, on these compromised sites, the attackers modified a legit, pre-existent image from the site,” he said. “This is a curious steganographic way to hide the malware.”
Once the server suffers compromise, the attackers will modify the image’s EXIF headers and re-upload the image. At this stage, the image renders normally, and most webmasters won’t notice anything off. However, should the compromise end up discovered and the server’s security tightened, the image provides a firm hold the attackers will later use in order to regain access.
Using the exif_read_data function in PHP to read the image’s headers, and the preg_replace function to execute the embedded commands; the attackers can keep control over a webserver long after the user patches the vulnerable software and the server’s other core files. This happens because the image’s MAKE header has “/.*/e” as a keyword — this is the ‘eval’ modifier, used to execute the content fed to preg_replace.
Once the header parses, Sucuri’s researchers discovered base64 encoded lines, that when decoded offered the final part to the backdoor itself, a function that will execute any content delivered to it via POST. Using this, an attacker can issue commands, or call for shell scripts hosted remotely and execute them. Moreover, depending on how the server ends up configured, the commands issued to the backdoor could be running with elevated privileges.
Cid explained they found the backdoors during memory examinations after a client requested help recovering from a breach. When questioned about detection, he added unless modified to detect these kinds of patterns within a given file, IDS and IPS systems wouldn’t have prevented this type of attack.
“The thing I recommend the most is file integrity monintoring,” Cid said. “If you can detect files being modified, then you can discover this type of attack.”