Recently I was made aware of an issue with the popular screenshot sharing app, Gyazo. Someone I follow on Twitter found what looked like malware hiding in their Gyazo folder: a file that had taken on the name of one of the application's own executables. Interesting, I thought. Is the app itself being flagged as malware, or is something else going on entirely?
Screenshot sharing apps may be a new attack vector for malware.
Gyazo itself isn't malware. That particular detection turned out to be a false positive on the part of Malwarebytes, which has since updated its signatures so the file is no longer flagged. But the incident does raise a number of interesting questions about such apps, and about embedded pictures and picture links in general.
In fact, using pictures to run scripts and deliver programs for nefarious purposes isn't a new idea either. Some years ago a group was spreading mayhem around 4chan with image files you were told to download and save under a different name; once renamed, the file ran as a script that downloaded a trojan in the background. Even steganography, the hiding of information within the picture itself, is sometimes used to conceal a malicious configuration file for other malware to read, and it can certainly hide larger files too. But hiding a bit of code inside an image doesn't mean that code ever gets executed.
For that you need permissions and, above all, something on the receiving end that will execute it. Those hurdles aren't as limiting as they sound in this day and age, though: an exploit is, by definition, the abuse of something nobody thought of as executable.
I tried sending a PNG with a steganographically hidden file through Gyazo to see what would happen. The original PNG was 928 KB and with the payload it was 1.2 MB, which isn't an unusual size for a PNG. Once sent through Gyazo the size increased, interestingly, to 1.42 MB. I was not, however, able to recover the hidden file (which was only the Java version of Linpack). So something does indeed happen on Gyazo's server side that breaks this way of smuggling a file through. I had assumed the server simply compressed the upload, but the size increase suggests the image is decoded and re-encoded rather than stored as uploaded, and if that is the case, anything not carried in the pixel values themselves would not survive the trip.
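To make that re-encoding argument concrete, here is an added example (my own constructed code, not Gyazo's, whose actual pipeline is unknown to me). It writes a small PNG, hides a constructed payload in it two ways, the classic "cat image payload > out.png" append and a low-bit (LSB) embed in the pixel samples, then pushes both through a simulated server that decodes the upload and writes a fresh file at a different compression level. Only the PNG format itself is assumed; the server model is a hypothesis about what a host like Gyazo might do.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Length + type + data + CRC32 over type and data, per the PNG spec."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def encode_png(width: int, height: int, pixels: bytes, level: int = 6) -> bytes:
    """Write an 8-bit RGB PNG using filter type 0 (None) on every scanline."""
    stride = width * 3
    raw = b"".join(b"\x00" + bytes(pixels[y * stride:(y + 1) * stride]) for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw, level))
            + _chunk(b"IEND", b""))


def parse_png(data: bytes):
    """Return (width, height, pixels, trailing): unfiltered RGB samples plus
    whatever follows IEND, which a real decoder silently ignores."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 12 <= len(data):
        length, = struct.unpack(">I", data[pos:pos + 4])
        ctype, cdata = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        pos += 12 + length
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", cdata[:8])
        elif ctype == b"IDAT":
            idat += cdata
        elif ctype == b"IEND":
            break
    raw, stride = zlib.decompress(idat), width * 3 + 1
    pixels = bytearray()
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:  # only filter type 0 is handled, which is all encode_png emits
            raise ValueError("unsupported scanline filter")
        pixels += row[1:]
    return width, height, pixels, data[pos:]


def lsb_embed(pixels: bytes, payload: bytes) -> bytearray:
    """Hide a 4-byte length prefix plus payload in the low bit of each sample."""
    msg = struct.pack(">I", len(payload)) + payload
    bits = [(b >> (7 - i)) & 1 for b in msg for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload too large for image")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out


def lsb_extract(pixels: bytes):
    """Inverse of lsb_embed; returns None when the length prefix is implausible."""
    def read(nbytes: int, offset: int) -> int:
        val = 0
        for i in range(nbytes * 8):
            val = (val << 1) | (pixels[offset + i] & 1)
        return val
    length = read(4, 0)
    if 32 + 8 * length > len(pixels):
        return None
    return bytes(read(1, 32 + 8 * j) for j in range(length))


def server_reencode(png: bytes, level: int = 9) -> bytes:
    """Hypothetical host behaviour: decode the upload and write a fresh file,
    so only pixel data comes through, at whatever compression level it picks."""
    width, height, pixels, _ = parse_png(png)
    return encode_png(width, height, pixels, level=level)


def demo() -> dict:
    width, height = 64, 64
    # constructed gradient image; a real photo would behave the same way
    pixels = bytearray((x * 4 + y * 2 + c * 37) & 0xFF
                       for y in range(height) for x in range(width) for c in range(3))
    payload = b"constructed sample payload, standing in for the hidden file"
    appended = encode_png(width, height, pixels) + payload       # cat image payload > out.png
    lsb = encode_png(width, height, lsb_embed(pixels, payload))  # payload in pixel low bits
    results = {}
    for name, img in (("appended", appended), ("lsb", lsb)):
        after = server_reencode(img)
        _, _, px, trailing = parse_png(after)
        results[name] = {"size_before": len(img), "size_after": len(after),
                         "appended_survives": trailing == payload,
                         "lsb_recovers": lsb_extract(px) == payload}
    return results
```

Calling `demo()` shows the appended payload gone after re-encoding (and a file size that differs from the upload, exactly the kind of change observed above), while the LSB copy comes back intact because a lossless decode-and-encode preserves every sample. Anything lossy, a resize or a conversion to JPEG, would destroy the LSB copy as well, so a host that transcodes is hostile to both methods.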
But what about other methods? Peter Gramantik, a security researcher at Sucuri, found a photo in July 2013 that used its own EXIF data to store code. The picture didn't run anything by itself: a small PHP loader on the compromised site read the image's EXIF fields with exif_read_data() and passed them to preg_replace() with the /e modifier, which evaluates the replacement as PHP. A short script that calls home and downloads a far more damaging piece of software is absolutely technically possible this way, and even probable. And EXIF data, unlike my hidden file, isn't modified by Gyazo. The catch, again, is that the picture is only the carrier; something on the receiving end still has to go looking for the code.
There was also a Windows vulnerability quite some time ago in how metadata was read within the PNG file format. It accidentally allowed arbitrary code to be executed without any permission on the part of the user. The distinction matters, though: the viewer didn't read a metadata field and deliberately run it. Bugs of that kind are memory-safety flaws in the decoder, triggered by malformed data, and the attacker's code runs with whatever privileges the viewing application has. (PNG's own metadata lives in text chunks, tEXt, zTXt and iTXt, rather than in EXIF.) So a picture viewing program could indeed be made to execute code carried in the file. Technically.
The most likely scenario is that a picture only carries configuration and scripts, hidden but readable by malware that is already installed. The ZBOT malware used this approach: pictures of sunsets and kittens provided direction to the bot, which had already been installed by other means. The image is a dead drop, not an infection vector.
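Both of those patterns, PHP parked in EXIF fields for a server-side loader and a bot configuration parked after the end of the image, are things a defender can look for in the file itself. The following is an added example of my own (not Sucuri's code and not anything from Gyazo) that walks a JPEG's marker segments, pulls the ASCII tags out of IFD0 of the Exif block, flags values that look like PHP or like a regex carrying the /e modifier, and counts the bytes after the EOI marker. The sample files it scans are constructed in the shape of the Sucuri finding; the marker strings, tag list and "c2=example.invalid" text are my own illustrative choices.

```python
import re
import struct

PHP_MARKERS = (b"<?php", b"eval(", b"base64_decode(", b"preg_replace(", b"system(")
EVAL_MODIFIER_RE = re.compile(rb"^/.*/e$")  # a PHP regex ending in the /e (eval) modifier
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x8298: "Copyright"}


def exif_ascii_tags(exif: bytes) -> dict:
    """Parse the ASCII (type 2) entries of IFD0 from an APP1 Exif payload."""
    if not exif.startswith(b"Exif\x00\x00"):
        return {}
    tiff = exif[6:]
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd_off, = struct.unpack(endian + "I", tiff[4:8])
    count, = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2])
    tags = {}
    for i in range(count):
        entry = tiff[ifd_off + 2 + 12 * i: ifd_off + 14 + 12 * i]
        tag, typ, n, raw = struct.unpack(endian + "HHI4s", entry)
        if typ != 2:
            continue
        if n <= 4:  # values of four bytes or fewer are stored inline in the entry
            value = raw[:n]
        else:
            off, = struct.unpack(endian + "I", raw)
            value = tiff[off:off + n]
        tags[tag] = value.rstrip(b"\x00")
    return tags


def scan_jpeg(data: bytes) -> dict:
    """Walk the marker segments; report EXIF strings that look like PHP and the
    number of bytes parked after the End Of Image marker."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG")
    report = {"exif": {}, "suspicious": [], "trailing_bytes": 0}
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI: decoders ignore everything after this
            report["trailing_bytes"] = len(data) - (pos + 2)
            break
        length, = struct.unpack(">H", data[pos + 2:pos + 4])
        segment = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and segment.startswith(b"Exif\x00\x00"):
            for tag, value in exif_ascii_tags(segment).items():
                name = TAG_NAMES.get(tag, hex(tag))
                report["exif"][name] = value.decode("latin-1")
                if any(m in value for m in PHP_MARKERS) or EVAL_MODIFIER_RE.match(value):
                    report["suspicious"].append(name)
        pos += 2 + length
        if marker == 0xDA:  # SOS: skip entropy-coded data; FF D9 cannot occur inside it
            eoi = data.find(b"\xFF\xD9", pos)
            pos = eoi if eoi >= 0 else len(data)
    return report


def build_exif(make: str, model: str) -> bytes:
    """Construct a little-endian Exif block whose IFD0 holds Make and Model."""
    entries = [(0x010F, make.encode() + b"\x00"), (0x0110, model.encode() + b"\x00")]
    data_off = 8 + 2 + 12 * len(entries) + 4  # header, count, entries, next-IFD pointer
    ifd, blob = struct.pack("<H", len(entries)), b""
    for tag, value in entries:
        ifd += struct.pack("<HHII", tag, 2, len(value), data_off + len(blob))
        blob += value
    ifd += struct.pack("<I", 0)  # no next IFD
    return b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + ifd + blob


def sample_jpeg(malicious: bool) -> bytes:
    """Constructed JPEG skeleton (not a decodable picture) for the scanner."""
    if malicious:
        exif = build_exif("/.*/e", "eval(base64_decode('constructed-sample-not-real'))")
        tail = b"constructed-bot-config: c2=example.invalid"
    else:
        exif = build_exif("Example Camera Co", "Example Model")
        tail = b""
    app1 = b"\xFF\xE1" + struct.pack(">H", len(exif) + 2) + exif
    sos = b"\xFF\xDA\x00\x02" + b"\x12\x34"  # empty SOS header, then fake entropy data
    return b"\xFF\xD8" + app1 + sos + b"\xFF\xD9" + tail
```

On the malicious sample `scan_jpeg` flags both Make and Model and reports the appended bytes; the clean sample yields an empty suspicious list and zero trailing bytes. The marker list is deliberately short and will miss obfuscated loaders, so treat a hit as a reason to look closer rather than as a verdict, and treat trailing data after EOI as worth unpacking regardless of what the EXIF says.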
So no, Gyazo isn't malware, and it isn't likely to be spreading self-executing pictures any time soon. That doesn't mean it isn't possible, though.
With proper controls in place there should be nary a worry. Keep UAC enabled (or, on any other OS, make sure admin rights have to be granted explicitly): that won't stop a decoder exploit from running code as your own user, but it does keep it from quietly gaining admin rights. Keep the operating system and anything that opens images patched, since decoder bugs are fixed that way and not by UAC, run a good AV, and surf smart.