November 30, 2020

Platform Technology Updates: Better Malware Detection for Multiple Image Formats with TitaniumCore

Learn more about our revised image modules

Chip Epps, Former Director of Product & Solution Marketing at ReversingLabs

At ReversingLabs, we're constantly updating and improving our technology and platform to stay ahead of malware authors. While opening an image isn't generally considered to be dangerous, malicious code can hide in images, leading to a malware attack when browsers execute the code.

We've revised several of the image validation, steganography detection, and image format support capabilities of TitaniumCore (the ReversingLabs analysis engine) to provide an even deeper level of support. Here are a few of the recent updates:

PNG Format Support

PNG (Portable Network Graphics) is a lossless image format intended for use on the web, and therefore one of the most commonly encountered image formats. It is also commonly used by malware authors to transport executable code across various boundaries and by security researchers when testing image validation capabilities.

With TitaniumCore's revised PNG module, we have encountered over 653,540,683 PNG samples.

The PNG unpacker module has been completely rewritten and equipped with a new set of heuristics and algorithms which allow more thorough format analysis.

Notable changes include:
  • Improved metadata extraction and validation
  • Image data stream decompression and validation
  • Extraction of unknown, suspicious and corrupt PNG chunks
  • Extraction of hidden data from intentionally malformed chunks
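The checks listed above map directly onto the PNG chunk structure (length, type, data, CRC). The following is an added example, not TitaniumCore's code: a small chunk walker that validates each chunk's CRC, flags chunk types outside the specification (including type bytes that are not ASCII letters), inflates the concatenated IDAT stream and compares its size with what IHDR implies, and reports any bytes appended after IEND. The sample images it inspects are constructed inline by `make_png`; the chunk name `hIDE` used in the usage section is a made-up private chunk, not a known malware marker.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types registered in the PNG specification (critical and ancillary).
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}

# Samples per pixel for each PNG colour type.
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def png_chunk(ctype, body):
    """Serialise one chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(extra_chunks=(), trailer=b"", pixel_stream=b"\x00\x00"):
    """Build a constructed 1x1 8-bit greyscale PNG for the demo.
    extra_chunks are raw chunk bytes placed before IEND, trailer is appended
    after IEND, and pixel_stream is the raw (filter byte + pixel) data."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(pixel_stream)
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat)
            + b"".join(extra_chunks) + png_chunk(b"IEND", b"") + trailer)


def inspect_png(data):
    """Walk the chunk list and return a list of textual findings (empty = clean)."""
    findings = []
    if not data.startswith(PNG_SIGNATURE):
        return ["bad PNG signature"]
    pos = len(PNG_SIGNATURE)
    idat = b""
    ihdr = None
    seen_iend = False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_field) < 4:
            findings.append(f"truncated chunk {ctype!r} at offset {pos}")
            return findings
        # Chunk type bytes must be ASCII letters; anything else is malformed.
        if not all(65 <= b <= 90 or 97 <= b <= 122 for b in ctype):
            findings.append(f"malformed chunk type {ctype!r} at offset {pos}")
        elif ctype not in KNOWN_CHUNKS:
            findings.append(f"unknown chunk {ctype!r} ({length} bytes) at offset {pos}")
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != struct.unpack(">I", crc_field)[0]:
            findings.append(f"CRC mismatch in {ctype!r} at offset {pos}")
        if ctype == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", body) if len(body) == 13 else None
            if ihdr is None:
                findings.append("IHDR has wrong length")
        elif ctype == b"IDAT":
            idat += body
        pos += 12 + length
        if ctype == b"IEND":
            seen_iend = True
            break
    if not seen_iend:
        findings.append("no IEND chunk")
    if pos < len(data):
        findings.append(f"{len(data) - pos} trailing bytes after IEND")
    # Inflate the concatenated IDAT stream and compare with the size IHDR implies
    # (non-interlaced images only: one filter byte plus the packed row per scanline).
    if not idat:
        findings.append("no IDAT chunk")
    else:
        try:
            raw = zlib.decompress(idat)
        except zlib.error:
            findings.append("IDAT stream does not inflate")
        else:
            if ihdr and ihdr[6] == 0 and ihdr[3] in CHANNELS:
                width, height, depth, colour = ihdr[0], ihdr[1], ihdr[2], ihdr[3]
                row = (width * CHANNELS[colour] * depth + 7) // 8 + 1
                if len(raw) != row * height:
                    findings.append(f"IDAT inflates to {len(raw)} bytes, expected {row * height}")
    return findings


if __name__ == "__main__":
    hidden = png_chunk(b"hIDE", b"constructed hidden payload")
    print(inspect_png(make_png()))                             # clean file: []
    print(inspect_png(make_png(extra_chunks=[hidden])))        # unknown chunk
    print(inspect_png(make_png(trailer=b"MZ" + bytes(10))))    # bytes after IEND
    print(inspect_png(make_png(pixel_stream=b"\x00\x00hidden")))  # oversized IDAT
```

The IDAT size comparison is the cheapest of the checks and the one most often skipped by viewers: decoders stop after the last scanline, so extra bytes inside the compressed stream render as a perfectly normal image.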

GIF Format Support

GIF (Graphics Interchange Format) is a popular format for storing still and animated images. Despite the emergence of more efficient animation formats such as WebM, GIF is still found in abundance on the web. This can be credited to its small size and the great many tools that support it. Combined with the structural simplicity of the format, this makes GIF an ideal format for transporting malware.

TitaniumCore's cloud has encountered at least 28,832,884 GIF samples.

The TitaniumCore GIF unpacker has been rewritten from the ground up and is now equipped with a new set of features:
  • Improved metadata extraction and validation
  • Image data stream decompression and validation
  • Extraction of hidden data from various GIF blocks
  • Advanced classification logic and heuristics, now able to detect various exploits
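GIF is a sequence of blocks, each introduced by a single byte (0x21 extension, 0x2C image descriptor, 0x3B trailer), with variable data carried in length-prefixed sub-blocks. The walker below is an added example (not TitaniumCore's unpacker) that parses the logical screen descriptor and colour tables, follows every sub-block chain, pulls out comment-extension payloads as the kind of "hidden data in a GIF block" the list above refers to, and reports unknown block introducers and bytes after the trailer. `make_gif` builds a constructed 1x1 GIF89a (the classic minimal image stream) so the example runs offline.

```python
import struct


def _subblocks(data, pos):
    """Read a chain of length-prefixed sub-blocks; return (payload, position after the 0 terminator)."""
    out = bytearray()
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return bytes(out), pos
        if pos + n > len(data):
            raise ValueError("truncated sub-block chain")
        out += data[pos:pos + n]
        pos += n


def make_gif(comment=None, trailer=b"", extra_block=b""):
    """Constructed 1x1 GIF89a with a two-entry global colour table.
    comment adds a comment extension, extra_block is inserted before the
    trailer, trailer is appended after the 0x3B byte."""
    screen = struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)   # GCT flag set, size bits 0 -> 2 entries
    gct = b"\x00\x00\x00\xff\xff\xff"
    ext = b""
    if comment is not None:
        ext = b"\x21\xfe" + bytes([len(comment)]) + comment + b"\x00"
    image = b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    image += b"\x02" + b"\x02\x44\x01" + b"\x00"        # LZW min code size 2 + minimal code stream
    return b"GIF89a" + screen + gct + ext + image + extra_block + b"\x3b" + trailer


def inspect_gif(data):
    """Return {'findings': [...], 'comments': [...], 'images': n} for the GIF in data."""
    report = {"findings": [], "comments": [], "images": 0}
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        report["findings"].append("bad GIF signature")
        return report
    width, height, packed, _, _ = struct.unpack("<HHBBB", data[6:13])
    pos = 13
    if packed & 0x80:                                  # skip global colour table
        pos += 3 * (2 << (packed & 7))
    try:
        while pos < len(data):
            intro = data[pos]
            pos += 1
            if intro == 0x3B:                          # trailer: nothing should follow
                if pos < len(data):
                    report["findings"].append(f"{len(data) - pos} bytes after trailer")
                return report
            if intro == 0x21:                          # extension block
                label = data[pos]
                pos += 1
                payload, pos = _subblocks(data, pos)
                if label == 0xFE:
                    report["comments"].append(payload)
                elif label not in (0x01, 0xF9, 0xFF):  # plain text, graphic control, application
                    report["findings"].append(f"unknown extension label 0x{label:02x}")
            elif intro == 0x2C:                        # image descriptor
                left, top, iw, ih, ipacked = struct.unpack("<HHHHB", data[pos:pos + 9])
                pos += 9
                if ipacked & 0x80:                     # skip local colour table
                    pos += 3 * (2 << (ipacked & 7))
                pos += 1                               # LZW minimum code size
                _, pos = _subblocks(data, pos)
                report["images"] += 1
                if left + iw > width or top + ih > height:
                    report["findings"].append("image frame exceeds logical screen")
            else:
                report["findings"].append(f"unknown block introducer 0x{intro:02x} at offset {pos - 1}")
                return report
    except (ValueError, struct.error) as exc:
        report["findings"].append(str(exc) or "truncated block")
        return report
    report["findings"].append("no trailer")
    return report


if __name__ == "__main__":
    print(inspect_gif(make_gif(comment=b"constructed comment")))
    print(inspect_gif(make_gif(trailer=bytes(5))))
    print(inspect_gif(make_gif(extra_block=b"\x42")))
```

Because decoders stop at the trailer and skip extensions they do not understand, both the comment payload and anything after 0x3B survive a round trip through a normal viewer, which is exactly why an unpacker has to surface them rather than silently skip them.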

BMP Format Support

BMP (Bitmap Image File) is an old format for storing bitmap images and has a well established presence within the Windows ecosystem. Due to its convoluted structure, big file size and years of maintaining backwards compatibility, it has been surpassed by more popular formats such as PNG. Nevertheless, BMP is still supported by all major web browsers and imaging programs, which makes it largely inconspicuous and thus very convenient for malware authors.

So far, we have encountered 18,065,622 BMP samples. As with most image modules, the BMP unpacker employs the heatmap feature to detect and extract hidden regions of the file.

Various other features include:
  • Metadata extraction and validation
  • Image data stream decompression and validation
  • Support for both Windows and OS/2 bitmaps
  • Classification heuristics based on various factors
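A BMP file declares its own layout: the file header gives the total size and the offset of the pixel array, and the DIB header gives the dimensions and bit depth from which the pixel array size follows. Comparing those declarations against the actual bytes exposes regions no structure accounts for, which is the idea behind detecting hidden regions as described above. The checker below is an added example rather than ReversingLabs' heatmap implementation; it handles both the Windows BITMAPINFOHEADER and the OS/2 BITMAPCOREHEADER, accounts for the palette in indexed images, and reports slack between the headers and the pixel array, bytes after the pixel array, and a declared size that disagrees with the file. `make_bmp` constructs the sample files.

```python
import struct


def make_bmp(width=2, height=2, bpp=24, header="windows", slack=b"", trailer=b""):
    """Constructed uncompressed BMP with black pixels. slack is inserted between
    the headers and the pixel array (bfOffBits points past it); trailer is
    appended after the pixel array. bfSize is computed over the whole file."""
    stride = ((width * bpp + 31) // 32) * 4           # rows are padded to 4 bytes
    pixels = bytes(stride * height)
    if header == "windows":
        info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0, len(pixels), 2835, 2835, 0, 0)
        entry = 4                                      # BGRA palette entries
    else:
        info = struct.pack("<IHHHH", 12, width, height, 1, bpp)
        entry = 3                                      # BGR palette entries
    palette = bytes(entry * (1 << bpp)) if bpp <= 8 else b""
    off_bits = 14 + len(info) + len(palette) + len(slack)
    size = off_bits + len(pixels) + len(trailer)
    file_header = struct.pack("<2sIHHI", b"BM", size, 0, 0, off_bits)
    return file_header + info + palette + slack + pixels + trailer


def inspect_bmp(data):
    """Return a list of textual findings about unexplained regions (empty = clean)."""
    findings = []
    if len(data) < 26 or data[:2] != b"BM":
        return ["not a BMP"]
    _, bf_size, _, _, off_bits = struct.unpack("<2sIHHI", data[:14])
    hdr_size = struct.unpack("<I", data[14:18])[0]
    if hdr_size == 12:                                 # OS/2 BITMAPCOREHEADER
        width, height, _, bpp = struct.unpack("<HHHH", data[18:26])
        compression, clr_used, entry = 0, 0, 3
    elif hdr_size >= 40 and len(data) >= 54:           # BITMAPINFOHEADER and its extensions
        width, height, _, bpp, compression, _, _, _, clr_used, _ = struct.unpack("<iiHHIIiiII", data[18:54])
        entry = 4
    else:
        return [f"unsupported DIB header size {hdr_size}"]
    if bf_size != len(data):
        findings.append(f"declared file size {bf_size} != actual {len(data)}")
    if compression != 0:
        findings.append(f"compressed bitmap (method {compression}); pixel array size not checked")
        return findings
    palette = (clr_used or (1 << bpp)) * entry if bpp <= 8 else 0
    headers_end = 14 + hdr_size + palette
    if off_bits > headers_end:
        findings.append(f"{off_bits - headers_end} bytes of slack between headers and pixel array")
    elif off_bits < headers_end:
        findings.append("pixel array offset overlaps the headers")
    stride = ((width * bpp + 31) // 32) * 4
    pixel_end = off_bits + stride * abs(height)        # negative height = top-down image
    if pixel_end > len(data):
        findings.append("pixel array extends past end of file")
    elif pixel_end < len(data):
        findings.append(f"{len(data) - pixel_end} trailing bytes after pixel array")
    return findings


if __name__ == "__main__":
    print(inspect_bmp(make_bmp()))                        # []
    print(inspect_bmp(make_bmp(slack=b"X" * 16)))         # slack before pixels
    print(inspect_bmp(make_bmp(trailer=b"payload")))      # bytes after pixels
    print(inspect_bmp(make_bmp() + b"abc"))               # size mismatch + trailing bytes
```

Note that a file whose bfSize has been updated to cover appended data passes the size check and is caught only by the region accounting; a viewer will happily render either variant, so the discrepancy is invisible without this kind of structural comparison.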

Image Validation and Steganography Detection

TitaniumCore features a new image validation strategy, complete with two rewritten unpackers: TIFF (Tagged Image File Format) and JPEG (Joint Photographic Experts Group). Both are well-known image formats and are often used to transport malicious code over various boundaries.

We have encountered over 1,150,415,225 JPEG samples, and 54,570,336 TIFF samples.

Both the TIFF and JPEG unpackers have been completely rewritten and expanded with a vast set of metadata tags, and will now warn about unknown tags, irregularities, intentionally crafted infinite loops, and more. They will also attempt to extract potential embedded files using various heuristics.

The revised unpackers also come equipped with the heatmap feature, a new steganography extraction technique for image formats which allows easy detection and extraction of code caves.
