Can malware be attached to an image?

The other answers mostly talk about attaching arbitrary code to images via steganographic techniques, but that's not very interesting since it requires that the user be complicit in extracting and executing that. The user could just execute malicious code directly if that's their goal.

Really you're interested in whether there's a possibility of unexpected, arbitrary code execution when viewing an image. And yes, there is such a possibility of an attacker constructing a malicious image (or something that claims to be an image) that targets specific image viewing implementations with known flaws. For example, if an image viewer allocates a buffer and computes the necessary buffer size from a naive width * height * bytes_per_pixel calculation, a malicious image could report dimensions sufficiently large to cause the above calculation to overflow, then causing the viewer to allocate a smaller buffer than expected, then allowing for a buffer overflow attack when data is read into it.

Specific examples:

  • http://technet.microsoft.com/en-us/security/bulletin/ms05-009
  • http://technet.microsoft.com/en-us/security/bulletin/ms04-028
  • http://www.adobe.com/support/security/bulletins/apsb11-22.html
  • https://www.mozilla.org/security/announce/2012/mfsa2012-92.html
  • http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1205
  • http://en.wikipedia.org/wiki/Windows_Metafile_vulnerability

In general, these sorts of things are difficult to protect against. Some things you can do:

  • Keep your systems and applications updated.
  • Enable DEP.
  • Enable ASLR if possible.
  • Avoid running programs with administrative privileges.
  • On Windows, Microsoft's EMET could also provide some protection.
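The integer-overflow size calculation described in the answer above, shown as the naive computation beside a checked one that rejects the oversized header before any buffer is allocated. This is an added example, not code from the original answer; the `img_header_t` struct, the 64 MiB policy cap and the sample headers are constructed for illustration and do not correspond to any real image format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed header: three fields an attacker fully controls in a file. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} img_header_t;

/* Naive size computation: the multiplication is done in 32 bits and wraps,
 * so a huge image can report a tiny buffer size (the bug the answer describes). */
uint32_t naive_pixel_bytes(const img_header_t *h) {
    uint32_t area = h->width * h->height;       /* wraps modulo 2^32 */
    return area * h->bytes_per_pixel;           /* wraps again */
}

/* Hardened version: refuse zero or absurd fields, check each multiplication
 * against SIZE_MAX before performing it, then apply a policy cap.
 * Returns 0 and writes the size on success, -1 on any rejection. */
int checked_pixel_bytes(const img_header_t *h, size_t max_bytes, size_t *out) {
    size_t w = h->width, ht = h->height, bpp = h->bytes_per_pixel;
    if (w == 0 || ht == 0 || bpp == 0 || bpp > 16) return -1;
    if (w > SIZE_MAX / ht) return -1;           /* w * ht would overflow */
    size_t area = w * ht;
    if (area > SIZE_MAX / bpp) return -1;       /* area * bpp would overflow */
    size_t total = area * bpp;
    if (total > max_bytes) return -1;           /* larger than policy allows */
    *out = total;
    return 0;
}

/* Simulated decoder using the checked path. Only copies the payload when the
 * buffer really is large enough. Returns 1 if accepted, 0 if rejected. */
int decode_image(const img_header_t *h, const uint8_t *payload, size_t payload_len) {
    size_t need;
    if (checked_pixel_bytes(h, 64u * 1024u * 1024u, &need) != 0) return 0;
    if (payload_len > need) return 0;           /* more data than the buffer holds */
    uint8_t *buf = malloc(need);
    if (buf == NULL) return 0;
    memcpy(buf, payload, payload_len);
    free(buf);
    return 1;
}
```

With width 65536, height 65537 and 4 bytes per pixel, the true size is about 16 GiB but the naive calculation returns 262144, which is exactly the undersized allocation the answer warns about.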

Yes, there are ways to 'exploit' buffer overflows.

Sometimes the code may need to be executed via a separate script, and in theory you could assemble a virus from multiple images that contained code hidden within the picture using steganography, but there are easier ways.

Basically many computer systems expected images to comply with the exact specification for the type and they failed to correctly range check the formats/parameters being passed.

By 'engineering' an image so that externally it looks like it complies but internally it does not, it was possible to trigger stack corruption/buffer overflows that would allow code hidden in an image to be executed under the authority of the user.

But note that this does not ONLY apply to images, it can apply to ANY file; take a look at the recent RTF exploit in MS Word.


You can always hide files/programs/anything in the 'slack space' of any file. Then you could run a script later to extract and/or compile what you have hidden... For instance, you could embed a malicious executable (or smaller script) within multiple images on a website. When a user goes to the website, they download the images.

Learn more about Slack Space here: http://www.computerhope.com/jargon/s/slack-space.htm and then play around with it yourself by grabbing a hex editor (http://mh-nexus.de/en/hxd/) and messing around.