How is it possible to embed executable code in an image

The answer is simple. That was not a photo. And .pif is not an image format. Count on NYTimes to provide correct technical info.

As the log on NYTimes's article says, and as FireEye's actual report confirms, the file used was a .pif file. It's one of the less known of Windows's executable file extensions.

.pif is legacy from MS-DOS, like .com. It's intended to be a "program information file" (hence the name), storing a shortcut to a (DOS) program along with various info to the system on how to treat it. Even today, Windows gives .pif files a shortcut-type icon.

The funny thing is that, today, Windows doesn't really care if the .pif is really just a program information file. Try it: rename any .exe file into a .pif and run it. There might be some difference like the icon not displaying, but that's all. That's what uniform treatment of files of different formats gets you. Thanks, Microsoft!

Why does this happen? Short answer: Because Windows. Longer answer: Windows runs a .pif through ShellExecute, which technically should find a suitable program to open a file and then use it to open it. With .pif files, it first checks if it is really a file that points to an MS-DOS executable. If it doesn't conform to the .pif file format, ShellExecute checks if it contains executable code. If it does, it gets run as if it was a .exe. Why? Because Windows!

What did the suuper-scary genius hackers do? These guys didn't bother doing anything complicated: they made a self-extracting-and-executing SFXRAR archive out of a virus installer and a program (probably just a .bat) opening an image of a girl that they found on the internet, renamed that devilish contraption into a .pif file and sent it to the hapless freedom fighter.

Why did they use .pif? For two reasons, obviously:

  1. Few people know that it can run as an executable file (thanks, Microsoft!)

  2. It obviously sounds like .gif or .tiff or .pdf or something very image-y. Even you didn't doubt from its name that it was an image format, did you, OP? ;)

Concerning your actual question ("how is it possible to embed executable code in an image"). Yes, it is possible to execute code via a specially crafted image provided it is opened in a vulnerable program. This can be done by exploiting an attack like a buffer overflow. But these specific hackers were most probably not clever enough for this.

Edit

Interesting note: these guys actually used DarkComet, which has the ability to generate compressed executables with different extensions, .pif being in their list. I'm not sure about displaying an image, but this could be a functionality added in a newer version.

Another edit

I see you're asking on how to protect against this specific "vulnerability". The answer is simple.

First, make sure Windows shows you file extensions. Windows mostly hides them by default (thanks, Microsoft!).

Then learn this by heart: .exe .com .cmd .bat .pif .vb .vba .vbs .msi .reg .ws .wsc .wsf .cpl .lnk. These are the best known file types that can easily execute potentially malicious code or otherwise harm your computer if opened, whether you have vulnerable applications installed or not. If someone sends you such a file saying it's an image of a pretty girl, you can be sure it's another low-profile hacker like these Syrian guys.

Another option is simply being pro-active and checking and double-checking any downloaded file with an unfamiliar file format. It could be malware, you know.

As for real images with exploits... you could probably try keeping your software up to date.
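The two checks this answer recommends (know the runnable extensions, and don't trust a file's name) can be automated. The following is an added example, not code from the answer or from FireEye: it labels a file by its leading bytes and flags a .pif or "image" that really carries an MZ executable header. The file names and headers are constructed samples.

```python
"""Tell a renamed executable from a real picture by its leading bytes.

Added example, not code from the answer above: a .pif (or "image") file
whose first bytes are the MZ header is a Windows executable in disguise,
and a name ending in one of the listed extensions is run, not displayed.
"""
from pathlib import PurePath

# Extensions the answer lists as running code or harming the machine when opened.
RUNNABLE = {".exe", ".com", ".cmd", ".bat", ".pif", ".vb", ".vba", ".vbs",
            ".msi", ".reg", ".ws", ".wsc", ".wsf", ".cpl", ".lnk"}

# Leading bytes ("magic numbers") of the formats relevant here. An SFX RAR
# archive is itself an executable, so it starts with MZ like any PE file.
MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"GIF8": "GIF image",
}

def identify(head: bytes) -> str:
    """Label a file's content from its first bytes; 'unknown' if no match."""
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return "unknown"

def assess(name: str, head: bytes) -> tuple:
    """Return (verdict, reason): 'run' if the extension alone makes Windows
    execute the file, 'mismatch' if a non-executable extension hides an MZ
    header, 'ok' otherwise."""
    ext = PurePath(name).suffix.lower() or "(none)"
    label = identify(head)
    if ext in RUNNABLE:
        return "run", f"{ext} opens as a program (content: {label})"
    if label == "PE/DOS executable":
        return "mismatch", f"{ext} extension but MZ header"
    return "ok", f"{ext} with {label} content"

if __name__ == "__main__":
    # Constructed sample headers, not real files.
    samples = {
        "pretty_girl.pif": b"MZ\x90\x00" + b"\x00" * 60,  # renamed executable
        "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",     # genuine JPEG
        "photo.png": b"MZ\x90\x00PE\x00\x00",               # executable, image name
    }
    for fname, head in samples.items():
        print(f"{fname:16} {assess(fname, head)}")
```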


Nothing is perfect, and a common kind of bug is a buffer overflow, where in short data gets copied where it shouldn't be, and in some cases this can lead to arbitrary code being executed.

For example, here is a bug in old Microsoft versions in which, if you viewed a certain image with IE, then arbitrary code could be executed.

Note that this is very implementation-specific, so opening the same image in Firefox or Chrome would simply result in a broken image, but no code execution.

Buffer overflow in layman's terms

Buffer overflow technical details


Mints97's answer is great, but I think there may be more to it than that. An especially wonderful (read: terrible) problem with Windows is that it supports the complete Unicode character set in filenames, including (and this is the worst) U+202E.

While I am sure it has some good innocuous uses, it can allow people to maliciously change the filename in a way that is difficult for the average user to notice. This is excellently documented in this howtogeek.com article.

Essentially, the hacker can put U+202E in a filename and change "filename by gnp.tab" to "filename by bat.png". The character reverses the order of all of the name after itself. All the attacker needs to do is choose the correct file type that executes, and Windows will associate it with the executable name.

This is harder to guard against than you think. The best defense would be to scan the names of files for this. The CMD command dir seems to report a ? for this Unicode character. Python, and I am sure other languages, can get the Unicode name, so a script or program of some sort could prevent this problem.

By far the simplest solution is to also look at the four letters before a file extension and make sure the reverse isn't an executable name. (I think there are some four-letter executable names, but I am not sure.)

Be wary!

EDIT: I made a Python script (download here) that reads the file names in a directory for U+202E. It tells you a) the actual name and b) the extension. It should support working with multiple files and multiple U+202Es in one name.
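The check this answer describes, as an added example in Python (not the author's script): it reconstructs the name a user would see after the override, reports the extension Windows actually uses, and applies the "letters before the extension, read backwards" heuristic. The file names are constructed, and the display simulation is a deliberate simplification of the Unicode bidi algorithm.

```python
"""Spot right-to-left override (U+202E) tricks in Windows file names.

Added example, not the author's script: it shows the name a user would see
once the override reverses the display, the extension Windows really uses,
and the answer's heuristic (letters before the visible extension that spell
an executable type when read backwards).
"""
from pathlib import PurePath

RLO = "\u202e"
# Directional formatting characters that can reorder or hide parts of a name.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
# Extensions the first answer lists as directly runnable on Windows.
RUNNABLE = {".exe", ".com", ".cmd", ".bat", ".pif", ".vb", ".vba", ".vbs",
            ".msi", ".reg", ".ws", ".wsc", ".wsf", ".cpl", ".lnk"}

def displayed_name(name: str) -> str:
    """Approximate what Explorer renders: the RLO itself is invisible and
    everything after the first one is laid out right-to-left (reversed)."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail.replace(RLO, "")[::-1]

def reversed_executable_hint(shown: str) -> bool:
    """The answer's heuristic: do the 2-4 letters just before the visible
    extension spell a runnable extension when read backwards?"""
    stem = PurePath(shown).stem
    return any("." + stem[-n:][::-1].lower() in RUNNABLE for n in (2, 3, 4))

def analyze(name: str) -> dict:
    """Report the displayed name, the real extension and spoofing indicators."""
    shown = displayed_name(name)
    actual_ext = PurePath(name).suffix.lower()
    shown_ext = PurePath(shown).suffix.lower()
    controls = sorted({f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS})
    return {
        "displayed": shown,
        "actual_ext": actual_ext,
        "displayed_ext": shown_ext,
        "bidi_controls": controls,
        "spoofed": bool(controls) and actual_ext != shown_ext,
        "runs_as_program": actual_ext in RUNNABLE,
        "reversed_hint": reversed_executable_hint(shown),
    }

if __name__ == "__main__":
    # Constructed names, not real files; the second one is the classic trick.
    for n in ("holiday.png", "holiday_photo_" + RLO + "gnp.exe"):
        print(analyze(n))
```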