• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Return of the EXIF PHP Joomla Backdoor

November 3, 2015Peter Gramantik

56
SHARES
FacebookTwitterSubscribe

Our Remediation and Research teams are in constant communication and collaboration. It’s how we stay ahead of the latest threats, but it also presents an opportunity to identify interesting threats that aren’t new but may be reoccuring.

Such as today’s post, in which we explore a case we shared close to two years ago where we found malicious payloads were being injected into images.

My colleague Rodrigo Escobar passed us a very interesting payload, in which the backdoor was being embedded right into the JPG EXIF header data. It was specific to a hacked Joomla! install, and coincidently used the same markers as what we reported on in our last post on the subject. This time however, the image was working correctly, so it seems they’ve managed to get it right.

This time our team noticed the image was still working on the website and it loaded without any problems. The interesting part is that the code is stored within a seemingly innocent image file – the Joomla! logo – which can be loaded and viewed:

parse_jpg3

Breaking Down the Backdoor

This initiating (and quite discreet) piece of code was added to the application.php core file in Joomla in order to read EXIF data from the logo image. Note as well that the @preg_replace includes some EXIF data about the image, such as the Description, Aritist, Model, etc.

parse_jpg

 

The application.php file simply loads as a core part of Joomla. When it loads the logo using this malicious snippet, it executes information stored in the EXIF header. Here is one part of the malicious JPG header, the image itself is valid, but the attackers added base64_decode in the header:

parse_jpg1

When the data is loaded using the PHP exif_read_data function, it returns an array filled with the data itself. The EXIF data is all listed as filled in by the attacker:

parse_jpg2

 

You can also clearly see the obfuscated base64 part of the code, which is the encoded Joomla backdoor itself. There’s nothing more – it’s just a very common backdoor.

In summary, the attackers broke up the string of malicious code and inserted it into each of the sections of the EXIF data on the JPG image. The EXIF data is like a puzzle waiting to be base64 executed, and when the application.php file loads, the @preg_replace pieces together EXIF data, which successfully executed the backdoor.

Malware Everywhere

The malware authors are always trying to find new ways to hide malware, and some cases going back to old techniques, anything to make it as invisible as possible.
You can read a related blog post where I described similar situation involving malicious code hidden in PNG file.

We have recently discussed infected Word document macros and even fake Google Drive phishing, so be wary of your sources even with commonly trusted forms of media.

Who knows, maybe in another two years, I’ll share with you a blog post about malware hiding in a JPG EXIF header again… Repetitio mater studiorum est – Repetition is the mother of all learning. Keep your eyes open and stay safe!

56
SHARES
FacebookTwitterSubscribe

Categories: Joomla Security, Website Malware Infections, Website SecurityTags: Encryption, Obfuscation, Website Backdoor

About Peter Gramantik

Peter Gramantik is Sucuri’s Sr. Malware Researcher who joined the company in 2013. Peter’s main responsibilities include crafting signatures for new malware, and improving existing and researching new detection techniques. His professional experience covers 15 years of fighting malware. When Peter isn’t researching malware, you might find him doing technical and cave dives, riding his Harley Davidson, playing the guitar and singing in a band, or cooking BBQ for his family and friends. Connect with Peter on Twitter.

Reader Interactions

Comments

  1. Duncan Michael-MacGregor

    November 4, 2015

    Fantastic write up, you can’t help but admire the sneakiness and originality of the hackers. EXIF of all things!?!

  2. Armando

    November 13, 2015

    With things like this I always wonder how the attackers actually manage to get the initial files on the server in the first place.
    Can you point me in the right direction?

    I too have had my website hacked some years ago, fascinating to see the obfuscated code and what it does exactly. How did it get there?! No idea…

    I’d really like to know where such a hole could exist and learn how to close it.

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

2019 Threat Report

The Anatomy of Website Malware Webinar

Joomla Security Guide

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2021 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.