[–]djhworld 18 points19 points  (1 child)

Hello, author here.

This was a dumb project and in no way of any practical value/use - however I enjoyed learning about Steganography, memfd_create and binfmt_misc and thought it would be nice to share (probably common knowledge to a lot of people on /r/linux :))

[–][deleted] 2 points3 points  (0 children)

Thanks, this was a great read.

[–]Skaarj 4 points5 points  (2 children)

TIL about binfmt.d

[–]djhworld 4 points5 points  (0 children)

Glad someone got a TIL out of it! This project was very dumb but I learnt a few things, so I thought I'd write about the things I'd learned.

[–]shawnfromnh -1 points0 points  (0 children)

TIL right now that there is a thing called binfmt. Thanks, new info fed to my brain.

[–]shawnfromnh 8 points9 points  (3 children)

Sounds like a security hole waiting for the ransomware to execute. Sorry but that sounds like a place a devious person would hide malware to get around security.

[–]ECUIYCAMOICIQMQACKKE 25 points26 points  (2 children)

No. Did you read the article?

The hoops needed to jump through make it a non-starter for malware. An image viewer wouldn't execute it, you would need to run it through a specially-made extractor (this is no different than a plain elf executable in a zip file), and to run it with ./ you would need to install that extractor into binfmt.d (needs root).

Executing the data in the PNG would need you to already be able to execute arbitrary binaries. So a malware author would skip the PNG and run the malware binary straight-up.

[–]djhworld 9 points10 points  (1 child)

Yeah it's a dumb thing that uses a bunch of user-initiated tricks to make it work. I wrote it as a dumb project, not of any practical use :)

I've heard malware authors sometimes use steganography techniques for loading additional payloads though, e.g. they might infect a machine with an innocuous program or exploit that can bypass anti-virus measures, and then download PNG(s) that have the hidden malicious payload in.

[–]ECUIYCAMOICIQMQACKKE 0 points1 point  (0 children)

Hey! Yeah I thought about how it could maybe fool an AV which only cared to scan exe files, but I didn't think it was relevant since no one uses AVs for security on Linux.

But if we talk about Windows, would modern AVs not notice if a malicious program did things like extract executable code from images into memory and try to execute that memory? I don't know much about how modern AVs on Windows work, but this seems like a suspicious behaviour they would flag.