my new photo malware and Google’s webp images
We have been seeing a persistent attack by email for some time now. The subject is always “my new photo”, “my photo” or the equivalent in Spanish.
Until 2 days ago the zip attached to the email contained only a single malware file, which is generally identified as Androm, Gamarue or Wauchos depending on which antivirus you have installed. It obviously takes a few hours, or even a day or more, for the antivirus companies to catch up with new versions, so some users get infected.
Over the last few days there has been a change in delivery methods. Along with the “normal” executable file there is what appears to be a standard jpg, but it won’t display natively in Windows Explorer or in the majority of image editing/viewing programs. It will display in the Chrome browser. Looking at the file headers, the image is a genuine image, but it is in the “new” WebP format from Google (https://developers.google.com/speed/webp/), which needs a codec from Google to display in Windows Explorer, or a plug-in to display or use in common image editing/viewing programs.
We will almost certainly see requests or comments in various forums, on Facebook or on other tech help sites. It is believed that if a user “accidentally” or otherwise runs the exe file, the image is then displayed in the browser (if Chrome is the default) or, where the Google plug-in or codec has been installed, in an image viewer, so the user thinks it was just an image and not a malware file.
Of course the .exe file has its extension hidden by default, and the icon suggests it is a jpg image file, which makes the unwary more likely to click on it and consequently become infected.
I have been charting the progress of this malware for some time now, since it first appeared at the end of August 2014: https://myonlinesecurity.co.uk/new-photo-malware/
To clarify this 100% and make it clear for those who don’t have English as a first language:
This post is not about preventing malware attacks as such, but about informing everybody of the new format being used, particularly the increasing use of Google’s WebP format. That explains why we see quite a few posts saying that a user cannot see a jpg image in an email or on a web page in IE, Firefox etc. but can in Chrome, or why they cannot view or edit a downloaded jpg.
The zip file contains 2 files:
1 is a standard .exe with an icon that looks like a jpg; if you don’t have file extensions shown, that can confuse a user and lead to infection when clicked on. That is an old trick and we have been advising users how to overcome it for ages.
The problem is the second file in the zip, which has a jpg extension and icon and is a genuine image file, BUT it is not a standard jpg; it is an image in Google’s “new” WebP format.
Windows by default will NOT display WebP images, and none of the default Windows image viewers display them. Google Chrome (and Opera) do display them. IE does NOT display them.
The biggest concern is that a user will not see a preview of the image in Windows Explorer, and when he double-clicks that image file to view it he will also see nothing except a big X.
We can start to expect requests for help in forums asking why they can’t see jpg images.
We did see a similar thing a few months ago when Facebook tried a short-lived experiment of using WebP images instead of standard jpgs. They soon stopped because of complaints, but scuttlebutt is they want to bring them back because of better compression and the consequent bandwidth cost savings.
Malware authors (and sex sites) are always the first to adopt new technology, and once they start to push the tech, others follow suit.
You can see the difference here. The first image is a standard jpg image (61 kb). The second image is a standard png image (735 kb), the format used on many websites to avoid going blotchy when cut down in resolution to save on bandwidth, but the original is a much larger file. The third is the Google WebP image (29 kb), which will only display in the Chrome browser and not in IE or Firefox. Unless you are using Google Chrome, all you will see is the first and second images; the third image (which is identical to the other 2) will just appear as a blank spot with a small x and the words “webp image of my new photo”. You can see from this why many web developers and website owners want to use WebP to cut down file sizes and still display very high quality images.
If you open the image files in a hex editor or analysis program you will see the file type header information (non-printable bytes are shown as dots):
For jpg they are ……JFIF…..`.`……Exif..MM
For PNG they are .PNG……..IHDR……………g…..sRGB………gAMA……a…..pHYs……….
For WebP they are RIFFhs..WEBPVP8
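As an added example (not code from the original post), here is a Python check that reads the magic bytes of each file in a zip attachment and reports when the file name and the real format disagree; it covers the JFIF/Exif, PNG and RIFF/WEBP headers above plus the MZ header of a Windows executable, and the zip contents and file names are constructed for the example.

```python
import io
import struct
import zipfile

IMAGE_EXTS = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "webp": "webp"}

def sniff(data: bytes) -> str:
    """Actual container type from the leading bytes, ignoring the file name."""
    if data[:2] == b"\xff\xd8":                        # JPEG SOI; "JFIF" or "Exif" follows
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":               # PNG signature, then the IHDR chunk
        return "png"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":  # bytes 4..7 hold the RIFF size ("hs..")
        return "webp"
    if data[:2] == b"MZ":                              # DOS stub of a Windows executable
        return "exe"
    return "unknown"

def classify(name: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes say."""
    parts = name.lower().rsplit(".", 2)          # "my new photo.jpg.exe" -> [..., "jpg", "exe"]
    ext = parts[-1] if len(parts) > 1 else ""
    shown = parts[-2] if len(parts) > 2 else ""  # what Explorer shows once the last extension is hidden
    actual = sniff(data)
    return {
        "name": name,
        "claimed": IMAGE_EXTS.get(ext, ext),
        "actual": actual,
        "mismatch": IMAGE_EXTS.get(ext, ext) != actual,  # e.g. a .jpg that is really WebP
        "disguised_exe": actual == "exe" and shown in IMAGE_EXTS,  # the hidden-extension trick
    }

def scan_zip(blob: bytes) -> list:
    """Classify every member of an in-memory zip; 16 bytes per member suffice."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [classify(i.filename, zf.open(i).read(16)) for i in zf.infolist()]

def build_sample_zip() -> bytes:
    """Constructed stand-in for the attachment: an MZ file named like a photo and a
    'jpg' that is really a RIFF/WEBP container (size field real, VP8 payload faked)."""
    fake_exe = b"MZ" + b"\x90" * 62
    payload = b"WEBPVP8 " + b"\x00" * 24
    fake_webp = b"RIFF" + struct.pack("<I", len(payload)) + payload
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("my new photo.jpg.exe", fake_exe)
        zf.writestr("my new photo.jpg", fake_webp)
    return buf.getvalue()
```

Calling scan_zip(build_sample_zip()) flags the first member as a disguised executable and the second as a name/format mismatch (claimed jpeg, actual webp), which is exactly the pair of files described above.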