security - How can a virus exist in an image?

Question

I have recently watched this video of a Finnish internet security expert. Somewhere around eleventh minute, he talks about a virus which is hidden in an image and executes when the image is about to be displayed.

I am wondering how do they technically do such a thing, I mean how come the virus is executed, when the picture should be displayed and how come the picture is not compromised in some way. I thought the computer first looks at the extension, then opens it with appropriate program and lets the program work itself (and I don't expect regular image viewer to be able to run a virus within itself). Obviously it doesn't work like that, but no one I asked could help me out with this.

So does anyone know how do they do this, the principle? Thank you very much.

Answer 1

You're correct that your OS will pick a program and ask it to open the image. The OS will not ask the program to execute the image — that would be nonsense.

However, images are complex formats and often contain meta data (like the date and time when the picture was taken) and other parts that are not directly shown — you can hide stuff in there without affecting the image on the screen. So there might be hostile data lurking inside the image file.

Furthermore, program can have bugs, in particular buffer overflows. Briefly, a virus can exploit this by putting too large data into the meta data sections — larger than the program that decodes the image expects. The internal buffers overflow and with enough skill, a virus writer is able to put executable code into the right place in memory so that the program that decodes the image will end up executing the code. That way an innocent and "dead" file like an image can host an exploit.