In this section, we will tell you the story of a simple steganography trick that led to the discovery of a devastating new attack vector. Today’s sophisticated attackers are likely to exploit such tricks to steal content and execute transactions from vulnerable applications that may reside behind an organization’s perimeter.

In January 2007, Lifehacker.com posted a description of how users could hide ZIP files within image files. You can find the post at http://lifehacker.com/software/privacy/geek-to-live--hide-data-in-files-with-easy-steganography-tools-230915.php.

This “stego trick” worked because image-rendering software reads files from the “top” (header) down, consuming data that represents the GIF format and ignoring data that makes up the compressed ZIP file. Tools that work with ZIP files, on the other hand, typically begin reading files from the “tail” (footer) up, and ignore the data that makes up the GIF image. Attackers quickly realized that because JAR files are also based on the ZIP format, they could use this trick to hide JAR files in GIFs, and thus the GIFAR was born.

The combination of a GIF and a JAR file creates a GIFAR. Figure 2-14 shows a simple representation of a file that is both a GIF image and a JAR file.

Figure 2-14. A GIFAR

An examination of the file in a hex editor shows the header of a GIF file and the footer containing ...