GIFAR's Magical Mimes Filed in 8 by 3 (2012)

outline and notes for 2012 file types brownbag

GIFAR's Magical Mimes Filed in 8 by 3

File types, identification technology, and their weaknesses

File types?

a few examples:

  • live and raw bytes of common file types:
  • html/xml/text, pl/py/rb/sh, png, swf, PDF, exe, doc, mp3, avi, jar/zip/docx

the basic schemes

  • file name extensions (trust)
  • file metadata (tag)
  • resource forks and EAs
  • MIME type tags and headers
  • file(1) magic (check)
  • icons?

How is all of this used?

  • Apache modules may try to compress GIF, JPG, but not PNG, JAR

Exceptions to policy

  • configured in HIDS/NIDS: e.g. MSSE "exclude from scan" for *.jar
  • WAF / IPS policy: disallow requests to *.cgi, *.pl
  • Email security: Gmail won't allow exes ...

In response and triage

  • easy to prioritize/triage by file extension ...
  • automated analysis may rely on file typing
  • Fireeye/Damballa, FTK's Cerebus, ?

Basic Deceptions

  • change extension/name
  • can simply hide files in Windows or UNIX, eg ..

Simple mutation

  • compression/packing/encoding to evade detection
  • magic tricks: gif/php stego

Release the GIFAR!

other examples of multiple valid types

bsk@bebo-bt5:~/anet/gsec$ file -v
magic file from /etc/magic:/usr/share/misc/magic
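To make the "basic schemes" and the GIFAR point concrete, here is an added checker (my own example, not from the talk or any of the tools it names) that does what a triage script can do beyond trusting the extension: it reads the leading magic bytes the way file(1) does, compares them with what the extension claims, and then looks for a second, trailing container signature, the ZIP end-of-central-directory record that a JAR loader seeks from the end of the file. The sample files, the extension table and the function names are all constructed for this example.

```python
"""Check a file's extension against its leading magic bytes and look for a
trailing ZIP archive: the GIFAR pattern (valid GIF in front, valid JAR behind)."""
import io
import os
import struct
import zipfile
from typing import Optional

# Leading signatures at offset 0 for the types the outline lists (the same
# well-known magic values that file(1)'s database keys on).
LEADING_MAGIC = [
    (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF-", "pdf"),
    (b"MZ", "exe"),
    (b"PK\x03\x04", "zip"),                          # zip, jar, docx
    (b"FWS", "swf"), (b"CWS", "swf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc
    (b"#!", "script"),
]

# What each extension claims to be, in the categories above (example table).
EXT_CLAIMS = {
    "gif": "gif", "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "pdf": "pdf",
    "exe": "exe", "zip": "zip", "jar": "zip", "docx": "zip", "swf": "swf",
    "doc": "ole2", "pl": "script", "py": "script", "rb": "script", "sh": "script",
}

EOCD_SIG = b"PK\x05\x06"
EOCD_LEN = 22          # fixed part of the end-of-central-directory record
MAX_COMMENT = 0xFFFF   # the trailing comment length is a 16-bit field


def leading_type(data: bytes) -> Optional[str]:
    """Type indicated by the first bytes, or None if no known signature matches."""
    for sig, kind in LEADING_MAGIC:
        if data.startswith(sig):
            return kind
    return None


def trailing_zip_offset(data: bytes) -> Optional[int]:
    """Offset of an end-of-central-directory record that terminates the data,
    or None. Archive readers locate a ZIP from this record, which is why a
    file with unrelated leading bytes can still be opened as a JAR."""
    tail_start = max(0, len(data) - EOCD_LEN - MAX_COMMENT)
    pos = data.rfind(EOCD_SIG, tail_start)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            if pos + EOCD_LEN + comment_len == len(data):
                return pos
        pos = data.rfind(EOCD_SIG, tail_start, pos)
    return None


def classify(filename: str, data: bytes) -> dict:
    """Compare the extension's claim with the magic bytes and flag polyglots."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    claimed = EXT_CLAIMS.get(ext)
    magic = leading_type(data)
    zip_at = trailing_zip_offset(data)
    findings = []
    if claimed is not None and magic is not None and claimed != magic:
        findings.append(f"extension says {claimed}, magic says {magic}")
    if zip_at is not None and magic not in (None, "zip"):
        findings.append(f"{magic} header plus zip archive ending at EOF (polyglot)")
    return {"ext": ext, "claimed": claimed, "magic": magic,
            "trailing_zip": zip_at is not None, "findings": findings}


# Constructed samples, not real files: a GIF header stub, a bare (empty) ZIP
# end record, and a tiny real archive built with zipfile.
GIF_STUB = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
EMPTY_ZIP = struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, 0, 0, 0, 0, 0)
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("hello.txt", "hi")
TINY_ZIP = _buf.getvalue()

SAMPLES = {
    "logo.gif": GIF_STUB,                 # honest GIF
    "logo_polyglot.gif": GIF_STUB + EMPTY_ZIP,  # GIF header, ZIP end record
    "report.pdf": b"MZ\x90\x00" + b"\x00" * 60,  # PE bytes under a .pdf name
    "lib.jar": TINY_ZIP,                  # honest archive
}


def scan_samples() -> dict:
    return {name: classify(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name}: magic={result['magic']} findings={result['findings']}")
```

Treat the output as a triage signal rather than a verdict: an "exe" header with a trailing archive is also what a self-extracting ZIP looks like, and the extension mismatch check only fires for extensions in the table, so unknown extensions fall through silently.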

/. thread:

copy of original GIFAR presentation?:

R. Brandis. Exploring below the surface of the gifar iceberg. Whitepaper. 2009

Image Repurposing for Gifar-Based Attacks by Smitha Sundareswaran, Anna C Squicciarini:

DeCore: Detecting Content Repurposing Attacks on Clients’ Systems by Smitha Sundareswaran, Anna C Squicciarini

Dan Crowley, Jack of All Formats

  • nil

  • pic/details for compression / encoding?
  • research on filetype usage in Cerebus, Fireeye, Sourcefire..
  • ? anti virus screen snip of exception config - at work ?
  • reorg this page and pretty up the links


Background books that don’t address file typing in any depth:




Roel @ Kaspersky Lab’s blog post about antivirus detection of scripts hiding as PEs, Nov 2005

Magic byte vulnerability

Malware Hidden Inside JPG EXIF Headers

Newer info from Talos is on their blog here

Written on November 7, 2012