Steganography alert: Backdoor spyware stashed in Microsoft logo

Internet snoops have been caught concealing spyware in an old Windows logo in an attack on governments in the Middle East. The Witchetty gang used steganography to stash backdoor Windows malware – dubbed Backdoor.Stegmap – in the bitmap image. "Although rarely used by attackers, if successfully executed, steganography can be …

  1. Danny 2

    It's a genuine threat

    I clicked on a photo of the Prime Minister and my nephew lost his mortgage, my benefits were cut and the Bank of England was scammed out of £65 billion.

    XKCD is coming back to London on November the 7th.

    1. Anonymous Coward

      Re: It's a genuine threat

      That e-mail was legit, it was the online leadership vote sent to registered Conservative members.

    2. Androgynous Cupboard Silver badge

      Re: It's a genuine threat

      Well played Danny, very well played.

      1. Danny 2

        Re: It's a genuine threat

        Remember, you can't call the Tory party conference a 'war' on the poor. It's a special fiscal operation.

  2. Bitsminer Silver badge


    The Windows logo always was an "indicator of compromise" for some people. For example, some Linux fanbois.

    Some hackers took the hint seriously...

    1. John Robson Silver badge

      Re: IoC

      The old "I heard that if you play the Windows install CD backwards it plays satanic messages", "That's nothing, I heard if you play it forwards it installs Windows."

      1. milliemoo83

        Re: IoC

        "How do you keep Windows NT secure?"

        "Keep it in the shrinkwrap"

        Linux fortune cookie.

    2. OldCrow 1975

      Re: IoC

      I was a Linux Fanboy when I was 50. Twenty years later. Still a Linux FANBOY. The best part is my penguin logo is just an image. Nothing else.

      Make sure to set your /etc/hosts.deny to ALL: PARANOID

      You will have a lot less difficulty. That is a courtesy message for the uninformed. Happy Sunday. It is a lovely day so far.

      1. ICL1900-G3

        Re: IoC

        Amen to that.

      2. Anonymous Coward

        Re: IoC

        "The best part is my penguin logo is just an image. Nothing else."

        DYRTFA? The Windows logo was just a bitmap image. Nothing added. Until recently.

        As for FANBOY? Oh come on, like me you're a FANOLDFART. Only in my case it's reserved for macOS

  3. VoiceOfTruth Silver badge

    Trusted hosts

    -> trusted hosts such as GitHub

    Since when is GitHub a trusted host? Perhaps the author of the article has a different definition to me. Trusted to me means somebody or something that I know or I trust. The next level down is somebody who I know and trust says that such a thing is trustworthy - a chain of trust. But GitHub? It is a web site where people submit code. Are we now supposed to trust something just because it is on GitHub?

    I know what the author is getting at - GitHub is well known. But that does not automatically make it trustworthy. NPM was considered trustworthy by many, and look what happened. Anyone who just automatically trusts GitHub and therefore anything on it needs a lesson or two.

    1. Will Godfrey Silver badge

      Re: Trusted hosts

      "Anyone who just automatically trusts GitHub and therefore anything on it needs a lesson or two."

      ... and will probably soon get them.

    2. M.V. Lipvig Silver badge

      Re: Trusted hosts

      Microsoft owns GitHub. That should remove any concerns you might have about security. No need to be concerned about the effectiveness of what doesn't exist, right?

    3. OldCrow 1975

      Re: Trusted hosts

      Dilbert said it best.

      Change is good. You go first.

    4. Yet Another Anonymous coward Silver badge

      Re: Trusted hosts

      GitHub is unlikely to be blocked by corporate firewalls. An app downloading from is likely to generate more suspicion

    5. doublelayer Silver badge

      Re: Trusted hosts

      It's not about personal trust, as nobody was sent to GitHub to retrieve this file. Any person who trusts any file they get from GitHub has a very bad security posture. It's about what sites set off alarms, get blocked, or even get flagged as unusual on automatic filters. Most sites don't have GitHub in their filters of suspicious domains. There are probably other sites where uploading an image is possible and won't be blocked automatically by the traditional filter lists.

  4. PRR Silver badge

    I knew a guy in the PRE-Internet age who claimed that JPEG files could contain anything, even code. We all granted the possibility but thought it would take much deliberate perversion to get that code executed. 27 years later, that day is here?

    He also said Flash-ROM BIOS could contain malware.

    1. Anonymous Coward

      27 years later, that day is here?

      You haven't been following the Windows exposures much over the years, have you?

      1. Yet Another Anonymous coward Silver badge

        Windows wmf vector drawing files let you embed commands directly

        So you could start a file with "# format c:" and then opening the file would do that

  5. Howard Sway Silver badge

    snoops have been caught concealing spyware in an old Windows logo

    Pro Tip : To protect against this threat, peel all stickers containing the logo off your laptop in order to stop the spyware "diffusing" into your system. Likewise, never insert a dvd with the logo on it into a drive. If you see the logo on screen at startup, your machine has been infected, and it is highly likely that it will send your personal data back to snoops such as Microsoft without your knowledge or consent.

    1. Anonymous Coward

      Re: snoops have been caught concealing spyware in an old Windows logo

      I'm personally very happy that it's now clear that anything with that logo is unsafe. Microsoft's own website, that of partners, consultancies offering related services - best block anything with that logo to be safe.

  6. MachDiamond Silver badge


    The best place to hide something is in plain sight. Some TLA that suspects there could be a file containing stealthed data might have a blind spot when it comes to the graphic for the OS's startup splash screen. I'm going to file this.

    As an aside, I have a couple of books that describe hiding places that can be created around the home that are lots of fun. Some are too well known, but might still be good if you are just hiding a bit of cash and a common burglar is unlikely to have the time or knowledge to find it. Some are known to TLAs so if that's your worry, better keep working on it. Some are truly brilliant and their design leads to other methods that are possible now using powerful neo magnets that weren't around when the books were written. I've seen a couple online that use hardware from Ikea that's been developed to not look like a nut, screw or bolt. You'd have to thoroughly destroy something to get at the insides if you didn't know where to look for the hidden fastener.

  7. OldCrow 1975

    That was close

    That Penguin logo on my computer seems fine.

    1. Yet Another Anonymous coward Silver badge

      Re: That was close

      although penguins are susceptible to fishing scams

  8. pip25

    So if the payload was encoded in the image found in the article....

    ...does that mean that The Register is now hosting malware?

  9. Rol

    Let's pretend we're selling pure evil in a script shop?

    I do hope the intelligence agencies are keeping up with the fight. Perhaps a lovely malware script shop for wannabe hackers. Except the scripts redirect a DNS lookup to the agencies' server and send back the IP of a perfectly legit looking site for the oinks to fiddle with, yet it's just a mock-up of the real thing.

    While they are busy turning off incubators at the local special care baby unit, or launching nuclear missiles, the local police are just minutes away from kicking their door in and dragging them off to spend a long time as an unwilling sex worker in a max security prison.

  10. aerogems Silver badge
    Black Helicopters

    A Picture Is Worth A Thousand Words

    And those 1,000 words can contain malicious code if run on your computer.
