Digital Imaging and Communications in Medicine (DICOM) is an international standard for transmitting, storing, retrieving, printing, and displaying medical imaginginformation, such as X-ray, CT scans, MRIs, and ultrasound. A DICOM file comprises a file format definition and a network communications protocol.

Can a DICOM file contain malware?

The DICOM file header consists of a 128-byte file preamble, followed by a 4-byte DICOM prefix. The preamble is part of a compatibility feature designed to allow medical imagery files to be processed by both DICOM and non-DICOM software.

  • A DICOM viewer disregards the file preamble, observes the DICM string, processes the DICOM content, and displays the DICOM images.
  • A TIFF viewer can use offset information in the file preamble to access and display the image pixel data in the file while disregarding the rest of the DICOM content.

Unfortunately, this preamble design can give threat actors a new way to spread malicious code. By using a header of another file type, for example, .exe, attackers can hide malware in an otherwise regular DICOM file. Cylera, a company providing cybersecurity solutions for hospitals, published technical details and proof-of-concept (PoC) code for this vulnerability, which has been assigned the CVE identifier CVE-2019-11687.

Let’s examine a sample and see how Deep CDR (Content Disarm and Reconstruction) can solve the problem:

In this case, Deep CDR removed the unapproved content and reconstructed the DICOM file with only its legitimate data. Thus, renaming the file extension to .exe did not work with the sanitized file. As a result, the malicious code is no longer executable. Also, file structure integrity is fully reserved, so users can safely use the file without loss of usability.

Deep CDR ensures every file entering into your organization is not harmful helping you prevent zero-day attacks and evasive malware. Our solution supports sanitization for over 100 common file types, including PDF, Microsoft Office files, HTML and many image file types.

Contact us today to understand more about OPSWAT advanced technologies, and learn how to protect your organization comprehensively.


Tags: Deep CDR