Steganography: the art of concealment


Last year security vendor AVG researchers discovered that a popular banking Trojan, a Vawtrak variant, was using steganography as a method of obfuscating update files.

In this particular case, those update files were hidden within the Least Significant Bits (or white space if you prefer) of a 4Kb encrypted favicon graphic which, in turn, was then distributed using the Tor network via a Tor2Web proxy. This was very clever stuff, deviously clever in fact, as it not only meant that a Tor browser wasn’t required to access the updater servers, but also the favicon activity in the browser being a normal activity would not arouse suspicion.

That Tor hidden services were being exploited by a piece of malware in this manner was not that surprising, however, the use of steganography was more so. Not least as this is a concealment methodology that is often, and wrongly I should add, thought of as being something of a toy technology. On its own, there is an argument to suggest it’s not the most secure method of keeping data secret; throw it into a layered defensive mix and steganography certainly manages to throw some weight about though. Nor is this anything new, it’s been around seemingly forever.

I recall using a homebrew keylogger to capture the input of anyone daft enough to use my PC 25 years or so ago, and then throw that data into an image file using basic steganography methods. It may have been somewhat Heath-Robinson in approach, but it successfully got me root on more than one occasion following social visits by assorted sysadmins to my flat back in the day.

More recently Dell, or at least the SecureWorks’ Counter Threat Unit (CTU) part of the business, uncovered steganography alive and kicking in the malware world of today. Last year it published research on the Stegoloader malware family, which uses steganography to avoid detection. Like Vawtrak, it’s a clever use of the technology as it enabled the malware to be distributed via a seemingly innocuous portable network graphic (PNG) file hosted legitimately and never actually stored on the victim’s computer. More recently, towards the end of 2015, malware families such as the Miniduke APT group, Aulreon rootkit and Lurk downloader were all found to be employing steganography in one way or another.

A book about cryptography disguised as a book about magic and called Stegangraphia, was written by one Johannes Trithemius back in 1499

If that weren’t scary enough, an Indian security researcher has demonstrated how steganographic techniques can be used to hide malicious exploitable code directly within an image. Saumil Shah calls this Stegosploit, and has shown how the exploit code is encoded within the pixels and decoded using the HTML 5 Canvas element meant for dynamic rendering. This has been reported as enabling the exploit, a mixture of image code and JavaScript, to run just by loading the image carrier in a browser. That’s actually not true.

Stegosploit works by embedding the JavaScript code inside the image file and obscuring the payload. The malicious JavaScript still has to be sent to your browser, it’s not really just a matter of looking at an image and getting pwned. Really, the exploit has already happened because you downloaded the malicious code. The requirement for unpatched, vulnerable, browser clients to be used also sits in here.

So what, exactly, is steganography. Literally, steganos means concealed and graphei which means writing gives us ‘concealed writing’ and that about sums it up. And when I said it was nothing new, I meant it; a book about cryptography disguised as a book about magic and called Stegangraphia, was written by one Johannes Trithemius back in 1499.

Whereas an encrypted file cannot be made sense of without the key to decrypt it, it is usually visible and obviously an encrypted file. This in and of itself is enough to draw attention to the fact that there is ‘something’ there that someone wants to keep private; and that can be enough to pique the interest of the very folk you don’t want to see it. This may be a moot point, as long as the encryption is strong enough, you might think. However, in a scenario where you could be legally obliged or illegally forced to hand over the key it’s less than ideal. Steganography provides a method of hiding the file, making discovery much less likely. Combine encrypted files with steganographically hidden ones and you have something approaching the best of both worlds.

But it’s not all about just hiding content in images; the carrier can be anything that allows the sender to obfuscate additional data. In the case of network steganography, for example, it has been possible to do this with unused field in the headers of TCP/IP protocols. More recently, some researchers have made progress with transcoding steganography where audio files (specifically speech ones) have been compressed to allow space to be freed up that can then be used to hide data. Free tools such as DeepSound are available, which make hiding data in audio a point and click affair, and offer the ability to encrypt data using AES-256 for further protection, across a number of audio encoding formats.

Back in 2011, the Internet Society released a paper that revealed how a ‘stealthy and context aware sound Trojan’ for smartphones called SoundComber used steganographic techniques. This was all very clever stuff, but none more so than how it could use such things as ring tone volume changes or patterns of vibration to obfuscate the sending of data. By controlling the quality of the audio output, the user determines the space available for the hidden data. The greater the amount of background noise the greater the amount of space to hide stuff in.

The VBKlip banking Trojan even hides its communications by using a non-sensical HTTP connection requesting a non-sensical dummy file. What’s the point of that you might think? The point is that it uses steganographic techniques to hide account number data in the HTTP response headers themselves.

Or how about Twitter, which was also found to be used in a complex malware attack process just last year. Going by the name of Hammertoss, this particular attack methodology was highly ingenious in that the malware itself checked for specific Twitter accounts that were generated on a daily basis by an algorithm built into the thing. The Hammertoss controllers, with the same algorithm, would then look for the same Twitter account on the same day and post a Tweet to it that linked to an image. Yep, you’ve guessed it; that image would have a command and control message concealed within using steganography. The FireEye research on this is well worth a read.

As every different route taken by an attacker using steganography requires a different, and threat specific, countermeasure it can seem like the steganographic threat is unsurmountable to many industry observers. With the mobile malware sector about to explode, and smartphone steganography looking like it may well play a serious role in facilitating that, we can’t say we blame them.

Indeed, given that The Powers That Be have more than a little tendency to jerk knees when it comes to encryption and the terrorist threat, it’s perhaps surprising that there hasn’t been a move to outlaw ‘least significant bit’ abuse or white space in image files. After all, back in 2012 there was proof that steganography was being used by terrorists. Well, one terrorist at least, when an Austrian national was arrested with a memory stick hidden in his underpants. I kid ye not.

Smuggling data out of an organisation is made much easier when that data is concealed within something outwardly innocuous

Masqood Lodin was heading back from Pakistan when he was arrested, and the stick was found to contain a pornographic film entitled ‘Sexy Tanja’ which, again I kid ye not, contained 100 or so documents concealed within the file. After many months of forensic work, these were found to include al-Qaeda plans to attack cruise ships and mount ‘lone wolf’ gun attacks across Europe.

Here at IT Security Thing we are in no doubt that the use of steganography, or at least steganographic techniques in the broadest sense, will continue to be exploited by attackers for as long as there is a payoff in it. That payoff, be it hiding malware distribution, disguising command and control centre commands or obfuscating confidential and encrypted communications, is simply hiding all of the above in plain sight. So how do you defend against the steganography threat? Good question, and the best answer comes wrapped in the protective blanket of best practise that is a layered approach to security.

One area that steganography has always had the opportunity to work to good effect is that of IP theft. Smuggling data out of an organisation is made much easier when that data is concealed within something outwardly innocuous. Detecting data smuggling is usually achieved by content monitoring or filtering of some sort, but that ain’t gonna work if the thing you are monitoring for is stuffed right up inside a thing you are not.

Even if your defences look for anomalous behaviour, that’s not going to get you too far in the data hidden within other data scenario. Of course, some sideways logic quickly comes to the fore: if someone is going to use steganography to smuggle data out, then they need to use steganography tools to do so. Monitoring for the use of such tools, or just their presence on any system, would be an effective defensive posture.

Like all threats, at an individual level they remain stealthy only until discovered, analysed and undone by the good guys. Once a researcher knows what software is being used to do the concealment, and the reveal for that matter, then it becomes a matter of looking for that. Machine learning may even prove to be helpful in the hunt for hidden data, tracing datasets and helping spot longer than expected protocol streams.