Thursday, November 26, 2020

How cyber criminals are using hidden messages in image files to infect your computer

Must read

A new CSI tool could pinpoint when fingerprints were left behind

A suspect says it on every forensics TV show ... "Of course my fingerprints were at their house, I delivered a package to them earlier this...

Video: Blood Spatter 101

The Smithsonian Channel series: Catching Killers have created an informative video to show how today, bloodstain pattern analysis is routinely used in murder investigations - analysts draw on...

Unique DNA marking system helps catch thieves

HUNDREDS of suspects have been screened in custody as part of a operation launched by Cheshire Police to target those who commit a crime. A...

FBI errors throw forensic convictions into question

Holding your hands up and saying "we got things wrong" is a difficult thing to do. But that's exactly what the FBI and US...
Michael Whyte
Crime Scene Officer and Fingerprint Expert with over 12 years experience in Crime Scene Investigation and Latent Print Analysis. The opinions or assertions contained on this site are the private views of the author and are not to be construed as those of any professional organisation or policing body.
- Forensic Podcast -

When you hide a message inside of another message, it’s called steganography. While you might not have known its name, this technique has a long and colourful history.

Commonly a plot device in mysteries shows, a message is written in invisible ink on the back of a real letter. When the intended recipient gets the letter, they gently heat it up revealing the message. Anyone else who has the letter is generally unaware there’s a hidden message on the back.

That’s steganography.

This technique has been used for centuries by militaries and intelligence operations around the world in a variety of low tech ways.

But recently we’ve seen a resurgence in steganography’s usage with a new audience, malware authors.

The system

Before we dive into how malware authors are leveraging this technique, let’s take a deeper look at the advantages and disadvantages of steganography.

The system relies on a shared secret with two pieces of information: that the message exists and how to reveal the message.

If I want to communicate with you, the reader, in secret after our initial meeting. We decide on a method of hiding messages to each other. We’re going to use the first letter of each word in a paragraph.

Howard called Edward after school. Edward, expecting the call, answered on the second ring. Laughing at a shared joke, they quickly started to discuss their science fair project. Last year, Julie won the fair with a twist on the classic baking soda volcano. Once they discussed why her presentation was so effective, they started to figure out how to win the top prize.

Besides being an utterly horrid piece of writing (yes, it’s original), this paragraph serves our purpose well. Hidden in the completely mundane writing is our message. By taking the first letter of each word, we recreate the message, ‘H E L L O’.

Since we knew how the message was concealed, it was easy to reveal.

This also highlights steganography’s biggest weakness, if you know of the existence of the message you can easily intercept it. The strength of the system is in how much noise is around the actual message and how well the message is hidden within that noise.

What about encryption?

This differs from encryption. In a scenario involving encryption, outsiders (not the sender or recipient(s)) are aware that the message exists, they simply can’t decipher it.

The same example:


We’ve ‘encrypted’ this using a simple shift cipher (which is so easy to break you should never use it outside of this type of example). The ASCII value of each letter was incremented by five ( H = 72 + 5 = 77 = M ) to produce our cipher text. Since it’s such a short message, it’s ridiculously easy to crack by hand but the point is the same.

Encryption doesn’t hide the fact that there’s a message, it just tries to make that message very hard to read.

In the digital world

We’ve seen steganography’s use in the physical world. Let’s a take a look at it’s use in the digital world where it really starts to shine.

It turns out that a lots of very common file formats can safely have additional information stored inside the file without affecting that file’s normal functions.

Take for example, this photo.

It’s a simple JPEG of a mountain scene. However when you run it through a decoding tool (like this handy one from Alan Eliasen, you’ll find a hidden message.

There is a subtle difference in the file from the original and the one containing the message but it’s not a difference that you would see or one that a tool would find unless it was specifically built to look for it.

The below image shows where in the file the hidden message is encoded.

Even knowing where to look you won’t find any visual differences. The message is hidden in the areas of the digital file that don’t impact it’s primary content.

Evading detection

Because steganography uses slack space and other areas of these common file formats but doesn’t affect the content itself, it is extremely difficult to detect.

Most security tools we use in the active defence of our organisations do not look for data hidden using steganography.

That’s not to say that it’s impossible to detect messages hidden using these techniques. There are a number of tools that can help in a forensics investigation but they are very time consuming to use and don’t guarantee detection.

Given these constraints, it simply isn’t practical to scan every file entering or leaving an organization for hidden material. This makes steganography a very power technique for the to get data past existing defences.

New uses

Fortunately, steganography was really only seen during in-depth investigations. It is rare but not unheard of to come across examples of steganography during in-depth investigations of specifically targeted attacks, collusion, or other multi-party investigations.

That has started to change.

Recently, we’ve seen more and more malware authors are taking advantage of steganography in a number of ways.

It was first noticed with a piece of malware named Duqu. This complex malware sometimes hides encrypted information inside JPEG images it then sends out of an infected network, easily bypassing any content filtering.

In 2014, French researcher Xylitol, discovered that a variant of the Zeus malware (ZeusVM) was using steganography to hide commands it was sending to infected machines.

Last summer, Brett Stone-Gross at Dell Secureworks discovered that the Lurk campaign took the ZeusVM technique to it’s logical conclusion. This downloader now delivers other malware via steganographic techniques.

More recently, the team at Dell Secureworks analyzed Stegoloader which shows just how rapidly malware authors are incorporating these techniques into their products. This malware uses a suite of counter-forensic techniques to avoid detection and eventually downloads additional functionality hidden in a PNG file.

As more malware authors see tangible benefits from leveraging steganographic techniques, they will quickly become widespread.

Data hidden using only steganography can be extremely difficult to detect. The performance challenges of scanning almost every file for small, non-impacting anomalies are huge. It’s just not practical to check every file coming in and out of an organisation at the depth required.

That has created an opportunity that we have seen malware authors taking advantage of. To date, we’ve seen steganography used to hide data leaving an organisation, covertly send commands to infected machines, and smuggle malware across existing defences.

More examples are being found as this criminals see the very real advantages of this technique.

Defenders and the security industry are racing to catch up. The best current defence is to attempt to prevent infection in the first place.

A strong security practice focusing on actively monitoring, strong access controls to your data, and one that continues to invest in it’s people is the best approach for now.

Source: Information Age

- Advertisement -

More articles

- Advertisement -

Latest article

Trees and shrubs might reveal the location of decomposing bodies

Plants could help investigators find dead bodies. Botanists believe the sudden flush of nutrients into the soil from decomposition may affect nearby foliage. If...

Are Detectives discounting the associative value of fingerprints that fall short of an identification in their investigations?

Every day, Fingerprint Experts in every latent office across the globe examine fingermarks that they determine to fall short of an identification....

Using the NCIC Bayesian Network to improve your AFIS searches

This National Crime Information Centre (NCIC) Bayesian network is based on the statistical data of general patterns of fingerprints on the hands...

DNA decontamination of fingerprint brushes

Using fingerprint brushes across multiple crime scenes yields a high risk of DNA cross-contamination. Thankfully an Australian study has discovered a quick and easy way to safely decontaminate fingerprint brushes to prevent this contamination risk and allows the brushes to be safely reused even after multiple cleaning cycles.

Detection of latent fingerprint hidden beneath adhesive tape by optical coherence tomography

Adhesive tape is a common item which can be encountered in criminal cases involving rape, murder, kidnapping and explosives. It is often the case...