When you hide a message inside of another message, it’s called steganography. While you might not have known its name, this technique has a long and colourful history.
Commonly a plot device in mysteries shows, a message is written in invisible ink on the back of a real letter. When the intended recipient gets the letter, they gently heat it up revealing the message. Anyone else who has the letter is generally unaware there’s a hidden message on the back.
This technique has been used for centuries by militaries and intelligence operations around the world in a variety of low tech ways.
But recently we’ve seen a resurgence in steganography’s usage with a new audience, malware authors.
Before we dive into how malware authors are leveraging this technique, let’s take a deeper look at the advantages and disadvantages of steganography.
> See also: How to stop macro-based malware in its tracks
The system relies on a shared secret with two pieces of information: that the message exists and how to reveal the message.
If I want to communicate with you, the reader, in secret after our initial meeting. We decide on a method of hiding messages to each other. We’re going to use the first letter of each word in a paragraph.
Howard called Edward after school.
Edward, expecting the call, answered on the second ring.
Laughing at a shared joke, they quickly started to discuss their science fair project.
Last year, Julie won the fair with a twist on the classic baking soda volcano.
Once they discussed why her presentation was so effective, they started to figure out how to win the top prize.
Besides being an utterly horrid piece of writing (yes, it’s original), this paragraph serves our purpose well. Hidden in the completely mundane writing is our message. By taking the first letter of each word, we recreate the message, 'H E L L O'.
Since we knew how the message was concealed, it was easy to reveal.
This also highlights steganography’s biggest weakness, if you know of the existence of the message you can easily intercept it. The strength of the system is in how much noise is around the actual message and how well the message is hidden within that noise.
What about encryption?
This differs from encryption. In a scenario involving encryption, outsiders (not the sender or recipient(s)) are aware that the message exists, they simply can’t decipher it.
The same example:
M J Q Q T
We’ve 'encrypted' this using a simple shift cipher (which is so easy to break you should never use it outside of this type of example). The ASCII value of each letter was incremented by five ( H = 72 + 5 = 77 = M ) to produce our cipher text. Since it’s such a short message, it’s ridiculously easy to crack by hand but the point is the same.
Encryption doesn’t hide the fact that there’s a message, it just tries to make that message very hard to read.
In the digital world
We’ve seen steganography’s use in the physical world. Let’s a take a look at it’s use in the digital world where it really starts to shine.
It turns out that a lots of very common file formats can safely have additional information stored inside the file without affecting that file’s normal functions.
Take for example, this photo.
There is a subtle difference in the file from the original and the one containing the message but it’s not a difference that you would see or one that a tool would find unless it was specifically built to look for it.
The below image shows where in the file the hidden message is encoded.
Even knowing where to look you won’t find any visual differences. The message is hidden in the areas of the digital file that don’t impact it’s primary content.
Because steganography uses slack space and other areas of these common file formats but doesn’t affect the content itself, it is extremely difficult to detect.
Most security tools we use in the active defence of our organisations do not look for data hidden using steganography.
That’s not to say that it’s impossible to detect messages hidden using these techniques. There are a number of tools that can help in a forensics investigation but they are very time consuming to use and don’t guarantee detection.
Given these constraints, it simply isn’t practical to scan every file entering or leaving an organization for hidden material. This makes steganography a very power technique for the to get data past existing defences.
Fortunately, steganography was really only seen during in-depth investigations. It is rare but not unheard of to come across examples of steganography during in-depth investigations of specifically targeted attacks, collusion, or other multi-party investigations.
That has started to change.
Recently, we’ve seen more and more malware authors are taking advantage of steganography in a number of ways.
It was first noticed with a piece of malware named Duqu. This complex malware sometimes hides encrypted information inside JPEG images it then sends out of an infected network, easily bypassing any content filtering.
Last summer, Brett Stone-Gross at Dell Secureworks discovered that the Lurk campaign took the ZeusVM technique to it’s logical conclusion. This downloader now delivers other malware via steganographic techniques.
More recently, the team at Dell Secureworks analyzed Stegoloader which shows just how rapidly malware authors are incorporating these techniques into their products. This malware uses a suite of counter-forensic techniques to avoid detection and eventually downloads additional functionality hidden in a PNG file.
As more malware authors see tangible benefits from leveraging steganographic techniques, they will quickly become widespread.
Data hidden using only steganography can be extremely difficult to detect. The performance challenges of scanning almost every file for small, non-impacting anomalies are huge. It’s just not practical to check every file coming in and out of an organisation at the depth required.
That has created an opportunity that we have seen malware authors taking advantage of. To date, we’ve seen steganography used to hide data leaving an organisation, covertly send commands to infected machines, and smuggle malware across existing defences.
More examples are being found as this criminals see the very real advantages of this technique.
Defenders and the security industry are racing to catch up. The best current defence is to attempt to prevent infection in the first place.
A strong security practice focusing on actively monitoring, strong access controls to your data, and one that continues to invest in it’s people is the best approach for now.
There should be a more positive note to end this on. Sadly, there isn’t but if you can think of one, let me know via Twitter where I’m @andrewsmhay