The Wonders (and horrors) of Digital Steganography

Steganography. Now there’s a new word.

Well, maybe not. First used in 1499 by German cryptographer Johannes Trithemus, the term actually borrows from ancient Greek, combining the words steganos (concealed, protected, covered) and graphein (writing).

Today, steganography is defined as “the practice of concealing messages or information within other nonsecret text or data.”

Before computers – and in fact before the word was even made up – physical steganography was employed by the Ancient Greeks to send secret messages. As early as 440 BCE, messengers would conceal important information scribed on wooden tablets by covering it with a layer of beeswax that contained a different, nonsecret message. Upon delivery, the beeswax would be peeled away and the true message – perhaps a military maneuver – would be revealed. In other instances, messengers would have the secret message tattooed on their scalp. They would then wait for their hair to grow back to conceal the information, and then simply transmit the message in plain sight. Upon arrival, their head would be shaved.

In both of these ancient examples, and in fact in all instances of steganography, the subterfuge depends upon hiding something secret with something that is not. In this way, steganography differs from cryptography – another term you might have heard thrown around the malware scene (and also one of Grecian origins). While cryptography hides secret information, it does so in an obvious manner; that is to say, when you see it, you know something is going on. Steganography, on the other hand, intentionally conceals its concealment, so as not to arouse suspicion.

Digital Steganography in a Nutshell

Today, digital steganography takes roughly the same approach as the Ancient Greeks: secret things are hidden by other things that aren’t so secret. As an example, consider the following message:

Emsisoft Rocks

If we wanted to cryptographically transmit this message we could instead write:

Dlrhrnes Qnbjr

Concealed by a simple algorithm (each letter becomes the letter that comes before it in the English alphabet) we could now spread this message to others, and only those who knew how to decrypt it could read it.

A one letter shift is really quite simple, though. To conceal our message better we could create a more complex algorithm, by adding another step. For example, after shifting each letter to the letter that comes before it, we could then convert each letter to its numeric equivalent, such that A=01, B=02, C=03, etc. This new algorithm would turn Emsisoft Rocks into two numbers:

0412180818140519 1714021018

Now, there’s an encryption. In this two-step, numeric form, no normal human would ever be able to decrypt our secret message at glance. This is great, except there’s still one big problem: our secret message is now very obviously encrypted! Anyone who is already suspicious of us that intercepts our message will now immediately know that it is written in code and that it is concealing something secret. This alone could provoke the interceptor to investigate the message and crack the code, and if we are really trying to be secretive that is no good.

So, what now?

How about we hide our message with something that doesn’t look like a message at all. How about we write Emsisoft Rocks like this:

mountain-before-648

Confused? Perfect. That’s the whole point.

How Digital Steganography Hides Malware

Think back to the Greek messenger hiding a secret war message on his scalp. The message is right there, under his hair, and yet no one suspects he is carrying it. Now return to the mountain. To the passing glance, it’s just a mountain, and there is nothing suspicious about it all. Only when we begin to peel away the layers is the secret revealed.

Modern day digital media files, like the above-pictured mountain, are actually extremely complex collections of data. You may see a mountain, but what your computer sees is very different.

hex-pixel-before-boxed

mountain-before-w-arrow

Above you can see the hexadecimal machine code behind the scenes of just one pixel of the mountain image. Those of you familiar with graphic design might otherwise recognize this little guy as R-111 G-140 B-172, or hex # 6f8cac.

Now, let’s see what happens when we change that pixel only very slightly, to R-112 G-141 B-173, or hex # 708dad.

mountain-after-648

Can you tell the difference?

Probably not – but your computer can.

hex-pixel-after-boxed

This is the essence of digital steganography.

In the example above, the non-malicious modification of just one image pixel produces what appears to be an identical image; however, as you can see, the machine code responsible for producing the image is different.

Malware authors can employ this technique to conceal malicious code in otherwise normal looking media files like images, without arousing any suspicion.

For example, instead of just one pixel, a malware author could take our mountain image and slightly modify 100 pixels. They could then send a victim a dropper – or some sort of email attachment disguised as an innocuous file. The dropper could include a program designed to install malware from a specific web address. The dropper could also include the seemingly innocent mountain photo. Now, when droppers install malware from a specific web address, that web address is typically hard coded into the dropper’s design; however, this makes droppers more easily detectable by anti-malware programs. So, to avoid detection, the dropper in this example instead references the mountain image and its 100 modified pixels. This referencing is performed by an algorithm – one that instructs the dropper to locate the modified pixels, read their machine code, and then convert that code into a URL address, using another algorithm. Once the URL address is decoded, a connection is formed, files are downloaded, and voila – you’ve got malware.

What Does Digital Steganography Mean for Me?

As convoluted as it may seem, digital steganography for malware applications is not merely speculation. In fact, the URL concealment described above is exactly what has been happening with Lurk. First analyzed at Malware Don’t Need Coffee and then by Dell SecureWorks, Lurk uses digital steganography to hide its URL download address and ultimately hijack infected computers to commit click fraud.

In much simpler scenarios (and in fact as part of Lurk as well), malicious code can simply be appended to the end of a large media file, causing little more than static, or “visual noise.”

noise

Noise like this can actually be the very code that makes a piece of malware run (just displayed in visual map form)! Here, again, it is the machine code at work behind the scenes that is responsible for the maliciousness, while all you see is nothing more than “a glitch” at the end of a video or in the corner of an image.

So… what does all of this mean for you?

Besides being somewhat fascinating (at least we think so ;) digital steganography means that even everyday images encountered on the web are not above suspicion. In fact, the art of steganography – and in many ways the act of creating malware – is all about hiding things where no one would think to look for them.

For users, this calls for vigilance. Letting any new file into your computer is like letting a stranger into your home. Digital steganography shows us that when these strangers appear harmless – or even friendly – the very opposite might well be the case. This doesn’t mean that you have to stop looking at all those cat photos, though. It simply means that you need something that is capable of peeking behind the scenes. Those who use our software know well that it is designed to do just that.

If a program attempts to connect you to a malicious website, Emsisoft stops it with Surf Protection – even if that website is obscured from plain view with steganographic techniques. If a file contains malicious code, Emsisoft blocks that file from executing with File Guard –  even if that code is written in bitmap static. If malware attempts to exploit weaknesses in digital technology, such as a vulnerability in a media player like Adobe Flash, Emsisoft sounds the alarm with Behavior Blocker – even if that vulnerability was previously unknown to the anti-malware community at large. And, if users want to know a bit more about all the crazy, illegitimate ways malware authors employ to try to take money from others – instead of applying their intelligence to something useful – Emsisoft offers support through our forum and blog –  even if the topic just seems like a bunch of Greek.

Have a great ((steganographically-concealed) malware-free) day!

 

 

 

 

 

  • Tempus

    Downloading Wallpapers, must be the favorite image file that malware creators would love to use, regarding the ” steganography” technique, I would guess d(^_^)b

  • Michael Hylton

    That’s a good guess, Tempus. I like your Avatar pic :).

    • Tempus

      Thanks Michael Hylton =)