Steganography: The art of hiding stuff in stuff so others don't find your stuff (Hacking Illustrated Series InfoSec Tutorial Videos)

Steganography: The art of hiding stuff in stuff so others don't find your stuff

This is a presentation I was working on for the malware class I'm enrolled in. For some reason my voice was cracking while recording it, but I guess it was good practice for the live version I'll do tomorrow. Besides just an introduction to Steganography, I'll also talk a little about my SnarlBot project, which will attempt to use stego in a command and control channel.




Text from the slides for the sake of links:

The art of hiding stuff in stuff so others don't find your stuff
A little about my Botnet Stego C&C project
Some information drawn from the following articles:

Exploring Steganography: Seeing the Unseen
With a little from
Lossy Compression Tolerant Steganography
Hide and Seek: An Introduction to Steganography

* Steganography is the practice of hiding data in other data in an effort to keep 3rd parties from knowing that the intended message is even there
* Encryption's ugly step brother
* It has art aspects since human judgment is involved
Isn't this security through obscurity?
* Sort of
* With Encryption alone, 3rd parties may not be able to read the message, but they know one was sent
* In some cases, just being caught sending a message can bring suspicion, or give information to the 3rd party
- Why is this person hiding something?
- Crypto laws http://rechten.uvt.nl/koops/cryptolaw/
- Why all the communication right now?
* Resistant to "Rubber-hose Cryptanalysis"
Thanks to Marcus J. Ranum for that lovely term

About the 1st article
* "Exploring Steganography: Seeing the Unseen" was published in 1998
* Over the last 12 years, bandwidth and storage have skyrocketed
* 24-bit images are common now, as are PNGs that use lossless compression
* Still, the article gives a good intro to the subject which is why I chose it over some newer articles
* The article mostly talks about images, but Steganography can be used in many other places

Historical examples
* Greeks and wax covered tablets
* Histiaeus and the shaved head
* Invisible inks in WWII
* Open coded messages (Pershing example)
* Microdots

* Information about pixels

LSB (Least Significant Bit) Encoding
* Can you tell the difference?
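As an added example (not the talk's own code), here is LSB encoding worked through on a constructed 24-bit RGB sample buffer: one message bit replaces the least significant bit of each colour sample, so no sample moves by more than 1, which is why the eye cannot tell the difference. The 32-bit length prefix is my own framing choice, not something the slides specify.

```python
import random

def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Write a 32-bit length prefix plus the message into the least significant
    bit of successive bytes (one bit per colour channel sample)."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover holds %d bits, payload needs %d" % (len(cover), len(bits)))
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit   # each sample moves by at most 1
    return bytes(stego)

def extract_lsb(stego: bytes) -> bytes:
    """Reverse of embed_lsb: gather LSBs, read the length, then the message."""
    def read_bytes(offset: int, count: int) -> bytes:
        out = bytearray()
        for b in range(offset, offset + count):
            value = 0
            for bit in stego[b * 8:(b + 1) * 8]:
                value = (value << 1) | (bit & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    if length > len(stego) // 8 - 4:
        raise ValueError("no plausible LSB payload (length field too large)")
    return read_bytes(4, length)

def max_sample_delta(a: bytes, b: bytes) -> int:
    """Largest per-sample change between cover and stego (LSB gives <= 1)."""
    return max(abs(x - y) for x, y in zip(a, b))

if __name__ == "__main__":
    rng = random.Random(7)
    # constructed 64x64 RGB image, 3 samples per pixel
    cover = bytes(rng.randrange(256) for _ in range(64 * 64 * 3))
    stego = embed_lsb(cover, b"Pershing sails from NY June 1")
    print(extract_lsb(stego), max_sample_delta(cover, stego))
```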

Why lossy formats/re-encoding are problems
Image resizing/recompressing
* Causes changes in palette and bit order
* May be solvable with redundancy
* Hamming Code
* James Shewmaker

Digital Watermarks
* Copyright enforcement
* Redundant pattern encoding to resist data loss during resize/re-encoding
* Change the media enough to kill the watermark and the media degrades beyond the point of usefulness (think leaked movies)

* Access to the original image
* Statistical analysis
(source material category makes a big difference)
* Odd artifacts

Stego Tools
* Since the article is 12 years old, let's look for newer tools:
* Search Sourceforge
* Steghide (JPEG, BMP, WAV and AU)
* Outguess
* My example code

Other steganography examples
* Truecrypt hidden volumes
* Office 2007 documents as ZIP archives
Putting a file inside of a DOCX: it's just a ZIP file with some XML, so just add your inserted file's name to [Content_Types].xml so the DOCX does not report as corrupted.
Tacked on to an image (copy /B image.jpg+putty.zip test.jpg)
Slack space
Alternate Data Streams
More on these:
* EXIF or other Metadata
* IP over ICMP or DNS
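The "tacked on to an image" trick above works because viewers stop at the JPEG's EOI marker and ignore whatever follows. As an added example (my own code, not from the talk), here is the check a defender would run: walk the JPEG marker structure to the real EOI and report any trailing bytes, with a constructed minimal JPEG and a constructed ZIP-like payload as input.

```python
ZIP_LOCAL_HEADER = b"PK\x03\x04"

def jpeg_trailer(data: bytes) -> bytes:
    """Walk the JPEG marker structure and return whatever follows the real
    EOI marker (b'' for a clean file). Walking segments, rather than searching
    for the last FF D9, avoids being fooled by an EXIF thumbnail's own EOI or
    by FF D9 bytes that happen to occur inside the appended payload."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                      # EOI: the image ends here
            return data[pos + 2:]
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # TEM, RSTn, SOI: no length
            pos += 2
            continue
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seglen
        if marker == 0xDA:                      # SOS: skip entropy-coded data, where
            while pos + 1 < len(data):          # FF is always followed by 00 or RSTn
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return b""

def classify_trailer(trailer: bytes) -> str:
    """Label the trailing bytes; DOCX/XLSX/JAR are ZIPs too, so they match."""
    if not trailer:
        return "clean"
    if trailer.startswith(ZIP_LOCAL_HEADER):
        return "zip"
    return "unknown (%d bytes)" % len(trailer)

def sample_jpeg() -> bytes:
    """Constructed minimal JPEG skeleton: APP0, one SOS whose scan data holds a
    stuffed FF 00 and an RST0 marker, then EOI. Not a decodable picture."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"

# constructed payload; it deliberately contains FF D9 to show why a naive search fails
SAMPLE_PAYLOAD = ZIP_LOCAL_HEADER + b"constructed zip bytes \xff\xd9 not a real archive"
```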

Text Based Stego
* Most "Web 2.0" apps accept text, not necessarily images
* Text takes up little space
* Harder to encode and be stealthy
* Fewer bits to hide in
* In some ways harder to code from a logic standpoint

Pershing Example:
Which Character?
The key is knowing what character to pay attention to:
* Apparently neutral's protest is thoroughly discounted and ignored. Isman hard hit. Blockade issue affects pretext for embargo on by products, ejecting suets and vegetable oils.
* pershingsailsfromnyjunei
* Pershing sails from NY June 1

Unicode Stego
* 65536 positions in UTF16
* Characters that look similar (homoglyphs) are encoded at multiple positions
* Using these, values can be encoded
* Example:
Code Point 65 = A
Code Point 65315 =A

Antonio Alcorn's Work
CGI can be found at:
* "??llo, ? need s?m? ?ov?? t?xt t? use."
* The word "test" is encoded above

My work on Unicode Stego
* The Latin alphabet is encoded more than once in Unicode: the high code points are used to represent 1s and the low ones represent 0s (most characters I could just recode as full width Latin by adding 65248)
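The full-width recoding described above, worked through as an added example (my own code, not the talk's): each ASCII letter in the cover text carries one bit, a 1 bit recodes the letter by adding 65248 (so 'A', code point 65, becomes U+FF21), a 0 bit leaves it alone. The one-byte length prefix is my framing assumption, and fullwidth_latin_count is the cheap detection check a defender would run on text fields.

```python
FULLWIDTH_OFFSET = 65248  # 0xFEE0: 'A' (65) -> U+FF21 (65313), 'a' (97) -> U+FF41

def _bits(data: bytes):
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]

def hide(cover: str, secret: bytes) -> str:
    """Hide up to 255 bytes: each ASCII letter of the cover carries one bit.
    Bit 1 -> recode the letter as full-width; bit 0 -> leave it as ASCII."""
    if len(secret) > 255:
        raise ValueError("one-byte length prefix limits the secret to 255 bytes")
    bits = _bits(bytes([len(secret)]) + secret)   # length prefix, then payload
    out, i = [], 0
    for ch in cover:
        if i < len(bits) and ch.isascii() and ch.isalpha():
            if bits[i]:
                ch = chr(ord(ch) + FULLWIDTH_OFFSET)
            i += 1
        out.append(ch)
    if i < len(bits):
        raise ValueError("cover text has too few letters for the secret")
    return "".join(out)

def reveal(stego: str) -> bytes:
    """Read one bit per Latin letter: full-width = 1, plain ASCII = 0."""
    bits = []
    for ch in stego:
        cp = ord(ch)
        if 0xFF21 <= cp <= 0xFF3A or 0xFF41 <= cp <= 0xFF5A:
            bits.append(1)
        elif ch.isascii() and ch.isalpha():
            bits.append(0)
    raw = bytes(int("".join(map(str, bits[i:i + 8])), 2)
                for i in range(0, len(bits) - 7, 8))
    return raw[1:1 + raw[0]] if raw else b""

def fullwidth_latin_count(text: str) -> int:
    """Detection check: full-width Latin letters mixed into otherwise ASCII
    text are unusual outside CJK typesetting, so a non-zero count stands out."""
    return sum(1 for ch in text
               if 0xFF21 <= ord(ch) <= 0xFF3A or 0xFF41 <= ord(ch) <= 0xFF5A)

if __name__ == "__main__":
    # constructed cover text with enough letters for a 4-byte secret
    cover = "Hello, I need some cover text to use. The quick brown fox jumps over the lazy dog."
    stego = hide(cover, b"test")
    print(stego)
    print(reveal(stego), fullwidth_latin_count(stego))
```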

Snow: White Space Stego
* http://www.darkside.com.au/snow/
* http://fog.misty.com/perry/ccs/snow/jsnowapp/jsnowapp.html
Other Ideas I'm working on
How about a code book for leet/texting/misspelling speak?

I can has cheese burger? How are you?
i can haz chee$e burg3r? How are you? = 01000001 = A
i can has ch3ese burger? H0w r you? = 01011010 = Z
Red characters are the encoded ones
Blue characters are ones that could have been encoded, but were not needed
* Encoder and decoder will be a tougher program to write, but I could do it all in low ASCII.
* I would likely have less room to add data.
More ideas/concepts I've been playing with
* Simplify the language to conserve space

* Give the user a set of control characters they have to integrate into their writing (Punctuation)
- "test" becomes ",&:!,',&"
- User adds word to the Punctuation to make it make sense:

Hi, Robin & I have been working on botnets:stegofun! Progress is slow, it's taking a long time, it is time consuming & frustrating

- Could encode most common letters as one symbol, but that would break if crypto were used

* Trade off between frequency of character (more data can be hidden) and ease of writing cover text (Vanna White Problem)

Send a Zip file as an Office doc?
* Upload to Google Docs
* Email to an account that the other end checks

SnarlBot Project

* A simple botnet that uses Social Media/Web 2.0 web apps for "blind drops" as part of the command and control channel
* Content at the blind drops uses Steganography so it's not obviously a botnet doing the communicating


This scheme's advantages
* The blind drop obfuscates who is controlling the botnet
* Proxies can be used for web traffic to further obfuscate the identity of the bot herder
* Steganography plus encryption makes the channel hard to detect
* Social web sites like Twitter or Facebook are not as likely to be blocked as IRC or P2P
* SSL support for the C&C provided by the web host of the blind drop
* More data has to be sent to get a message through
* The more complicated something becomes, the more bugs it will have
* May have to simplify the C&C commands
- Use single byte command: "a" for attack
- IPv4 addresses can be expressed in 4 bytes
- This makes the Steganography less adaptable, but more meaning can be encoded in fewer bytes

Isn't this a little black hat?
Other uses?
* Yep, it's a little black hat, but who's to say someone is not already doing it?
* This could start research on how it can be detected.
* May have applications for privacy providing darknets like I2P or Tor
Similar Project
* Robin Wood's KreiosC2

Does not use stego yet, but should be easy to add for someone who knows Ruby
* Other Steganography techniques?
* Usefulness?
* Detection?
* Other uses for research?


Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast