hack of the month
Fooling anti-virus systems
David Duke, Cryptic Software

Anti-virus (AV) products and other fingerprint-based systems are typical of the applications used to enforce security. AV products are probably the first step most organizations take to protect their systems, and many small to medium organizations rely almost entirely on them.

Avoiding virus checkers can be as simple as adding a space to a threat. Below are two lines of code; on their own they are not a threat, but they contain the elements that virus checkers use to detect one. This is the code that causes Norton AntiVirus to raise a virus alert:

Chr(10) & "WSHShell.Run ""%comspec% /c debug < 2ascii.bin > nul"",0,True" & Chr(13) &
Chr(10) & "WSHShell.Run ""%comspec% /c move /y d.exe %windir%\d.exe"",0 ,True" & Chr(13) &

Avoiding detection is as simple as adding a space. In the following version two spaces have been placed in front of the word 'debug' in the first line, and the file now passes the AV undetected:

Chr(10) & "WSHShell.Run ""%comspec% /c   debug < 2ascii.bin > nul"",0,True" & Chr(13) &
Chr(10) & "WSHShell.Run ""%comspec% /c move /y d.exe %windir%\d.exe"",0 ,True" & Chr(13) &

You can try this yourself: copy the first two lines into a text file and save it. Don't worry, you cannot infect yourself with this example; in fact the virus-checking engine is throwing a false positive, as there is no threat in this file and a .txt file cannot be executed.
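The weakness the article exercises is that a byte-exact pattern (or a whole-file hash) changes as soon as a single byte changes. The following is an added example, not code from the article or from any AV vendor: it carries the two script lines above as a constructed sample, a hypothetical byte-pattern signature, a byte-exact matcher that the two extra spaces defeat, a whitespace-folding matcher that still catches the edited file, and a one-bit flip that invalidates a whole-file hash. The signature bytes, function names and the normalisation step are assumptions of this example.

```python
"""Added example (not from the article): why byte-exact and whole-file
hash signatures are brittle, and one normalisation step that helps.

The two script lines are the article's own; the signature pattern and
the scanner functions are constructed for this illustration."""
import hashlib
import re

# Constructed sample file: the two Windows Script Host lines from the article.
ORIGINAL = (
    b'WSHShell.Run "%comspec% /c debug < 2ascii.bin > nul",0,True\r\n'
    b'WSHShell.Run "%comspec% /c move /y d.exe %windir%\\d.exe",0 ,True\r\n'
)
# The article's evasion: two extra spaces in front of "debug".
EVADED = ORIGINAL.replace(b"/c debug", b"/c   debug")

# Hypothetical byte pattern a signature-based scanner might carry.
SIGNATURE = b"%comspec% /c debug < 2ascii.bin"


def exact_match(data: bytes, sig: bytes) -> bool:
    """Byte-exact substring match: defeated by any whitespace change."""
    return sig in data


def normalize(data: bytes) -> bytes:
    """Fold every run of whitespace to one space and lower-case the bytes,
    so cosmetic edits to a script no longer change what is compared."""
    return re.sub(rb"\s+", b" ", data).lower()


def normalized_match(data: bytes, sig: bytes) -> bool:
    """Same pattern, compared after both sides are normalised."""
    return normalize(sig) in normalize(data)


def hash_signature(data: bytes) -> str:
    """Whole-file fingerprint, as used for exact-sample signatures."""
    return hashlib.sha256(data).hexdigest()


def flip_one_bit(data: bytes, byte_index: int = 0) -> bytes:
    """Change one bit of one byte, the minimum a self-modifying sample needs
    to acquire a new fingerprint."""
    buf = bytearray(data)
    buf[byte_index] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    print("exact match, original:", exact_match(ORIGINAL, SIGNATURE))
    print("exact match, evaded:  ", exact_match(EVADED, SIGNATURE))
    print("normalised, evaded:   ", normalized_match(EVADED, SIGNATURE))
    print("hash survives one flipped bit:",
          hash_signature(ORIGINAL) == hash_signature(flip_one_bit(ORIGINAL)))
```

Whitespace folding only closes the particular gap the article shows; an attacker who re-encodes a string (Chr() concatenation, case changes, comment insertion) needs a correspondingly deeper normalisation, which is why the article treats fingerprinting as a first line of defence rather than a complete one.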
Hackers are aware of the simple steps that avoid detection and are writing code that modifies itself 'on the fly' to make the threat invisible to the security product. Because they know that changing one bit of one byte is enough, the executable can be designed to self-modify on execution, and the cycle starts again. It is not only that an attacker can render AV and other fingerprint-based systems ineffective by such simple actions; one must also consider the process these systems require in order to protect against a new threat. First the new threat has to be discovered; second it has to be analysed and a 'cure', typically a signature hash, formulated; third the remedy has to be made available and downloaded to clients. This can take hours or sometimes days, during which systems remain vulnerable while the threat spreads at will. AV products and their like do a reasonable job, but it is unrealistic to consider them as anything other than a basic first line of defence.

Secret Steganography Techniques Revealed
Vince Gallo, Inforenz Ltd.

Steganography presents an ongoing challenge to those responsible for the forensic analysis of seized data or the inspection of traffic at boundary controls. This article reviews steganographic techniques, especially those that may be less well known, and considers their effectiveness and applicability.
Purpose and use

Steganography literally means covered writing and is often compared with cryptography, whose literal meaning is hidden writing. Each may accomplish a common goal, that of preventing an adversary from discovering the content of some communication, but the style and use of each are distinct. The terminology is similar too: cryptographer and steganographer refer to those attempting covert communications, while cryptanalyst and steganalyst refer to those attempting to uncover traffic and its meaning. Used together the two mechanisms reinforce each other: steganography adds to the protection by hiding an encrypted message.

Figure 1: Two-tone square

The information within any communication shall be termed the message, but a message may comprise any information in any form, be it text, pictures, executable software, a design or a database, literally any electronic data that someone wishes to communicate. The purpose of cryptography is to hide any meaning, structure or information contained within the message. An encrypted message may be transmitted in any fashion, as its existence is not important; privacy of communication is ensured because the content remains impenetrable. Conversely, the purpose of steganography is to conceal the very existence of the message. The important factor in this case is that there is apparently no message at all, an additional problem for those who monitor traffic or analyse data. Understanding what is possible is therefore of equal value to those who need to identify covert communications and to those who want to send covert messages.

First, consider who might be attempting to forensically analyse traffic or data. A government agency might earn little sympathy if it is monitoring the activities of its citizens, but monitoring for the purpose of counter-espionage is surely a valid duty. Similarly, a company must respect the privacy of its employees, but must balance that with an obligation to monitor communications for compliance with regulations concerning matters such as money laundering and insider trading. Even a householder may seek to monitor traffic. At home I have a household LAN, a broadband connection and children who enjoy their own computers with a permanent Internet connection. Should a responsible parent be able to exercise some degree of supervision?
Users of steganography have an alternative viewpoint: there is no reason for my government to monitor my traffic, and therefore no reason why it should even know that I am communicating. The same is true of my employer (and I am sure my children would add "my parents"). I wish to maintain my privacy, for no reason beyond that of being a private individual. The debate becomes even less clear when considering parties other than good citizens and liberal governments. Steganography could facilitate the activities of individual criminals and small conspiracies, and would certainly confound the attempts of law enforcement to control organized crime. Who could fail to be concerned about its use by terrorists, spies and political subversives? Yet we may find it acceptable for such techniques to be used by our 'agents' (spy is such a pejorative word) working abroad, and by freedom fighters active against despotic dictatorships. The rights and wrongs of the use of cryptography have been debated for some time without consensus; steganography presents similar difficulties and should be included in that debate. I offer no answers to this political balance, but whether your aim is to exploit or to detect steganography, the potential use and abuse of these techniques should be considered fully as we investigate the technology.
Techniques

Exploration of this technology will first identify the basic techniques, and for each of these one or more examples will be used to explain how the mechanism operates. The techniques can be separated into three major categories:
• Insignificant data hijack.
• Exploitation of redundancy.
• Exploitation of structured data.
Insignificant data hijack

This is probably the best known mechanism of steganography and operates by replacing existing information within the carrier. The process of hiding the data relies on ensuring that only data that has no discernible impact on the carrier is replaced. A well-known example is to replace the least significant bits of picture data with the message. The replacement has an imperceptible impact on the carrier simply because very little picture information is carried in these bits. Each picture element within a bitmap file is expressed as three byte values, each a number between 0 and 255 that determines the intensity of one of the three colours red, green and blue. Changing the least significant bit thus alters the intensity of one colour by less than 0.5% (one part in 255), which is truly imperceptible. The example shown in Figure 1 is a two-tone square where one half has red/green/blue values of 173,173,173 and the other 172,172,172; it was chosen because this page is printed in monochrome, and such an image gives the best chance you may have of seeing any change. Even knowing that the top and bottom halves differ, the change is impossible to see. A more realistic example is shown in Figure 2, where 16K bytes of text have been embedded within a commonly available picture. The range of colours in a photograph, and even the hues that make up this fabricated texture, provide more than adequate natural variation to cover anything suspicious introduced by the message.

Figure 2: 16K bytes of text hidden within an image

There are technical reasons that bitmap pictures are ideal candidates for steganography carriers. The main purpose of the
picture is not disrupted by the replacement of some data, and there is a large amount of data, hence a large storage capacity: the graphic example is 256 x 256 pixels, three bits can be stored within each (one per colour channel), yielding a total capacity of 24K bytes. However, choice of the carrier is not driven by technical suitability alone. The purpose of using steganography is to hide the message, a goal that would probably fail if it were placed inside a carrier that was itself highly unlikely to make an appearance. Pictures, however, suit many channels of communication. They are commonly found on websites, which gives good cover for a single person to deliver messages to either a single destination or a wide recipient population. One-to-one communications quite commonly include photographs; a picture of a family gathering sent between two employees would attract little attention, but perhaps it should if they were on either side of a so-called Chinese wall within a merchant bank, since the picture could be covering the transfer of price-sensitive equity information.

Other picture file formats are suitable for insignificant data hijack, although compressed forms such as JPG files introduce some difficulties. Compression relies on eliminating redundancy, the very same insignificant data that would otherwise have been used. Also, data modified within a compressed image has an extended impact on the rendered image, though even so the effect would not be perceptible. The consequence of both factors is simply to reduce the storage capacity of the image file. A few hundred bytes within a 30KB JPG file is nonetheless both achievable and, without doubt, quite useful. As styles of usage change, new candidate carriers appear, and recently there has been a significant increase in the traffic of audio and video files. These are frequently exchanged between individuals using file-sharing mechanisms as well as email. Websites also make extensive use of both media forms to enliven their presentation.
These files are highly compressed, resulting in the removal of all redundant information as well as large amounts of unimportant information. Nonetheless they are almost ideal steganographic carriers simply because of their size, rarely smaller than hundreds of KB and frequently tens or hundreds of MB; very large messages can be carried within such files with virtually zero impact. Regardless of size, some files are wholly unsuitable as carriers, typically files that will fail in their original purpose after even minor modification. One example is a signed file, or indeed any file with an integrity check, where changing even a single bit will cause the check to fail; the hidden nature of the attempted steganography is then defeated, the modification all too evident. Other file types unsuitable for insignificant data hijack are those in which no data is actually insignificant: consider the impact of changing a few low-order bits here and there within an executable program.

Data hijack illustrates another feature of steganography which may determine its suitability in some circumstances: the process destroys some of the original data and so is not reversible. The message may be extracted from the carrier, but the carrier cannot be restored to its original state. This matters where plausible deniability is desirable, that is where one needs to make it seem as if one had never received a message. If the file cannot be returned to its original state, such disguise is not possible.
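The least-significant-bit hijack described above, worked through as an added example (not code from the article): the carrier is a constructed 256 x 256 two-tone image like Figure 1, held as a raw string of R,G,B bytes rather than a real .BMP file, so the 24K-byte capacity, the at-most-one-unit change per channel, and the irreversibility of the overwritten bit plane can all be checked directly. The 4-byte length prefix and the function names are this example's own conventions.

```python
"""Added example (not from the article): least-significant-bit hijack of
24-bit RGB pixel data. The carrier is a constructed 256 x 256 two-tone
image like Figure 1, held as a raw byte string of R,G,B triples rather
than a real .BMP file; the length-prefix framing is this example's own."""

WIDTH, HEIGHT, CHANNELS = 256, 256, 3

# Constructed carrier: top half 173,173,173 and bottom half 172,172,172.
_HALF = WIDTH * HEIGHT * CHANNELS // 2
CARRIER = bytes([173]) * _HALF + bytes([172]) * _HALF


def capacity_bytes(width: int, height: int, channels: int = 3) -> int:
    """One hidden bit per channel byte; 256 x 256 x 3 gives 24K bytes."""
    return width * height * channels // 8


def embed_lsb(pixels: bytes, message: bytes) -> bytes:
    """Overwrite the LSB of successive channel bytes with a 4-byte big-endian
    length followed by the message. Each byte moves by at most 1 (< 0.5%)."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(pixels):
        raise ValueError("message too large for this carrier")
    out = bytearray(pixels)
    for i, byte in enumerate(payload):
        for bit in range(8):
            pos = i * 8 + bit
            out[pos] = (out[pos] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def _read_bytes(pixels: bytes, start_byte: int, count: int) -> bytes:
    """Reassemble `count` hidden bytes starting at hidden byte `start_byte`."""
    out = bytearray()
    for i in range(count):
        value = 0
        for bit in range(8):
            value = (value << 1) | (pixels[(start_byte + i) * 8 + bit] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Read the length prefix, then that many hidden bytes."""
    length = int.from_bytes(_read_bytes(pixels, 0, 4), "big")
    return _read_bytes(pixels, 4, length)


def max_channel_delta(a: bytes, b: bytes) -> int:
    """Largest per-byte change between carrier and stego image."""
    return max(abs(x - y) for x, y in zip(a, b))


def lsb_plane(pixels: bytes) -> bytes:
    """The bit plane the hijack overwrites. Once embedding has replaced it,
    the original plane is gone, which is why the carrier cannot be restored."""
    return bytes(p & 1 for p in pixels)


if __name__ == "__main__":
    secret = b"Buy SFW 4.5m @ 233"
    stego = embed_lsb(CARRIER, secret)
    print("capacity:", capacity_bytes(WIDTH, HEIGHT), "bytes")
    print("recovered:", extract_lsb(stego))
    print("max channel change:", max_channel_delta(CARRIER, stego))
```

On a flat two-tone carrier the overwritten plane is easy to spot, because the natural LSBs were all 1 in one half and all 0 in the other; a photograph's LSB plane looks like noise already, which is the author's point about natural variation covering the message.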
Exploitation of redundancy

A file contains redundancy if it includes data items that are not necessary to its overall information content. Many forms of redundancy may be exploited, but the steganographic techniques may be separated into those that exploit existing redundancy and those that introduce new redundancy in order to exploit it. Existing redundancy may be deliberately included by the file's designers, or may be an accidental by-product of its structure.

Redundancy is deliberately included in several file types, typically as data blocks that are not yet occupied, effectively place-holders. An executable program written with some data space for use when it runs will have an equivalent number of bytes present in the .EXE file. These bytes may be safely overwritten by a steganographer because the executable initialises that memory as part of program start-up; the data initially in this space does not affect execution, it is redundant, and is therefore available as a steganographic carrier. Other opportunities exist within file formats where new versions have superseded older ones and files contain data blocks simply for backward compatibility. These historical forms will probably never be inspected, as all current software uses the newer format information, so the older data may be freely modified without fear of affecting the presentation.

Some file formats have information that, by virtue of its form, implies redundancy. This is not deliberately duplicated data, nor protection against accidental change, but a side effect the original designer did not consider and the steganographer may notice and opportunistically use. GifShuffle is a good example of how implied redundancy can be exploited. GIF files convey pictures as a series of integers, one per pixel, each an index into a table of colours known as the palette. The palette is an array of three-byte RGB values that determine the colour shown for each pixel referring to that entry. The redundancy lies in the order of the palette. For example, the picture fragment shown in Figure 3 results from the order of the palette and the associated pixel array. In Figure 4 the palette order has been modified, but the resulting image is unchanged because the pixel array values have also been modified to compensate. It does not matter what order the entries are listed in, provided the pixel array values are updated accordingly.
Figure 3: Palette table, pixel array and output (picture fragment)
  Palette table (index: R, G, B)
    0: 23, 6, 95
    1: 56, 127, 0
    2: 240, 0, 159
  Pixel array: 2 0 0 ... 1

The information is carried by the palette order: the location of the lowest RGB value, then the location of the next lowest, and so on. The data capacity of this mechanism is not particularly large, but a small message can be of high value; consider the text "Buy SFW 4.5m @ 233". A short message, but a few such messages moved from a trading floor to an outside accomplice could defeat many systems designed to detect and prevent insider trading, and net considerable wealth. This technique exemplifies a lossless mechanism of steganography. Reordering the palette does not impair the quality, nor any other detail, of the resulting picture; no information is lost when the message is added to the carrier. Furthermore, this class of technique permits the original file to be restored. The recipient knows that the natural order of a palette would be ascending, so the file can be rebuilt with an ascending palette, adjusting the pixel data accordingly, and the resulting file would be identical to the original carrier; the recipient could then plausibly deny ever having received a message.

Redundancy can also be introduced by the steganographer, safe in the assumption that because the extra information is redundant its presence will not be noticed. Language redundancy exists where there
are many ways of saying the same thing in different phrases. "It's blowing a gale", "The wind is very strong" and "Beaufort force 8 winds" are all equivalent statements, but by using one rather than another we have the opportunity to carry extra meaning. Software to do this is available; unfortunately the only example I found works only in German, a language I do not speak, so I cannot comment on its effectiveness. Further carrier opportunities exist in text, as the spacing between words is not significant and a single extra character or two makes no difference to the sense. The difference between one space character and two provides the means to convey a bit per word gap. Language offers the possibility of introduced redundancy and illustrates its use, but the principle of introducing redundancy can be exploited in many binary forms.
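The palette-order technique behind Figures 3 and 4, worked through as an added example (not the article's code, nor GifShuffle's own): the palette and pixel array are the figures' values held as Python lists rather than a real GIF, the message is encoded as the rank of a permutation of the ascending palette (a factorial-number-system coding chosen for this example), every pixel index is remapped so the rendered image is unchanged, and the carrier is restored to ascending order afterwards to show the lossless, deniable property the text describes. The message byte that reproduces Figure 4 from Figure 3 is worked out in the test.

```python
"""Added example (not from the article): hiding data in the order of a
GIF-style palette, the idea behind Figures 3 and 4. The palette and pixel
array are the figures' own values, held as Python lists rather than a real
GIF; the rank-to-permutation coding is this example's choice."""
from math import factorial, log2

# Figure 3 as constructed data: palette in its natural (ascending) order.
FIG3_PALETTE = [(23, 6, 95), (56, 127, 0), (240, 0, 159)]
FIG3_PIXELS = [2, 0, 0, 1]          # "2 0 0 ... 1" in the figure


def capacity_bits(n_colours: int) -> int:
    """A palette of n distinct colours has n! orderings, so log2(n!) bits."""
    return int(log2(factorial(n_colours)))


def permutation_from_rank(rank: int, n: int) -> list:
    """Factorial-number-system (Lehmer code) decoding of rank in [0, n!)."""
    items = list(range(n))
    perm = []
    for i in range(n, 0, -1):
        q, rank = divmod(rank, factorial(i - 1))
        perm.append(items.pop(q))
    return perm


def rank_from_permutation(perm: list) -> int:
    """Inverse of permutation_from_rank."""
    items = sorted(perm)
    rank = 0
    for i, p in enumerate(perm):
        q = items.index(p)
        rank += q * factorial(len(perm) - 1 - i)
        items.pop(q)
    return rank


def embed(palette: list, pixels: list, message: bytes):
    """Reorder the palette so its permutation (relative to ascending order)
    encodes `message`, and remap every pixel index so the image is unchanged.
    Assumes palette entries are distinct, as they normally are in a GIF."""
    natural = sorted(palette)
    rank = int.from_bytes(message, "big")
    if rank >= factorial(len(palette)):
        raise ValueError("message exceeds palette capacity")
    perm = permutation_from_rank(rank, len(palette))  # new index -> natural index
    new_palette = [natural[j] for j in perm]
    new_index = {colour: i for i, colour in enumerate(new_palette)}
    new_pixels = [new_index[palette[p]] for p in pixels]
    return new_palette, new_pixels


def extract(palette: list, n_bytes: int) -> bytes:
    """Recover the message from the palette order alone."""
    natural = sorted(palette)
    perm = [natural.index(colour) for colour in palette]
    return rank_from_permutation(perm).to_bytes(n_bytes, "big")


def restore(palette: list, pixels: list):
    """Rebuild the carrier with an ascending palette: the lossless property
    that gives the recipient plausible deniability."""
    natural = sorted(palette)
    index = {colour: i for i, colour in enumerate(natural)}
    return natural, [index[palette[p]] for p in pixels]


def render(palette: list, pixels: list) -> list:
    """The RGB triples an application actually displays."""
    return [palette[p] for p in pixels]


if __name__ == "__main__":
    pal, pix = embed(FIG3_PALETTE, FIG3_PIXELS, b"\x03")
    print("Figure 4 palette:", pal, "pixels:", pix)
    print("same image:", render(pal, pix) == render(FIG3_PALETTE, FIG3_PIXELS))
    print("recovered:", extract(pal, 1), "restored:", restore(pal, pix))
```

Three colours give only 2 bits (3! = 6 orderings); a full 256-entry palette gives about 1684 bits, roughly 210 bytes, which is the "not particularly large" capacity the text refers to. A steganalyst's counter-check follows from the same observation: a palette that is not in the order a common encoder would write deserves a second look.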
Structured data

The third basic mechanism of steganography is perhaps the most straightforward to exploit, frequently requiring no specialised tools, yet it produces an outcome that would pass all but a detailed examination. Almost all files in use are structured in some fashion, as most contain several different types of information. Consider a spreadsheet: it must hold values, formulae and format information, but must also hold more exotic items such as pictures and macros. Generally such files contain a sequence of data blocks, where the first bytes of each provide a type value and a size, so the application reading the file can identify the type of information each block holds and how much is to be read. A logical view of a structured file may therefore be:

  FileTypeIdentifier
  Begin_Block, Block_Type, Block_Size, Data[..], Block_End
  . . .
  Begin_Block, Block_Type, Block_Size, Data[..], Block_End
  FileEndMarker
A wise designer of such a structure will future-proof the specification, knowing that some evolution will occur, and thus instruct application writers to read only the data blocks they 'know' about, assuming that later additions will use type definitions beyond the scope of the application. When encountering such a block the application simply uses the size attribute to decide how much data to skip and proceeds to read the next block. It is here that there is scope for the steganographer. All one needs to do is add a new block to a compound file, using a type definition beyond the range used thus far, and all applications will simply ignore its contents and display the original file correctly.

Figure 4: Palette table, pixel array and output (picture fragment). The palette order has been changed; the image remains unchanged because the pixel array values have also been changed.
  Palette table (index: R, G, B)
    0: 56, 127, 0
    1: 240, 0, 159
    2: 23, 6, 95
  Pixel array: 1 2 2 ... 0

Many data objects have structure, not only files such as pictures, documents and spreadsheets; MAPI email messages include structured data holding certain properties. The specification describes custom properties, whereby an application may add unspecified data items to email messages. These were used by the "Bunratty Attack" (an information warfare technique) as a covert communications channel, chosen because no conventional email application recognized them and so none revealed their content, or even the fact that they existed.

Perhaps the simplest feature of a structured file to abuse is the recognition of the end of the file. The structured nature of the file gives the application a precise definition of how much data must be read in order to render the file; anything beyond this is simply ignored. 'Camouflage' is perhaps the most trivial of steganographic products, in that it simply packs the data into a block of its own design and appends this to the host file. Add something to the end
of, for example, a Word document and it will be ignored. Do try this one at home. At a Windows command prompt, using files of your own choice, type:

  copy wrapper.bmp /b + info.txt /b compound.bmp
Then open compound.bmp and Paint will just show the picture. If you open it with Notepad, however, and skip to the end of the file, you will find the text.

Protocol abuse is not normally treated as a technique of steganography, but it offers ideal opportunities to move information via channels that are not normally monitored. A non-sinister, but commercially cunning, example is the addition of data to a 'telephone call'. In two examples I have encountered, free use of a connection was obtained to carry authorization exchanges. One was a credit card validation performed by placing a call over an ISDN connection, and the other tested access authorization via a cell-phone call. In both cases the authentication credentials were placed in the call-qualifying data, the extra information carried with the call connection request and delivered to the called destination. The called device then used the extra information to validate the authentication request, but always returned "connection refused" to the network. The refusal is explained by a result code, delivered by the network to the caller. The net effect was that the network provider collected no revenue, as no call was ever connected, yet a bi-directional authentication exchange had been completed using the extra data steganographically carried in a failed call request. The moral of the story is to beware of all forms of data; hackers will find and exploit any opportunity, especially the unexpected ones.

Thus far I have presented examples to illustrate the three basic techniques: data hijack, exploitation of redundancy and structured data insertion. Implementations of all the described techniques can be obtained, as can many more that I have insufficient space to explore here. One's interest in this subject could be from an intention to use steganography; alternatively it may be based on a need to examine files crossing a boundary, or to attempt forensic examination of seized machines. Whatever the involvement, be aware that there are plenty of products to choose from.
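The two structured-data tricks described above (an unknown-typed block that compliant readers skip, and data appended past the end marker as the copy /b exercise does), worked through as an added example that is not code from the article or from the Camouflage product: a constructed container in the article's own logical layout, a reader that skips unknown block types as the designer instructed, both insertions, and the inspection a boundary control or forensic examiner would run against the same file. The magic bytes, block type numbers and header layout are this example's assumptions.

```python
"""Added example (not from the article): a constructed chunked container
in the article's logical layout (FileTypeIdentifier, typed and sized
blocks, FileEndMarker), a tolerant reader, the two insertion tricks, and
an examiner's inspection. Magic bytes, types and layout are assumptions."""
import struct

MAGIC = b"STRU"                    # FileTypeIdentifier (constructed)
END = b"\xff\xff"                  # FileEndMarker; type 0xffff is reserved for it
KNOWN = {1: "values", 2: "formulae", 3: "format"}   # block types the reader knows
_HDR = struct.Struct(">HI")        # Block_Type (2 bytes), Block_Size (4 bytes)


def build(blocks) -> bytes:
    """Write [(type, data), ...] as a well-formed file."""
    out = bytearray(MAGIC)
    for btype, data in blocks:
        out += _HDR.pack(btype, len(data)) + data
    return bytes(out + END)


def _blocks(buf: bytes):
    """Parse every block by its size field; return ([(type, data), ...],
    offset_of_END). Raises on a truncated or foreign file."""
    if buf[:4] != MAGIC:
        raise ValueError("not a STRU file")
    blocks, pos = [], 4
    while buf[pos:pos + 2] != END:
        if pos + _HDR.size > len(buf):
            raise ValueError("truncated block header")
        btype, size = _HDR.unpack_from(buf, pos)
        data = buf[pos + _HDR.size:pos + _HDR.size + size]
        if len(data) != size:
            raise ValueError("truncated block data")
        blocks.append((btype, data))
        pos += _HDR.size + size
    return blocks, pos


def parse(buf: bytes) -> dict:
    """The application's reader: keep known blocks, skip the rest by size,
    stop at FileEndMarker. Exactly the behaviour the steganographer relies on."""
    blocks, _ = _blocks(buf)
    return {KNOWN[t]: d for t, d in blocks if t in KNOWN}


def hide_in_block(buf: bytes, payload: bytes, btype: int = 0x7F00) -> bytes:
    """Structured data insertion: a block whose type no reader recognises,
    placed just before the end marker."""
    _, end = _blocks(buf)
    return buf[:end] + _HDR.pack(btype, len(payload)) + payload + buf[end:]


def hide_after_end(buf: bytes, payload: bytes) -> bytes:
    """The copy /b trick: anything past FileEndMarker is never read."""
    return buf + payload


def inspect(buf: bytes) -> dict:
    """Examiner's check: block types outside the specification, and the
    count of bytes after the end marker that the format never accounts for."""
    blocks, end = _blocks(buf)
    return {
        "unknown_blocks": [(t, len(d)) for t, d in blocks if t not in KNOWN],
        "trailing_bytes": len(buf) - (end + len(END)),
    }


if __name__ == "__main__":
    clean = build([(1, b"42"), (2, b"=A1*2")])
    hidden = hide_after_end(hide_in_block(clean, b"Buy SFW 4.5m @ 233"), b"more")
    print("application sees the same content:", parse(hidden) == parse(clean))
    print("examiner sees:", inspect(hidden))
```

The same declared-size-versus-actual-length check applies to the compound.bmp exercise: a BMP header's file-size field (bytes 2 to 5) still states the wrapper's original length after copy /b, so the appended text shows up as bytes the header does not account for.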