What you need to know about Stegware

How steganography is getting weaponized

This is a contributed piece by Dr Simon Wiseman, CTO at Deep Secure

Post-mortems on recent cyberattacks reveal determined attackers are turning to steganography, the covert hiding of data within seemingly innocuous files. It’s a way of encoding a secret message inside another message, called the carrier, with only the desired recipient able to read it. Steganography has long been used to communicate without the authorities finding out, but now Stegware, the weaponization of steganography by cyber attackers, is on the rise. This is bad news for IT professionals using tools that identify unsafe data since steganography is impossible to detect.


How does Stegware work?

Messages are normally encoded by arranging data as a sequence of symbols. The symbols are obvious, even if you don’t know what they mean. However, with steganography the symbols representing the message are unusual and go unnoticed by everyone except the recipient who knows exactly what to look for.

The simplest steganography method is to attach additional ‘secret’ data to the carrier file. For example, if a text script is appended to a JPEG image file, an image viewer will only display the image, not the text. Although the human eye won’t be able to see the hidden script, the extra data attached to the JPEG is unusual and so software can detect it. This is detectable steganography; simple to use, easy to identify.
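The check software can make for that appended-data case, as an added example that is not code from the article or from Deep Secure: it walks the JPEG segment structure to locate the End-Of-Image marker, then reports whatever follows it. The sample JPEG bytes are constructed here and only mimic the marker layout, not a decodable picture.

```python
"""Added example (not from the article or Deep Secure): find a JPEG's EOI marker by
walking its segments, then report any bytes appended after it."""

EOI, SOS = 0xD9, 0xDA

def find_eoi(data: bytes) -> int:
    """Offset of the EOI marker, or -1 if the JPEG structure is not sound."""
    if data[:2] != b"\xff\xd8":          # file must start with SOI
        return -1
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:             # a marker must start here
            return -1
        marker = data[pos + 1]
        if marker == 0xFF:                # fill byte before a marker
            pos += 1
        elif marker == EOI:
            return pos
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length
            pos += 2
        elif pos + 3 >= len(data):
            return -1
        else:                             # length field counts itself
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
            if marker == SOS:             # entropy-coded data follows the SOS header
                while pos + 1 < len(data):
                    nxt = data[pos + 1]   # FF00 is byte stuffing, FFD0-D7 are restarts
                    if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                        break
                    pos += 1
    return -1

def trailing_data(data: bytes) -> bytes:
    """Bytes after EOI; non-empty means something was appended to the image."""
    eoi = find_eoi(data)
    if eoi < 0:
        raise ValueError("not a well-formed JPEG")
    return data[eoi + 2:]

def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample. The APP1 payload contains FF D9, as an EXIF thumbnail would,
# so a naive search for the first FF D9 stops inside the header instead of at EOI.
CLEAN_JPEG = (b"\xff\xd8" + _segment(0xE1, b"Exif\x00\x00\xff\xd8\x01\xff\xd9")
              + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
              + b"\x12\x34\xff\x00\x56\xff\xd0\x78\xff\xd9")
STEGO_JPEG = CLEAN_JPEG + b"appended secret text"
```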


A more complex method encodes the message in an image file’s colour values. Each pixel’s colour can be slightly tweaked without any noticeable change, and even software will see nothing structurally wrong with the image. However, untampered images exhibit statistical properties which change when colours are adjusted, so the probability of a hidden message can be estimated. This is unreliable as a defence, but it can alert analysts to unusual activity.

An alternative way of using images to hide messages is by swapping colours around, encoding information in their relative order. Invisible to the eye, this preserves the statistics that are disrupted by changing colours. While analytic methods have been developed to detect the swapping of colours to encode information, they are not very reliable. This is “proper” steganography; invisible, easy to encode and practically undetectable.


How is Steganography weaponized?

Steganography is often weaponized to disguise attack code, hiding it from anti-malware defences. Since the secret message is undetectable, the malware analysis has nothing to work on. Some visible attack code is needed to unpack the secret message, but this looks harmless and so is allowed in. For example, the AdGholas malvertising campaign hid malware by adjusting transparency levels in a PNG image.

Data leaks are another use of steganography. Sensitive information encoded using steganography is invisible to humans and undetectable by Data Leakage Protection (DLP) software. This means leaks can happen over prolonged periods, so the attacker doesn’t have to devise a “smash-and-grab” attack that steals everything before being caught. Few details have been disclosed of such cases and considering the difficulty in detecting the leaks this isn’t surprising. One report claims that video has been used as a carrier.

Steganography is also used to turn social media and public data repositories into stealthy command and control channels. This gives attackers control without using their own servers, making it impossible to shut them down. A good example of this is the use of Twitter to distribute commands hidden, by steganography, inside tweeted images. File sharing services, such as Dropbox, are also used to store hidden malware updates. These services act as “cut-outs” to protect the attacker and steganography makes it impossible to identify unsafe traffic.


What can you do about Stegware?

Unsophisticated steganography can be detected. However, it is no harder for attackers to use undetectable approaches, and with detection strategies ineffective against those, steganography is the ultimate evasion tool.

One approach to keeping networks safe is to keep social media out of the corporate network by using browser sandboxing, so users can still access their social media accounts without exposing the system to the dangers. This reduces the scope attackers have to use steganography, but businesses still need to exchange a lot of content, and that is where attackers gain all the access they need.

Steganography can only be defeated by removing redundant information from content passing in and out of the system. For example, removing unused data and smoothing out the subtle colour differences between pixels. This is a natural extension of Content Threat Removal, an approach that blocks all data and instead builds new safe data to deliver the desired business information.
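A toy version of that rebuild step, as an added example that is not code from the article or from Deep Secure's product: it takes a binary PPM (P6) image, the simplest raster format to parse, keeps only the dimensions and pixel values, coarsens each colour channel so its low bits no longer carry information, and writes a fresh file. Header comments and anything appended after the raster never reach the output because nothing from the input is copied through; the sample image is constructed here.

```python
"""Added example (not from the article or Deep Secure): a toy Content Threat Removal
step for binary PPM (P6) images. Nothing from the input is copied through; only the
dimensions and re-quantised pixel values survive in a freshly built file."""
import re

_TOKEN = re.compile(rb"[^\s#]+")

def _header(data: bytes):
    """Return (magic, width, height, maxval) and the raster offset; '#' comments skipped."""
    pos, fields = 0, []
    while len(fields) < 4:
        if data[pos:pos + 1] == b"#":               # comment runs to end of line
            pos = data.index(b"\n", pos) + 1
        elif data[pos:pos + 1].isspace():
            pos += 1
        else:
            m = _TOKEN.match(data, pos)
            fields.append(m.group())
            pos = m.end()
    return fields, pos + 1                          # one whitespace byte before raster

def quantise(value: int, step: int = 4) -> int:
    """Floor a channel value to a multiple of `step`, so its low bits are fixed."""
    return value - value % step

def rebuild_ppm(data: bytes, step: int = 4) -> bytes:
    """Build a brand-new P6 file from the pixel values alone."""
    (magic, w, h, maxval), start = _header(data)
    if magic != b"P6" or int(maxval) != 255:
        raise ValueError("only 8-bit P6 supported")
    w, h = int(w), int(h)
    raster = data[start:start + 3 * w * h]
    if len(raster) != 3 * w * h:
        raise ValueError("truncated raster")
    pixels = bytes(quantise(b, step) for b in raster)
    return b"P6\n%d %d\n255\n" % (w, h) + pixels    # comments and trailing bytes are gone

# Constructed sample: a 2x2 image with a header comment and bytes appended after the raster.
SUSPECT_PPM = (b"P6\n# note hidden in a comment\n2 2\n255\n"
               + bytes([255, 0, 1, 0, 255, 2, 3, 4, 5, 254, 253, 127])
               + b"appended secret text")
```

Visually the change is at most `step - 1` per channel, which is why the approach trades a little image fidelity for removing the redundancy a hidden message needs.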

If you have no evidence that Stegware is being used against you, remember that, because of its ultimate stealth, you wouldn’t see it coming. Don’t try to detect, be sure by removing the threat instead.