Steganography – at the service of good or evil?
Is it possible to create a virus that raises no suspicion of its presence? Is there a universal way to evade all existing security software, even if that way is made public? Is it possible to execute arbitrary code on a remote machine without any notification to the user and unnoticed by the "artificial intelligence" of security products?
If so, it has to be something more than a vulnerability that is closed by replacing a few bytes of code or by inserting additional checks into some program. And such a method does exist!
The method we found is a set of conditions; meeting all of them together guarantees the successful injection and execution of arbitrary code.
First, the X-code must be transmitted over the network in hidden form, for example encrypted. Next, a technique popular in rootkits can be applied: the code is kept exclusively in RAM and is never written to the hard disk, so the on-access check by the scanner never takes place. The only shortcoming is that the code is erased when the system is rebooted.
Secondly, sending encrypted code is itself a fact that can alert both security software and an experienced user (for example, there is a plugin for the Mozilla Firefox browser that warns when a script works with script strings). One possible solution, therefore, is to hide the X-data inside multimedia containers using steganographic methods.
The idea of hiding a message inside some carrier and sending it unnoticed is not new. The ancient Greeks used this method by writing messages on wax-coated tablets. Another method was tattooing the message on a messenger's shaved head; the tattoo was then hidden by regrown hair until the next shave. New technologies made it possible to use invisible ink, microfilm and, finally, modern multimedia (digital images, video and sound) for the same purpose.
The main directions of modern steganography are the following:
• embedding information for its concealed transmission;
• watermarking;
• fingerprinting;
• captioning.
Potential areas of application of steganography:
• copy protection;
• authentication;
• hidden annotation of documents;
• hidden (covert) communication.
Today there are many tools implementing various steganographic methods for multimedia. Here is just a small list of them: Steganos, S-Tools (GIF, JPEG), StegHide (WAV, BMP), Invisible Secrets (JPEG), JPHide, Camouflage, Hiderman.
The simplest use of steganography is the injection of hidden messages into lossless image formats (BMP, GIF).
In the BMP format the image is represented as an array of pixels, and each pixel carries a 24-bit RGB colour value (8 bits for each colour: red, green and blue). In this representation each of the three colours has 255 shades, and values that are close in colour are practically indistinguishable to human perception.
In physiological terms we can speak of a sensitivity threshold of human vision. This feature allows using not all 24 bits of chromaticity but only 15, discarding the 3 least significant bits of each colour. The algorithm for inserting a hidden message is therefore based on changing the least significant bits of the image (the LSB principle, Least Significant Bit). These 3 bits per colour, 9 per pixel, can be used to hide the necessary information in the image; thus it is possible to hide 384 Kbytes of information in an image with a size of 1 MB.
There is a stereotype that steganography is used only to hide messages or data that should not be distributed but must be sent safely over open channels without the risk of being read. It can, however, be used just as successfully to hide executable code in order to carry that code past client- and server-side security software to a program loader (downloading an audio or video file from the network is not a suspicious activity nowadays). The code is then extracted from the container directly into RAM and executed. This confirms that executable code can be downloaded to the user's machine without the user's knowledge or consent.
That, in brief, is the scheme for executing X-code on a remote machine. The simplest implementation of this method includes the following components:
• the loader and the container (a BMP file) carrying the code are placed on a web server;
• the injection is performed by means of the browser (the user only has to visit the "malicious" page);
• the downloader can be implemented in Adobe ActionScript, the most convenient tool for this task, all the more so as it is used on youtube.com (the player downloads the requested movie from the server depending on the parameter passed to it), vkontakte.ru, internet audio shops, etc.;
• the X-code itself can be written in JavaScript;
• the tool for hiding the X-code in the image can be borrowed from the Internet or written by oneself.
Let us hide the user's code in the container image:
Now this code is hidden in the container image, and it is virtually impossible to tell the original image from the one carrying the steganogram by eye (the original image is on the left, the image with the steganogram on the right):
After that the image is placed on a web server, and a link to the image is written into the ActionScript together with the code that extracts the hidden information from the image.
Load the page in the browser and get the result of the code execution:
Even the simple example used for this demonstration already poses the risk of personal data theft (login names and passwords, etc.) via cookies, of unauthorised display of advertisements, of substitution of the window's contents, of sending spam (the recent worm that attacked vkontakte.ru), as well as of exploiting vulnerabilities such as XSS (for example, injecting one's own code by posting a message to a forum).
As the example above shows, steganographic methods can be used to hide any code inside multimedia resources on the Internet. These resources thus become a potential channel not only for transmitting confidential data but also for spreading malicious code past antivirus software, firewalls and other security programs.
Alongside steganography, however, research is being conducted in the area of steganalysis. Steganalysis is the science of detecting messages hidden by steganography. Its main purpose in this context is preventing leaks of confidential data and identifying their source within the company.
Currently no steganalysis system is a universal means of determining the presence of steganograms, let alone extracting them from the container. Despite this, there are some solutions applied in corporate networks to protect against data leaks through the e-mail channel. These developments are based on inserting noise into the bitmap of the outgoing image at the LSB level: it is enough to install a tool on the mail server that inverts the least significant bit of each byte in order to destroy the embedded steganograms.
This approach, however, works only for "lossless" data formats (RAW, BMP, GIF, WAV). For all other formats, which compress images using digital signal processing algorithms, this method cannot be applied, because the message can be hidden inside the transformation algorithm itself.
Another weakness of this method is that it can destroy fragile watermarks. In addition, although inserting noise into the image can remove a steganogram from the container, the method gives no information about the presence of a hidden message or its content.
Despite the urgency of the problem and the interest of the security industry, there is no universal steganalysis mechanism that would allow not only detecting the presence of hidden information but also recovering it from the container.
We can, however, suggest a few methods for countering the two main types of threat, leaks of confidential data and the ability to hide and run malicious code on a user's computer (in the first case outbound traffic should be analysed, in the second case inbound traffic):
1. Use a program that adds noise to bitmap images (for example RAW, BMP, GIF, WAV) received or sent via e-mail, the Web, etc. This method prevents a possible leak or infection but cannot detect the presence of steganograms.
2. Where lossy compression algorithms are used (JPEG, MP3, MPEG), a tool that re-encodes the media files is needed, because the steganogram can be embedded in the processing and compression algorithms of the digital container. This extra processing of downloaded files can significantly slow down the user's work, which is unacceptable for the end user.
3. Disabling active content in the Internet browser also prevents infection by hidden code (for example, the method shown above of loading a container with embedded JavaScript from ActionScript in Adobe Flash). Modern Internet technology, however, is impossible without it.
4. There are a number of methods for detailed analysis and detection of the presence of steganograms. One of them is based on frequency analysis of the container's signal and the identification of unnatural patterns in its distribution. This approach yields only a probability estimate and cannot be used to recover the steganogram.
5. There are also a number of desteganography tools designed to recover hidden information when the algorithm is known. Their shortcoming is narrow specialisation and the need to know the algorithm used to hide the steganogram, which is not always possible.
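The mail-server LSB noise filter described above and the frequency analysis of item 4, as an added Python example that is not part of the article (the function names are my own): it works on the raw 24-bit pixel bytes of a BMP, i.e. what follows the header, and uses a constructed gradient image as the cover, with a randomised-LSB copy standing in for an embedded encrypted payload.

```python
import random
WIDTH, HEIGHT = 64, 64  # size of the constructed sample image

def constructed_cover() -> bytearray:
    """Constructed stand-in for the pixel bytes of a 24-bit BMP (header removed):
    a gradient pushed through a 1.3x contrast stretch, which leaves gaps and a
    clipping spike in the value histogram, much as real tone mapping does."""
    px = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            base = (4 * x + y) % 256
            for off in (0, 85, 170):  # three colour channels, shifted
                px.append(min(255, (base + off) % 256 * 13 // 10))
    return px

def pov_chi2_per_dof(samples: bytes) -> float:
    """Pairs-of-values chi-square statistic divided by its degrees of freedom.
    Overwriting LSBs with random-looking (e.g. encrypted) bits equalises the
    counts of each pair 2k / 2k+1 and pulls this towards 1.0; untouched data is
    normally far above it. Only a probability estimate; run it BEFORE any filter."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    chi2, dof = 0.0, 0
    for k in range(128):
        total = hist[2 * k] + hist[2 * k + 1]
        if total == 0:
            continue  # pair absent from the image: no information
        expected = total / 2
        chi2 += sum((hist[i] - expected) ** 2 / expected for i in (2 * k, 2 * k + 1))
        dof += 1
    return chi2 / dof

def looks_like_lsb_stego(samples: bytes, threshold: float = 2.0) -> bool:
    return pov_chi2_per_dof(samples) < threshold

def scrub_lsb(samples: bytes, seed=None) -> bytearray:
    """Noise filter of the kind installed on the mail server: overwrite every
    byte's LSB. A fixed inversion (b ^ 1) also wipes the message, but the
    recipient undoes it by inverting once more; random bits are irreversible."""
    rng = random.Random(seed)
    return bytearray((b & 0xFE) | rng.getrandbits(1) for b in samples)

if __name__ == "__main__":
    cover = constructed_cover()
    stego_like = scrub_lsb(cover, seed=1)  # statistically the same as an encrypted payload
    for name, data in (("cover", cover), ("random LSBs", stego_like)):
        print("%-12s chi2/dof=%7.2f flagged=%s" % (name, pov_chi2_per_dof(data), looks_like_lsb_stego(data)))
```

On a real file, strip the BMP header first (the pixel-data offset is stored as a 32-bit value at byte 10) and, because sequential embedding may fill only the beginning of the image, compute the statistic over growing prefixes of the data rather than once over the whole file.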
Alexander Adamov, Sergey Miroshnichenko, "Design and Test Lab", Ltd., 2009