Steganography is a way of hiding data in plain sight. With the use of steganography, you can hide data within other data files. Typically you would hide data inside an image, video or audio file.
This practice is commonly used to hide malware inside other files in order to get it onto a victim's machine. The user would just see or save a harmless image, video or audio file, unaware it contains malware. The use of auto-download scripts can help with this.
It's not just malware though; users can also use steganography to sneak data out of the network. The firewall or monitoring tools will only see a user sending a harmless picture. This is a likely route where USB controls are tight as well.
Below are two dog pictures. Both look identical, but one contains the EICAR test file.
The EICAR file was hidden inside the dog JPEG using a tool called Steghide.
Steghide can be downloaded here: http://steghide.sourceforge.net/download.php
or through apt: apt-get install steghide
Steghide can be used with the following options:
-ef specifies the path of the file that you want to hide.
-cf specifies the cover file that the data is embedded into.
-sf specifies the output file. If not used, the cover file will be overwritten.
-z specifies the compression level, between 1 and 9.
-Z disables compression.
-e specifies the type of encryption. By default it will use 128-bit AES encryption. If you don't want to encrypt, use '-e none'.
-p sets the passphrase used for embedding or extraction.
For this example, we will run the command below. This will hide the EICAR text file inside the dog picture.
steghide embed -ef [file] -cf [cover file] -sf [output file] -e none -Z
This outputs the stego image as stegdog.jpeg.
Now you have your file, you can pass it on to your victim. Most security technologies will not detect the EICAR file at this stage, as to them it is just a nice picture of a dog.
To them, JPEGs aren't a threat, as they are not executables.
Once the file is on the victim's machine, you can extract the hidden file using the same software. Worth noting that Steghide works on both Windows and Linux.
To extract, you can run the following: steghide extract -sf [file] -p [password]
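The point above, that a JPEG looks harmless to most tooling, is what a defender has to work around. The following is an added example, not from the original post: a JPEG integrity check that walks the marker structure, reports any bytes appended after the End-Of-Image (EOI) marker, and compares a suspect file against a trusted original by hash and size. One caveat: steghide rewrites the image's DCT coefficients rather than appending data, so the trailing-bytes check only catches cruder droppers; the hash comparison against a known original is what exposes a steghide-style rewrite. All sample bytes here are constructed, not a real photograph.

```python
"""Added example, not from the original post: a defender-side JPEG
integrity check.  It walks the JPEG marker structure, reports bytes
appended after the End-Of-Image (EOI) marker, and compares a suspect
file against a trusted original by hash and size.  Caveat: steghide
rewrites DCT coefficients rather than appending data, so only the hash
comparison against a known original catches that kind of change.
All sample bytes below are constructed, not a real photograph."""
import hashlib
import struct

EOI, SOS = 0xD9, 0xDA
# Inside entropy-coded data, 0xFF00 is a stuffed byte and 0xFFD0-0xFFD7 are
# restart markers; any other byte after 0xFF ends the scan data.
ENTROPY_CONTINUE = {0x00} | set(range(0xD0, 0xD8))


def parse_jpeg(data: bytes) -> dict:
    """Return the marker sequence, total entropy-data length and trailing bytes."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, segments, entropy_len = 2, ["SOI"], 0
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while data[pos + 1] == 0xFF and pos + 2 < len(data):  # skip fill bytes
            pos += 1
        marker = data[pos + 1]
        if marker == EOI:
            segments.append("EOI")
            return {"segments": segments, "entropy_len": entropy_len,
                    "trailing": data[pos + 2:]}
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segments.append(f"FF{marker:02X}")
        pos += 2 + seg_len
        if marker == SOS:
            # Scan entropy-coded data until the next real marker
            start = pos
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] not in ENTROPY_CONTINUE
            ):
                pos += 1
            entropy_len += pos - start
    raise ValueError("no EOI marker found: truncated file")


def compare_to_original(original: bytes, suspect: bytes) -> dict:
    """Hash and size comparison plus a structure check of the suspect file."""
    return {
        "same_hash": hashlib.sha256(original).digest() == hashlib.sha256(suspect).digest(),
        "size_delta": len(suspect) - len(original),
        "trailing_bytes": len(parse_jpeg(suspect)["trailing"]),
    }


# Constructed minimal JPEG skeleton: SOI, APP0 (JFIF), SOS, 8 bytes of
# scan data containing a stuffed 0xFF00 and a restart marker, then EOI.
CLEAN_JPEG = (
    b"\xff\xd8"
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    b"\xff\xd9"
)
APPENDED_PAYLOAD = b"constructed-appended-data"  # stands in for a dropper's hidden blob
TAMPERED_JPEG = CLEAN_JPEG + APPENDED_PAYLOAD


def verdict(original: bytes, suspect: bytes) -> str:
    """Human-readable summary of how the suspect differs from the original."""
    r = compare_to_original(original, suspect)
    if r["same_hash"]:
        return "identical to known original"
    reasons = [f"hash differs (size delta {r['size_delta']:+d} bytes)"]
    if r["trailing_bytes"]:
        reasons.append(f"{r['trailing_bytes']} bytes after EOI")
    return "modified: " + "; ".join(reasons)


if __name__ == "__main__":
    print(parse_jpeg(CLEAN_JPEG)["segments"])  # ['SOI', 'FFE0', 'FFDA', 'EOI']
    print(verdict(CLEAN_JPEG, CLEAN_JPEG))
    print(verdict(CLEAN_JPEG, TAMPERED_JPEG))
```

In practice the "trusted original" would come from the asset store or mail gateway copy of the image, and the hash comparison is the part that matters for a steghide-style rewrite, since the stego image is a re-encoded file rather than the original with extra bytes.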
If the hidden content is malicious and the client runs AV, the AV should detect the threat when the extracted file is written to disk. Unless a zero-day exploit is involved, the attack will most likely be carried out in stages:
- Get the files onto the victim's machine
- Disable or exploit the security controls
- Extract and execute the hidden file
Remember, it doesn't need to be just malware. Steganography can also be used to steal data. If you wanted to get data out of your company without security knowing, steganography can be used.
The external monitoring tools and audit trail would only show JPEGs leaving the company. The data can then be extracted on a personal device, unknown to the company.
If this is what you are trying, compression is important. If security has a keen eye, they would notice files passing at unusual sizes. If the data you are extracting is large, it's best to use audio or video, as large files are not unusual there.
A video of 30 MB or more would not be unusual.
The other thing to think about is which image, audio or video file you are hiding your data inside. Try not to use one from the internet, as someone could compare the files using a reverse Google image search. If it is personal, only you would have the original file, so there is nothing to compare it against or inspect.
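The "unusual sizes" observation above is exactly the signal a defender can turn into a check. The following is an added example, not from the original post: a baseline over outbound file transfers, of the kind a defender could run against proxy or DLP logs. It learns a typical size per file type from historical records (median and median absolute deviation, so a few outliers do not skew it) and flags new transfers that fall far outside that range. It also reproduces the post's own point that a large payload hides more easily in video: a 60 MB mp4 passes while a 2.4 MB JPEG does not. The log records, filenames and sizes are all constructed.

```python
"""Added example, not from the original post: a per-file-type size
baseline for outbound transfers.  Typical size is learned from history
using the median and the median absolute deviation (MAD); new transfers
with a robust z-score above a threshold are flagged.  Records are
constructed, not real log data."""
import os
from collections import defaultdict
from statistics import median

# Constructed history of outbound transfers: (filename, size in bytes)
HISTORY = [
    ("team_photo.jpeg", 410_000), ("logo.jpeg", 95_000), ("dog.jpeg", 380_000),
    ("banner.jpeg", 520_000), ("screenshot.jpeg", 300_000),
    ("townhall.mp4", 48_000_000), ("demo.mp4", 61_000_000), ("intro.mp4", 35_000_000),
]

# Constructed new transfers to score against the baseline
NEW_TRANSFERS = [
    ("holiday.jpeg", 2_400_000),    # a JPEG far larger than this type usually is
    ("cat.jpeg", 450_000),          # ordinary photo
    ("recording.mp4", 60_000_000),  # video: large, but normal for its type
    ("notes.bin", 1_000),           # type never seen before
]


def file_type(name: str) -> str:
    """Lower-case extension without the dot, used as the baseline key."""
    return os.path.splitext(name)[1].lstrip(".").lower()


def build_baseline(records):
    """Per file type: (median size, MAD).  A zero MAD falls back to 10% of the median."""
    by_type = defaultdict(list)
    for name, size in records:
        by_type[file_type(name)].append(size)
    baseline = {}
    for ftype, sizes in by_type.items():
        med = median(sizes)
        mad = median(abs(s - med) for s in sizes)
        baseline[ftype] = (med, mad if mad else 0.1 * med)
    return baseline


def robust_z(size, med, mad):
    """Robust z-score; 0.6745 scales MAD to a standard-deviation equivalent."""
    return 0.6745 * (size - med) / mad


def flag_transfers(baseline, transfers, threshold=3.5):
    """Return (name, size, z, reason) for transfers that deserve a second look."""
    findings = []
    for name, size in transfers:
        ftype = file_type(name)
        if ftype not in baseline:
            findings.append((name, size, None, f"no baseline for type '{ftype}'"))
            continue
        med, mad = baseline[ftype]
        z = robust_z(size, med, mad)
        if abs(z) > threshold:
            findings.append((name, size, round(z, 1),
                             f"size is {size / med:.1f}x the {ftype} median"))
    return findings


BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    for ftype, (med, mad) in BASELINE.items():
        print(f"{ftype}: median {med:,} bytes, MAD {mad:,}")
    for finding in flag_transfers(BASELINE, NEW_TRANSFERS):
        print("FLAG", finding)
```

A size baseline alone will not catch a small payload hidden in a large cover file, which is why the post recommends video for large exfiltration; pairing it with a per-user volume baseline (how many media files this account normally sends) narrows that gap.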