
GT - When Steganography Stops Being Cool - David Sancho

BSides Las Vegas, 35:52, published 2016-12
About this talk
GT - When Steganography Stops Being Cool - David Sancho. Ground Truth, BSidesLV 2015 - Tuscany Hotel - August 04, 2015

...like, a passing knowledge of what steganography is? It's pretty OK, so you're going to get bored in the first few slides, just saying. Steganography goes back to the Romans, you know, so lots of stuff. So when I was putting together the presentation I was thinking, should I talk about the Julius Caesar ciphers or something really, really old and boring, or go for something more current? So I went ahead and brought something more current that you probably are more familiar with: this guy, rather than Julius Caesar. And the story about this Arnold one, it's a funny one, right? It was back in 2009, and I promise it has to do with steganography, bear

with me. So, I don't know, he had a very bad argument with some other member of the committee of the California Senate, and this guy, Ammiano, they had a big argument, and he even insulted Arnold in public. He said things like "kiss my ass", things really nasty for a politician. So right after that, Tom Ammiano tried to pass a bill. It was just a totally normal bill, nothing really out of the ordinary. What was Arnold's response to that? This was Arnold's response: "To the members of the California State Assembly: I am returning Assembly Bill 176 without my signature. For some time we've been kicking the can down..." blah blah. So it was

just, you know, just saying no, I'm not passing the bill. And then the press discovered that if you check the first letter of each [line], you know what Arnold was saying here. That's steganography, right? That's not encrypting, but hiding the message so that it is not readily seen, right? It looks like something else, but in fact the message is in the left-hand side, right? So Arnold was... what happened there? All right, back to then. So this was, in fact, I have, yeah, Arnold saying yeah to Tom Ammiano. So, to define steganography: it's hiding a message within another message, or, when we're going to put it in the context of malware, using an unexpected channel in order to

send a message, right? So we're going to see how the bad guys are using strange channels, right, like HTTP, to send something differently. We're going to see plenty of examples of this. The most common trick is the least significant bit. So what this consists of is it changes ever so slightly, like one bit at a time, the colors of an image, so that it encodes information one bit at a time. At the left-hand side you see the pure white, that's 255 255 255, that's the encoding for pure white. Then in the center what I've done is I've shifted it slightly, so it's not pure white, it's slightly gray, so I'm putting it a

little bit darker than white, but ever so slightly, so it's 254 254 254 now. The color, you can see, the human eye cannot see the difference, right? At the right-hand side it's 252, you can't see the difference. So if you start changing the pixels of an image so that you encode one bit at a time, just by shifting the color so slightly, then you can put information within an image without the human eye being able to tell whether there's a difference or not. For some reason, when steganography on the digital side of things, not in the physical domain but in the

virtual domain, started to become something, like back in the 70s, they started using the Playmate of 1972, that's Lena. Welcome, Lena. There's also another one which is a monkey, but you know, this is better than a monkey, so for some reason they started using this one. By the way, I was researching to put this picture and there's a new picture side by side, Lena back then, Lena today. I'm not showing it. I mean, Playmate 1972, you can imagine. So this is Lena, this beautiful picture, shifted slightly to encode a message. The left one is the real one, the right one has a message. If you look at the histogram

you'll see that there's a little bit more spikes, a little bit more spikes. The human eye would never be able to tell whether there's anything happening or not. So you can encode messages. Bad guys are going to take advantage of this and you'll see it in a while. And now I'm talking about the bad guys. Who were the bad guys? What are we talking about when we say the bad guys? What's the first thing that comes to mind when we're talking about the bad guys? What do they want? Sorry? Cybercriminals, right, yeah. Money, the bucks, yeah, that's what they want, that's what they want, right. What interest do these people have in hiding stuff? You know, just, you know, to

stay undetected for longer, so that they can get more data. Besides these guys there's two more groups of people, or main groups of people, that are interested in hiding stuff, which is these guys here. Not necessarily the US only, but you know, armies, people that want to spy. So instead of wanting the bucks, what these guys want is information, so they want to stay undetected as long as possible. Steganography is going to be especially useful to this group. And the third group of people who also are attacking on the internet, you know, bad guys spreading malware around, are these guys, right? Hacktivists, terrorists, call them what you will. What these guys are after is not money, is not data,

they're after the reputation. They want to destroy the reputation of the countries, they want to smear them and be on top. That's what they want. They just want to destroy any credibility or trustworthiness that the infected victims might have with their customers. Now what interest can these guys have in staying undetected? Well, you know, the more data they can accumulate the better, because at the end they deepen their foothold in the network. So all three kinds of guys are interested in steganography, and you'll see examples of almost all of them. It's the hacktivists at least, those who, I think, are not using it much. And to make things more confusing, these three,

these three people overlap a lot, like, a lot. You see that some of these hacktivists, they managed to steal a database of information, like in Sony in 2011, a whole database of credit card data of Sony customers, and then two weeks later somebody starts spamming them. Well, the hacktivists, right, activists, they already did their job, they made Sony look like crap, but of course that database is worth money, so they sell it, they sell it to cybercriminals, sorry, criminals start using that data, and then at some point somebody sees: OK, we have access to Sony, so another corporate competitor of Sony might want that data and start

spying on them. So it's blurry, the edges blur a lot. So I'm going to start using, by way of example, different malware that do different things with steganography, trying to hide stuff. So I divided my presentation in different categories. The first category is going to be trying to hide second-stage malware. Now this is not terribly useful, by the way. Arnold's going to tell us, yeah, hiding the payload. So hiding the second-stage malware is not super useful. Why? Because at the end of the day, if you have an image instead of a compressed EXE, the end result is the same. You know, I as a virus analyst see that and it's a BMP instead of

being an unencrypted blob, might as well be encrypted. So for me it's not a terribly useful kind of use of steganography, but it does exist, and I'm going to put a couple of examples, like this one, the Lurk downloader. This is just a very generic downloader. It has a BMP, and at the end of the BMP, and this is the edge of the BMP, it has what looks like random data. That's not random data, that's code. It's actually encrypted, but it's code. This image comes from, I think it's Dell SecureWorks. I was not able to find this thing. What I was able to find instead, I don't know if you're going to be able to see that, look,

yeah, is this, which is not a pretty BMP. So it's just, it's BMP, so it's attached within the EXE as a BMP, but it actually has no image, so it's just pure encrypted data, just an encrypted blob. Now you might say, well, this is not really steganography. Well, it is declared as a BMP, it's just not trying to fool anybody, because nobody's going to look into the BMP, you know, it's just embedded into the EXE. So yeah, not terribly useful, I tell you. Now what this stuff decrypts to, well actually it goes to this, to this, and this is the really interesting part: it goes to any

of these places, which are being used as C&C, and it downloads another BMP, and now this is the real cool stuff, right? This is the BMP that it really downloads. Now if you are the one who is looking at this download, you see the BMP, I think it was a BMP, yeah, it was a BMP. You see this, just white, right? If you actually look at the picture you'll see how the part in black is just the header, so it's just some header data, and after that it's FF FF. Remember that FF is 255, and 255 255 255 is pure white. FE is one less, 254, so you cannot see

the difference. There should be a bunch of dots there in gray, but the gray, the difference is so slight that you cannot see that actually in there there is data encoded bit by bit. Every FF is a one, every FE is a zero, and you put it all together, you make a message, which is actually another download place. This is what was encoded inside, so it says that. That's interesting, that's more interesting than the first BMP. The second one, it's something that came really recently, yes, June 2015, called Stegoloader, and they call it Stegoloader because it uses steganography a lot, like a whole lot.
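The least-significant-bit trick from the start of the talk and the FF-is-one, FE-is-zero decoding of Lurk's white BMP above, as an added example written for this page (it is not code from the talk, from Lurk or from Stegoloader). It embeds and extracts a payload in the low bit of each pixel byte of a constructed all-white cover, and applies the pairs-of-values chi-square check (Westfeld and Pfitzmann) that formalizes the histogram spikes the speaker mentions: LSB embedding pushes the counts of each value pair (2k, 2k+1) towards equality, so a low statistic over a region suggests embedding. The 32-bit length prefix and the raw pixel buffer without a BMP header are assumptions of this example, not a format any of the samples use.

```python
"""LSB embed/extract plus a pairs-of-values chi-square check (added example)."""
from collections import Counter
from typing import Iterator

# Assumption of this example: the payload is framed with a 32-bit big-endian
# length prefix so the extractor knows where the hidden data stops.
HEADER_BYTES = 4


def make_white_cover(width: int, height: int) -> bytearray:
    """Constructed 24-bit cover: every channel of every pixel is 0xFF, like the
    all-white BMP discussed in the talk (pixel data only, no file header)."""
    return bytearray(b"\xff" * (width * height * 3))


def capacity_bytes(cover: bytes) -> int:
    """One bit per pixel byte, minus the length prefix."""
    return len(cover) // 8 - HEADER_BYTES


def _bits(data: bytes) -> Iterator[int]:
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover: bytes, payload: bytes) -> bytearray:
    """Overwrite the low bit of successive cover bytes with the framed payload.
    On a white cover this is exactly the speaker's rule: 0xFF carries a 1 and
    0xFE carries a 0, a difference no eye can see."""
    if len(payload) > capacity_bytes(cover):
        raise ValueError("payload exceeds LSB capacity")
    stego = bytearray(cover)
    framed = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    for index, bit in enumerate(_bits(framed)):
        stego[index] = (stego[index] & 0xFE) | bit
    return stego


def extract_lsb(stego: bytes) -> bytes:
    """Read the LSB of each byte back into bytes, length prefix first."""
    def read_bytes(count: int, offset: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[offset + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(HEADER_BYTES, 0), "big")
    return read_bytes(length, HEADER_BYTES * 8)


def embedded_region_length(payload: bytes) -> int:
    """Number of cover bytes touched by embed_lsb for this payload."""
    return (HEADER_BYTES + len(payload)) * 8


def pair_chi_square(region: bytes) -> float:
    """Pairs-of-values chi-square statistic (Westfeld and Pfitzmann).
    On an untouched all-0xFF region the pair (254, 255) is maximally unbalanced
    and the statistic equals the region length; after embedding it collapses."""
    counts = Counter(region)
    chi = 0.0
    for even in range(0, 256, 2):
        n_even, n_odd = counts[even], counts[even + 1]
        expected = (n_even + n_odd) / 2
        if expected == 0:
            continue
        chi += (n_even - expected) ** 2 / expected + (n_odd - expected) ** 2 / expected
    return chi


if __name__ == "__main__":
    cover = make_white_cover(64, 64)
    secret = b"http://stage2.example.invalid/img.bmp"  # constructed second-stage URL
    stego = embed_lsb(cover, secret)
    region = embedded_region_length(secret)
    print("recovered      :", extract_lsb(stego))
    print("chi-square clean:", pair_chi_square(bytes(cover[:region])))
    print("chi-square stego:", pair_chi_square(bytes(stego[:region])))
```

The statistic is only meaningful over the region that was actually written, which is why the demo scores the first `embedded_region_length` bytes; on a real image the analyst does not know where the payload stops, and natural images already have near-balanced pairs, which is the practical reason the speaker calls steganalysis on the spot so hard.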

It does pretty much the same. It downloads stuff, but they're a little bit more elegant, they use this picture. So this one at least, you say OK, that's prettier than the other BMP, but again it's the same thing, you know, they use this a lot. So if you are managing a network and you see a lot of BMP downloads, it's very difficult to say whether those BMPs are encoding something or not. It's pretty difficult. So there's a whole discipline, a whole field, of trying to see whether a BMP or a GIF or PNG has information encoded, and the field is called steganalysis, and it is very

difficult to perform steganalysis on the spot by seeing downloaded data. It's just very difficult. So for all practical purposes it's a BMP, it's a real BMP, you can check that it is, it has the headers, it works, so it's pretty difficult to spot. My second category: the first one was hiding payloads, hiding EXEs, hiding encoded stuff; the second one is hiding configuration, right? The final one is going to be hiding... the tools of the trade. So the example is Zeus, the latest version of Zeus, ZeusVM. If you look, this is a part of the dump in the code, you see how it's trying to download a JPEG, /prefer/blah blah/something

dot jpg. Why, why would it do that? It actually downloads this thing. Now, there's something, there's data inside, but this data, at the end of the data, and I think it's in the comment section actually, there's a malware config file, there's the configuration of Zeus. If you're familiar with Zeus, you know that it has an encrypted blob and it decrypts it in memory, which makes it quite tricky for us antivirus companies to actually see what's happening there. Well, this version has it in a BMP, so it downloads the BMP and at the end, that's the encrypted blob that it puts into memory and decrypts. So when you do that,

well, you see this is the encrypted data, it's just an encrypted blob, and when you try to decrypt it you find a normal Zeus configuration file. Now you see that this particular one is attacking, is it France, Spain and Portugal, and Brazil, but you can see already, this is a regular file. Now my second example is similar, but it's interesting in that it infects Android. It's an old one from January 2012, and it's a bad download, so you're infected, you're screwed, and it poses as a porn application, that's why it's pixelated. And the interesting part of this one

is that the configuration is stored in the icon, in that pixelated icon which is, yeah, I'm not showing that. So they hid information, again the same frame of the same thing, right? It has just a regular header, and then after that there's a marker called txt, txt and a bunch of encrypted information. Now the good thing about Android is that you can see the decryption routine, so you can see how it's being decrypted. So you see there the data stream. This is pretty lame, I mean, the big part here is XOR, yeah, XOR with a big string, nothing else, nothing fancy. When you decrypt all

that blob, what you see is this, which is, at the end of the day, this is an Android [trojan] that, when you get it, poses as porn; when you get infected it starts sending SMS messages, just texting some premium number. So that's the configuration: what number, in fact, etc. It just so happens to be in the BMP, in the icon, or it's not a BMP, it's a PNG I think. Interesting, really cool, yeah. You can really go places with this, because I could not really see, until I analyzed it very deeply, what the configuration is. Same cases, oops, and more so in a more complicated, different platform than

Windows. And my third category is hiding the C&C communication, hiding a C&C channel. This is Arnold showing us, stopping, suppressing communication, yeah, they told me that I had to leave the mask... So Morto, a really interesting one. This is really cool, because instead of using just a regular HTTP request just to get the configuration, it uses DNS. Super cool. It makes a DNS request, and also for the answer, it's just the DNS request, and in the DNS response there's a TXT record with this stuff. Once decrypted it comes back to this, but again, this is DNS, it never made any HTTP request, so it's very difficult, if you are a security device seeing what's happening in a network, you're

never going to find out that that particular request has something interesting, well, for C&C, a command, right? So this is pretty sneaky, I mean really, really sneaky. I don't think anybody would be able to spot that very easily, and the moment that they change this, or they create anything similar to this using a protocol where you wouldn't expect to find this kind of information, especially when it's encrypted, then it's very, very difficult to find out, to spot. This one I found very interesting, but it doesn't really have a name. You know how antivirus companies are funny that way, right? Because there's so many malware samples that we see at the end of the day that if an

automated system doesn't readily spot it and put it automatically into a family, then we have no idea what it is, so you end up putting it into an Agent bucket or whatever, a very generic kind of name. In this case naming was all over the place by all antivirus companies, so it was very targeted. It's a banker, so it tries to infect the user and tries to get the online banking credentials, but it affected South Korea, so I called it myself SK Banker, South Korea. Naming is all over the place, took me a while. So this one, and what does it do, what's it, it infects the victim, it goes to Pinterest, it goes to a

set of Pinterest pins, so things like that, pretty normal for us, right? This pin is not even that, it's a pin from a real user, so they're pinning this image, but in the comment section you find things like this. The bad guy had left a comment such as that, right, and in the comment is the C&C. So they're using Pinterest as a rendezvous place to tell the malware where the final C&C is going to be. In this case it's a bunch of crap, and then you can see ABCD, that's an IP address, so it just goes to that IP address, 7030 910 4 113 / tom giratina tongue, jeez, [which]

happens to be, I think it's something like "status" or something, but in Chinese, so it's not even very strange. I know, it's OK, it's all right, and it's not even very suspicious if you're looking at this, right? First you go to a pin, you look, Pinterest, normal JPG, and then you go after this, it may be anything, so it's not even very suspicious. The next example is very similar, just that it's using... the name is Janicab, that's pretty recent also. It uses YouTube. It goes to a YouTube place, a YouTube video, and then the YouTube video has comments, so the bad guy could just write a comment that has a format

for a very long number, [comment text], right? Doesn't look like there's anything weird happening there. And now the good thing about this one is that this one's pretty lame also, because it was written in C#. C#, you can decompile it and you can see the code, so when you can see the code, you can already see what's happening with that number. It goes there, it's the number. And more examples of more comments, that's a backup, the bad guy commenting. Now you can see the code: he just picks up that long number and it starts dividing it and doing an operation, and then at the end of the day

it gets an, I think it gets an IP, and it adds /wp-admin-content, which looks pretty tame, and this was their final result, one of those, you know. So it's pretty easy when it's done in C# because you already have the code, same as in Android. When you have the code then it's game over, because you can already see what's happening. The latest one, I don't have a lot of information on it because it was released by FireEye, and was it July 29? That's last week. So they released a pretty nice white paper, and there's not a lot of details in the

white paper, so I wasn't able to locate the samples, but that was especially, especially... who, my text? You know. And it goes to Twitter, and it has an algorithm where every day there is a different Twitter user that is supposed to be tweeting something for this trojan. Now if the bad guy doesn't want to communicate today, then it doesn't need to register the user, but the day that he wants to, then he just registers the user, and then again it's an algorithm that the client knows and the bad guy knows, so he creates today's username, he tweets something like that. Now that is

pointing, that link points to a GitHub [page] with an image, and then the second part is "101docto", it's a hashtag, like it was some information. Actually what the hashtag says is: if you take the first 100 bytes from the beginning, there's an encrypted blob, and to decrypt it, that's the password. That's what it's saying. And again it's a JPEG, it's a JPEG hosted on GitHub, so you have a lot of information there, that if you just happen to look at this Twitter user, the user was just created today and just tweeted that, it looks awkward, right? Nothing happened. It actually is pointing to a random site on GitHub with a lot of information, yeah.
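The Morto-style DNS TXT channel from earlier in this category, as an added defensive example written for this page (it is not Morto's code and not from the talk): a scorer over constructed resolver log lines that first excuses the TXT records a network legitimately answers with (SPF, DKIM, DMARC, site-verification tokens; DKIM keys in particular are long and high-entropy and would otherwise swamp the alert queue) and then flags long, high-entropy, base64-looking answers on other names. The log line shape, the allowlist and the thresholds are assumptions for this example; real resolver logs and real networks need their own tuning.

```python
"""Score DNS TXT answers for covert command-and-control use (added example)."""
import base64
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable, List

# TXT records a resolver legitimately hands out (assumed allowlist).
LEGIT_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1", "google-site-verification=", "MS=")
MIN_SUSPECT_LEN = 64      # assumed threshold for a "long" answer
ENTROPY_BITS = 4.5        # assumed threshold in bits per character
BASE64_RE = re.compile(r"[A-Za-z0-9+/=]+")

# Assumed log line shape: <timestamp> <client> TXT <qname> "<answer>"
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) TXT (?P<qname>\S+) "(?P<txt>.*)"$')


@dataclass
class Verdict:
    client: str
    qname: str
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def shannon_entropy(text: str) -> float:
    """Bits per character; 0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess_txt(client: str, qname: str, txt: str) -> Verdict:
    """Two or more independent indicators make an answer suspicious."""
    if txt.startswith(LEGIT_PREFIXES):
        return Verdict(client, qname, False, ["allowlisted record type"])
    reasons: List[str] = []
    if len(txt) >= MIN_SUSPECT_LEN:
        reasons.append(f"long answer ({len(txt)} chars)")
    entropy = shannon_entropy(txt)
    if entropy >= ENTROPY_BITS:
        reasons.append(f"high entropy ({entropy:.2f} bits/char)")
    if len(txt) >= MIN_SUSPECT_LEN and BASE64_RE.fullmatch(txt):
        reasons.append("base64-like alphabet, no spaces or key=value structure")
    return Verdict(client, qname, len(reasons) >= 2, reasons)


def scan(lines: Iterable[str]) -> List[Verdict]:
    verdicts: List[Verdict] = []
    for line in lines:
        match = LINE_RE.match(line)
        if match:  # unparseable lines are skipped rather than silently scored
            verdicts.append(assess_txt(match["client"], match["qname"], match["txt"]))
    return verdicts


# Constructed stand-in for an encrypted command: built from SHA-256 digests so
# the value is deterministic and contains no real data.
_BLOB = base64.b64encode(
    b"".join(hashlib.sha256(bytes([i])).digest() for i in range(4))
).decode()

# Constructed sample log; none of these are real records.
SAMPLE_LOG = [
    '2015-08-04T10:00:01Z 10.0.0.5 TXT _dmarc.example.com "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"',
    '2015-08-04T10:00:02Z 10.0.0.5 TXT mail._domainkey.example.com "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCplaceholder"',
    '2015-08-04T10:00:03Z 10.0.0.5 TXT example.com "v=spf1 include:_spf.example.com -all"',
    f'2015-08-04T10:00:04Z 10.0.0.17 TXT a7f3.update.example.invalid "{_BLOB}"',
    '2015-08-04T10:00:05Z 10.0.0.17 TXT txt.example.com "hello world"',
]

if __name__ == "__main__":
    for v in scan(SAMPLE_LOG):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} {v.client:10} {v.qname:32} {'; '.join(v.reasons)}")
```

Requiring two indicators rather than one keeps a single long legitimate record from paging anyone; the next refinement a practitioner would add is a per-client counter, since a host that resolves TXT records on a freshly seen name every few minutes is a stronger signal than any one answer.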

It's apparently the Russians, according to FireEye. I can't verify this. MiniDuke, which is a very well-known Russian threat, Russian meaning from the Russian government, supposedly is using the same exact algorithm with the same exact strategy, along with this thing called HAMMERTOSS. So apparently it's the Russians using this, so somebody close to the Russian government, some firm associated to the Russian government, is using this. Why? To stay undetected as long as possible. So that's... those people, actually I remember the first time that I realized this, a few years ago, was that I had a customer, a pretty big customer, and they got a honeypot just to get a lot of samples, right? So in

the honeypot, this particular honeypot that they acquired, they had a pretty cool feature, which is when it was infected it records a video of the whole infection. Now instead of just seeing the plain normal infection, when these people like this were infecting it, you could see that after that there was a screen and somebody typing, and it was somebody, because they started typing with mistakes, like you and I, I type "o", backspace, backspace, backspace, "net", and started trying to move laterally, trying to check stuff. So there was a guy. So it was kind of like, well, so it is not automated, no, this is a malware that enables a bad guy to come in and

start doing stuff. So we're not talking about being attacked by automated scripts, we're not talking about robots, we're talking about humans. Our enemy right now is a human. That's why I'm showing this, because it's somebody who is attacking us willingly, you know, it is not a random attack, it's just, these are attacks, right? The fourth one, the fourth category, and this is really unusual and I like it a lot because I think it's a great idea, is hiding stolen data. Now you see that very rarely. No... here Arnold shows us, it's trying to hide something there. And this particular one was in Poland, and the Polish bank accounts have a very definite format. The format is like,

I think it's 20 numbers, right, 20 digits. So this particular threat was targeting Polish users, so the aim was, whenever you would see a Polish bank account number with that particular format, it would replace it by another one. So in, for instance, a PDF or something that was being sent from the computer, or to the computer, that was infected, then replacing the bank account, whenever there was a payment to be made, then it would show the fake bank account and the money would go to the bad guys instead of to the real ones, right? It's just aiming at the small companies, you know, small companies today, they work a lot with PDFs, so they

send you an invoice, and please make the payment here, and then you make the payment, you confirm by email, very, very non-techie stuff. So what these bad guys managed to do, it's a memory scraper looking for that and replacing bank accounts by a different bank account. Where do they get that bank account? They don't make it up. They make an HTTP request, and within the request it's a nonsensical request such as /g4x6blahblah.txt, which doesn't even exist, right? Then it returns a 404, which is, it's a fake 404: instead of "Not Found" it's "Not Installed", which is a new HTTP thing that we have,

so it's "404 Not Installed", blah blah blah, and then as part of the response it has that blob. So when that, what that decodes to is the bank account, the Polish bank account that is being used to replace the real ones. So everything is happening through HTTP inside the return, not in the request, which is pretty cool, right? Because in the request it's a 404. When you're looking at it, if it wasn't "Not Installed" it should be a lot of fun, but if it was a "Not Found" then any device looking at this communication would see just, OK, somebody is trying to look for a page

and it returns a 404, no big deal, there's nothing happening there. There's actually a lot happening there, they're exchanging information. With this technique you can actually go for an HTTP response with, in the headers even, you can put there all sorts of stolen information and return a 404 Not Found. So it's pretty cool, it's a pretty cool technique. It's really underused. I think it has a lot of potential and I would expect that the bad guys smarten up and start using this at some point, because I think it's pretty inconspicuous. My conclusion here, it's, well, steganography, when you look at it from the technical perspective, is pretty cool. This is like the picture of Arnold, the guy, perfect body on the beach

with the woman, with the alcohol, really cool. So I think it's pretty cool, right, steganography, until it's being misused and abused by bad guys, because then you find yourself on the other side, right? You're trying to defend our users against it, and then you find yourself in a situation where it's very difficult to discern whether that communication that's happening, whether that blob of data that looks like a BMP, is hiding information or not, and it can be very tricky. So steganalysis is not a real option in the real world, because it just takes too long, it has a lot of false positives, or how do we have to look into it? Yeah, I don't

know, it's, for me, steganography is cool; when it starts being abused and misused it stops being cool. And that was my whole point. I hope you liked this. Thanks very much. If there's any questions, yeah?
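The fake-404 channel described for the Polish bank-account replacer in the fourth category, as an added detection example written for this page (it is not the malware's code and not from the talk). It parses a raw HTTP response, compares the reason phrase against the standard phrase for the status code (the speaker's point that "Not Installed" is not an HTTP thing), and checks whether an error response is carrying a body that does not look like an error page. Both responses are constructed; the "Not Installed" phrase is the one the talk quotes, and the 32-byte body is a placeholder standing in for the encrypted account string.

```python
"""Spot HTTP error responses that carry data instead of an error page (added example)."""
from http import HTTPStatus
from typing import Dict, List, Tuple


def parse_response(raw: bytes) -> Tuple[int, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into status code, reason phrase,
    lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    code = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, reason, headers, body


def inspect_error_response(raw: bytes) -> List[str]:
    """Return the indicators that a 4xx/5xx response is really a data channel.
    Non-error responses return no findings; they need different checks."""
    code, reason, headers, body = parse_response(raw)
    findings: List[str] = []
    if not 400 <= code <= 599:
        return findings
    try:
        expected = HTTPStatus(code).phrase
    except ValueError:          # unassigned code: nothing standard to compare to
        expected = None
    if expected is not None and reason != expected:
        findings.append(
            f"non-standard reason phrase {reason!r} for {code} (expected {expected!r})"
        )
    ctype = headers.get("content-type", "")
    if not ctype.startswith("text/"):
        findings.append(f"error body served as {ctype or 'no content-type'}")
    lowered = body.lower()
    looks_like_page = b"<html" in lowered or b"<!doctype" in lowered
    if body and not looks_like_page and not ctype.startswith("text/plain"):
        findings.append(f"{len(body)}-byte body does not look like an error page")
    return findings


# Constructed samples, not captured traffic.
NORMAL_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 48\r\n\r\n"
    b"<html><body><h1>404 Not Found</h1></body></html>"
)

# The reason phrase is the one quoted in the talk; the body is a placeholder
# 32-byte blob standing in for an encrypted bank-account string.
FAKE_404 = (
    b"HTTP/1.1 404 Not Installed\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 32\r\n\r\n"
    + bytes(range(0x90, 0xB0))
)

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL_404), ("fake", FAKE_404)):
        print(label, inspect_error_response(sample) or ["no findings"])
```

The reason-phrase check only catches the variant the speaker saw; the body checks are what survive once the operator fixes the phrase to "Not Found", which is exactly the "smarten up" case he predicts, and they are cheap enough to run on every 4xx a proxy sees.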

[Audience question, inaudible.] Right, oh right, changing it. Actually, when you have full control of everything that's happening you can do things like that. I believe it's Google and a few more, whenever you upload a JPG or an avatar, as a part of an avatar or something, they modify it, they resize it, so that you never get, you know, if you're putting stuff inside, the server will never have the same as what you uploaded. So that's happening already. Now doing that, yeah, I think it's pretty common, exactly, yeah. So if you manage to put stuff inside the image that's there, there's no guarantee, in fact it's almost zero percent chance that it's going to stay

as part of the resulting image when you have full control of everything, like a server, an HTTP server, accepting information. Then that's viable. If you're looking at that as moving data from one place to the next, like a firewall that just transports data, I'm not sure that would be viable, because if you have to resize every single JPEG or change every single JPG, I don't know if it would be viable. A lot... I'm not sure it's a possible solution anymore. Sure. BMP is preferred because BMP doesn't have any encoding, it's just pixel after pixel, in terms of, you know, a linear map of pixels. PNG, it's, I think it's like GIF, but it has an

open-source zip, the thing that it uses is open source. At the end it's the same as GIF, but it can be used for anything, but it's a plain zip, so it's very easy to change stuff. Not so with JPG. JPEG has an algorithm so that it encodes only one bit and then the rest it infers, so JPG is not used at all, but it tends to be either GIF, PNG or BMP. What happens with BMP is that, since it's a map of bits, it's just humongous, it ends up being super big, so it's not, it doesn't make sense, yeah, yeah. And it's not worth it, it's really not worth it when you can do PNGs, because at the end

of the day you're not even aware that this is happening, right? You get infected and then there's a request for HTTP and it returns with a PNG or whatever, so you don't even know what's happening, you know, you don't care, so it's not worth their time anymore. It depends, but normally it's one in eight, so every byte encodes one bit. So if it's only, like, 255 colors, that's kind of crap, right, it's a very crappy GIF, but if you would have, say, 24 bits per pixel, that's 16 million colors, 16,777,216 or so. Then you lose a lot, because you only get one bit for every four bytes,

that's a lot of information that you're missing out there. But yeah, it's up to you, I mean, steganography is just a tool, it's up to you to use it for whatever purpose you want. All right, thanks very much. [Applause]