By Ira Winkler, CISSP
Traditional anti-malware software detects malicious files by looking for known signatures. When a server or email client receives a file, the security software scans it for malware. However, if malware can somehow avoid being scanned, it has a chance to cause harm. Steganography is one proven way attackers avoid anti-malware solutions.
Steganography is a method for hiding one file (or any content) within another. There are countless ways to do this.
In traditional spy craft, one party would send a normal-looking letter to another party that would also include a message written with invisible ink. The ancient Greeks would shave a messenger’s head, write a message on the bald scalp, and wait for the hair to grow back before sending him to the intended recipient. There are other methods for hiding words in text, such as ensuring the second letter of each word formed the secret message. The commonality is hiding a message in plain sight.
Now, steganography has gone digital.
In digital steganography, one file is hidden in another in a way that is undetectable by a common bystander. For example, a file can be embedded into an image file in a way that doesn’t noticeably distort the image (e.g., using a least significant bit method). The receiving party knows of the presence of the hidden file and how to extract it.
A malicious attacker can leverage steganography to deliver an innocent-looking malicious payload to the victim’s system, and get it extracted and executed. There are many digital steganography methods for bypassing security controls, and this thesis has one of the best summaries.
Steganography may appear to resemble encryption, but there are key differences. While steganography may hide a file or other content, it doesn’t necessarily encrypt it. A hidden file, however, may be encrypted before it is hidden. This is especially true when the encryption also results in file compression, which in turn makes the file easier to hide and embed.
It is important to note that with encryption by itself, security tools know that the file is there. Hence, the file can potentially be isolated for further examination before it reaches its intended target. Steganography allows a malicious file to pass through a variety of screening tools, and then execute by exploiting an application that is not commonly attacked or considered a potential source of malicious activity.
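The least significant bit method mentioned above changes each sample by at most 1, which is why the image looks unchanged, but it also balances the counts of each value pair (2k, 2k+1), and a screening tool can test for that. The following is an added example, not code from the original article: a pairs-of-values chi-square check run over constructed synthetic data, where the function names, the threshold of 3.0 and the sample distribution are all assumptions chosen for illustration.

```python
import random
from collections import Counter

def pov_chi_square(samples, min_expected=5):
    """Chi-square per degree of freedom over value pairs (2k, 2k+1).

    Overwriting LSBs with random-looking bits equalises the two counts in
    each pair, pulling the score toward 1. An untouched cover with an
    uneven histogram scores far higher.
    """
    hist = Counter(samples)
    chi2, pairs = 0.0, 0
    for even in range(0, 256, 2):
        a, b = hist[even], hist[even + 1]
        expected = (a + b) / 2
        if expected < min_expected:  # sparse pairs make the statistic unstable
            continue
        chi2 += ((a - expected) ** 2 + (b - expected) ** 2) / expected
        pairs += 1
    return chi2 / pairs if pairs else float("inf")

def looks_lsb_embedded(samples, threshold=3.0):
    """Flag data whose pair counts are suspiciously balanced (illustrative threshold)."""
    return pov_chi_square(samples) < threshold

def make_samples(seed=1, n=200_000):
    """Constructed data: synthetic 8-bit 'pixels' and a copy with random LSBs."""
    rng = random.Random(seed)
    cover = [min(255, max(0, round(rng.gauss(128, 8)))) for _ in range(n)]
    # Stand-in for a fully embedded, encrypted payload: every LSB is a random bit.
    embedded = [(v & 0xFE) | rng.getrandbits(1) for v in cover]
    return cover, embedded

if __name__ == "__main__":
    cover, embedded = make_samples()
    print("largest per-sample change:", max(abs(c - e) for c, e in zip(cover, embedded)))
    for name, data in (("cover", cover), ("embedded", embedded)):
        print(f"{name:9s} score={pov_chi_square(data):6.2f} flagged={looks_lsb_embedded(data)}")
```

The signal weakens when only a small fraction of the samples carry hidden bits, so a check like this complements signature scanning rather than replacing it. Real image files must be decoded to pixel values before the histogram is taken.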
I will provide a live demo of a recent real-world attack that leveraged steganography in Nyotron’s upcoming webinar entitled “Steganography + Malware – a Match Made in Hacker Heaven” on January 15, 2020 at 1 pm EST/10 am PST.
Follow this link to register to attend, and we’ll email you a placeholder for your calendar.