Malware writers turn to ancient craft to hide viruses

"Hide And Seek" and "Victim Of Illusion" by Philip Kirkby

Sometimes it pays to look twice. A handful of the most capable malware authors are using an ancient technique to conceal their attacks, embedding malicious ones and zeros in pictures, audio and video to fool enterprise security systems and unsuspecting staff alike.

Virus writers were using the craft to conceal data critical to their attacks that might otherwise be detected and destroyed by anti-virus.

Images would be altered so slightly that the change is imperceptible to the naked eye and passes unnoticed by most automated security systems.

It seems fitting that hackers have adopted the ancient art of steganography. The technique traces back to the fifth century BC, when Demaratus, an exiled king of Sparta living at the Persian court, warned Sparta of Xerxes' imminent invasion of Greece by writing on the wood of a tablet and then covering it with the beeswax that normally carried the inscription.

It has been used ever since by governments, spies and anyone wishing to keep conversations concealed.

Steganography involves manipulating images, video and audio to embed hidden data. In the modern era the technique has been refined to the point where a benign image is visually indistinguishable from a copy carrying enough attack code to quietly compromise a machine.

"Overall, steganography has been used by malware in only a small percentage of cases, or at least, it's only been discovered to have been used in a few [complex] cases," Texas-based computer engineer John Ortiz, who has been studying steganography since completing a cryptography class as part of a master's degree, told CRN.

Ortiz gave a presentation at Black Hat Asia in Singapore where he detailed instances in which innocent-looking JPEG images were used to carry silent attacks.

Attack code embedded within images could contact remote command and control servers to download further malware components required in an attack. That code remains invisible to users and most security defences, Ortiz said, and is found only on close inspection of the image's so-called bit planes.
A bit plane

"It (steganography) is useful to evade network defences," Ortiz said. "For instance, a network defence system could scan incoming traffic for executable programs. One hidden in an image (or other media such as audio and video) will not be detected, so it is a good way to exchange."

Shady Rat, Alureon and ZeusVM are a few of the notable attacks that have used the technique against users and organisations, including enterprises and government agencies.

The first of these used booby-trapped pictures of an island, a painting or an attractive woman, which contained trojan code used to swipe intellectual property from some 70 enterprises and agencies across 14 countries over five years.

"While these commands are clearly visible to a user if they view the HTML code in a text editor, they look completely harmless, and indeed are harmless unless the file is parsed by the trojan on a compromised computer," Symantec researcher Hon Lau said speaking of the Shady Rat attack.

This sunset image contained ZeusVM money-stealing code

"[Steganography] may also be useful to disguise command and control data, or larger amounts of data being exfiltrated, since thousands of jpeg files are downloaded when simply browsing the web," he said.

Ortiz suggested that while malware was already effective at evading anti-virus, steganography may have given Shady Rat the boost it needed to remain undetected for its lengthy campaign.

"Obscuring the actual data can reduce the chance of detection in more protected networks. Sending encrypted data can be detected itself so sending data in a common file like jpeg may help."

He said systems that attempt to detect malware steganography are highly resource-intensive, unreliable and prone to false-positives.
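The bit-plane embedding described earlier, the scanner evasion Ortiz describes, and the detection problem he raises here, as an added example that is not part of the CRN article or of Ortiz's tool. It embeds a constructed stand-in for an executable (an "MZ" header followed by filler bytes) into the least-significant bit plane of a constructed 8-bit greyscale image, shows that a byte-level signature scan of the carrier never sees the header while bit-plane extraction recovers it, and runs a textbook pairs-of-values chi-square check in the style of Westfeld and Pfitzmann that flags the stego image but also flags a benign noise-dominated image, which is the false-positive problem in miniature. The image, the payload and the verdict threshold are all assumptions made for the demonstration.

```python
"""Added example (not from the CRN article or John Ortiz's tool).

Least-significant-bit (LSB) steganography round trip on a constructed
8-bit greyscale image, plus a pairs-of-values chi-square check in the
style of Westfeld and Pfitzmann. All inputs are constructed for the demo.
"""
import random
import struct

WIDTH = HEIGHT = 64
# Constructed 4-colour "logo" palette. Every level is even, so the clean
# cover's LSB plane is all zero; real photos are far messier than this.
PALETTE = (20, 90, 160, 230)


def make_flat_graphic():
    """Constructed cover: 16x16 blocks cycling through PALETTE."""
    return bytearray(PALETTE[(x // 16 + y // 16) % 4]
                     for y in range(HEIGHT) for x in range(WIDTH))


def make_noisy_photo(seed=7):
    """Constructed benign image dominated by noise (no payload inside)."""
    rng = random.Random(seed)
    return bytearray(rng.randrange(256) for _ in range(WIDTH * HEIGHT))


def make_fake_payload(seed=3):
    """Constructed stand-in for a dropped executable: MZ header + filler.
    508 bytes plus a 4-byte length prefix is exactly 4096 bits, one per pixel."""
    rng = random.Random(seed)
    return b"MZ" + bytes(rng.randrange(256) for _ in range(506))


def bytes_to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def bit_plane(pixels, plane):
    """Bit plane `plane` (0 = LSB) of an 8-bit greyscale buffer, as 0/1 values."""
    return [(p >> plane) & 1 for p in pixels]


def embed_lsb(pixels, payload):
    """Overwrite the LSB plane, pixel by pixel, with a length-prefixed payload.
    Each pixel changes by at most 1 of 255 levels, invisible to the eye."""
    bits = bytes_to_bits(struct.pack(">I", len(payload)) + payload)
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in the cover's LSB plane")
    stego = bytearray(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract_lsb(pixels):
    """Read the length prefix, then the payload, back out of the LSB plane."""
    plane = bit_plane(pixels, 0)
    (length,) = struct.unpack(">I", bits_to_bytes(plane[:32]))
    return bits_to_bytes(plane[32:32 + 8 * length])


def carrier_contains(pixels, signature):
    """What a byte-level signature scanner sees when it reads the carrier."""
    return signature in bytes(pixels)


def pair_chi_square(pixels):
    """Mean chi-square over histogram pairs (2k, 2k+1).

    LSB embedding of high-entropy data equalises each pair, driving the
    statistic towards 1; untouched images usually sit much higher."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        if even + odd:
            stat += (even - odd) ** 2 / (even + odd)
            pairs += 1
    return stat / pairs if pairs else float("inf")


def looks_like_lsb_stego(pixels, threshold=10.0):
    """Naive verdict; the threshold is an assumption for this demo."""
    return pair_chi_square(pixels) < threshold


def demo():
    cover = make_flat_graphic()
    payload = make_fake_payload()
    stego = embed_lsb(cover, payload)
    return {
        "scanner_sees_mz_in_stego": carrier_contains(stego, b"MZ"),
        "extracted_matches_payload": extract_lsb(stego) == payload,
        "max_pixel_delta": max(abs(a - b) for a, b in zip(cover, stego)),
        "clean_cover_flagged": looks_like_lsb_stego(cover),
        "stego_flagged": looks_like_lsb_stego(stego),
        "benign_noisy_photo_flagged": looks_like_lsb_stego(make_noisy_photo()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The flat-colour cover makes the clean verdict artificially easy: its occupied histogram pairs are entirely one-sided, so the statistic is huge until a payload is written. The noisy image shows the other side of the coin: with no payload at all, its pairs are already balanced, so the same check calls it stego, which is the sort of false positive that makes fleet-wide steganalysis impractical.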

Ortiz has developed a free tool, which he said would soon be published, that helps security professionals both design and detect steganography techniques for penetration testing and defence, and which he said would outmatch current technology.

The technique is still used by governments, with a reported case in 2010 in which Moscow allegedly sent messages to its spies in the US through seemingly benign images hosted on equally innocent-looking websites.

Its use will remain niche, Ortiz predicted, because modern cryptography is sufficient to help most malware writers conceal their attacks. "So, I think it will be used primarily as a toy," he said. "Probably the most practical use I would see is for someone living in a country that 'bans' certain types of speech such as political speech and pornography, or illegal transactions."

Copyright © CRN Australia. All rights reserved.
