Hidden secrets laid bare
Steganography, the practice of hiding information, has been around for centuries. And in parallel to technological advances, steganography has also evolved and adapted with the advent of computers and the internet.
Digital steganography usually involves hiding data inside innocuous files such as images, videos, and audio.
Today, digital steganography is one of the important components in the toolboxes of spies and malicious hackers, as well as human rights activists and political dissidents.
What is steganography?
Steganography is the use of various methods to hide information from unwanted eyes. In ancient times, steganography was mostly done physically.
The oldest documented case of steganography dates to 500 BC, in which Histiaeus, the ruler of Milteus, tattooed a message on the shaved head of one of his slaves and let the hair grow back. He then sent the slave to the Aristagoras, his son-in-law, who shaved the slave’s head again and revealed the message.
In the centuries that followed, more modern forms of steganography were invented, such as invisible inks. Today, steganography has moved to the digital world.
“Steganography by definition is the hiding of one file within another,” says Ira Winkler, lead security principal at Trustwave.
How does steganography work?
Steganography works by hiding information in a way that doesn’t arouse suspicion. One of the most popular techniques is 'least significant bit (LSB) steganography. In this type of steganography, the information hider embeds the secret information in the least significant bits of a media file.
For instance, in an image file each pixel is comprised of three bytes of data corresponding to the colors red, green, and blue (some image formats allocate an additional fourth byte to transparency, or ‘alpha’).
LSB steganography changes the last bit of each of those bytes to hide one bit of data. So, to hide one megabyte of data using this method, you’ll need an eight-megabyte image file.
Since modifying the last bit of the pixel value doesn’t result in a visually perceptible change to the picture, a person viewing the original and the steganographically modified images won’t be able to tell the difference.
Steganography is the practice of hiding of one file within another
The same scheme can be applied to other digital media (audio and video), where data is hidden in parts of the file that result in the least change to the audible or visual output.
Another less popular steganography technique is the use of word or letter substitution. Here, the sender of the secret message hides the text by distributing it inside a much larger text, placing the words at specific intervals.
While this substitution method is easy to use, it may also make the text look strange and out of place, since the secret words might not fit particularly well into their target sentences.
There are other types of steganography, such as hiding an entire partition on a hard drive, or embedding data in the header section of files and network packets. The effectiveness of these methods depends on how much data they can hide and how easy they are to detect.
Who uses steganography?
Malicious hackers use steganography for a variety of tasks such as hiding malicious payloads and script files. Malware developers often use LSB steganography to hide the code for their malware in images of celebrities and famous songs and execute them with another program after the file is downloaded on the victim’s computer.
“The term ‘Trojan Horse’ is used to describe a dangerous file hidden within a harmless file. Macro attacks are a form of steganography as well,” Trustwave’s Winkler says.
“Steganography will be used by creative hackers whenever there is a need to bypass protections.”
Cybercriminals, however, are not the only actors who use steganography on a daily basis. Spies use the technique to communicate with their command center without arousing suspicion among their hosts.
Tech-savvy human rights activists and dissidents also use steganography when they want to send sensitive information.
Steganography is used by everyone from human rights activists to cybercriminals
Differences between steganography and cryptography
Steganography is often compared to cryptography. While steganography hides information, cryptography focuses on rendering the data unreadable to everyone except its intended recipient. Once a stream of data is encrypted, only a person who has access to its decryption key will be able to unlock it.
But if cryptography provides better protection for secret data, why use steganography at all?
The presence of cryptography reveals that something is hidden, and in many cases, this is enough to get the sender in trouble.
“In a highly monitored country, like say China or Iran or North Korea, cryptographic files can be detected and the very fact you are sending/receiving them could raise suspicion,” says security researcher John Ortiz.
“When they show up and put a gun to your head for the key, even the most secure crypto is worthless.”
Sometimes, steganography and cryptography are used together.
“Steganography and encryption are not actually mutually exclusive,” says Jerome Segura, director of threat intelligence at Malwarebytes. “The former is mainly a way to conceal data within an image file, but that data doesn’t have to be in clear text either.”
Segura and researchers at Malwarebytes have been recently investigating a case where attackers were using image-based steganography to hide encrypted data. Even if someone discovers the hidden data, they will still need to decrypt it to reveal its contents.
When do malicious hackers use steganography?
“Steganography, as any other obfuscation method, is a way the bad actor will use to keep their malicious code hidden for as long as possible,” says Fioravante Souza, threat research manager at Sucuri. “By embedding malicious code inside benign file types, the hackers increase their chances of getting past threat detection tools and security analysts.
“Such a stealth method makes it harder for security products to detect and protect against the threats that use them. Antivirus products do not usually scan for non-executable file headers (such as sound files, images),” says Ophir Harpaz, a security researcher at Guardicore.
In several cases, the attackers used steganography to hide their malware in images uploaded on social media networks and then used a local tool to download them onto the victims’ computers.
But the use of steganography in cyberattacks is not without its hurdles. “The key challenges with steganography in terms of malware or storing data is that the file size increases. For large amounts of data, it becomes easy to spot. But when it’s not, it becomes more troublesome to find,” says Cesar Anjos, an analyst at Sucuri.
Recent examples of steganography
Detecting steganography can be very tricky, but recent examples of steganography detected in malicious attacks include:
- January 2020: Researchers at Malwarebytes reported credit card skimmer code hidden in image files in compromised e-commerce websites.
- January 2020: Researchers at Guardicore Labs discovered a cryptominer that was hidden inside WAV audio files.
- August 2019: Researchers at TrendMicro find a new variant of keylogger and cryptocurrency stealer malware LokiBot which uses steganography to hide its malicious code inside a jpeg file.
- April 2019: a former GE engineer was charged with economic espionage. The employee had encrypted files containing GE’s proprietary information and hidden them in a photo of a sunset.
- December 2018: Malicious actors used steganography to hide malicious code in Twitter memes.
Last updated: February 2020
How to detect steganography
The practice of detecting steganography is called ‘steganalysis’. There are several tools that can detect the presence of hidden data such as StegExpose and StegAlyze. Some analysts use other general analysis tools such as hex viewers to detect anomalies in files.
Finding files that have been modified through steganography continues to remain a challenge, however. For instance, knowing where to start looking for hidden data in the millions of images being uploaded on social media every day is virtually impossible.
“The data looks like/sounds like noise, so it is difficult to distinguish from the existing noise. Or it is in very little data,” Ortiz says. “And there are so many different hiding techniques that you need multiple detection techniques to detect them – there is no one-size-fits-all”
Guardicore’s Harpaz warns: “Threat actors have a decent arsenal of steganography techniques they use as part of their modus operandi – it is not a new trend. As our research shows, it remains in the wild to this day and is not likely to disappear.”
READ MORE What is DDoS? A complete guide