Steganography — ‘The Dark Cousin’ of Cryptography

Krishna Sai Marella
Published in Techiepedia
8 min read · Jan 30, 2021

Steganography is the technique of hiding a secret message inside an ordinary, non-secret message or file, so that the secret is not detected and does not fall into the hands of unwanted individuals. The aim is that an observer does not even realise a secret is being passed.

The word steganography is derived from the Greek steganos (hidden or covered) and graphein (to write).

Unlike cryptography, which scrambles data into an unreadable form that only someone holding the key can turn back into the original, steganography hides the data in plain sight: to anyone without prior knowledge, the carrier looks like a completely normal message or file. Put simply, cryptography protects the content of a message; steganography protects the fact that a message exists at all.

Steganography dates back to at least 440 BC in Greece. Herodotus describes a message tattooed onto the shaved head of a messenger; once his hair had grown back he travelled unnoticed, and on arrival the receiver shaved his head again to read the message. The technique evolved over time. During WW2 German agents used microdots, photographs shrunk to the size of a full stop, which looked like random specks on a page but carried whole documents.

With the growth of computing power we arrive at digital steganography, which is what earns the technique its nickname, cryptography's ‘dark cousin’. When we encrypt a message the result is visibly gibberish: anyone who intercepts it knows a secret is present, even if breaking it is impractical with the computing power available. With steganography the secret rides inside a legitimate-looking carrier that appears perfectly normal to the naked eye, so there is nothing obvious to attack. In practice the two are combined: the payload is encrypted first and then hidden. Even someone who suspects the carrier and extracts the hidden bits then gets random-looking data that reveals neither the content nor, on its own, proof that a message was ever there.

There are many types of steganography: image, video, audio, text, email and network steganography. There are also many techniques and algorithms for each; one of the best known is LSB (Least Significant Bit) manipulation. To understand LSB we need to know a little about how images and other digital media are built from bits, 1 and 0, where 1 stands for ‘on’ and 0 for ‘off’. An image is a grid of pixels, each with a specific colour. In a typical 24-bit RGB image each pixel is stored as three 8-bit values, one per colour channel, so each channel holds a number from 0 to 255; in an 8-bit greyscale image a pixel is a single 8-bit value.

For an RGB (Red, Green and Blue) pixel, one 8-bit value per channel:
Red   --> 10110111
Green --> 11011001
Blue  --> 10100100

Now let us consider an 8-bit value of 1 1 1 1 1 1 1 1. Read as binary, this is 255, the maximum intensity for that channel.

To perform steganography we need to change bits in the pixel, and which bit we change matters enormously.
If I flip the first bit, the one on the left-most end, to zero,
the value becomes 0 1 1 1 1 1 1 1 = 127, an almost 50% drop in intensity that is easy to spot when the modified pixel is placed next to the original.

If instead I flip the last bit, the one on the right-most end, the value becomes 1 1 1 1 1 1 1 0 = 254, a change of about 0.4% (1 part in 255). That is very hard to detect, since the result is practically identical to the original pixel.

So changing the right-most bit makes no visible difference, while changing the left-most bit produces an obvious change. The right-most bit is called the Least Significant Bit (LSB) and the left-most bit the Most Significant Bit (MSB). LSB steganography hides the secret by overwriting the least significant bits of the media: the message is converted to binary and each bit of it replaces the LSB of one pixel value in the image. One caveat: this works on losslessly stored pixel data such as BMP or PNG (and on uncompressed audio). Saving the result as JPEG recompresses the image and destroys the LSBs, which is why JPEG steganography tools hide data in the compressed DCT coefficients instead.

Let us consider a 4 × 4 block of 8-bit pixel values (one channel):

11111111 11011011 10001001 11011000
11011011 11111111 11110110 01111100
10001001 11110110 11111111 11110101
11110110 10001001 11011011 01111101

and, for the sake of simplicity, a secret message of the two letters 'ab',
which in ASCII is the 16 bits 01100001 01100010.

We now walk through the pixels in reading order and replace the Least Significant Bit of the first pixel with the first bit of the message (0), the LSB of the second pixel with the second bit (1), and so on. Sixteen message bits need sixteen pixels, so this block is exactly full; a real message would simply continue across the rest of the image.

Our 4 × 4 block is modified to:

11111110 11011011 10001001 11011000
11011010 11111110 11110110 01111101
10001000 11110111 11111111 11110100
11110110 10001000 11011011 01111100

Nine of the sixteen values changed, each by exactly 1 (the other seven already had the right LSB), so there is no perceptible change in the 4 × 4 block after the message is embedded.
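To make the walk-through concrete, here is the same LSB replacement as code, together with the extractor that reads the message back out. This is an added example, not code from the original article or from any particular tool; it uses the 4 × 4 values shown above and Python's standard library only.

```python
# Added example (not from the original article): LSB replacement on the
# article's 4 x 4 block of 8-bit pixel values, with the matching extractor.
# The cover values are the ones shown in the worked example above.

COVER = [
    0b11111111, 0b11011011, 0b10001001, 0b11011000,
    0b11011011, 0b11111111, 0b11110110, 0b01111100,
    0b10001001, 0b11110110, 0b11111111, 0b11110101,
    0b11110110, 0b10001001, 0b11011011, 0b01111101,
]


def to_bits(data):
    """MSB-first bit list of a byte string: b'a' (0x61) -> 0,1,1,0,0,0,0,1."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def from_bits(bits):
    """Inverse of to_bits; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def lsb_embed(cover, secret):
    """Overwrite the LSB of consecutive pixel values with the secret's bits.

    Capacity is one bit per value, so the message may not exceed len(cover)
    bits; every modified value moves by exactly 1 (255 -> 254, 124 -> 125 ...).
    """
    bits = to_bits(secret)
    if len(bits) > len(cover):
        raise ValueError(f"message needs {len(bits)} values, cover has {len(cover)}")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # clear bit 0, then set it to the message bit
    return stego


def lsb_extract(stego, nbytes):
    """Read nbytes * 8 least significant bits back out in the same pixel order."""
    return from_bits([value & 1 for value in stego[:nbytes * 8]])


def max_abs_change(cover, stego):
    """Largest per-value difference between cover and stego (1 for LSB embedding)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def as_rows(values, width=4):
    """Render values as rows of 8-bit binary strings, like the article's block."""
    return "\n".join(
        " ".join(f"{v:08b}" for v in values[r:r + width])
        for r in range(0, len(values), width)
    )


if __name__ == "__main__":
    stego = lsb_embed(COVER, b"ab")
    print(as_rows(stego))
    print("recovered:", lsb_extract(stego, 2))
    print("max change per value:", max_abs_change(COVER, stego))
```

Running it prints exactly the modified block shown above and recovers b'ab'. Two things a real tool adds on top of this bare version: it stores the payload length (here the extractor has to be told how many bytes to read) and it encrypts the payload before embedding, so the extracted bits are useless without the passphrase.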

Below are two images; one of them has gone through LSB steganography and carries a secret text.

Original image
Same image file with the secret message

The two images look identical and there are no visible changes, yet one of them carries a secret message. The payload is often ‘password’ protected as well, i.e. encrypted before it is embedded, to make detection harder: someone who pulls the LSBs out of a suspicious image gets random-looking data, and since the LSBs of a perfectly normal image also make no sense as ASCII, that alone raises no suspicion.

Like everything, steganography has both good and bad uses. On the good side it enables private communication for people whose governments spy on them. And if a rival organisation wants your trade secrets, you can hide your confidential documents inside a cute cat picture: when your adversaries get their hands on the compromised data, all they find is a cat (unless, of course, they know steganography well, which is why hiding should complement encryption rather than replace it).

The bad uses you can probably guess: terrorist and rebel groups contacting their members without the knowledge of the governments and security agencies that try to keep us safe, and in at least one criminal case individuals distributing child pornography hidden in innocuous files because it is hard for the authorities to detect. Nor is it only used for communication between individuals; state-sponsored actors, i.e. government-backed hackers, now use steganography to hide their malware from anti-virus detection. One example is ScarCruft, also tracked as APT37 (an Advanced Persistent Threat group believed to operate from North Korea). Its multi-stage infection chain combines a User Account Control (UAC) bypass, anti-virus installers and other advanced components with ordinary-looking image files that carry the next stage; the final payload is the cloud-based Remote Access Trojan known as ROKRAT, which can conduct espionage on the infected system. The hidden stages are encrypted first and then embedded in the images, which makes them very hard to flag unless the original, untouched picture can be found for comparison.

*PLEASE DO NOT OPEN THE LINKS BELOW. THEY MIGHT COMPROMISE YOUR DEVICE.*

Here are a few of the URLs used as part of the ScarCruft campaign (defanged):
http://34.13.42[.]35/uploads/1.jpg
http://34.13.42[.]35/uploads/2.jpg
http://34.13.42[.]35/uploads/qwerty.jpg
http://34.13.42[.]35/uploads/girl.jpg
http://34.13.42[.]35/uploads/girllisten.jpg
https://34.13.42[.]35/uploads/newmode.php
http://acddesigns.com[.]au/demo/red/images/slider-pic-6.jpg
http://kmbr1.nitesbr1[.]org/UserFiles/File/image/index.php
http://kmbr1.nitesbr1[.]org/UserFiles/File/images.png
http://www.stjohns-burscough[.]org/uploads/images.png
http://lotusprintgroup[.]com/images.png
https://planar-progress.000webhostapp[.]com/UserFiles/File/image/image/girl.jpg
https://planar-progress.000webhostapp[.]com/userfiles/file/sliderpic.jpg
http://www.jnts1532[.]cn/phpcms/templates/default/message/bottom.jpg
http://www.rhooters[.]com/bbs/data/m_photo/bottom.jpg
https://buttyfly.000webhostapp[.]com/userfiles/file/sliderpic.jpg

*PLEASE DONT OPEN THE LINKS*

Even today only a handful of anti-virus engines flag the links above as suspicious, and it is sad to see that AV vendors are not seriously pursuing StegWare (steganography + malware) detection.

VirusTotal detected engines

The screenshots above are VirusTotal scans of the URLs I listed; only 4–5 engines out of 79 flagged them as malicious.

Because these APTs (Advanced Persistent Threats) combine steganography with cryptography, StegWare is much harder to detect, and this is the reason steganography is called ‘The Dark Cousin’ of cryptography. Harder does not mean impossible, but it does call for real reverse-engineering effort and a proper understanding of digital media. For example, suppose you suspect an image of carrying StegWare and decide to compare the hash of the suspicious file with the hash of the original. Different hashes only tell you that the files differ, not why: if whoever sent you the image simply cropped it or adjusted its colour tone, the hashes differ just the same, so a side-by-side comparison of the two hashes leads nowhere. (A matching hash, on the other hand, does prove the file is untouched, which is why tracking down the pristine original is so valuable.) So what can you, as an individual, do to find out whether a file hides a payload or a secret message? For images and audio files the usual starting points are noise analysis and the histogram view. Let us look at the histograms of the cat images from the start of the article.

Histogram for the original image
Histogram for the stego image

As you can see there is quite a difference between the two histograms. I used a large secret file, which made detection easier: the bigger the payload, the more the histogram smooths out, because LSB replacement only ever moves a pixel between the two adjacent values 2k and 2k+1 and so pushes the counts of each such pair toward each other. Had I used a short text such as ‘Hello meet me by 1200 hr’, the histogram would barely move and the noise level of the image would hardly change, making detection much harder. Even so, sometimes the smallest change in the histogram or noise level is enough to warn us about a possible stego file.
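The histogram effect described above can be turned into a simple statistical check. The following is an added example, not from the original article or from any steganalysis tool: a simplified form of the Westfeld–Pfitzmann ‘chi-square attack’ that scores how lopsided each (2k, 2k+1) pair of histogram bins is. The cover data, the short secret and the ‘encrypted’ full-size payload (seeded pseudo-random bits) are all constructed here so the script runs offline.

```python
# Added example (not from the original article): a "pairs of values"
# histogram check for LSB replacement, a simplified form of the
# Westfeld-Pfitzmann chi-square attack. The cover is constructed so the
# script runs offline; it is not a real image.
import random
from collections import Counter

# Constructed cover: 2048 8-bit samples using only even values, 16 samples in
# each of the 128 (2k, 2k+1) pairs. Deliberately lopsided so the effect is clear.
COVER = [2 * ((i * 7) % 128) for i in range(2048)]

# A short payload like the article's, and a full-capacity payload of seeded
# pseudo-random bits standing in for an encrypted blob.
SHORT_SECRET = b"Hello meet me by 1200 hr"
_rng = random.Random(1)
FULL_BITS = [_rng.getrandbits(1) for _ in range(len(COVER))]


def bytes_to_bits(data):
    """MSB-first bit list of a byte string."""
    return [(b >> s) & 1 for b in data for s in range(7, -1, -1)]


def lsb_embed_bits(cover, bits):
    """Plain LSB replacement, the same operation as the article's worked example."""
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def pair_histogram(pixels):
    """{k: (count of value 2k, count of value 2k+1)} for k in 0..127."""
    h = Counter(pixels)
    return {k: (h[2 * k], h[2 * k + 1]) for k in range(128)}


def pair_sums(pixels):
    """Per-pair totals. LSB replacement only moves a sample between 2k and
    2k+1, so these totals are identical before and after embedding."""
    return {k: e + o for k, (e, o) in pair_histogram(pixels).items()}


def pair_imbalance(pixels):
    """Mean of |even - odd| / (even + odd) over the non-empty pairs.

    Natural data usually has unequal counts inside a pair; heavy LSB
    replacement with random-looking bits drives each pair toward equal
    counts, so the score falls toward 0. A sparse payload barely moves it,
    which is the article's point about short messages being hard to spot.
    """
    pairs = [p for p in pair_histogram(pixels).values() if sum(p)]
    return sum(abs(e - o) / (e + o) for e, o in pairs) / len(pairs)


def compare():
    """Imbalance score for the clean cover and for two embedding levels."""
    short = lsb_embed_bits(COVER, bytes_to_bits(SHORT_SECRET))
    full = lsb_embed_bits(COVER, FULL_BITS)
    return {
        "cover": pair_imbalance(COVER),
        "short_payload": pair_imbalance(short),  # 192 of 2048 samples touched
        "full_payload": pair_imbalance(full),    # every sample touched
    }


if __name__ == "__main__":
    for name, score in compare().items():
        print(f"{name:14s} pair imbalance = {score:.3f}")
```

The clean cover scores 1.0, the 24-byte message leaves it above 0.75, and the full-size payload drags it close to 0, while the per-pair totals never change. The real chi-square attack turns the same observation into a p-value over successive regions of the image; this simplified score just orders the candidates. Two caveats: it detects LSB replacement specifically (tools that use ±1 ‘LSB matching’ or hide data in JPEG coefficients are not caught this way), and a suspicious score is evidence that something is embedded, not a way to decrypt it.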

There are many steganography tools, and the free ones do the job as well as paid ones. The tool I use most often is Steghide, an open-source command-line tool that hides data in JPEG, BMP, WAV and AU files and, by default, encrypts the payload (AES-128) under a passphrase before embedding it. If you are a Windows user and prefer applications with a GUI, have a look at the link. Most of these tools offer encryption alongside the hiding, and you should use it.

In time we may see even more sophisticated steganography techniques that are harder still to detect. Whether that is a boon or a bane depends on how we put it to use and how well we can control it.

Special Mention:

  1. @z3roTrust and his articles at z3r0trust.medium.com; please do read his master's thesis on digital steganography as an advanced malware detection evasion technique.
  2. Kaspersky GReAT, 2019, on ScarCruft: link.

Krishna Sai Marella, Techiepedia
Malware Analysis and Forensics ❤ || In a love-hate relationship with cryptography || N00b Skiddie || ❤ You can bait me with a good cup of coffee ❤