The applications of steganography have moved beyond the scope of terror groups and intelligence agencies. One of the latest and rather depressing applications has been found by cyber criminals who have started embedding critical information into digital images.
According to an official at Dell SecureWorks, several customer sites have been infected by malware called ‘Lurk’. It compromised machines when the user clicked on a fraudulent digital image.
Brett Stone-Gross, a researcher at the Dell SecureWorks Counter Threat Unit, added that the technique is used against targeted victims, and that delivering hidden malware this way is very uncommon.
The company’s statement revealed that as many as 350,000 machines were infected by this malware, resulting in losses of a quarter of a million dollars.
Steganography Is Not New
In ancient times, Greek rulers would shave a slave’s head and tattoo a secret message on it. They would then wait for his hair to grow back and send him to another ruler carrying that message. The technique is still used in the digital age, but the tools have changed.
The arrest of an Al-Qaeda suspect in Berlin in 2011 gave rise to some interesting revelations. He possessed a memory card containing a password-protected folder of hidden files. When the German Federal Criminal Police (BKA) finally managed to access the contents of the card, they found a pornographic video named ‘KickAss’.
On further inspection, they found 141 text files hidden inside the video. These files detailed Al-Qaeda’s operations and future plans. Three of them were saved as ‘Report on Operations,’ ‘Lessons Learned,’ and ‘Future Works’.
This method of camouflaging critical files within a video is made possible by the well-known technique of Steganography.
Another incident of Steganography’s application came to the fore after a German foreign intelligence service official was caught in the US on charges of spying. Later on, the German magazine Der Spiegel disclosed that he possessed an encrypted program hidden in another program. A weather app on his computer turned into a secret crypto program when the user opened the New York weather page.
A peculiar piece of malware was discovered by researchers at the Laboratory of Cryptography and System Security in Budapest, Hungary in 2011.
The malware infected machines running Windows and sent critical information, especially about industrial control systems, to its command center via the Internet. Interestingly, exactly 36 days after infecting a machine, the malware automatically removed itself, leaving no trace of its presence. The name ‘Duqu’ came from the files it generates, which carry the prefix ‘DQ’.
A strange feature of this malware was its close similarity to Stuxnet, which was developed jointly by Israeli and US cyber warfare teams to strike Iran’s nuclear infrastructure. According to a security team, the purpose behind this malware is the only thing that differentiates it from Stuxnet.
Duqu’s modus operandi was its most interesting part. After collecting information from the machine, it encrypted it before embedding it into a JPEG file. The combination of steganography and encryption both hides the data’s existence and protects its contents.
Duqu’s purpose and its creators are still unknown. One of the high-profile victims of this malware was the US Department of Justice, whose financial details were compromised using steganography. A case involving a child pornography ring in 2002 saw information being exchanged using this technique. Further speculation suggested that a New York-based Russian spy ring may have used it to collect critical information.
Most intrusion detection and prevention products on the market have been unable to catch this malware, which has added to Duqu’s notoriety.
Lurk through Adobe Flash
Security researcher Kafeine was the first to disclose Lurk, revealing that this downloader malware spreads through iFrames on multiple websites and exploits the already installed Adobe Flash. Some of its high-profile victims included Livestrong and eHow.
However, not all versions of Adobe Flash are vulnerable to this attack. Once the exploit is triggered in a vulnerable version of Adobe Flash, Lurk begins downloading. The steganographic payload is downloaded as a plain white image. This image holds an encrypted URL from which a second payload is downloaded.
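The two carriers described above, Duqu’s data-bearing JPEG and Lurk’s “plain white” image, can both be screened with cheap heuristics. The following is an added example written for this article, not code from either malware family or from the researchers quoted: it checks a JPEG for bytes appended after its End-Of-Image marker and checks a near-white image for a noisy least-significant-bit plane. The sample inputs are constructed inline and are not real artifacts.

```python
import math

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def trailing_bytes_after_eoi(data: bytes) -> int:
    """Count bytes that follow the last JPEG End-Of-Image marker.
    A well-formed JPEG ends at EOI; appended data is a classic hiding spot."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    idx = data.rfind(JPEG_EOI)
    if idx == -1:
        raise ValueError("no EOI marker")
    return len(data) - (idx + len(JPEG_EOI))


def lsb_entropy(pixels: bytes) -> float:
    """Shannon entropy (bits) of the least-significant-bit plane of raw
    8-bit samples. A uniform image (all 0xFF) scores 0.0; embedded
    ciphertext pushes the score toward 1.0."""
    if not pixels:
        return 0.0
    p = sum(b & 1 for b in pixels) / len(pixels)
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))


def looks_like_white_carrier(pixels: bytes, threshold: float = 0.9) -> bool:
    """Flag an image that renders as (near-)white yet has a noisy LSB plane."""
    near_white = all(b >= 0xFE for b in pixels)
    return near_white and lsb_entropy(pixels) > threshold


# Constructed samples (hypothetical, not taken from any real sample)
CLEAN_JPEG = JPEG_SOI + b"\x00" * 16 + JPEG_EOI          # nothing after EOI
STUFFED_JPEG = CLEAN_JPEG + b"\x8a\x13\x77\xc0\x5e"      # 5 appended bytes
WHITE_CLEAN = b"\xff" * 64                                # true plain white
WHITE_NOISY = bytes(0xFE + (i % 2) for i in range(64))    # LSBs toggling

if __name__ == "__main__":
    print(trailing_bytes_after_eoi(STUFFED_JPEG))        # 5
    print(looks_like_white_carrier(WHITE_NOISY))         # True
```

Both checks are heuristics: a legitimate JPEG with trailing metadata or a dithered white image will also trigger them, so treat a hit as a reason to inspect the file, not as proof of a payload.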
A similar mode of operation was described by Symantec researchers about three years earlier, when they identified the group of attackers behind Operation Shady RAT. This group used steganography to hide its commands.
Malicious commands, such as instructing the machine to contact the C&C (Command and Control) server, were hidden inside innocuous images ranging from a woman wearing a hat to waterside scenery.
The click-fraud campaign through which Lurk spread relies on digital steganography, which is very difficult to detect. ‘Prevention is better than cure’ holds true for steganography-based malware, and one of the few pieces of advice offered by experts is to keep your software updated.