YOU KNOW ALL too well at this point that all sorts of digital attacks are lurking on the internet. You could encounter ransomware, a virus, or a sketchy phish at any moment. Even creepier, though, some malicious code can actually hide inside other, benign software—and be programmed to jump out when you aren’t expecting it. Hackers are increasingly using this technique, known as steganography, to trick internet users and smuggle malicious payloads past security scanners and firewalls. Unlike cryptography, which works to obscure content so it can’t be understood, steganography’s goal is to hide the fact that content exists at all by embedding it in something else. And since steganography is a concept, not a specific method of clandestine data delivery, it can be used in all sorts of ingenious (and worrying) attacks.
Steganography is an ancient practice. When spies in the Revolutionary War wrote in invisible ink, or when Da Vinci embedded secret meaning in a painting, that was steganography. This works in the digital world, too, where a file like an image can be stealthily encoded with information. For example, pixel values, brightness, and filter settings for an image are normally changed to affect the image’s aesthetic look. But hackers can also manipulate them based on a secret code with no regard for how the inputs make the image look visually. This technique can be used for ethical reasons, such as to evade censorship or embed messages in Facebook photos. But these methods can also be used nefariously. For security defenders the question is how to tell the difference between an image that’s been modified for legitimate reasons and one that’s been changed to secretly contain malicious information.
“Nothing is the same twice, there’s no pattern to look for, and the steg itself is completely undetectable,” says Simon Wiseman, the chief technology officer of the British network security firm Deep Secure, which is working on steganography defense. “With advanced statistics, if you’re lucky, you might be able to get a hint that something’s strange, but that’s no good as a defense, because the false positive and false negative rate is still enormous. So detection does not work.”
A Wolf in Sheep’s Binary
That doesn’t mean people can’t discover attacks that use steganographic techniques and learn from how they work. These defense techniques, however, address other aspects of the attack, not the steganography itself. For example, financial institutions are increasingly dealing with unauthorized data exfiltration attempts in which a bad actor smuggles data like credit card numbers out past the organization’s scanners by masking the information in unremarkable files. This strategy can also be used to facilitate insider trading. Possible mitigations all have to do with limiting network access, monitoring who is interacting with the network, and restricting file adjustment, or sanitizing data before it leaves the network. These can be effective defense strategies, but none of them directly detects or addresses the steganographic techniques attackers are using.
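As an added illustration that is not from the article, Deep Secure, or McAfee: a constructed 8-bit pixel buffer with data hidden in the pixels’ low bits, next to the “sanitize data before it leaves the network” step described above, which wipes that hidden channel without having to detect it first. The function names, the cover image, and the sample payload are my own assumptions.

```python
import random

def embed_lsb(pixels, payload):
    """Hide payload in the low bit of each 8-bit sample, 2-byte length first."""
    bits = []
    for byte in len(payload).to_bytes(2, "big") + payload:
        bits.extend((byte >> i) & 1 for i in range(7, -1, -1))
    if len(bits) > len(pixels):
        raise ValueError("cover too small for payload")
    out = list(pixels)
    for i, b in enumerate(bits):
        out[i] = (out[i] & 0xFE) | b
    return out

def extract_lsb(pixels):
    """Read the 2-byte length prefix, then that many bytes, from the low bits."""
    def read(n_bytes, start):
        data = bytearray()
        for k in range(n_bytes):
            byte = 0
            for j in range(8):
                byte = (byte << 1) | (pixels[start + k * 8 + j] & 1)
            data.append(byte)
        return bytes(data)
    length = int.from_bytes(read(2, 0), "big")
    if 16 + length * 8 > len(pixels):
        return b""  # length prefix is noise: no coherent channel present
    return read(length, 16)

def sanitize(pixels, seed=0):
    """Content-disarm step: overwrite every low bit with a fresh random bit.
    Each sample moves by at most 1 of 255, so the image looks unchanged, but
    any LSB channel is wiped whether or not anything was ever detected."""
    rng = random.Random(seed)
    return [(p & 0xFE) | rng.getrandbits(1) for p in pixels]

def max_deviation(a, b):
    """Largest per-sample difference between two same-sized buffers."""
    return max(abs(x - y) for x, y in zip(a, b))

# Constructed cover: 64x64 gradient, one 8-bit grey sample per pixel.
COVER = [(x + y) % 256 for y in range(64) for x in range(64)]
SECRET = b"4111-1111-1111-1111"  # constructed stand-in for card data

if __name__ == "__main__":
    stego = embed_lsb(COVER, SECRET)
    print(extract_lsb(stego), max_deviation(COVER, stego))  # secret recovered, <= 1
    cleaned = sanitize(stego)
    print(extract_lsb(cleaned) == SECRET, max_deviation(stego, cleaned))  # False, <= 1
```

The same idea generalizes to re-encoding, resizing, or adding dithering noise on the way out: none of it detects steganography, it just denies the channel.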
McAfee Labs’ June threat detection report notes that steganography is being used in more diverse types of attacks than ever. Wiseman suspects that steganographic attacks aren’t so much on the rise as they are being discovered more often. What’s clear is that instead of being reserved for the most sophisticated hacks, steganography now crops up in malvertising, phishing, run-of-the-mill malware distribution, and exploit kits (like a tool called Sundown that is popular with hackers looking to exploit software vulnerabilities). It’s showing up in the bread-and-butter attacks of low-level cyber criminals in addition to advanced operations.
“The cat-and-mouse game between malware developers and security vendors is always on,” says Diwakar Dinkar, a research scientist at McAfee who contributed to the company’s recent threat report. “Steganography in cyber attacks is easy to implement and enormously tough to detect, so cyber criminals are shifting towards this technique.”
This proliferation may partly be due to commoditization of steganographic attacks. If a particular technique is easy to carry out, its inventor can sell instructions to cybercriminals who might not have been able to think of it themselves. In this way, shrewd techniques trickle down. The spread of these methods may also come from necessity, as security defenses improve and there are fewer easy hacks available to cyber criminals. Wiseman has observed criminals using steganography to send commands to malware that is already running on a victim’s computer. For example, the hacker tweets coded commands—something as minor as “Happy birthday, Lisa!! #bestfriendz81”—then the malware scans Twitter for that hashtag and interprets the hidden meaning. Lots of apps automatically check Twitter, so this behavior doesn’t seem unusual to a system scanner. It’s an easy way for an attacker to send instructions remotely without being discovered or leaving a trail that could point back to the malicious command and control server.
“You can’t see the steg in action, but you can see its effects,” Wiseman says. “And now that people are waking up to the fact that it’s out there, the discovery rate is going up.”
For individuals, the way to protect yourself from steganographic attacks is largely to stay vigilant about personal security overall. Whether a phish or a malvertising attack incorporates steganography or not, it still requires you to click on a link or download a file. So if you’re aware of these types of attacks, looking out for them, and securing your accounts with protections like two-factor authentication, you’ll reduce your risk and have defenses in place if you are attacked. But while helpful, these measures don’t address the larger challenge of actually detecting steganographic techniques in all of their infinite forms. “While we are thinking about steganography alone, malware authors might come up with a mixture of steganography and some other attack vector in future,” Dinkar says. “We should be ready to see an exponential growth in digital steganography attacks.”
At least we’ve moved beyond the approach to steganography that ancient Greek leader Histiaeus used in 440 BCE: shaving a trusted slave’s head, tattooing a secret message on his scalp, letting his hair grow in, and then sending him off to be shaved again by the message’s recipient. Or maybe those were the real glory days.