hiding in the familiar
play

HIDING IN THE FAMILIAR: STEGANOGRAPHY AND VULNERABILITIES IN POPULAR - PowerPoint PPT Presentation

Oct 02, 2022 •132 likes •606 views

BlackHat Europe 2010, Barcelona Mario Vuksan, Tomislav Pericin & Brian Karney HIDING IN THE FAMILIAR: STEGANOGRAPHY AND VULNERABILITIES IN POPULAR ARCHIVES FORMATS Agenda Introduction to steganography in archives Introduction to

  1. BlackHat Europe 2010, Barcelona Mario Vuksan, Tomislav Pericin & Brian Karney HIDING IN THE FAMILIAR: STEGANOGRAPHY AND VULNERABILITIES IN POPULAR ARCHIVES FORMATS

  2. Agenda  Introduction to steganography in archives  Introduction to file format “malformations”  Steganography implications  Vulnerability implications  Demonstrations  Quick and dirty hex editing  Hide text and file data  Invent our own file format  Introduction to NyxEngine

  3. Steganography “ Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. The word steganography is of Greek origin and means concealed writing. ” Steganography

  4. Steganography History  Ancient Fascination  Rumours & Conspiracies  From Pearl Harbor to Al-Qaida & eBay  2008 arrest  British Muslim, Rangzieb Ahmed used invisible ink to write down Al-Qaida telephone directory  Difference is in the purpose  Malicious Uses  Private communication for illicit purposes, so-called Stego  Legitimate Uses  Watermarking, DRM, Movies (CAP – Coded Anti-Piracy), Medical Images Tracking

  5. Malicious Angle on Stego  Types  Messages  Images  Media Files  Open source projects  600+ different tools  Private/commissioned tools  Obscurity is power  Detection  StegoTool discovery  Brute Force

  6. Reality  Why can’t we find any good stories about stego in the wild?  It could be due to the fact it really is not that prevalent in the wild  It could be that analysts are not really looking so they never find it  That most media based approaches have many weakness and make it hard to hide large amounts of data.  That the best method to identify stego is to find the tools based off of Hashes

  7. New Paradigms for Forensics  Traditional Steganography  Typical stego is thought of embedding data into media files (audio files, JPG, BMP, GIF, PNG )  New paradigm for Stego: Shift away from media  to archive files (zip,cab..)  other approaches such as SFS (Stego File System)  Other novel approaches

  8. Investigating Stego in Archives  Why it is relevant from an investigative perspective?  Easier way to hide larger payloads in plain sight  Not easy to identify using existing methods  blind anomaly-based approach  image analysis using image filters  audio analyzer  Signature analysis (substitution)  Using hashes to identify tools is pointless  Makes you always question what is inside the archive

  9. Archive formats  Most common file formats found in every Microsoft Windows, Unix and Mac OS system Windows Unix File formats are not binded to operating system

  10. ZIP file format  Most common archive file format in use today  The format was originally created in 1986 by Phil Katz for PKZIP  Format is fully documented by PKWARE (32k line text file)  The PKZIP format is now supported by many software utilities :  Microsoft Windows has included built-in ZIP support  WinZIP (most popular ZIP archiver program) – www.winzip.com  PowerArchiver - www.powerarchiver.com  WinRAR – www.rarlab.com  7ZIP - www.7-zip.org  Format supports:  Error recovery, multi-disk spanning, encryption and SFX  Multiple compression algorithms in use (DEFLATE)

  11. RAR file format  Very popular archive file format  The format was as developed by Eugene Roshal  Format is partially documented by developer (TechNote)  The RAR format is now supported by many software utilities :  RAR format ships with a free decompressor library (SDK)  WinRAR – www.rarlab.com  WinZIP – www.winzip.com  PowerArchiver - www.powerarchiver.com  7ZIP - www.7-zip.org  Format supports:  Error recovery, multi-disk spanning, encryption and SFX  Compression algorithms based on LZ and PPMd

  12. CAB file format  Common installer file format (rarely used by users)  CAB is the Microsoft Windows native compressed archive format  Format is fully documented by Microsoft (20 page PDF)  The cabinet format is now supported by many software utilities :  Microsoft Windows has included built-in CAB support  PowerArchiver (can compress) - www.powerarchiver.com  WinZIP – www.winzip.com  WinRAR – www.rarlab.com  7ZIP - www.7-zip.org  Format supports:  Multi-disk spanning, digital signing and SFX  Uses LZX, DEFLATE, Quantum and MsZIP compression

  13. 7Zip file format  Very common archive file format used today  The format was created in 2000 and is developed by Igor Pavlov  Format processor is free and open source (LGPL license)  Format is fully documented by developer (series of text files)  The 7Zip format is now supported by many software utilities :  7ZIP - www.7-zip.org  WinZIP – www.winzip.com  PowerArchiver - www.powerarchiver.com  WinRAR – www.rarlab.com  Format supports:  Multi-disk spanning, encryption and SFX

  14. GZip file format  Most common archive file format in use today (on Unix)  Gzip was created by Jean-Loup Gailly and Mark Adler in 1992  Format is fully documented in RFC 1952 (few pages from 1996)  The Gzip format is now supported by many software utilities :  WinZIP (most popular ZIP archiver program) – www.winzip.com  PowerArchiver - www.powerarchiver.com  WinRAR – www.rarlab.com  7ZIP - www.7-zip.org  Format supports:  Single file compression (commonly used with TAR)  Uses DEFLATE compression algorithm

  15. File format malformations  All files present on any system are binary files Hex Editor  Malformation goals:  Steganography  Hide file(s) or any other message from view  Steganography process must be reversible  Vulnerability exploiting  Don’t hide anything but break archive processors  Fuzzing doesn’t apply to this scenario

  16. File format malformations  Malformation is achieved by:  In-depth knowledge of file format specification  Loose use of file format specification  Usage of rarely used file fields  “Weird” file hybrid method  Try-and-error method  Steganography is achieved by:  All of the above  Injecting data

  17. Previous work…  Archive malformation tests  Last set of tests performed in 2004 by iDefense  Implications:  “The vulnerability was caused by the fact that some archive compression/decompression software (including WinZip) incorrectly handles compressed files with deliberately damaged header fields, thus, in-fact, allowing creation of the damaged archive files, that could be automatically repaired on the victims computer without notifying the user.” - ESET

  18. ReversingLabs|Testing  ReversingLabs archive inspection tests: File format identification 1.  Optimization: Fastest and most accurate methods File format validation 2.  Package validation: Archive data corruption  Vulnerabilities Steganography 3.  Interesting data detection  Data s elf-destruction?

  19. ReversingLabs|Results  ReversingLabs archive inspection test results:  Steganography standpoint:  Multiple ways to hide file(s) and data in all formats  Vulnerability standpoint:  High probability of malware detection evasion  Anti-Malware scanners  15 reported vulnerabilities (more pending)  Gateway scanners  IPS appliances Low impact on protected endpoints

  20. Archive steganography|ZIP  Steganography is achieved by:  Compressed file name modification (NULL byte)  Changes to internal ZIP structures  Number of packed files decrementing  Data camouflage by extra fields utilization  Moving the central directory  Injecting data

  21. Archive steganography|ZIP  Steganography implications:  Data can be hidden in ZIP archives  Data can also be hidden in OOXML file format  Data self-destruction:  Steganography data can be removed by user actions

  22. Archive steganography|ZIP  Steganography implementations:  Zipped Steganography by Corinna John (CPOL)  Can hide multiple files which are stored before central dir  Can encrypt the hidden files with a password  ZJMask by Vincent Chu (freeware)  Can hide only one file and it is pre-pended to the archive  Can encrypt the hidden file with a password

  24. Archive vulnerabilities|ZIP  Discovered vulnerabilities:  RLC_VSA_001 – Extensive header modification  Vulnerability:  Reversible steganography implementation  Central ZIP directory fields used to store information  Intentionally damaged local ZIP directory  Replaced file name first letter with zero  Implication:  Some scanners stopped scanning on hidden file

  25. Archive vulnerabilities|ZIP  Discovered vulnerabilities:  RLC_VSA_002 – Password only for the first file  Implication:  Some scanners stopped scanning at that point assuming that the whole archive was password protected

  26. Archive vulnerabilities|ZIP  Discovered vulnerabilities:  RLC_VSA_006 – ZIP appended to ZIP SFX  Vulnerability:  File is compressed and converted to ZIP SFX  Another ZIP file is appended and aligned to it  Implication:  Some scanners inspected only appended file

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

HIDING IN THE FAMILIAR: STEGANOGRAPHY AND VULNERABILITIES IN POPULAR ARCHIVES FORMATS Agenda

HIDING IN THE FAMILIAR: STEGANOGRAPHY AND VULNERABILITIES IN POPULAR ARCHIVES FORMATS Agenda

BlackHat Europe 2010, Barcelona BlackHat Europe 2010, Barcelona Mario Vuksan, Tomislav Pericin & Brian Karney HIDING IN THE FAMILIAR: STEGANOGRAPHY AND VULNERABILITIES IN POPULAR ARCHIVES FORMATS Agenda Introduction to steganography in

696 views • 43 slides
Information hiding Information hiding Notice how a user of a service being provided by an

Information hiding Information hiding Notice how a user of a service being provided by an

Information hiding Information hiding Notice how a user of a service being provided by an object, need only know the name of the messages that the object will accept. They need not have any idea how the actions performed in response to

474 views • 34 slides
Objectives become familiar with the idea of recursion learn to use recursion as a

Objectives become familiar with the idea of recursion learn to use recursion as a

Objectives become familiar with the idea of recursion learn to use recursion as a programming tool Recursion become familiar with the binary search algorithm as an example of recursion Chapter 11 become familiar with the merge

616 views • 18 slides
Survey Results Roz Roseboro, Senior Analyst 1 How familiar are you with the OPNFV project? 28%

Survey Results Roz Roseboro, Senior Analyst 1 How familiar are you with the OPNFV project? 28%

Survey Results Roz Roseboro, Senior Analyst 1 How familiar are you with the OPNFV project? 28% 72% Very familiar Somewhat familiar Source: Heavy Reading survey, October 2015, n=218 What type of company do you work for? Fixed-line telecom

416 views • 27 slides
MAKING THE STRANGE, FAMILIAR AND THE FAMILIAR, STRANGE: THE ROLE OF ANTHROPOLOGY IN COMMUNITY

MAKING THE STRANGE, FAMILIAR AND THE FAMILIAR, STRANGE: THE ROLE OF ANTHROPOLOGY IN COMMUNITY

MAKING THE STRANGE, FAMILIAR AND THE FAMILIAR, STRANGE: THE ROLE OF ANTHROPOLOGY IN COMMUNITY COLLEGE INTERNATIONAL STUDY EXCHANGE Saturday, April 14 th , 2018 for SACC San Diego Regional Conference at San Diego Miramar College By Arianne M.

90 views • 8 slides
LMS5xx Familiar Housing : LMS500 looks like the familiar S3000 safety scanner : But -- the

LMS5xx Familiar Housing : LMS500 looks like the familiar S3000 safety scanner : But -- the

: LMS5xx More than meets the eye! Auto Identification LMS5xx Familiar Housing : LMS500 looks like the familiar S3000 safety scanner : But -- the housing is only shared component! : LMS500 - Faster rotating mirror - More powerful laser

384 views • 15 slides
POKING HOLES IN INFORMATION HIDING Angelos Oikonomopoulos Elias Athanasopoulos Herbert Bos

POKING HOLES IN INFORMATION HIDING Angelos Oikonomopoulos Elias Athanasopoulos Herbert Bos

POKING HOLES IN INFORMATION HIDING Angelos Oikonomopoulos Elias Athanasopoulos Herbert Bos Cristiano Giuffrida Vrije Universiteit Amsterdam Teaser Break ideal information hiding in seconds Few probes, typically no crashes

854 views • 33 slides
David Lorge Parnas When the first papers on information Hiding were published (1970-72) ,

David Lorge Parnas When the first papers on information Hiding were published (1970-72) ,

Middle Road Software, Inc. How Precise Documentation allows Information Hiding to Reduce Software Complexity and Increase its Agility" David Lorge Parnas When the first papers on information Hiding were published (1970-72) , reaction

845 views • 47 slides
So, how many are familiar with IRC?

So, how many are familiar with IRC?

So, how many are familiar with IRC? How about ICQ? Presence: The ability to see when your friends (or whoever is on

485 views • 7 slides
Forensic Data Hiding Optimized for JPEG 2000 Dieter Bardyn, Johann A. Briffa, Ann Dooms and Peter

Forensic Data Hiding Optimized for JPEG 2000 Dieter Bardyn, Johann A. Briffa, Ann Dooms and Peter

Forensic Data Hiding Optimized for JPEG 2000 Dieter Bardyn, Johann A. Briffa, Ann Dooms and Peter Schelkens May 18, 2011 Overview Image adaptive data hiding Overview Image adaptive data hiding Overview Image adaptive data hiding

778 views • 60 slides
IBM Assumptions Audience is familiar with Selenium IDE or other automation tools.

IBM Assumptions Audience is familiar with Selenium IDE or other automation tools.

Srilu ilu Pi Pinjal jala a ( Srid idevi ) IBM Assumptions Audience is familiar with Selenium IDE or other automation tools. Familiar with Record and Playback and Analyzing the results of Playback. I am positive that you can take

638 views • 32 slides
Exercise Goals Get you familiar with the tools we use for configuring, testing and analyzing

Exercise Goals Get you familiar with the tools we use for configuring, testing and analyzing

Exercise Goals Get you familiar with the tools we use for configuring, testing and analyzing the MSR Get you familiar with building and running an MSR MSR Tutorial Not worry about a lot of MSR internal details Group Exercises

447 views • 9 slides
You never know what is hiding in plain sight. Consider what was hanging above the hotplate in the

You never know what is hiding in plain sight. Consider what was hanging above the hotplate in the

Feast of the Presentation of the Lord Lumen ad revelationem gentium February 1-2, 2020 Readings: Malachi 3:1-4; Hebrews 2:14-18; Luke 2:22-40 You never know what is hiding in plain sight. Consider what was hanging above the hotplate in the

510 views • 3 slides
1 Objectives Be familiar with background information and Health Effects. Have a General

1 Objectives Be familiar with background information and Health Effects. Have a General

1 Objectives Be familiar with background information and Health Effects. Have a General Understanding of Sampling Protocols and Interpretation of Lab Results. Be familiar with Regulatory Terms and Definitions. Objectives(continued)

603 views • 42 slides
Dig In: Get Familiar with the Code to Be a Better

Dig In: Get Familiar with the Code to Be a Better

W11 Test Techniques 2019-05-01 13:30 Dig In: Get Familiar with the Code to Be a Better Tester Presented by:

574 views • 30 slides
A Test Bed for Data Hiding in Financial Transactions Dylan Leigh Supervisor: Dr Ron van Schyndel

A Test Bed for Data Hiding in Financial Transactions Dylan Leigh Supervisor: Dr Ron van Schyndel

A Test Bed for Data Hiding in Financial Transactions Dylan Leigh Supervisor: Dr Ron van Schyndel The aim of this project is to develop a framework to allow experiments with data hiding in financial transactions, and for detecting the use of

363 views • 11 slides
V is for Algorithmic Paradigms Huffman Compression Virtual Memory Part 1 of 4 When

V is for Algorithmic Paradigms Huffman Compression Virtual Memory Part 1 of 4 When

Compsci 201 V is for Algorithmic Paradigms Huffman Compression Virtual Memory Part 1 of 4 When 4Gb becomes the cloud Virtual Reality IRL isn't cutting it? Susan Rodger April 15, 2020 4/15/2020 Compsci 201, Spring 2020 1

250 views • 13 slides
Functional Mock-up Interface Thierry S. Nouidui and Michael Wetter Simulation Research Group

Functional Mock-up Interface Thierry S. Nouidui and Michael Wetter Simulation Research Group

Functional Mock-up Interface Thierry S. Nouidui and Michael Wetter Simulation Research Group July 22, 2015 1 Overview The purpose is to 1. understand the Functional Mock-up Interface (FMI) and Functional Mock-up Unit (FMU) 2. learn how to

701 views • 15 slides
DupHunter : Flexible High-Performance Deduplication for Docker Registries Nannan Zhao , Hadeel

DupHunter : Flexible High-Performance Deduplication for Docker Registries Nannan Zhao , Hadeel

DupHunter : Flexible High-Performance Deduplication for Docker Registries Nannan Zhao , Hadeel Albahar, Subil Abraham, Keren Chen, Vasily Tarasov, Dimitrios Skourtis, Lukas Rupprecht, Ali Anwar, and Ali R. Butt Containers are ubiquitous OS

1.61k views • 76 slides
Office Hours: COVID-19 Planning and Response May 15, 2020 Housekeeping A recording of

Office Hours: COVID-19 Planning and Response May 15, 2020 Housekeeping A recording of

Office Hours: COVID-19 Planning and Response May 15, 2020 Housekeeping A recording of todays session, along with the slide deck and a copy of the Chat and Q&A content will be posted to the HUD Exchange within 2-3 business days

688 views • 34 slides
HaLoop: Efficient Iterative Data Processing On Large Scale Clusters Yingyi Bu, UC Irvine Horizon

HaLoop: Efficient Iterative Data Processing On Large Scale Clusters Yingyi Bu, UC Irvine Horizon

HaLoop: Efficient Iterative Data Processing On Large Scale Clusters Yingyi Bu, UC Irvine Horizon http://clue.cs.washington.edu/ Bill Howe, UW Magda Balazinska, UW Michael Ernst, UW Award IIS 0844572 Cluster Exploratory (CluE) QuickTime

579 views • 41 slides
Reverse Engineering Paul deGrandis Applications Software Maintenance Source Code and

Reverse Engineering Paul deGrandis Applications Software Maintenance Source Code and

Reverse Engineering Paul deGrandis Applications Software Maintenance Source Code and Documentation Engineering Virus Analysis Malware Virus Needs a vector for propagation Worm No vector needed Can spread by

320 views • 21 slides
OpenBox: A Software-Defined Framework for Developing, Deploying, and Managing Network Functions

OpenBox: A Software-Defined Framework for Developing, Deploying, and Managing Network Functions

OpenBox: A Software-Defined Framework for Developing, Deploying, and Managing Network Functions Yotam Harchol The Hebrew University of Jerusalem Joint work with Anat Bremler-Barr and David Hay THE HEBREW This research was supported by the

467 views • 24 slides
Recorder 2.0: Efficient Parallel I/O Tracing and Analysis Chen Wang, Jinghan Sun and Marc Snir

Recorder 2.0: Efficient Parallel I/O Tracing and Analysis Chen Wang, Jinghan Sun and Marc Snir

Recorder 2.0: Efficient Parallel I/O Tracing and Analysis Chen Wang, Jinghan Sun and Marc Snir Kathryn Mohror and Elsa Gonsiorowski Department of Computer Science Center for Applied Scientific Computing University of Illinois at

307 views • 11 slides

More recommend