Back in 2011, researchers at the Laboratory of Cryptography and System Security in Budapest, Hungary, discovered an unusual form of malicious software. This malware embeds itself in Microsoft Windows machines, gathers information particularly about industrial control systems and then sends it over the Internet to its command and control centre. After 36 days, the malware automatically removes itself, making it particularly hard to find.
They called this malware Duqu because it creates files with the prefix “~DQ”.
The software was unusual in a number of ways. Firstly, security researchers noticed that Duqu has a remarkable resemblance to the Stuxnet malware allegedly developed by US and Israeli cyber warfare teams to attack Iran’s nuclear capabilities. One security team said it was nearly identical to Stuxnet but with the completely different purpose of gathering information rather than attacking.
Most intriguing, though, is the way Duqu transmits information back to its control centre. It first encrypts this information and then embeds it in a JPEG file so that it looks like an innocent picture, a practice known as steganography. While encryption protects information, steganography hides the existence of a message in the first place.
Researchers are still studying Duqu to work out exactly its purpose and understand who created it. But the fact that this malware uses steganography to send information over the Internet is part of a worrying trend. In 2008, the US Department of Justice was a victim of steganography when sensitive financial details were allegedly leaked hidden inside JPEG images. In 2002, a child pornography ring was found to be exchanging information using steganography. And a Russian spy ring discovered in New York is known to have used steganography to send information back to its masters.
That raises a number of important questions. Just how widespread is Internet-based steganography, what kind of techniques does it exploit, and how can it be combated?
Today, we get a partial answer thanks to the work of Steffen Wendzel at the cyber defence research group at the Fraunhofer Institute for Communication, Information Processing and Ergonomics in Bonn, Germany, and a few friends. These guys give an overview of the way malware hides secret information within ordinary network transmissions and show that the number of different methods has increased dramatically in recent years.
Their particular focus is on network steganography– the hiding of information within ordinary network transmissions rather than on USB sticks or in physical images and so on. They point out that that network steganography is particularly attractive because there is no limit in principle to the amount of information that can be sent, unlike on a USB stick, for example.
What’s more, the opportunities to hide information in network transmissions have been growing at a rapid pace. In particular, a number of approaches have targeted IP telephony programs such as Skype, which have become increasingly popular in recent years.
In the past, network steganographers have exploited the TCP/IP protocols which have headers that contain information for routing data around the Internet. These headers also have unused fields that can be used to carry hidden information relatively easily.
Wendzel and co say that in recent years, the focus of attack has changed towards higher layer applications and services such as Skype, Bit Torrent and Google search and towards new network environments such as cloud computing. “Recently, we have experienced a change in the hidden data carrier selection,” they say.
For example, one approach called transcoding steganography or TranSteg, is to compress speech data so that it takes up less space and to use the space this frees up to carry covert data.
Another attack on speech data is to identify the data packets associated with the silence between words. These can then be packed with covert data.
An alternative approach is to attack Google searches, which bring up a list of the 10 most popular related search phrases as the user types. One attack intercepts the suggestions from Google’s servers and adds a unique word to the end of each of the 10 suggested phrases. The receiver simply extracts these added words and converts them into a message using a previously shared lookup table.
Perhaps the most worrying trend is the growing capability of smart phones, which today have capabilities that were available only on desktops and laptops in the recent past. Smart phones offer a panoply of steganographic possibilities because of their ability to record and send audio, video, still images as well as text files of various different kinds. What’s more, they are obviously mobile and can automatically connect to a variety of different networks.
Most frightening of all, these devices are uniquely vulnerable. “The security layers used in mobile OSs turn out to be barely adequate,” say Wendzel and co.
One form of malware called SoundComber captures personal data such as the digits entered into a smart phone keypad during a phone call and then transmits it using any one of a number of different methods such as predefined patterns of vibration, by changes in the volume level of the ring tone, by locking and unlocking the screen and so on.
All this represents a significant threat. “More than hundred techniques remain that transfer secret data using meta information, such as header elements or the timing of network packets,” say Wendzel and co.
The problem, of course, is to spot computers infected with steganographic malware either by directly searching for the malware itself or by looking for the tell-tale signs of steganography in the data they transmit.
That’s easier said than done. Anti-malware software generally looks for a predefined set of files that are known to be problematic. There is also software that offers data leakage protection which normalises the traffic being broadcast in the hope that this prevents network steganography. Other systems use machine learning to detect the tell-tale signs of steganography.
However, none of these approaches is perfect or anywhere near it. “Countermeasures cannot address all of these available hiding techniques simultaneously due to the complexity and diversity of protocols and services,” say Wendzel and co.
They point out that before a countermeasure that does do this can be built, researchers will need to come up with a new set of fundamental approaches to counter the newly evolving forms of steganography.
One thing is for sure: the detection and prevention of network steganography is set to become increasingly challenging as the threat from malware such as Duqu spreads. Be warned!
Ref: arxiv.org/abs/1407.2029 Hidden and Uncontrolled – On the Emergence of Network Steganographic Threats