Since the beginning of time, men have sought ways to secretly convey messages.
Perhaps none of these tools or methods has remained in use for as long as steganography.
Surprisingly, it has morphed with technology since medieval times and is still a powerful tool.
So, what is Steganography?
Steganography is the method of hiding some kind of communication – be it a file, an image, a video, or an audio file – inside of another file. These harmless-looking files conceal valuable data without any noticeable degradation of the host files’ quality.
That’s the short version.
Now, let’s take a deeper look into steganography, specifically looking at image steganography.
There are several methods for digital steganography.
However, to understand them, you first need a basic understanding of how images are composed.
Images are made up of pixels, right?
And those pixels are made up of bits.
Typically, these pixels are made up of 1 byte (8 bits) for black and white images and 3 bytes (24 bits) for color images.
Now for computers, those bits have a binary digit value: 0 or 1.
This brings us to the first method of steganography:
Least Significant Bit Method
Least Significant Bit (LSB) steganography takes advantage of the bits in binary.
This method of steganography works because of the bit structure of images.
If you change the last bit of a byte, no visible change is noticed.
That’s because the bit in the last place doesn’t have that much weight compared to everything else.
Here’s what I mean:
If you had 78,652,165 marbles (8 places' worth), would you notice if I added or took one?
LSB steganography can therefore change that last bit to carry the hidden message.
Sometimes, if the hidden message is very large, the last two bits will be taken for the message.
That, however, can lead to image degradation.
Let’s look at an example.
We want to encode this message via steganography:
And the first byte of the image pixel is:
And we’re going to be using the two least significant bits.
Nothing needs to change, right?
Ok, the next part of the message – 11.
The next byte in the image is
In this case, we only have to change one bit.
Not even much change to the image.
We could continue, but you get the point, right?
Changing the least significant bit or two has little effect on the image.
However, because it’s such a common method, researchers have begun developing a number of tools to detect the use of LSB steganography.
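The two-bit embedding walked through above, and one classic way such detection tools can work, as an added example that is not from the original article. The cover bytes, the payload and the function names are constructed for illustration, and the pair-of-values chi-square score is one well-known detection statistic chosen here, not a tool the article names.

```python
import random

def embed(cover: bytes, message: bytes, k: int = 2) -> bytes:
    """Overwrite the k least significant bits of each cover byte with message bits."""
    bits = "".join(f"{b:08b}" for b in message)
    bits += "0" * (-len(bits) % k)                  # pad to a multiple of k
    chunks = [int(bits[i:i + k], 2) for i in range(0, len(bits), k)]
    if len(chunks) > len(cover):
        raise ValueError("message does not fit in the cover")
    out = bytearray(cover)
    keep = 0xFF ^ ((1 << k) - 1)                    # mask that clears the low k bits
    for i, chunk in enumerate(chunks):
        out[i] = (out[i] & keep) | chunk
    return bytes(out)

def extract(stego: bytes, length: int, k: int = 2) -> bytes:
    """Read `length` message bytes back out of the low k bits."""
    needed = -(-length * 8 // k)                    # ceil(bits / k) cover bytes
    bits = "".join(f"{b & ((1 << k) - 1):0{k}b}" for b in stego[:needed])
    return bytes(int(bits[i:i + 8], 2) for i in range(0, length * 8, 8))

def pair_chi_square(data: bytes) -> float:
    """Chi-square over value pairs (2i, 2i+1). A low score means each pair occurs
    almost equally often, which overwriting LSBs with random-looking data causes."""
    hist = [0] * 256
    for b in data:
        hist[b] += 1
    score = 0.0
    for v in range(0, 256, 2):
        expected = (hist[v] + hist[v + 1]) / 2
        if expected:
            score += (hist[v] - expected) ** 2 / expected
    return score

def lsb_demo():
    rng = random.Random(7)
    # Constructed cover: 4096 bytes in which even values are about 3x as common as odd.
    cover = bytes((rng.getrandbits(7) << 1) | (rng.random() < 0.25) for _ in range(4096))
    # Constructed payload: random bytes standing in for compressed or encrypted data.
    message = bytes(rng.getrandbits(8) for _ in range(1024))
    stego = embed(cover, message)
    worst = max(abs(a - b) for a, b in zip(cover, stego))   # largest change to any byte
    recovered = extract(stego, len(message)) == message
    return recovered, worst, pair_chi_square(cover), pair_chi_square(stego)
```

No byte moves by more than 3 levels, yet the score drops sharply once the low bits are overwritten. Real images are less evenly skewed than this constructed cover, so practical detectors compare the score against a statistical threshold rather than a clean copy.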
Thus, another form of steganography was developed:
JPEG Discrete Cosine Transform Steganography
This method of steganography is a fair bit more complex than LSB.
I’ll make it super simple for you.
Let’s start with an understanding of Discrete Cosine Transform in image compression.
So, the cosine method of image representation uses cosine waves to represent images.
We can take two cosine waves and merge them together also.
This is what happens when an image is compressed.
But we don’t want a single weight of compression all the time, do we?
In Photoshop, for example, you can select what level of compression you want.
That means we can select the weight that each cosine wave has when we merge them.
One may be more and the other less.
Now, there are 64 basic cosine combinations that make up every image.
If you take a block of your image, say 8 pixels by 8 pixels, you can determine the “weight” that each pixel gives to the overall image.
That weight is the coefficient.
To be super simple, we’ll skip all the technicalities of calculating that coefficient.
However, what you need to know is that the blocks with lesser influence on the main image are bits that can get the hidden message added to them.
And overall, this method of steganography causes much less degradation to the image.
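The coefficient calculation skipped above, as an added example that is not from the original article: it computes the 64 cosine weights of one 8x8 block and measures how far the pixels move when a low-weight coefficient is changed by 1. The sample block and function names are constructed for illustration, and JPEG's quantization step is left out.

```python
import math

N = 8  # JPEG works on 8x8 pixel blocks

def _basis(u, x):
    """Value at position x of the u-th 1-D cosine wave (orthonormal DCT-II scaling)."""
    scale = math.sqrt(1 / N) if u == 0 else math.sqrt(2 / N)
    return scale * math.cos((2 * x + 1) * u * math.pi / (2 * N))

def dct2(block):
    """64 pixels -> 64 coefficients: the weight of each of the 64 cosine patterns."""
    return [[sum(block[x][y] * _basis(u, x) * _basis(v, y)
                 for x in range(N) for y in range(N))
             for v in range(N)] for u in range(N)]

def idct2(coeffs):
    """64 coefficients -> 64 pixels (exact inverse of dct2)."""
    return [[sum(coeffs[u][v] * _basis(u, x) * _basis(v, y)
                 for u in range(N) for v in range(N))
             for y in range(N)] for x in range(N)]

def dct_demo():
    # Constructed 8x8 block: a smooth brightness ramp, like a patch of sky.
    block = [[100 + 4 * x + 2 * y for y in range(N)] for x in range(N)]
    coeffs = dct2(block)
    energy = sum(c * c for row in coeffs for c in row)
    dc_share = coeffs[0][0] ** 2 / energy       # share carried by the flat pattern
    nudged = [row[:] for row in coeffs]
    nudged[5][6] += 1.0                         # change one low-weight coefficient by 1
    after = idct2(nudged)
    max_shift = max(abs(after[x][y] - block[x][y])
                    for x in range(N) for y in range(N))
    return dc_share, abs(coeffs[5][6]), max_shift
```

For this block more than 99% of the energy sits in the single flat coefficient, and the nudged high-frequency coefficient shifts every pixel by less than a quarter of one brightness level.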
It’s a known fact:
Cybersecurity and cybercrime are locked in a constant game of cat and mouse.
And there doesn’t appear to be any end in sight to that.
Attackers’ use of steganography is a perfect example of this.
A typical cyber attack would work something like this:
The attackers gain a foothold on a network.
They then pivot that foothold and seek to gain access to more valuable assets.
Once they find the data they want, they begin exfiltration.
Usually, this is to a command and control server of some form.
The problem is that security analysts and systems can usually detect this kind of behavior if alerts are properly configured.
To get around this, cyber criminals have begun making use of steganography a lot more recently.
Kaspersky Labs has caught several attacks in the past few years where attackers were using steganography to exfiltrate data clandestinely.
We don’t have the tools to detect these kinds of attacks.
There has also been an increase in the use of steganography to hide and distribute malware.
In fact, numerous attacks in the past few years have hidden malicious code inside of images.
The Stegoloader malware is a sophisticated piece of malware that hides its payload in images.
When the malware is first deployed, only the main module is installed.
It then runs several tests to be sure that it is not in a sandbox or analysis environment.
If it detects one, it terminates itself.
Otherwise, it begins the process of downloading and installing more modules.
And this is where stego comes in.
The first module that is downloaded comes in an image.
Researchers at Dell’s SecureWorks found that this image, which came from a valid hosting provider, had the malware hidden in the least significant bits.
The malware continues to download modules and report to the command and control server as needed.
And this is only one of several examples from the last few years where attackers have used images to ferry malicious payloads.
Kind of scary when we don’t really have systems capable of recognizing it, right?
As you can see, cybercriminals are smart and adaptive individuals.
Researchers work on developing tools and systems to identify attack methods, and attackers are forced to adapt and develop new methods of attack.
Steganography is one of those attack methods that security researchers are working to conquer.
Unfortunately, they haven’t yet.
Thus, attackers are adapting and using it to their advantage.
Hopefully, in the future, this will change.
For now, steganography remains a powerful method of concealing messages and data.