Fighting steganography detection
(benign viri as defence against sniffing)
noanon
Reverser's Anonymity Academy

by Fabian Hansmann

(04 January 1997, slightly edited by reverser+)


Courtesy of reverser's page of reverse engineering
Well, for once I'm hosting an essay of a person that does not use handles nor avatars nor nicknames: Fabian Hansmann, the Author of Steganos, one of the most interesting Stenographical applications on the scene. His idea of using a benign virus in order to spread noise is interesting, yet not new (some +masters have already prepared long ago a 'benign' cracking virus -antibil7.com- that registers Micro$oft's timelimited targets WITHOUT NOTICING the owner of the PCs where these targets are found :-)
So Fabian's idea can be implemented, moreover we will of course begin ourselves, during 1998, to 'deepen' (in a reversing sense) our knowledge of the whole steganographical existing bazaar... and I'm happy that we'll work hand in hand with steganographical experts (and nette Leute) like Fabian (and maybe other Authors as well as it seems)

Fighting steganography detection by Fabian Hansmann
During the last years steganography was well known among academic people and hackers only. Meanwhile - especially in 1997 - the situation changed: steganography software started to enter the mass market e.g. via freeware and shareware. Computer magazines discovered this interesting topic. People trust Steganographic systems since they just do not see or hear any difference between a file carrying information and one that does not. Computer based steganography implementations are a very new technology which has never passed a dialectic process comparable to the one which encryption has passed. Nobody knows whether secret services have already developed steganography scanners which are searching the net for images or sounds containing hidden data in the very same moment you are reading this article. Cryptographic methods became very good in the last decades since algorithms which had been secret during the years before were analyzed by the academic community. One of the newer cryptography goals for instance is the public key system, which was -officially - invented in the seventies of this century. However the ideas used in 'modern' steganography programs are partly ancient - some ideas are described in books of the 17th century [1]. As mentioned above mass media started to write about steganography, but the articles written about it are on a level far below the cryptography literature. There doesn't even exist any speculation about the existence of stego-detectors. Comparisons of existing steganography products in most cases are limited to the supported carrier-files and the quality of the user interface. In more serious articles the used encryption is discussed, but I didn't read any article with helpful information about the most essential point: the algorithm's resistance against detection. I searched for information about the detection of carrier-files and asked many people -programmers, hackers and academics - if they have got knowledge about usable results but it seems that scientific research is concentrating on watermarking-techniques at the moment. There are only a few books about the type of steganography we are interested in. The people I asked said they would start by checking out the noise-theory -but this is a complex topic. A simple trick to find out whether a file is encrypted is trying to compress it - of course compressed files are also 'detected' this way. Programmers know this fact -when you implement a compression algorithm in an encryption program you must compress the data before(!) you encrypt it [2]. I think one could modify a known compression algorithm to check a potential carrier-file for simple steganographic algorithms. If the steganography program hides data in a file without filling the rest of the carrier-file with random data one could do some fuzzy logic and compare the results of the spectral analysis for different parts of the potential carrier-file and guess whether the file carries hidden information or not. If you compress two bitmap files, the original and the same file used as a carrier-file by using a standard compression software - for example pkzip - the original picture can be compressed better. A good example is the pair of pictures on Reverser's Steganography Page [3]. He labelled purposedly the two files in the wrong way, but the truth was relatively obvious since the compressed carrier-file is in most cases bigger than the compressed original. Of course in 'real life reversing' nobody has the original version of a carrier-file if this has been well chosen. Since we just don't know how steganography scanners - if they exist - work, a pretty unorthodox method to irritate such scanners without the need of knowing how they are working came into my mind: faked carrier-files which contain non sensitive data. A good possibility for creating and spreading such files would be a computer virus which replaces everywhere the least significant bits ('LSB') of sound and image files by pseydo random (and self-reproduces itself of course). The LSBs will look like encrypted data. This is very interesting in countries which have cryptography restrictions. Think about France for instance! Nobody can tell if sensitive information has been hidden in a file or if you'll find there after a long work just some crap. Nobody can prove if you use steganography (and you are the criminal) or if you have been infected by a nasty virus (and you are the victim). The consequences of a virus like that would be a well spreaded steganography noise (I will call this from now on 'stego-noise') on Personal Computers all over the world and on the Internet. Imagine the scenario: even supporters of the anti-crypto-campaigns and members of the law-enforcement agencies would increase the stego-noise and confuse scanners by false alarms without even recognizing that their computer systems have been infected. After some weeks or months, when a high level of stego-noise has been established by the virus, this could deinstall itself - probably before it has been detected and without having damaged the system. We know that the heuristic virus scanners sold nowadays are far from being perfect. With some well-known tricks we can write a selfencrypting virus (a 'benign' one of the sort discussed above, that is) of a kind which won't be detected too fast. This virus would confuse a steganography detection - even a perfect detection. But one must keep in mind that even non-destructive viruses can damage the system, because of unforeseen bugs and unexpected environments - that's definitely not what we want to achieve! Creating extra noise is not a very elegant way. The idea behind our science, steganography, is hiding information inside noise which already exists - for example in the chaotic background noise of a recorded sample. I think the best solution to defend us against steganography detectors is attacking existing steganography algorithms, which is a highly interesting project, and improving at the same time the existing steganography programs. The possibility to detect carrier-files does not break the cryptographic barrier, but that's a different topic and comparatively well discussed. The Contraband [4] cracker 'anti-contraband' [5], for example, extracts a hidden file out of a carrier-file when you use it. This only works for steganography programs using a bad cryptography algorithm or implementation, badly chosen passwords, or if massive brute force is available. Even if you are able to crack a single file you can't use this method if you do not know which file contains the hidden information you are after. If nobody has written a steganography detector yet people will do it as soon as cracking steganography algorithms becomes more interesting - because of financial/commercial reasons for instance. They probably will succeed... yet we will always be ahead of any commercial oriented mind :-) References: [1] Gaspari Schotti, "Schola steganographica", 1680, http://www.cl.cam.ac.uk/~fapp2/watermarking/steganographica/ [2] Bruce Schneier, "Applied Cryptography" (Chapter 10.7), 1996, Wiley [3] Reverser, "Reverser's Steganography Page", 1997, http://207.30.50.126/fravia/stego.htm [4] Hens Zimmerman and Julius Thyssen, "Contraband", 1997, http://www.xs4all.nl/~jult/4u/contrabd.exe [5] Massimiliano, "anti-contraband", 1997, http://207.30.50.126/fravia/uncontra.zip Written in 1997/1998 by Fabian Hansmann, author of the steganography program Steganos for DOS and coauthor of Steganos for Windows 95 (http://www.steganography.com ) EMail: fabian@demcom.com

_ _ _ _ _ _ _ _ _ _ noanon
Back to the Advanced Stego page ___Back to the Stego 'normal' page
redhomepage redlinks red+ORC redstudents' essays redcounter measures
redantismut CGI tricks redacademy database redtools redjavascript tricks
redcocktails redsearch_forms redmail_reverser
redIs software reverse engineering illegal?

redreverser December 1997 ~ January 1998