The Beginner's Guide – Preventing the Invisible Malware: How Steganography Works (Part 1)
By BUFFERZONE Team, 20/07/2023
Target: Consumers
Tags: Content Disarm and Reconstruction (CDR), Malware, Images, Steganography, Zero-Trust
Throughout this blog series, we will delve into the following topics: understanding steganography (part 1), exploring steganalysis and enhancing prevention techniques (part 2), and unraveling the process of disarming and reversing malicious malware concealed within image metadata (part 3).
Image steganography is a technique that can hide evasive code in plain sight, such as within an image file. The practice of concealing messages or information within another non-secret text or data, referred to as the “carrier,” allows malicious actors to compromise devices just by hosting an image on a website or sending an image via email [1].
This process becomes particularly effective as digital images are merely streams of bytes, like any other file. As a result, they become an excellent medium for concealing secret text and other data. When people open a picture on a device, they seldom look beyond the visual presentation displayed to see what lies hidden inside the image file format [1].
One simple method of image steganography is appending a string to the end of the file or inside the image metadata information. This action does not prevent the image from being displayed normally nor change its visual appearance. For example, appending “hello world” to the end of the file does not alter the image, but the output from the hex dump shows the extra bytes added. A program can easily read the plain text string [1].
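The appended-string trick above is easy to demonstrate and, from a defender's side, easy to detect, because a well-formed PNG ends exactly at its IEND chunk. The following is an added example written for this post, not code from BUFFERZONE or from reference [1]: it constructs a tiny valid PNG in memory, appends "hello world" the way the text describes, and then walks the chunk list to report (and strip) whatever follows IEND. The helper names and the 2x2 grey sample image are this example's own inventions.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_minimal_png(width: int = 2, height: int = 2) -> bytes:
    """Constructed sample: a tiny valid 8-bit RGB PNG with solid grey pixels."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline is a filter byte (0 = none) followed by width RGB triples.
    raw = b"".join(b"\x00" + b"\x80\x80\x80" * width for _ in range(height))
    idat = zlib.compress(raw)
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def append_payload(png: bytes, payload: bytes) -> bytes:
    """The 'append a string to the end of the file' trick from the text.
    Image viewers stop reading at IEND, so the picture still renders unchanged."""
    return png + payload


def trailing_bytes_after_iend(data: bytes) -> bytes:
    """Walk the chunk list and return everything that follows the IEND chunk.

    A well-formed PNG has nothing after IEND, so a non-empty result is the
    kind of anomaly a scanner should flag and a CDR rebuild should drop.
    CRCs are verified so that a corrupted chunk does not silently desync the walk.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # header + payload + CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk")
        expected_crc = struct.unpack(">I", data[chunk_end - 4:chunk_end])[0]
        actual_crc = zlib.crc32(data[pos + 4:chunk_end - 4]) & 0xFFFFFFFF
        if expected_crc != actual_crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        pos = chunk_end
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("no IEND chunk found")


def strip_trailing_bytes(data: bytes) -> bytes:
    """Rebuild the file as just the chunk stream, discarding appended bytes."""
    trailing = trailing_bytes_after_iend(data)
    return data[:len(data) - len(trailing)] if trailing else data


if __name__ == "__main__":
    clean = make_minimal_png()
    tampered = append_payload(clean, b"hello world")
    print("clean trailing bytes:   ", trailing_bytes_after_iend(clean))
    print("tampered trailing bytes:", trailing_bytes_after_iend(tampered))
    print("stripped == clean:", strip_trailing_bytes(tampered) == clean)
```

Running the script shows the appended text surviving as trailing bytes while the image itself is byte-for-byte intact before IEND; the same walk generalises to any chunked or container format (JPEG segments, for instance) where the parser stops at an end marker.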
In more complex methods, malware can be injected into digital photos that appear to be perfectly normal, a process known as steganography. The technique takes advantage of the hidden data that comes with an image, which is not necessarily translated into pixels on your screen. Malware code can be embedded in an image in many ways, including attaching it to the end of a file, altering individual bits of the image data, or changing the metadata associated with the file [1].
However, injecting malware into an image is not as simple as it may first seem. There are two main challenges:
- Image Distribution: Steganography in digital media often requires subtly manipulating the image’s pixels or metadata to encode the malicious code. This manipulation is not visually perceptible to the human eye but can cause havoc when decoded by the machine. Yet, this process becomes even more challenging when sharing these manipulated media files via social media networks. These platforms often resize, recompress, strip metadata, and sometimes crop or color-correct images. These manipulations restructure the image and may disarm the attack, challenging the attackers [1].
- Execution: Although image files carry malware, they cannot automatically infect the system when opened. The exploitation occurs when there is a software vulnerability that the hidden malicious code can exploit, or the user enables an embedded macro that triggers the malware. For example, please review our previous blog about
Therefore, while image steganography serves as a potential medium for malware delivery, the complexity of execution and the need for certain user actions or system vulnerabilities make it a demanding attack vector; nevertheless, recent attacks show that steganographic malware delivery is on the rise [2].
How a Steganography Attack Works:
Steganography is the process of concealing secret information within an ordinary, non-secret file or message to avoid detection. The two most common image steganography methods are the Least Significant Bit (LSB) method and the method based on style transfer.
- Least Significant Bit (LSB) Method
The Least Significant Bit (LSB) method is the most common and simplest form of image steganography. This method involves altering the least significant bit of the pixel values in a digital image. In this process, the cover image is selected, and the least significant bits of the pixel values are replaced with the bits from the secret data.
The basic idea behind the LSB method is that changes to the least significant bits of the pixel values will have a minimal effect on the color and appearance of the image. This makes the alterations to the image hard to detect for the human eye.
The LSB method can be used with diverse types of images, including grayscale, colored, and true color images. The data size that can be hidden using this method depends on the size and the type of the image. For further reading about state-of-the-art LSB steganography attacks please find this paper by Liu et al [3].
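To make the LSB description concrete, here is an added example written for this post (it is not code from BUFFERZONE, nor from the Liu et al. paper). It embeds a message into the least significant bit of an 8-bit grayscale pixel array with a length prefix, extracts it again, measures how little the pixels changed (never more than 1 in value, which is why the eye cannot see it), and then applies a crude stand-in for the platform recompression mentioned under "Image Distribution" to show why that processing tends to disarm an LSB payload. The cover gradient, the quantisation step and all function names are this example's own constructions.

```python
from typing import Iterator, List


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of `data` most-significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(pixels: List[int], secret: bytes) -> List[int]:
    """Replace the least significant bit of successive 8-bit pixels with the
    bits of `secret`, preceded by a 32-bit big-endian length so the reader
    knows where the message ends."""
    payload = len(secret).to_bytes(4, "big") + secret
    needed = len(payload) * 8
    if needed > len(pixels):
        raise ValueError(f"cover too small: need {needed} pixels, have {len(pixels)}")
    out = list(pixels)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit  # clear the LSB, then set it to the secret bit
    return out


def lsb_extract(pixels: List[int]) -> bytes:
    """Read the length prefix from the first 32 LSBs, then that many bytes."""

    def read_bytes(start: int, count: int) -> bytes:
        result = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (pixels[start + b * 8 + k] & 1)
            result.append(value)
        return bytes(result)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(pixels):
        raise ValueError("length prefix exceeds cover size: no LSB payload, or it was damaged")
    return read_bytes(32, length)


def max_pixel_change(original: List[int], modified: List[int]) -> int:
    """Largest per-pixel difference; LSB embedding can never exceed 1."""
    return max(abs(a - b) for a, b in zip(original, modified))


def simulate_recompression(pixels: List[int], step: int = 4) -> List[int]:
    """Crude stand-in for lossy re-encoding by a social platform: truncate every
    pixel to a multiple of `step`, which wipes the low bits the payload lives in."""
    return [(p // step) * step for p in pixels]


def payload_survives(pixels: List[int], secret: bytes) -> bool:
    """True only if the exact secret can still be recovered from `pixels`."""
    try:
        return lsb_extract(pixels) == secret
    except ValueError:
        return False


# Constructed cover: a 16x16 grayscale gradient (256 pixels, values 0..255).
COVER = [(x * 16 + y) % 256 for x in range(16) for y in range(16)]
SECRET = b"hello world"

if __name__ == "__main__":
    stego = lsb_embed(COVER, SECRET)
    print("max pixel change:", max_pixel_change(COVER, stego))          # 1
    print("extracted:", lsb_extract(stego))                              # b'hello world'
    print("survives recompression:", payload_survives(simulate_recompression(stego), SECRET))  # False
```

The 15-byte payload (4-byte length plus the message) needs 120 pixels, so a cover of 256 pixels is enough; a real photo offers millions, which is why capacity "depends on the size and the type of the image." The recompression stand-in is deliberately simple, but the effect it models is the real one: any transform that rewrites low-order pixel bits, whether JPEG re-encoding, resizing or colour correction, destroys a naive LSB message, which is exactly the defensive property a reconstruction-based approach relies on.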
- Image Steganography based on Style Transfer
Recently, a novel approach to image steganography has been proposed which makes use of neural networks and style transfer techniques. Style transfer is a process that manipulates a digital image or video to adopt the visual style of another image.
In this method, the secret message is embedded into the cover image while the image’s style is being transformed. The secret information is integrated into the latent representation of the cover image to generate the steganography images. The steganography images generated this way are indistinguishable from normal stylized images. This method leverages the power of neural networks and takes advantage of the complex transformations involved in style transfer to hide the secret message [4].
The two methods have their advantages and disadvantages. The LSB method is simple and easy to implement but can be vulnerable to steganalysis techniques if not done properly. On the other hand, the style transfer-based method can provide high security, but it requires more computational resources and a deeper understanding of neural networks and style transfer techniques.
Summary
To sum up, image steganography is a valuable and invisible asset for threat actors, whether for concealed communication or for hiding malicious code. Given the progress made in technology and the emergence of advanced techniques such as style transfer-based steganography, image steganography remains an essential field of study [4], and its use by threat actors is on the rise.
In our upcoming blog post, we will explore the concept of steganalysis (the detection of steganography) and its inherent limitations. Furthermore, we will present Content Disarm and Reconstruction as a potential solution to overcome these limitations.
References
[1] R. Dubin, Image steganography (TODO – add link)
[2] Security Boulevard, "Steganography in Cybersecurity: A Growing Attack Vector," https://securityboulevard.com/2022/05/steganography-in-cybersecurity-a-growing-attack-vector/
[3] J. Liu et al., “Recent Advances of Image Steganography with Generative Adversarial Networks,” in IEEE Access, vol. 8, pp. 60575-60597, 2020, doi: 10.1109/ACCESS.2020.2983175.
[4] D. Hu et al., "Image Steganography based on Style Transfer," arXiv preprint arXiv:2203.04500, 2022.
[5] https://arxiv.org/pdf/2307.14057.pdf