

    The Beginner's Guide – Preventing the Invisible Malware: What Is Steganalysis and How CDR Can Improve Our Security (Part-2)

    July 31, 2023

    Target: Consumers

    Tags:  Content Disarm and Reconstruction (CDR), Malware, Images, Steganography, Zero-Trust

    In our initial blog post, we explored the technique malware authors use to hide malicious code within images, known as steganography. In this post we turn to the detection side, a field called steganalysis. We will delve into the limitations of these tools and explore how a zero-trust, prevention-based approach, Content Disarm and Reconstruction (CDR), can address these challenges. Our upcoming blog (Part-3) will provide insights into reverse engineering evasive malware discovered within images.

    Steganalysis refers to the field of study and techniques used to detect the presence of hidden information within digital media, such as images, audio files, or videos, that has been concealed through steganography. Steganography involves the covert embedding of data within a carrier medium, making it imperceptible to casual observers. Steganalysis aims to uncover and analyze the hidden data, identify the steganographic algorithms or methods used, and determine if a given media file contains hidden information. It involves the application of statistical analysis, signal processing, machine learning, and other computational methods to reveal the presence of steganography and distinguish between innocent media and steganographic content. Steganalysis plays a crucial role in digital forensics, security, and counterintelligence, providing means to detect covert communication and potential malicious activities.

    Steganalysis Methods

    Muralidharan et al. [1] provide a detailed survey of state-of-the-art image steganalysis. Steganalysis methods can be divided into three categories:

    1. Statistical Analysis: Statistical analysis is a fundamental approach in steganalysis. It involves analyzing the statistical properties of images to detect hidden information. Common techniques include histogram analysis, spatial domain analysis, and frequency domain analysis [4].
    2. Machine Learning-Based Methods: With the advent of machine learning algorithms, steganalysis has witnessed significant advancements. Various machine learning models, such as support vector machines (SVM), artificial neural networks (ANN), and deep learning architectures, have been applied to steganalysis tasks. These models learn from a vast amount of data and can detect subtle patterns indicative of steganography.
    3. Rich Model Features: Steganalysis methods can leverage rich model features to enhance detection accuracy. These features encompass higher-level image characteristics, such as texture, color, and spatial relationships. By extracting and analyzing these features, steganalysis algorithms can effectively distinguish between regular and steganographic images.

    However, steganalysis is far from perfect, and the following limitations exist:

    1. Single Dataset Limitation: Many steganalysis methods are created, tested, and utilized only on a single dataset [1]. This can lead to a lack of versatility, potentially limiting the effectiveness of these methods when faced with different datasets. The methods might fail to generalize well across diverse scenarios and image collections, which may affect their real-world applicability.
    2. Specificity of Targeted Steganography Schemes: The paper [1] points out that many steganalysis methods seem to target only specific steganography schemes. This means that while they might be effective in detecting and analyzing certain steganographic methods, they might be inefficient or entirely ineffective against others. This narrow focus might limit the overall effectiveness of such steganalysis methods.
    3. Difficulty with Advanced Steganography Methods: The paper [1] highlights that some steganography techniques, such as coverless and Generative Adversarial Networks (GAN) based steganography, are not adequately countered by current steganalysis methods. These more advanced methods present a significant challenge for steganalysis, indicating that the field may struggle to keep pace with the evolution of steganography techniques.
    4. High Embedding Rates: Steganography techniques that employ a high embedding rate can pose challenges for steganalysis. When a large amount of data is hidden within an image, it becomes more difficult to detect the presence of hidden information. Steganalysis algorithms may struggle to differentiate between legitimate image noise and the embedded data, especially when the original (cover) image is not available for comparison.
    5. Adaptive Steganography: Adaptive steganography techniques dynamically adjust the embedding process based on the characteristics of the cover image, concentrating the changes in textured or noisy regions where the detector's statistical model is least reliable. As a result, detecting adaptive steganography becomes a daunting task for steganalysis systems.
    6. Low-Bit Attacks: Attackers employing low-bit steganography techniques embed a minimal amount of data into the cover image. This method aims to stay below the detection threshold of steganalysis algorithms, making the hidden information less noticeable. Steganalysis methods optimized for higher embedding rates may fail to detect such subtle alterations, rendering them ineffective against low-bit attacks.
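    The following added Python example (not code from the post or from reference [1]) demonstrates the statistical approach of category 1 and limitation 6 at the same time: a chi-square test over pairs of pixel values, the classic Westfeld–Pfitzmann attack on LSB replacement, is run on a constructed grayscale cover, on the same cover with every pixel's LSB overwritten by random payload bits, and on a version where only 10% of the pixels carry payload. The cover, the embedding rates and the detection threshold are all assumptions chosen for this illustration.

```python
"""Chi-square LSB steganalysis on a constructed grayscale cover (added example, not from the post)."""
import random

WIDTH, HEIGHT = 128, 128


def make_cover(seed: int = 1) -> list[int]:
    """Constructed 8-bit grayscale cover image as a flat pixel list.

    Within each pair of values (2k, 2k+1) the even value is about 9x more frequent than
    the odd one. This exaggerates the pair asymmetry found in real images so the effect
    is easy to see; it is synthetic data, not a photograph (assumption for this example).
    """
    rng = random.Random(seed)
    pixels = []
    for _ in range(WIDTH * HEIGHT):
        even = 2 * rng.randrange(128)
        pixels.append(even + (1 if rng.random() < 0.1 else 0))
    return pixels


def lsb_embed_random(pixels: list[int], rate: float, seed: int = 2) -> list[int]:
    """Simulate LSB replacement: overwrite the LSB of a fraction `rate` of randomly chosen
    pixels with random bits (an encrypted or compressed payload looks like random bits)."""
    rng = random.Random(seed)
    out = list(pixels)
    for i in rng.sample(range(len(pixels)), int(len(pixels) * rate)):
        out[i] = (out[i] & 0xFE) | rng.getrandbits(1)
    return out


def chi_square_per_pair(pixels: list[int]) -> float:
    """Westfeld-Pfitzmann style statistic: for every value pair (2k, 2k+1) compare the two
    histogram counts. LSB replacement pushes the counts of each pair towards equality, so
    the statistic (averaged per pair) collapses towards 1 for a fully embedded image."""
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    stat, pairs = 0.0, 0
    for k in range(128):
        e, o = hist[2 * k], hist[2 * k + 1]
        if e + o == 0:
            continue
        stat += (e - o) ** 2 / (e + o)
        pairs += 1
    return stat / pairs if pairs else 0.0


def looks_like_lsb_stego(pixels: list[int], threshold: float = 3.0) -> bool:
    """Flag an image whose pair statistic is close to the 'equalised' value of 1.
    The threshold is hand-picked for this constructed cover, not a calibrated p-value."""
    return chi_square_per_pair(pixels) < threshold


if __name__ == "__main__":
    cover = make_cover()
    for label, rate in (("cover", 0.0), ("10% embedded", 0.1), ("100% embedded", 1.0)):
        img = lsb_embed_random(cover, rate) if rate else cover
        print(f"{label:14s} stat/pair={chi_square_per_pair(img):7.2f} "
              f"flagged={looks_like_lsb_stego(img)}")
```

Full-rate LSB replacement equalizes the counts in every (2k, 2k+1) pair, so the statistic drops to about 1 per pair and the image is flagged; at a 10% rate the pairs stay skewed and the image passes as clean, which is exactly the low-bit evasion described in limitation 6. A production detector would derive a p-value from the chi-square distribution and scan the image in windows rather than rely on a fixed threshold, and this test says nothing at all about adaptive, coverless or GAN-based schemes that do not use plain LSB replacement.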

    Steganalysis is a detection-based approach: it must first recognise a manipulation before anything can be blocked, and each of the limitations above is a gap that evasive malware can slip through. A zero-trust, prevention-based approach built on CDR is therefore needed, one that rewrites every image regardless of whether anything suspicious was detected.

    How Does Image Content Disarm and Reconstruction Work?

    A recent study [2] examines an alternative approach for neutralizing steganography and malware attacks within images. Our method is similar and likewise relies on transcoding.

    Image transcoding involves converting an image file from one format to another, which may entail modifying the resolution, color depth, and format of the image data. In the broader context of digital media, transcoding refers to the direct conversion of encoding between different formats [2].

    Transcoding is typically performed when the target device lacks support for the original image format or has limited storage capacity, necessitating a reduction in file size [2]. For instance, a high-resolution JPEG file might be transcoded into a lower-resolution file (possibly in another format, such as PNG) to improve website loading speed.

    The process of image transcoding consists of two steps. Initially, the original data is decoded into an intermediate uncompressed format, after which it is encoded into the desired target format. This transcoding process can be either lossy or lossless. In lossy transcoding, certain information is lost during the conversion, resulting in a potential degradation of image quality. This method is commonly employed when the target device has limited storage capacity. Conversely, lossless transcoding retains all information and preserves image quality [2]. Scaling (changing the resolution) is typically applied as part of transcoding.

    It is important to note that transcoding differs from compression and trans-muxing/rewrapping. Compression involves reducing file size without altering the format, while trans-muxing/rewrapping changes the container format while keeping the data intact [2].

    In summary, image transcoding plays a vital role in modern digital workflows by facilitating the conversion of images to the most suitable format for their intended use. It enables consistent viewing of image content across a diverse range of devices with varying capabilities and constraints [2].

    Image Content Disarm and Reconstruction (CDR) employs transcoding and scaling to fortify image files against evasive steganography and concealed metadata. This approach generates a new image file, in a different format, devoid of metadata and extraneous information; the transcoded file can later be converted back to the original format. Note that the pixel data must actually be re-computed (by rescaling, re-quantization or lossy re-encoding): a strictly lossless, pixel-preserving format conversion strips metadata and trailing bytes but leaves a payload embedded in the pixel values themselves (for example by LSB replacement) intact. The study in [2] evaluates transcoding as a countermeasure against image-borne steganography and malware.

    Summary

    The prevalence of steganography attacks is escalating [3], and present detection methods exhibit notable limitations. Content Disarm and Reconstruction (CDR) therefore emerges as a dependable mitigation: it neutralizes hidden content without having to detect it first and without substantial visual alteration [1]. It removes the carrier's payload; the vulnerability or user action that would have executed that payload (see Part-1) remains a separate concern. Integrating CDR into your security infrastructure merits consideration.

    The images below show the same picture 'before' (right) and 'after' (left) applying CDR; no difference is perceptible to the naked eye.

    In short, a zero-trust approach to file prevention is remarkably efficient and effective at countering elusive threats that traditional detection methods may overlook.

    In the next blog we will reverse engineer malicious images.

     

    References

    [1] T. Muralidharan, A. Cohen, A. Cohen, and N. Nissim, "The infinite race between steganography and steganalysis in images," Signal Processing, 108711, 2022.

    [2] E. Belkind, R. Dubin, and A. Dvir, "Open Image Content Disarm and Reconstruction," 2023, https://arxiv.org/abs/2307.14057

    [3] Security Boulevard, "Steganography in Cybersecurity: A Growing Attack Vector," 2022, https://securityboulevard.com/2022/05/steganography-in-cybersecurity-a-growing-attack-vector/

    [4] Same work as [1]: T. Muralidharan et al., "The infinite race between steganography and steganalysis in images," Signal Processing, 108711, 2022.

     

    The Beginner's Guide – Preventing the Invisible Malware: How Steganography Works (Part-1)

    July 20, 2023

    Target: Consumers

    Tags:  Content Disarm and Reconstruction (CDR), Malware, Images, Steganography, Zero-Trust

    Throughout this blog series, we will delve into the following topics: understanding steganography (part 1), exploring steganalysis and enhancing prevention techniques (part 2), and unraveling the process of disarming and reverse engineering malicious code concealed within image metadata (part 3).

    Image steganography is a technique that hides evasive code in plain sight, inside an image file. Concealing messages or data within a non-secret "carrier" lets malicious actors deliver a payload simply by hosting an image on a website or sending it via email [1].

    This process becomes particularly effective as digital images are merely streams of bytes, like any other file. As a result, they become an excellent medium for concealing secret text and other data. When people open a picture on a device, they seldom look beyond the visual presentation displayed to see what lies hidden inside the image file format [1].

    One simple method of image steganography is appending a string to the end of the file or placing it in the image's metadata. Neither prevents the image from being displayed normally nor changes its appearance. For example, appending "hello world" to the end of the file does not alter the image, but a hex dump shows the extra bytes, and a program can trivially read the plain-text string back [1].
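    The following added Python example (not code from the post or from BUFFERZONE) shows what "a program can easily read" looks like from the defender's side for the two simple methods just described. It builds a tiny, constructed PNG with the standard library, appends "hello world" after the IEND chunk and plants a string in a tEXt metadata chunk, then walks the chunk structure to report trailing bytes, text chunks and CRC mismatches. A `strip_png` function rebuilds the file from critical chunks only, which is the metadata-stripping part of what a CDR engine does; the file layout, chunk names and CRC rule are those of the PNG specification, everything else is an assumption for this illustration.

```python
"""Inspect and strip a PNG for data hidden outside the pixel stream (added example, not from the post)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: 4-byte length, 4-byte type, body, CRC-32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width: int = 2, height: int = 2, text: bytes = b"") -> bytes:
    """Constructed minimal 8-bit RGB PNG (solid grey), optionally with a tEXt chunk."""
    scanlines = b"".join(b"\x00" + b"\x80\x80\x80" * width for _ in range(height))
    chunks = [_chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0))]
    if text:
        chunks.append(_chunk(b"tEXt", text))
    chunks += [_chunk(b"IDAT", zlib.compress(scanlines)), _chunk(b"IEND", b"")]
    return PNG_SIG + b"".join(chunks)


def parse_chunks(data: bytes):
    """Walk the chunk list. Returns ([(type, body, crc_ok), ...], bytes after IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        chunks.append((ctype, body, (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, data[pos:]      # anything after IEND is never rendered
    raise ValueError("no IEND chunk")


def inspect_png(data: bytes) -> dict:
    """Summarize the places where a string can hide without changing the picture."""
    chunks, trailing = parse_chunks(data)
    return {
        "chunk_types": [t.decode("latin-1") for t, _, _ in chunks],
        "text_chunks": [b for t, b, _ in chunks if t in TEXT_CHUNKS],
        "bad_crc": [t.decode("latin-1") for t, _, ok in chunks if not ok],
        "trailing": trailing,
    }


def strip_png(data: bytes) -> bytes:
    """Rebuild the file from critical chunks only: drops text/EXIF/other ancillary chunks
    and trailing bytes. Payloads encoded in the pixel values (e.g. LSB) are NOT touched."""
    chunks, _ = parse_chunks(data)
    return PNG_SIG + b"".join(_chunk(t, b) for t, b, _ in chunks if t in CRITICAL)


if __name__ == "__main__":
    tampered = make_png(text=b"Comment\x00hello world") + b"hello world"
    print(inspect_png(tampered))
    print(inspect_png(strip_png(tampered)))
```

Both hiding places survive any viewer: decoders stop at IEND and ignore ancillary chunks they do not understand, which is why structural inspection (or unconditional stripping) is needed rather than looking at the rendered pixels. A CRC mismatch is worth reporting too, since hand-edited chunks often have stale checksums.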

    In more complex methods, malware is injected into digital photos that appear perfectly normal. The technique takes advantage of the data that accompanies an image but is not necessarily translated into pixels on your screen. Malware code can be embedded in an image in many ways, including attaching it to the end of the file, tweaking individual bits of the pixel data, or changing the metadata associated with the file [1].

    However, injecting malware into an image is not as simple as it may first seem. There are two main challenges:

    • Image Distribution: Steganography in digital media often requires subtly manipulating the image’s pixels or metadata to encode the malicious code. This manipulation is not visually perceptible to the human eye but can cause havoc when decoded by the machine. Yet, this process becomes even more challenging when sharing these manipulated media files via social media networks. These platforms often resize, recompress, strip metadata, and sometimes crop or color-correct images. These manipulations restructure the image and may disarm the attack, challenging the attackers [1].

     

    • Execution: Although image files can carry malware, they cannot automatically infect the system when opened. Exploitation occurs only when there is a software vulnerability that the hidden code can exploit, or when the user enables an embedded macro that triggers the malware. For example, please review our previous blog about

     

    Therefore, while image steganography serves as a potential medium for malware delivery, the complexity of execution and the need for certain user actions or system vulnerabilities make it challenging as an attack vector; however, from recent attacks, we see malware steganography on the rise [2].

    How Steganography Attack Works:

    Steganography is the process of concealing secret information within an ordinary, non-secret file or message to avoid detection. Two representative image steganography methods are the classic Least Significant Bit (LSB) method and a recent neural method based on style transfer.

    1. Least Significant Bit (LSB) Method

    The Least Significant Bit (LSB) method is the most common and simplest form of image steganography. This method involves altering the least significant bit of the pixel values in a digital image. In this process, the cover image is selected, and the least significant bits of the pixel values are replaced with the bits from the secret data.

    The basic idea behind the LSB method is that changes to the least significant bits of the pixel values will have a minimal effect on the color and appearance of the image. This makes the alterations to the image hard to detect for the human eye.

    The LSB method can be used with diverse types of images, including grayscale, colored, and true color images. The amount of data that can be hidden depends on the size and type of the image. For further reading on the state of the art, including generative (GAN-based) schemes, see the survey by Liu et al. [3].
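    To make the LSB method concrete, and to show why the transcoding-and-scaling step of image CDR described in Part-2 defeats it while a lossless copy does not, the following added Python example (not code from the post or from BUFFERZONE) embeds a byte string in the least significant bits of a constructed RGB pixel array, extracts it again, and then runs a toy 2x downscale/upscale in place of a real transcoder's rescaling. The 32-bit length header, the constructed noise cover and the averaging rescaler are assumptions for this illustration.

```python
"""LSB embedding/extraction on raw RGB samples, and what a rescale step does to it.
Added example, not from the post; the cover image is constructed noise."""
import random


def bytes_to_bits(data: bytes) -> list[int]:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bits_to_bytes(bits: list[int]) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def make_cover(width: int, height: int, channels: int = 3, seed: int = 1) -> list[int]:
    """Constructed cover: flat list of width*height*channels random 8-bit samples."""
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(width * height * channels)]


def lsb_embed(pixels: list[int], message: bytes) -> list[int]:
    """Write a 32-bit length header followed by the message into the LSB of consecutive
    samples. Each sample changes by at most 1, which is invisible to the eye."""
    bits = bytes_to_bits(len(message).to_bytes(4, "big") + message)
    if len(bits) > len(pixels):
        raise ValueError("cover too small for payload")
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out


def lsb_extract(pixels: list[int]):
    """Read the header, then the payload. Returns None when the header does not describe
    a payload that fits, i.e. nothing intelligible is embedded."""
    if len(pixels) < 32:
        return None
    n = int.from_bytes(bits_to_bytes([p & 1 for p in pixels[:32]]), "big")
    if n == 0 or 32 + 8 * n > len(pixels):
        return None
    return bits_to_bytes([p & 1 for p in pixels[32:32 + 8 * n]])


def rescale_roundtrip(pixels: list[int], width: int, height: int, channels: int = 3) -> list[int]:
    """Toy stand-in for the scaling step of transcoding: downscale 2x by averaging each
    2x2 block, then upscale back with nearest neighbour. Same dimensions, every sample
    re-computed, so the LSB plane is effectively re-randomized."""
    if width % 2 or height % 2:
        raise ValueError("even dimensions expected in this toy rescaler")

    def idx(x, y, c):
        return (y * width + x) * channels + c

    out = [0] * len(pixels)
    for by in range(0, height, 2):
        for bx in range(0, width, 2):
            for c in range(channels):
                total = sum(pixels[idx(bx + dx, by + dy, c)] for dy in (0, 1) for dx in (0, 1))
                avg = (total + 2) // 4
                for dy in (0, 1):
                    for dx in (0, 1):
                        out[idx(bx + dx, by + dy, c)] = avg
    return out


if __name__ == "__main__":
    cover = make_cover(32, 32)
    stego = lsb_embed(cover, b"hidden payload")
    print("max per-sample change:", max(abs(a - b) for a, b in zip(cover, stego)))
    print("extracted from stego:", lsb_extract(stego))
    print("extracted after lossless copy:", lsb_extract(list(stego)))
    print("extracted after rescale:", lsb_extract(rescale_roundtrip(stego, 32, 32)))
```

The lossless copy returns the payload unchanged, which is the caveat from Part-2: converting between formats without touching the pixel values is not enough. Only the rescale (or a lossy re-encode) destroys the LSB plane. The same property is what makes social-media recompression an obstacle for attackers, as noted under "Image Distribution" above.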

    2. Image Steganography based on Style Transfer

    Recently, a novel approach to image steganography has been proposed which makes use of neural networks and style transfer techniques. Style transfer is a process that manipulates a digital image or video to adopt the visual style of another image.

    In this method, the secret message is embedded into the cover image while the image’s style is being transformed. The secret information is integrated into the latent representation of the cover image to generate the steganography images. The steganography images generated this way are indistinguishable from normal stylized images. This method leverages the power of neural networks and takes advantage of the complex transformations involved in style transfer to hide the secret message [4].

    The two methods have their advantages and disadvantages. The LSB method is simple and easy to implement but can be vulnerable to steganalysis techniques if not done properly. On the other hand, the style transfer-based method can provide high security, but it requires more computational resources and a deeper understanding of neural networks and style transfer techniques.

    Summary

    To sum up, image steganography is a valuable and invisible asset for threat actors, whether for concealed communication or for hiding malicious code. Given advances such as style transfer-based steganography, image steganography remains an essential field of study [4], and its use by threat actors is on the rise.

    In our upcoming blog post, we will explore the concept of steganalysis (the detection of steganography) and its inherent limitations. Furthermore, we will present Content Disarm and Reconstruction as a potential solution to overcome these limitations.

     

    References

    [1] Ran Dubin, Image steganography (TODO – add link)

    [2] Security Boulevard, "Steganography in Cybersecurity: A Growing Attack Vector," 2022, https://securityboulevard.com/2022/05/steganography-in-cybersecurity-a-growing-attack-vector/

    [3] J. Liu et al., "Recent Advances of Image Steganography with Generative Adversarial Networks," IEEE Access, vol. 8, pp. 60575-60597, 2020, doi: 10.1109/ACCESS.2020.2983175.

    [4] D. Hu et al., "Image Steganography based on Style Transfer," arXiv preprint arXiv:2203.04500, 2022.

    [5] E. Belkind, R. Dubin, and A. Dvir, "Open Image Content Disarm and Reconstruction," 2023, https://arxiv.org/pdf/2307.14057.pdf