Security Basics mailing list archives
RE: stego and executable files
From: "Seva Batkin" <sbatkin () telus net>
Date: Sat, 16 Aug 2003 19:43:55 -0700
I am not sure if this is quite what Rockit was asking. Hiding information in JPEG or any other files is relatively easy and has been done for a long time; it also requires a decoding application on the other end. Hiding executables in the JPEG implies that whatever you use to read the file, such as Outlook Express, Eudora, Netscape, whatever, will automatically run the Trojan contained in the image. How is this possible?

Seva

-----Original Message-----
From: Tomas Wolf [mailto:tomas () skip cz]
Sent: August 16, 2003 2:46 PM
To: Rockit
Cc: security-basics () securityfocus com
Subject: Re: stego and executable files

Hello,

I have researched a little around steganography and the whole idea behind this is somehow simple. I would like to note that it doesn't matter what kind of data one hides inside another data. The bottom line is to find media with a supportive structure. I would like to demonstrate on JPG and BMP picture formats, but this general idea could be applied on any data formats.

Steganography tries to deny the existence of the hidden data; therefore, in a digital environment, the host must be formatted in a way that if we add the data into another file, the original should look, taste, sound, and feel as the one with embedded data.

Now to the structure of BMP files. I'll do this from the top of my head, so please note the exact numbers are just for illustration. The structure is given and it has a lot of data. First is the first header, which identifies the filetype, length and color depth. The second header is giving us length in bytes, height, width, number of colors used (RGB)... Then comes the most important part (from a steganographical point of view): the color table. In BMP, if the color depth is 8 bits then the palette (color table) has 8x256 colors. Each color is 4 bytes (Red, Green, Blue, Reserved); the values of each base color give us the RGB value, in other words -- i.e. R=255, G=255, B=255 --> then the color = BLACK.

Now the best BMP pictures to hide a file in are ones that are grayscale only (or black and white), but are still saved as 8-bit. Then we have many values in the color palette that can be changed without having ANY impact on the picture itself; therefore there is no visual way of discovering hidden data. Each stego program probably uses a different technique of hiding data, but the changes to the file are usually flipping the values of R, G, B, or Reserved by one. I must note that the "Reserved" value is almost always zero (0) in the original - at least in all cases I've seen.

Now JPG has a structure more suitable for storage, since it doesn't manage colors the same way as BMP. It compresses certain colors into a palette that was defined by the user (or program). Therefore a lot of colorful details can disappear when converting some TIFF into JPG, since some of the colors are matched to the "closest" one. This way there is not much space to waste, when the color table is fixed and the program decides what will be substituted for what... But that is pretty much all I have on JPGs :-)

And now we can apply this to any kind of suitable media. If (just an example) I knew that the AVI format has a somehow wasteful (or shall I say rich?) file architecture and knew the structure, I would be able to append some data to it without destroying or corrupting the file (of course the MD5 will change).

I hope it was of some help... And if not, or it is too confusing, let me know... I'll be more than happy to answer whatever will be in my knowledge range...

Good luck
-- Tomas

I have just had what I believe is my first encounter with a .jpg stego embedded executable file. I know that there has been success embedding stego executables in .mp3 and .avi files, but was unaware that someone had developed a way to do .jpgs... Can someone please provide detailed info on this? (and yes, I've googled)

Thanks in advance.
Rockit
=====
www.interz0ne.com
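Tomas's description of the two BMP headers, the 8-bit colour table and the normally-zero Reserved byte can be checked mechanically. The following is an added example (not code from anyone in this thread, and assuming the standard 14-byte file header and 40-byte BITMAPINFOHEADER layout): it builds a small 8-bit BMP in memory as constructed sample data and reports the counters a reviewer would look at, namely nonzero Reserved bytes, non-grey entries in a supposedly greyscale palette, and palette entries no pixel references (the ones the post says can be changed with no visible effect).

```python
import struct

def build_8bit_bmp(palette, width=4, height=4):
    """Build a minimal 8-bit paletted BMP in memory (constructed sample, not a real file).
    palette: list of (r, g, b, reserved) tuples, at most 256 entries.
    Pixel rows use palette indices 0..width-1, so most entries stay unreferenced."""
    pal = b"".join(struct.pack("<BBBB", b, g, r, res) for r, g, b, res in palette)
    row = bytes(range(width)) + b"\x00" * ((4 - width % 4) % 4)  # rows pad to 4 bytes
    pixels = row * height
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 8, 0, len(pixels),
                       2835, 2835, len(palette), 0)              # BITMAPINFOHEADER
    offset = 14 + 40 + len(pal)                                   # pixel data starts here
    file_hdr = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    return file_hdr + info + pal + pixels

def palette_stats(data):
    """Walk the two headers, the colour table and the pixel indices of an 8-bit BMP
    and return counters that point at the palette changes the post describes."""
    magic, _size, _res1, _res2, offset = struct.unpack_from("<2sIHHI", data, 0)
    if magic != b"BM":
        raise ValueError("not a BMP file")
    hdr_size, width, height, _planes, bits, _comp, _img, _x, _y, clr_used, _imp = \
        struct.unpack_from("<IiiHHIIiiII", data, 14)
    if bits != 8:
        raise ValueError("example handles 8-bit palettes only, got %d-bit" % bits)
    n = clr_used or 256
    entries = [struct.unpack_from("<BBBB", data, 14 + hdr_size + 4 * i) for i in range(n)]
    # Entries are stored B, G, R, Reserved; Reserved is normally 0 in untouched files.
    nonzero_reserved = sum(1 for _b, _g, _r, res in entries if res != 0)
    # In a greyscale image saved as 8-bit, every entry should satisfy R == G == B;
    # an entry with one channel flipped by one breaks that.
    non_grey = sum(1 for b, g, r, _res in entries if not (r == g == b))
    # Palette entries no pixel refers to can be altered without any visible change.
    stride = (width + 3) // 4 * 4                                 # padded row length
    used = set()
    for y in range(abs(height)):
        used.update(data[offset + y * stride: offset + y * stride + width])
    unused = n - len(used & set(range(n)))
    return {"entries": n, "nonzero_reserved": nonzero_reserved,
            "non_grey": non_grey, "unused_entries": unused}

if __name__ == "__main__":
    clean = [(i, i, i, 0) for i in range(256)]                   # untouched grey ramp
    tampered = list(clean)
    tampered[5] = (5, 5, 5, 1)                                    # Reserved byte flipped
    tampered[7] = (8, 7, 7, 0)                                    # R channel flipped by one
    print(palette_stats(build_8bit_bmp(clean)))
    print(palette_stats(build_8bit_bmp(tampered)))
```

The counters are hints, not proof: a legitimately colourful palette also has non-grey entries, so the numbers are most useful compared against an untouched copy of the same image or against what the image visibly contains.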