Security Basics mailing list archives

RE: stego and executable files


From: "Seva Batkin" <sbatkin () telus net>
Date: Sat, 16 Aug 2003 19:43:55 -0700

I am not sure if this is quite what Rockit was asking. Hiding information in
JPEG or any other files is relatively easy and has been done for a long
time; it also requires a decoding application on the other end.

Hiding executables in the JPEG implies that whatever you use to read the
file such as Outlook Express, Eudora, Netscape, whatever, will automatically
run the Trojan contained in the image.

How is this possible?

Seva


-----Original Message-----
From: Tomas Wolf [mailto:tomas () skip cz] 
Sent: August 16, 2003 2:46 PM
To: Rockit
Cc: security-basics () securityfocus com
Subject: Re: stego and executable files

Hello,

 I have researched a little around steganography and the whole idea behind
this is somehow simple. I would like to note that it doesn't matter what
kind of data one hides inside another data.
 The bottom line is to find media with a supportive structure. I would like
to demonstrate on JPG and BMP picture formats, but this general idea could
be applied to any data formats.

 Steganography tries to deny the existence of the hidden data; therefore in
a digital environment, the host must be formatted in a way that if we add the
data into another file, the original should look, taste, sound, and feel like
the one with embedded data.
 Now to the structure of BMP files. I'll do this from the top of my head, so
please note that the exact numbers are just for illustration. The structure is
given and it has a lot of data. First is the first header, which identifies the
filetype, length and color depth. The second header gives us length in
bytes, height, width, number of colors used (RGB)... Then comes the most
important part (from the steganographical point of view), the color table. In
BMP, if the color depth is 8 bits then the palette (color table) has 8x256
colors. Each color is 4 bytes (Red, Green, Blue, Reserved); the values of each
base-color give us the RGB value, in other words -- i.e. R=255, G=255, B=255 -->
then the color = BLACK. Now the best BMP picture to hide a file in is one
that is grayscale only (or black and white), but is still saved as 8-bit.
Then we have many values in the color palette that can be changed without
having ANY impact on the picture itself; therefore there is no visual way of
discovering hidden data. Each stego program probably uses a different technique
of hiding data, but the change to the file is usually flipping values of R,
G, B, or Reserved by one. I must note that the "Reserved" value is almost
always zero (0) in the original - at least in all cases I've seen.

 Now JPG has a structure more suitable for storage, since it doesn't manage
colors the same way as BMP. It compresses certain colors into a palette that
was defined by the user (or program). Therefore a lot of colorful details
can disappear when converting some TIFF into JPG, since some of the colors
are matched to the "closest" one. This way there is not much space to waste,
when the color table is fixed and the program decides what will be substituted
for what... But that is pretty much all I have on JPGs :-)

 And now we can apply this to any kind of suitable media. If (just an
example) I knew that the AVI format has a somehow wasteful (or shall I say rich?)
file architecture and knew the structure, I would be able to append some
data to it without destroying or corrupting the file (of course the MD5 will
change).

 I hope it was of some help... And if not, or it is too confusing, let me
know... I'll be more than happy to answer whatever will be in my knowledge
range...

 Good luck -- Tomas

I have just had what I believe is my first encounter with
a .jpg stego embedded executable file.
I know that there has been success embedding stego executables
in .mp3 and .avi files, but was unaware that someone had developed
a way to do .jpgs...
Can someone please provide detailed info on this?
(and yes, I've googled)
Thanks in advance.

Rockit

=====
www.interz0ne.com

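A screening check for the BMP palette tell-tales Tomas describes above (a nonzero Reserved byte, redundant palette entries, and entries that sit exactly one step from another entry in a single channel), written as an added example for this archive page and not code from any poster. The BMP builder and both palettes are constructed sample data; the counters are a triage heuristic for a defender, not proof that anything is embedded.

```python
import struct
from collections import Counter

def build_8bit_bmp(palette, pixels, width, height):
    """Assemble a minimal uncompressed 8-bit BMP (constructed test data, not a real file)."""
    row_len = (width + 3) & ~3                        # each pixel row is padded to 4 bytes
    rows = b"".join(bytes(pixels[y * width:(y + 1) * width]).ljust(row_len, b"\0")
                    for y in range(height))
    pal = b"".join(struct.pack("<BBBB", b, g, r, a) for (r, g, b, a) in palette)  # on disk: B,G,R,Reserved
    off = 14 + 40 + len(pal)                          # pixel data follows both headers and the palette
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 8, 0, len(rows),
                       2835, 2835, len(palette), 0)   # BITMAPINFOHEADER; biClrUsed = palette size
    file_hdr = struct.pack("<2sIHHI", b"BM", off + len(rows), 0, 0, off)
    return file_hdr + info + pal + rows

def read_palette(bmp):
    """Parse the two headers and return the colour table as (r, g, b, reserved) tuples."""
    magic, _size, _r1, _r2, _off = struct.unpack_from("<2sIHHI", bmp, 0)
    if magic != b"BM":
        raise ValueError("not a BMP file")
    hdr_size, _w, _h, _planes, bpp = struct.unpack_from("<IiiHH", bmp, 14)
    clr_used = struct.unpack_from("<I", bmp, 14 + 32)[0]
    if bpp > 8:
        return []                                     # true-colour BMPs carry no palette
    n = clr_used or (1 << bpp)
    raw = bmp[14 + hdr_size:14 + hdr_size + 4 * n]
    return [(raw[i + 2], raw[i + 1], raw[i], raw[i + 3]) for i in range(0, len(raw), 4)]

def palette_anomalies(palette):
    """Score the post's tell-tales: nonzero Reserved bytes, redundant entries, one-step near-duplicates."""
    seen = Counter((r, g, b) for r, g, b, _ in palette)
    near_dup_pairs = sum(1 for (r, g, b) in seen
                         for dr, dg, db in ((1, 0, 0), (0, 1, 0), (0, 0, 1))
                         if (r + dr, g + dg, b + db) in seen)
    return {"entries": len(palette),
            "nonzero_reserved": sum(1 for _, _, _, a in palette if a != 0),
            "redundant_entries": sum(c - 1 for c in seen.values()),
            "near_duplicate_pairs": near_dup_pairs}

# Constructed samples: a grey ramp padded with duplicate white entries (typical of a grey image
# saved as 8-bit), then the same palette after three one-step edits of the kind the post describes.
CLEAN_PALETTE = [(i, i, i, 0) for i in range(250)] + [(255, 255, 255, 0)] * 6
TAMPERED_PALETTE = list(CLEAN_PALETTE)
TAMPERED_PALETTE[251] = (255, 255, 254, 0)            # B moved down by one on a padding entry
TAMPERED_PALETTE[252] = (254, 255, 255, 0)            # R moved down by one on another
TAMPERED_PALETTE[20] = (20, 20, 20, 1)                # Reserved byte set; normally always zero
PIXELS = [0, 64, 128, 249, 249, 128, 64, 0]           # 4x2 image, palette indices
CLEAN_BMP = build_8bit_bmp(CLEAN_PALETTE, PIXELS, 4, 2)
TAMPERED_BMP = build_8bit_bmp(TAMPERED_PALETTE, PIXELS, 4, 2)
```

Run `palette_anomalies(read_palette(CLEAN_BMP))` against `palette_anomalies(read_palette(TAMPERED_BMP))`: the clean ramp reports no Reserved bytes and no one-step pairs, while the edited palette reports one nonzero Reserved byte and two near-duplicate pairs.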



