Steghide

June 16, 2010 at 8:12 am (Encryption, Security, Steganography)

Hey,

I have been playing around with a steganography program called steghide. It is pretty neat. It allows you to encrypt a piece of data and hide it in an image or audio file; the supported formats are JPEG, BMP, WAV and AU. It uses a graph-theoretic approach to steganography. Here is an explanation of how it works, extracted from the man page (please see “man steghide” for more information):

At first, the secret data is compressed and encrypted. Then a sequence of positions of pixels in the cover file is created based on a pseudo-random number generator initialized with the passphrase (the secret data will be embedded in the pixels at these positions). Of these positions those that do not need to be changed (because they already contain the correct value by chance) are sorted out. Then a graph-theoretic matching algorithm finds pairs of positions such that exchanging their values has the effect of embedding the corresponding part of the secret data. If the algorithm cannot find any more such pairs all exchanges are actually performed. The pixels at the remaining positions (the positions that are not part of such a pair) are also modified to contain the embedded data (but this is done by overwriting them, not by exchanging them with other pixels). The fact that (most of) the embedding is done by exchanging pixel values implies that the first-order statistics (i.e. the number of times a color occurs in the picture) is not changed. For audio files the algorithm is the same, except that audio samples are used instead of pixels.
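To see why exchanging values leaves first-order statistics alone, here is a toy model in Python, added as an illustration (it is not steghide's code and not from the man page). It assumes a constructed list of 8-bit samples, LSB embedding with compression and encryption skipped, and a trivial pairing in place of steghide's matching algorithm; all function names are hypothetical.

```python
import random
from collections import Counter

# Constructed sample data: 4096 random 8-bit samples and the bits of a 15-byte secret.
COVER = random.Random(2010).choices(range(256), k=4096)
BITS = [(byte >> i) & 1 for byte in b"Secret data...\n" for i in range(8)]

def positions(passphrase, n_samples, n_bits):
    """Embedding positions drawn from a PRNG seeded with the passphrase."""
    return random.Random(passphrase).sample(range(n_samples), n_bits)

def embed_exchange(cover, bits, passphrase):
    """Embed by swapping sample values where possible; overwrite only the leftovers."""
    stego = list(cover)
    pos = positions(passphrase, len(cover), len(bits))
    # Positions whose LSB already carries the right bit are sorted out.
    wrong = [p for p, b in zip(pos, bits) if stego[p] & 1 != b]
    need_one = [p for p in wrong if stego[p] & 1 == 0]   # even value, needs LSB 1
    need_zero = [p for p in wrong if stego[p] & 1 == 1]  # odd value, needs LSB 0
    # Assumption: any even/odd pair may be exchanged, so pairing is trivial here.
    swaps = min(len(need_one), len(need_zero))
    for a, b in zip(need_one, need_zero):
        stego[a], stego[b] = stego[b], stego[a]
    leftovers = need_one[swaps:] + need_zero[swaps:]
    for p in leftovers:
        stego[p] ^= 1  # overwrite: the only step that alters the histogram
    return stego, swaps, len(leftovers)

def embed_overwrite(cover, bits, passphrase):
    """Naive LSB replacement at the same positions, for comparison."""
    stego = list(cover)
    for p, b in zip(positions(passphrase, len(cover), len(bits)), bits):
        stego[p] = (stego[p] & ~1) | b
    return stego

def extract(stego, n_bits, passphrase):
    """Read the LSBs back from the passphrase-derived positions."""
    return [stego[p] & 1 for p in positions(passphrase, len(stego), n_bits)]

def histogram_distance(a, b):
    """Sum of absolute differences between two value histograms."""
    ca, cb = Counter(a), Counter(b)
    return sum(abs(ca[v] - cb[v]) for v in set(ca) | set(cb))

if __name__ == "__main__":
    stego, swaps, overwritten = embed_exchange(COVER, BITS, "passphrase")
    naive = embed_overwrite(COVER, BITS, "passphrase")
    print(swaps, overwritten, histogram_distance(COVER, stego), histogram_distance(COVER, naive))
```

The histogram change from exchange embedding is exactly twice the number of overwritten leftovers, and never larger than that of naive overwriting, which is why a detector that only compares value counts sees little or nothing.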

Here is an example of using steghide to hide a text file:


[Wed Jun 16 09:00:30]
[zoidberg@/dev/null:~/steg ] $ echo "Secret data..." > secret.txt

[Wed Jun 16 09:00:33]
[zoidberg@/dev/null:~/steg ] $ ls -l
total 24
-rw-r--r-- 1 zoidberg zoidberg 19604 2010-06-16 08:59 picture.jpg
-rw-r--r-- 1 zoidberg zoidberg 15 2010-06-16 09:00 secret.txt

[Wed Jun 16 09:00:35]
[zoidberg@/dev/null:~/steg ] $ file picture.jpg secret.txt
picture.jpg: JPEG image data, JFIF standard 1.01
secret.txt: ASCII text

[Wed Jun 16 09:00:41]
[zoidberg@/dev/null:~/steg ] $ steghide embed -cf picture.jpg -ef secret.txt
Enter passphrase:
Re-Enter passphrase:
embedding "secret.txt" in "picture.jpg"... done

[Wed Jun 16 09:01:16]
[zoidberg@/dev/null:~/steg ] $ rm secret.txt

[Wed Jun 16 09:01:20]
[zoidberg@/dev/null:~/steg ] $ ls -l
total 16
-rw-r--r-- 1 zoidberg zoidberg 13289 2010-06-16 09:01 picture.jpg

[Wed Jun 16 09:01:21]
[zoidberg@/dev/null:~/steg ] $ file picture.jpg
picture.jpg: JPEG image data, JFIF standard 1.01

[Wed Jun 16 09:01:25]
[zoidberg@/dev/null:~/steg ] $ steghide extract -sf picture.jpg
Enter passphrase:
wrote extracted data to "secret.txt".

[Wed Jun 16 09:01:56]
[zoidberg@/dev/null:~/steg ] $ ls -l
total 20
-rw-r--r-- 1 zoidberg zoidberg 13289 2010-06-16 09:01 picture.jpg
-rw-r--r-- 1 zoidberg zoidberg 15 2010-06-16 09:01 secret.txt

[Wed Jun 16 09:02:00]
[zoidberg@/dev/null:~/steg ] $ cat secret.txt
Secret data...

[Wed Jun 16 09:02:01]
[zoidberg@/dev/null:~/steg ] $


As you can see, it is a very simple program to use and a really cool technique. I have played around with this and am able to bypass content control filters as well as antivirus systems. For example, a company may use a content control system (like MessageLabs / Symantec Hosted Services) where you can define rules to govern what type of content can enter and leave an organization's mail server. Using this technique you can, for instance, hide a text file full of credit card numbers or any other data that content control usually picks up and get it through without being caught. Also, you can hide malware or a virus within the image, and this too will bypass most AV vendors' systems; I checked on VirusTotal and it bypasses every vendor there. To make use of the latter, I guess you would need to figure out a way to execute the virus within the image for it to be malicious; however, being able to bypass content control is dangerous enough.
