The complicated mess of code in image, voice, video and even electrocardiogram data provide the perfect carrier for hidden messages. At the Network Security Group at Warsaw University of Technology, in Poland, Wojciech Mazurczyk disguises data the same way cybercriminals do in order to beat them at their own game.
Hackers use the information disguising technique known as steganography to infiltrate computer systems. The technique has since evolved from tattoos to invisible inked letters to flurries of data packets. By altering small bits of data in a file such a JPEG or in packets of voice data, they can send secret information and viruses.
In an IEEE Security & Privacy report, Mazurczyk and Luca Caviglione, a National Research Council of Italy telecommunications specialist, identified three major steganography techniques hackers have used to hide the most recent and prolific malware: local channel, digital file, and network steganography.
“We are seeing trends among malware developers who are intrinsically using information hiding technique to make malware harder and harder to detect,” Mazurczyk says.
In 2014, antivirus research firm AV-TEST reported that there are about 130 million new forms of malware. This is a 63 percent increase from 2013. What’s more, one of the leading antivirus vendors, Symantec, admitted that its products are able to detect only about 45 percent of new threats.
According to Mazurczyk, this is partially a result of new, sophisticated developments in network steganography, which cloaks a message’s origins in the shroud of Internet traffic. The traffic allows steganographers to send longer messages without leaving behind an obvious trail.
Mazurczyk has helped develop network steganography programs such as SkyDe, which sends hidden messages through Skype voice data, and StegTorrent, which encodes information in BitTorrent transactions. After analyzing these programs, Mazurczyk and his team then creates protocols to detect the hidden transmissions. The challenge is that every transmission route a steganographer uses to hide information requires a specific countermeasure, says Mazurczyk.
The damage steganographically hidden malware inflicts can be catastrophic. In the 2006 Operation Shady RAT case, the Trojan.Downbot virus infected computers from 72 organizations around the world, including the United Nations, the U.S. federal government, and economic trade organizations. JPEG and HTML files encoded with commands granted remote servers control over mainframe computers. It took institutions months to recover.
And Mazurczyk and Caviglione predict that such scenarios will only worsen as cybercriminals increasingly turn their attention to smartphones. Over the past two years, McAfee reported a 1,800 percent increase in mobile malware.
Smartphones are like Swiss Army knives that provide dozens of pathways to send a secret message, says Mazurczyk. Steganographers can launch an attack through a smartphone’s camera, its Wi-Fi and cellular network connections, applications, and sensors. For example, the virus Soundcomber can infer secret data by differentiating between changes in vibration or volume settings.
Since the paper was written, even more dangerous steganography cases, like the recent Hammertoss infiltration on GitHub and Twitter, have come to cybersecurity specialists’ attention.
“I feel that we are just at the beginning of the rope,” says Mazurczyk. “These are the most simple information hiding methods that can be used. In a few years, we will be starting to discover more sophisticated techniques.”
Mazurczyk and his colleagues are working on better ways to detect and prevent the transmission of secret viruses, and spreading awareness among cyber security organizations like the European Commission. But, in order to find hidden messages, they must first think like the stealthiest steganographers.
