The December 2022 issue of IEEE Spectrum is here!

Close bar

The Dark Side of Steganography

Cybersecurity researchers in Poland and Italy are trying to out-smart steganographers at hiding their malware

2 min read
The Dark Side of Steganography
Illustration: Getty Images

The complicated mess of code in image, voice, video and even electrocardiogram data provide the perfect carrier for hidden messages. At the Network Security Group at Warsaw University of Technology, in Poland, Wojciech Mazurczyk disguises data the same way cybercriminals do in order to beat them at their own game.

Hackers use the information disguising technique known as steganography to infiltrate computer systems. The technique has since evolved from tattoos to invisible inked letters to flurries of data packets. By altering small bits of data in a file such a JPEG or in packets of voice data, they can send secret information and viruses.

In an IEEE Security & Privacy report, Mazurczyk and Luca Caviglione, a National Research Council of Italy telecommunications specialist, identified three major steganography techniques hackers have used to hide the most recent and prolific malware: local channel, digital file, and network steganography.

“We are seeing trends among malware developers who are intrinsically using information hiding technique to make malware harder and harder to detect,” Mazurczyk says.

In 2014, antivirus research firm AV-TEST reported that there are about 130 million new forms of malware. This is a 63 percent increase from 2013. What’s more, one of the leading antivirus vendors, Symantec, admitted that its products are able to detect only about 45 percent of new threats.

According to Mazurczyk, this is partially a result of new, sophisticated developments in network steganography, which cloaks a message’s origins in the shroud of Internet traffic. The traffic allows steganographers to send longer messages without leaving behind an obvious trail.

Mazurczyk has helped develop network steganography programs such as SkyDe, which sends hidden messages through Skype voice data, and StegTorrent, which encodes information in BitTorrent transactions. After analyzing these programs, Mazurczyk and his team then creates protocols to detect the hidden transmissions. The challenge is that every transmission route a steganographer uses to hide information requires a specific countermeasure, says Mazurczyk.

The damage steganographically hidden malware inflicts can be catastrophic. In the 2006 Operation Shady RAT case, the Trojan.Downbot virus infected computers from 72 organizations around the world, including the United Nations, the U.S. federal government, and economic trade organizations. JPEG and HTML files encoded with commands granted remote servers control over mainframe computers. It took institutions months to recover.

And Mazurczyk and Caviglione predict that such scenarios will only worsen as cybercriminals increasingly turn their attention to smartphones. Over the past two years, McAfee reported a 1,800 percent increase in mobile malware.

Smartphones are like Swiss Army knives that provide dozens of pathways to send a secret message, says Mazurczyk. Steganographers can launch an attack through a smartphone’s camera, its Wi-Fi and cellular network connections, applications, and sensors. For example, the virus Soundcomber can infer secret data by differentiating between changes in vibration or volume settings.

Since the paper was written, even more dangerous steganography cases, like the recent Hammertoss infiltration on GitHub and Twitter, have come to cybersecurity specialists’ attention.  

“I feel that we are just at the beginning of the rope,” says Mazurczyk. “These are the most simple information hiding methods that can be used. In a few years, we will be starting to discover more sophisticated techniques.”

Mazurczyk and his colleagues are working on better ways to detect and prevent the transmission of secret viruses, and spreading awareness among cyber security organizations like the European Commission. But, in order to find hidden messages, they must first think like the stealthiest steganographers.

The Conversation (0)

Why the Internet Needs the InterPlanetary File System

Peer-to-peer file sharing would make the Internet far more efficient

12 min read
An illustration of a series
Carl De Torres

When the COVID-19 pandemic erupted in early 2020, the world made an unprecedented shift to remote work. As a precaution, some Internet providers scaled back service levels temporarily, although that probably wasn’t necessary for countries in Asia, Europe, and North America, which were generally able to cope with the surge in demand caused by people teleworking (and binge-watching Netflix). That’s because most of their networks were overprovisioned, with more capacity than they usually need. But in countries without the same level of investment in network infrastructure, the picture was less rosy: Internet service providers (ISPs) in South Africa and Venezuela, for instance, reported significant strain.

But is overprovisioning the only way to ensure resilience? We don’t think so. To understand the alternative approach we’re championing, though, you first need to recall how the Internet works.

Keep Reading ↓Show less