Fighting steganography detection
(benign viri as defence against sniffing)
noanon
Fravia's Anonymity Academy

by Fabian Hansmann

(04 January 1997, slightly edited by Fravia+)

Courtesy of Fravia's page of reverse engineering
Well, for once I'm hosting an essay of a person that does not use handles nor avatars nor nicknames: Fabian Hansmann, the Author of Steganos, one of the most interesting Stenographical applications on the scene. His idea of using a benign virus in order to spread noise is interesting, yet not new (some +masters have already prepared long ago a 'benign' cracking virus -antibil7.com- that registers Micro$oft's timelimited targets WITHOUT NOTICING the owner of the PCs where these targets are found :-)
So Fabian's idea can be implemented, moreover we will of course begin ourselves, during 1998, to 'deepen' (in a reversing sense) our knowledge of the whole steganographical existing bazaar... and I'm happy that we'll work hand in hand with steganographical experts (and nette Leute) like Fabian (and maybe other Authors as well as it seems) 


Fighting steganography detection

by Fabian Hansmann




  During the last years steganography was well known among academic people

and hackers only.

Meanwhile - especially in 1997 - the situation changed: steganography

software started to enter the mass market e.g. via freeware and shareware. 

Computer magazines discovered this interesting topic.



  People trust Steganographic systems since they just do not see or hear

any difference between a file carrying information and one that does not. 

Computer based steganography implementations are a very new technology 

which has never passed a dialectic process comparable to the one which 

encryption has passed. 

Nobody knows whether secret services have already developed steganography 

scanners which are searching the net for images or sounds containing hidden 

data in the very same moment you are reading this article.



  Cryptographic methods became very good in the last decades since

algorithms which had been secret during the years before were analyzed 

by the academic community. 

One of the newer cryptography goals for instance is the public key system, 

which was -officially - invented in the seventies of this century. 

However the ideas used in 'modern' steganography programs

are partly ancient - some ideas are described in books of the 17th 

century [1].



  As mentioned above mass media started to write about steganography, 

but the articles written about it are on a level far below the cryptography 

literature. 

There doesn't even exist any speculation about the existence of 

stego-detectors.



  Comparisons of existing steganography products in most cases are 

limited to the supported carrier-files and the quality of the user 

interface. In more serious articles the used encryption is discussed, 

but I didn't read any article with helpful information about the

most essential point: the algorithm's resistance against detection.



  I searched for information about the detection of carrier-files 

and asked many people -programmers, hackers and academics - if they 

have got knowledge about usable results but it seems that scientific

research  is concentrating on watermarking-techniques at the

moment.



  There are only a few books about the type of steganography we are

interested in. 

The people I asked said they would start by checking out the noise-theory 

-but this is a complex topic.



  A simple trick to find out whether a file is encrypted is trying to

compress it - of course compressed files are also 'detected' this way. 

Programmers know this fact -when you implement a compression algorithm 

in an encryption program you must compress the data before(!) you encrypt 

it [2].



  I think one could modify a known compression algorithm to check a

potential carrier-file for simple steganographic algorithms. If the 

steganography program hides data in a file without filling the rest of 

the carrier-file with random data one could do some fuzzy logic and 

compare the results of the spectral analysis for different parts of the

potential carrier-file and guess whether the file carries hidden 

information or not.



  If you compress two bitmap files, the original and the same file used as

a carrier-file by using a standard compression software - for example 

pkzip - the original picture can be compressed better. 

A good example is the pair of pictures on Fravia's Steganography Page [3].

He labelled purposedly the two files in the wrong way, but the truth was 

relatively obvious since the compressed carrier-file is in most cases 

bigger than the compressed original. Of course in 'real life reversing' 

nobody has the original version of a carrier-file if this has been well 

chosen.



  Since we just don't know how steganography scanners - if they exist -

work, a pretty unorthodox method to irritate such scanners without the 

need of knowing how they are working came into my mind: faked carrier-files 

which contain non sensitive data.



  A good possibility for creating and spreading such files would be a

computer virus which replaces everywhere the least significant bits ('LSB')

of sound and image files by pseydo random (and self-reproduces itself 

of course). The LSBs will look like encrypted data. 



  This is very interesting in countries which have cryptography

restrictions. Think about France for instance! Nobody can tell if 

sensitive information has been hidden in a file or if you'll find 

there after a long work just some crap. 



Nobody can prove if you use steganography (and you are the criminal) or 

if you have been infected by a nasty virus (and you are the victim).



  The consequences of a virus like that would be a well spreaded

steganography noise (I will call this from now on 'stego-noise') on 

Personal Computers all over the world and on the Internet.



Imagine the scenario: even supporters of the anti-crypto-campaigns and

members of the law-enforcement agencies would increase the stego-noise 

and confuse scanners by false alarms without even recognizing that their 

computer systems have been infected.



  After some weeks or months, when a high level of stego-noise has been

established by the virus, this could deinstall itself - probably before 

it has been detected and without having damaged the system.



  We know that the heuristic virus scanners sold nowadays are far from

being perfect. With some well-known tricks we can write a selfencrypting 

virus (a 'benign' one of the sort discussed above, that is) of a kind 

which won't be detected too fast.



  This virus would confuse a steganography detection - even a perfect

detection. 

But one must keep in mind that even non-destructive viruses can damage 

the system, because of unforeseen bugs and unexpected environments - 

that's definitely not what we want to achieve!



  Creating extra noise is not a very elegant way. The idea behind our 

science, steganography, is hiding information inside noise which already 

exists - for example in the chaotic background noise of a recorded 

sample.



  I think the best solution to defend us against steganography detectors is

attacking existing steganography algorithms, which is a highly interesting 

project, and improving at the same time the existing steganography 

programs. 



The possibility to detect carrier-files does not break the

cryptographic barrier, but that's a different topic and comparatively 

well discussed. 

The Contraband [4] cracker 'anti-contraband' [5], for example, extracts 

a hidden file out of a carrier-file when you use it. This only works for 

steganography programs using a bad cryptography algorithm or 

implementation, badly chosen passwords, or if massive brute force

is available. Even if you are able to crack a single file you can't use

this method if you do not know which file contains the hidden 

information you are after.



  If nobody has written a steganography detector yet people will do it 

as soon as cracking steganography algorithms becomes more interesting - 

because of financial/commercial reasons for instance. 



They probably will succeed... yet we will always be ahead of any 

commercial oriented mind :-)



References:

[1] Gaspari Schotti, "Schola steganographica", 1680,

    http://www.cl.cam.ac.uk/~fapp2/watermarking/steganographica/

[2] Bruce Schneier, "Applied Cryptography" (Chapter 10.7), 1996, Wiley

[3] Fravia, "Fravia's Steganography Page", 1997,

    http://207.30.50.126/Fravia/stego.htm

[4] Hens Zimmerman and Julius Thyssen,

    "Contraband", 1997, http://www.xs4all.nl/~jult/4u/contrabd.exe

[5] Massimiliano, "anti-contraband", 1997,

    http://207.30.50.126/Fravia/uncontra.zip



Written in 1997/1998 by Fabian Hansmann, author of the 

steganography program Steganos for DOS

and coauthor of Steganos for Windows 95 

(http://www.steganography.com )

EMail: fabian@demcom.com
_ _ _ _ _ _ _ _ _ _ noanon
Back to the Advanced Stego page ___Back to the Stego 'normal' page
redhomepage redlinks red+ORC redstudents' essays redcounter measures
redantismut CGI tricks redacademy database redtools redjavascript tricks
redcocktails redsearch_forms redmail_Fravia
redIs software reverse engineering illegal?
redFravia December 1997 ~ January 1998