When a Picture Paints a Thousand SSNs

See that JPEG photo? It may be hiding a list of stolen Social Security numbers.

Attackers are becoming increasingly clever in their efforts to hide stolen data, according to forensic experts. One of the most popular now is the technique of stegonography -- the hiding of stolen data within image files.

It's always been a cat and mouse game, experts say. Once a hacker finds he's being watched or detected, he finds another way to mask his activities, either by covering his tracks by wiping out logs, using rootkits, encrypting malware, or hiding behind a Trojan.

"Hackers are becoming more aware and conscious of tools and techniques people in the forensic response world use to track what they are doing," says Chris Novak, principal consultant with Cybertrust's Investigative Response Unit. Hackers are using anti-forensics techniques in about two thirds of the cases Novak is currently investigating.

Stegonography is one of those techniques. "We are starting to see more of this in our investigations, where an attacker can take any type of data and mix it with an image or photo," making it less likely to arouse suspicion, says Novak. "This poses a significant challenge from a forensics standpoint... And images aren't something any corporation can block."

Joe Stewart, senior security researcher for SecureWorks, says attackers for years have been covering their tracks by removing IP addresses, wiping out logs, and hiding code with encryption and other methods. But he says he has not seen stegonography as a way to conceal hacked data. "That's not really what it's for," says Stewart, who recently found the SpamThru trojan, which encrypts the spam message templates it sends to its bots. (See Spammers Turn the Tables Again.)

Attackers typically use legitimate encryption libraries or source code compiled into a Trojan to conceal traffic from network-based analysis, he says.

Most criminal hackers aren't interactively logging onto servers anyway, Stewart observes. They let the bots do the work for them. "And there are different levels of protection given to the bot itself, depending on how concerned the attacker is with having the software removed," he says. "Some simply don't care. Others use rootkits."

As a matter of fact, Stewart says he is currently writing detection signatures for LDPinch, a password-stealing Trojan that employs compression to pack the stolen data for transit. "It doesn't rely on encryption to obfuscate the passwords, opting instead to use a fairly obscure compression library called 'aPlib.'" aPlib has an easy-to-spot standard file header, Stewart notes, so a network IDS/IPS would easily pick it up.

"When we see it in an email attachment, it's almost always going to be a case where stolen data is involved," he says. "So except in cases where the attackers are using very random encryption, or covert channels, we can spot this stuff a mile away on the network IDS/IPS."

Cybertrust's Novak, meanwhile, says there are tools becoming available that make stegonography simpler for attackers to exploit. A file of stolen data appears only as a picture, with the hidden data embedded in it. "If you looked through the system, you'd see a bunch of JPEGs, bitmaps, digital camera pictures." Only the attacker who disguised the data can read it, but the naked eye cannot, Novak says.

"This [stegonography for hiding stolen data] is a fairly new issue," he says. "And it's likely this has been going on more than we think" because it's so tough to detect.

— Kelly Jackson Higgins, Senior Editor, Dark Reading