Sunday, 14 June 2015

Spreading malware through Images with Stegosploit tool

Next-gen cyber attacks could come through Internet
images using the Stegosploit tool, which allows
hackers to embed malware in an image

Security researcher Saumil Shah has developed the
Stegosploit tool, with which hackers can embed executable
JavaScript code within an image to trigger a drive-by
download.

The Internet is becoming a major source of media and
is emerging as a hub for advertisements of every kind.
As a result, innocent-looking images are scattered
all over the Internet, on social networking
sites and search engines alike. Security researcher Saumil
Shah believes this is the field that the next generation
of cyber attackers could exploit.

Saumil Shah, a security researcher from Net Square
security, recently presented his Stegosploit project at the
Hack In The Box conference held in Amsterdam. During
the conference he demonstrated an updated version of
his digital steganography project, the Stegosploit
tool, which allows hackers to embed executable
JavaScript code within an image to trigger a drive-by
download.

What does all this mean?

In layman's terms, it means that going
forward people might download
potentially dangerous malware onto their devices just by
viewing an innocent-looking image, without even clicking
on or downloading that image. While a person views an
image, the hidden malware could be downloaded to the
computer, smartphone or tablet without the
knowledge and consent of the user. This malicious
program can be very dangerous, as it can
steal the user’s confidential data such as photographs, login
credentials and financial information. The worst part
is that present-day antivirus and malware detection scanners
are not yet equipped to detect these types of
cyber attacks, so even devices that are
protected by such programs gain nothing from them
if attackers choose to attack through the
Stegosploit tool.

Steganography: This is a technique for transmitting
messages in hidden form, in such a way that the
message becomes part of something else, such as an
image, an article, a shopping list or some other cover text. The
technique has been in use since 1499, and one striking
example of steganography is a hidden
message written in invisible ink between the
visible lines of an innocent, friendly letter.

With cryptography, the encrypted message usually
arouses interest; with
steganography, the secret message does not attract any
attention and so escapes unwanted scrutiny.
This is why steganography is preferred over
cryptography.

History shows that people have used a
combination of cryptography and steganography in the
past to transmit secret messages to the ‘right people’.
In his demonstration Shah said that the steganography
method “hides the message in plain sight”. The
technique developed by Shah, the
“Stegosploit tool”, is an advanced form of the
steganographic method in which the exploits are not only
delivered in plain sight but also in style.

Besides being a security researcher, Shah also has a
passion for photography.
Five years ago Shah decided to combine
his passions for hacking and photography, and he
started experimenting with steganographic techniques in
images.

Speaking to iDigitalTimes, Shah said:

I really love photography and I had been
looking into jpeg files and image files just
because I could. It was then that I began to
wonder if non-image data could be encoded
inside an image itself. Of course,
Steganography in images has been around a
long time and a lot of research has been
done with encoding text on pictures, but with
classic steganography you are just adding
text into an image and both the text and the
image are passive. What I wanted to do was
encode active code into the image pixels so
that when it was decoded, it isn’t viewed as
an image, but rather, executes.

Finally, Shah found that executable code can
be embedded in an image and then executed in the web
browser. He created his own tool, ‘Stegosploit’,
with which he was able to hide executable code within
an image and then execute that code in a web
browser that supports HTML5 Canvas. The tool
uses JavaScript to read the image pixel data and
decode the image within the browser, thus exploiting the
HTML5 Canvas.

Using the Stegosploit tool, Shah has been taking known
exploits for Chrome, Safari, Explorer and other browsers
that support HTML5 Canvas and encoding these exploits
into the image layers. Shah has dubbed the resulting
files Imajs (image + JavaScript): a file that loads as
JavaScript in a browser and renders as an image as well
as an executable. In this way Shah was able to hide two
different kinds of content in a single file,
delivering malicious content in the images.
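
A defender-side check for the Imajs idea described above, as an added example that is not from Shah's tool or the original article: it walks a PNG's chunks and flags markup a browser could parse as HTML or JavaScript, plus any data after IEND. The marker list, function names and sample files are constructed assumptions; it inspects only the container, so a payload encoded in pixel values is outside what it can see.

```javascript
// Added example: flag PNG uploads whose container also carries browser-parsable markup.
const PNG_MAGIC = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
// Tokens an HTML/JS parser would act on; this list is an assumption, tune it per site.
const MARKERS = [/<script/i, /<html/i, /<svg/i, /javascript:/i, /\bgetImageData\s*\(/, /\beval\s*\(/];

function inspectPng(buf) {
  const findings = [];
  if (buf.length < 8 || !buf.subarray(0, 8).equals(PNG_MAGIC)) {
    return { ok: false, findings: ['not a PNG (bad signature)'] };
  }
  let off = 8, sawEnd = false;
  while (off + 12 <= buf.length) {
    const len = buf.readUInt32BE(off);
    const type = buf.toString('latin1', off + 4, off + 8);
    const end = off + 12 + len; // length field + type + data + CRC
    if (end > buf.length) { findings.push(`chunk ${type} overruns file`); break; }
    // IDAT holds compressed pixel data; chance matches there are noise, so skip it.
    if (type !== 'IDAT') {
      const text = buf.toString('latin1', off + 8, off + 8 + len);
      for (const re of MARKERS) {
        if (re.test(text)) findings.push(`marker ${re} in ${type} chunk`);
      }
    }
    off = end;
    if (type === 'IEND') { sawEnd = true; break; }
  }
  if (!sawEnd) findings.push('no IEND chunk');
  if (sawEnd && off < buf.length) findings.push(`${buf.length - off} trailing bytes after IEND`);
  return { ok: findings.length === 0, findings };
}

// Constructed samples. CRC bytes are zeroed because this check does not verify them.
function chunk(type, data) {
  const head = Buffer.alloc(8);
  head.writeUInt32BE(data.length, 0);
  head.write(type, 4, 'latin1');
  return Buffer.concat([head, data, Buffer.alloc(4)]);
}
const clean = Buffer.concat([PNG_MAGIC, chunk('IHDR', Buffer.alloc(13)),
  chunk('IDAT', Buffer.from([0x78, 0x9c])), chunk('IEND', Buffer.alloc(0))]);
const suspect = Buffer.concat([PNG_MAGIC, chunk('IHDR', Buffer.alloc(13)),
  chunk('tEXt', Buffer.from('Comment\0<html><script></script>')),
  chunk('IDAT', Buffer.from([0x78, 0x9c])), chunk('IEND', Buffer.alloc(0)), Buffer.from('-->')]);

console.log(inspectPng(clean), inspectPng(suspect));
```

Serving user-uploaded images with the correct image Content-Type and never as HTML or script complements a check like this.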

After encoding, the image may appear
totally unaltered, depending on which layer the JavaScript
has been embedded in. The Stegosploit technique is able to
distribute the executable code throughout an
image file, which makes it next to impossible for
current antivirus programs to detect. To detect
this hidden code, the antivirus needs to scan each and
every byte in an image, which would directly affect the
speed of the internet.

Shah gave the first
demonstration of his Stegosploit tool at SyScan in March. At that
time the technique delivered the malware using two
images: one contained the executable code and the
other contained the code to decode it. Shah
has since developed the technique further, and now both the
executable code and the decoder can be
embedded within the same image. The technique
works with PNG as well as JPEG images. Further, as
long as the size of the file remains unchanged, it can be
added to any webpage, including Twitter, Imgur,
Instagram, dating profiles and many more.

People who view photographs and images online could
easily become victims, as the malware is downloaded
just by viewing and the image does not need to be clicked or
downloaded. This could become a major technique for
cyber attackers to exploit in the near future. Shah is
pretty confident that we will witness these attacks soon,
though as of now there are no known cases of hackers
using this technique.

Shah said: “I can’t be the only guy that thought this
up. When I think of something I want to bring it out into
the light and say ‘here’s a technique that’s very difficult
to do but have at it. Use your creative thinking and find
out some defenses against, because this thing is
coming”.

I personally feel it is high time that all the antivirus
programmers and malware scanners worked fast
and brought out some tool to act against this type of
cyber crime, and were ready before the cyber crooks start
attacking Internet users.
