The digitalization of photography has made the distribution of present-day images a potential security threat through an esoteric practice called steganography. Here, we take a closer look at this modern-day evolution of an ancient practice.

Steganography is an evasion technique that conceals a file within another file – in this case, an image – without visibly altering the carrier, so that nobody suspects the hidden data is there.

The technique is often deployed by cybercriminals as a way to smuggle malware onto a network, but it can also be used for hiding nefarious activities such as data exfiltration.

In June 2020, for instance, researchers at cybersecurity firm Malwarebytes found malicious code hiding in the metadata fields of an image file that had been planted on compromised e-commerce sites in order to siphon customers' credit card information.

In other examples discovered by the company, image steganography has been deployed to mask configuration files that were deemed vital to the functionality and success of fraudulent operations.

This was most notably seen with a variant of the Zeus banking trojan, Malwarebytes reported in 2014.

How steganography is evading detection

Despite the diverse role that steganography plays in facilitating illicit activity online, malicious images remain an issue largely ignored by present-day security solutions such as antivirus software.

That is predominantly because an image file, unlike a document file that can carry macros, contains no executable content of its own: a viewer only decodes pixels and metadata, and nothing in the format causes a program to run.

“Downloading an image that contains steganography is not a problem in itself,” Jérôme Segura, director of threat intelligence at Malwarebytes, told SmartFrame.

“For the payload contained within the malicious image to execute, it must first be called by another program that will extract and then run it.”

An image used to conceal parts of ransomware code therefore only becomes dangerous if a second malicious program, a loader, runs on the same system as the picture and extracts the payload from it.

This can be done by tricking a user into clicking on a phishing link, for example, or by crafting an image so that it exploits a known vulnerability in a website, browser, or application. This was the case in Malwarebytes’ aforementioned discovery of malicious code hiding within a picture’s metadata in June 2020.

Without that second component, the program that extracts and runs the payload, Segura said, an image carrying hidden code can be downloaded onto a machine without causing much harm.

This, however, has created a blind spot in the security practices of both organizations and websites. Images are not scanned adequately because they are regarded as a passive threat, and inspecting or re-encoding every upload in full is considered too costly.

Twitter, for instance, has been aware of instances of image steganography on its platform since at least 2018, when a researcher was able to illustrate how a thumbnail image hosted by the website could be abused to hide the complete works of William Shakespeare.

Despite the reported circumvention of the tech giant’s data sanitization efforts, which already strip an image file of most of its metadata, Twitter dismissed the issue – alongside a second one raised earlier this year – as not within the remit of its security concerns.

David Buchanan, the researcher who discovered the Twitter bugs, disagreed.

“I don’t think [that] this technique is particularly useful for attackers because more traditional image steganography techniques are easier to implement and even more stealthy,” Buchanan told BleepingComputer in March.

“But maybe it could be used as part of a C2 (command and control) system, for distributing malicious files to infected hosts,” he said.

In order for sites like Twitter to protect themselves against image steganography like that which was demonstrated by Buchanan, every single image file passing through its network would need to be scanned for potential abuse.

According to Segura, that can cause problems due to the evolving array of techniques that are used to mask malicious image files.

“A lot of this scanning can be done using various libraries or even AI (artificial intelligence),” Segura said.

“However, an attacker could simply try to bypass any measure by submitting different formats until one makes it through.”

The history of steganography

Steganography has origins dating back to ancient Greece and the art of concealing a message within another message or a physical object.

The practice draws parallels to cryptography in that its main purpose is to hide information. However, it differs in the fact that encrypted messages are understood to contain secret information, whereas steganography aims to shroud the existence of a message altogether.

Invisible ink is the most familiar early steganographic technique, but the practice grew more sophisticated during the Second World War, when Axis agents learned to photographically reduce a page of text to a dot so small that a magnifying glass was needed to read it.

This allowed information to pass through unsecured channels disguised as innocuous punctuation, a technique known as the microdot.

Steganography in a digital world

Digitalization has furthered the practice of image steganography through the malleability of formats such as JPEG, PNG, BMP and GIF.

These formats tolerate a great deal of extra data, in metadata fields and in the low-order bits of pixel values, that has no effect on how the picture is displayed, which makes them an attractive carrier for hidden content.

“There are a lot of ways to smuggle something inside an image,” Karlo Zanki, a reverse engineer at the cybersecurity company ReversingLabs, told SmartFrame.

“One of the ways is through steganography on bit level, where an attacker can add some piece of information to each image pixel so that it isn’t visible to the human eye.”

An image is a grid of pixels, each stored as one or more colour channel values (typically 8 bits per channel for red, green and blue). The lowest-order bits of those values contribute so little to the colour that they can be overwritten with embedded data without a visible change to the picture.

This can be done using a variety of methods, the best known being least significant bit (LSB) steganography, in which the least significant bit of each channel value is replaced with one bit of the hidden message.
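The following is an added example, not code from the article or from any of the companies quoted in it, showing LSB embedding and extraction in pure Python. It works on a constructed 8x8 RGB buffer of 8-bit channel values; with a real file the same values would come from a decoder such as Pillow's `Image.getdata()`, which is an assumption of this example rather than something the article describes. The `payload`, `COVER` buffer and two-byte length prefix are all choices made here for illustration.

```python
"""Least significant bit (LSB) embedding on a constructed RGB pixel buffer.

Added example, pure Python: no image library is needed because the technique
only touches the 8-bit channel values. (Assumption: with a real file these
values would come from a decoder such as Pillow's Image.getdata().)
"""

# Constructed cover "image": 8x8 pixels, 3 channels, flat list of 8-bit values.
WIDTH, HEIGHT, CHANNELS = 8, 8, 3
COVER = [(17 * i + 40) % 256 for i in range(WIDTH * HEIGHT * CHANNELS)]


def capacity_bytes(cover):
    """One bit per channel value, minus the 2-byte length prefix used below."""
    return len(cover) // 8 - 2


def _bits(data):
    """Yield the bits of each byte, most significant first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover, payload):
    """Return a copy of cover whose channel LSBs carry len(payload) + payload."""
    framed = len(payload).to_bytes(2, "big") + payload
    if len(framed) * 8 > len(cover):
        raise ValueError(
            f"payload of {len(payload)} bytes exceeds capacity of "
            f"{capacity_bytes(cover)} bytes")
    stego = list(cover)
    for i, bit in enumerate(_bits(framed)):
        stego[i] = (stego[i] & 0xFE) | bit  # clear the LSB, then set it to the message bit
    return stego


def extract(stego):
    """Read the length prefix, then that many bytes, from the channel LSBs."""
    def read(start_bit, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[start_bit + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read(0, 2), "big")
    return read(16, length)


def max_channel_delta(a, b):
    """Largest per-channel change between two buffers; LSB embedding never exceeds 1."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    payload = b"c2=example.invalid"  # constructed stand-in for a hidden config string
    stego = embed(COVER, payload)
    print("capacity:", capacity_bytes(COVER), "bytes")
    print("recovered:", extract(stego))
    print("max channel delta:", max_channel_delta(COVER, stego))
```

The `max_channel_delta` check is the point of the technique: no channel value moves by more than one step out of 256, which is why the change is invisible and why scanning for it is hard without the original. Note that this only survives lossless formats such as PNG or BMP; saving the result as a JPEG recompresses the pixel values and destroys the message, which is why attackers who use lossy formats hide data in metadata instead.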

However, techniques like these, or ones that modify a picture’s luminance, tend to be reserved for more advanced threat actors because of the technical knowledge required to implement them.

“Metadata is a much easier way to hide malicious code within an image file,” Zanki explained, “which is why the technique is more popular than hiding data inside image pixels.”

He added: “When the level of effort for the attacker increases, so does the value of the target.”

Preventing steganography in digital images

Zanki, who wrote a lengthy blog post in March on the technical aspects of image steganography, believes that the prevalence of malicious images online is a growing systemic problem in our digital ecosystem that can only be solved by improving security solutions.

This would mean adapting antivirus software to keep up with the mounting number of image steganography techniques, in order to restore trust in our digital media and services.

“Every place where you can upload some kind of image can be an entering place for malware,” Zanki said.

“Places where you can upload images should perform some kind of sanitization, regardless if you process the images or not, because someone using your service could potentially use that image and get hit by malicious intent.”
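As an added example covering both the metadata hiding Zanki describes above and the upload sanitization he recommends, the block below is not code from the article, from ReversingLabs or from Malwarebytes. It builds a constructed 1x1 PNG, hides a constructed payload string in a `tEXt` metadata chunk, lists the ancillary chunks an upload scanner would flag, and rebuilds the file from its critical chunks only. The `PAYLOAD` value, the `make_png` helper and the `example.invalid` hostname are all inventions of this example.

```python
"""PNG metadata hiding and sanitization, as an added example.

Builds a constructed 1x1 PNG, hides a payload in a tEXt chunk (the kind of
metadata field the article describes), lists the chunks an upload scanner
would flag, and rebuilds the file keeping only critical chunks.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Per the PNG spec, chunks whose type starts with an upper-case letter are
# critical; everything else is ancillary and may carry arbitrary bytes.
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}

# Constructed stand-in for a hidden configuration string; not real malware.
PAYLOAD = b"c2_url=https://example.invalid/gate"


def chunk(ctype, data):
    """Serialise one chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(extra_chunks=()):
    """Minimal valid 1x1 RGB PNG; extra_chunks are placed between IHDR and IDAT."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 8-bit RGB, no interlace
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte 0 + one red pixel
    extras = b"".join(chunk(t, d) for t, d in extra_chunks)
    return PNG_SIG + chunk(b"IHDR", ihdr) + extras + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def iter_chunks(png):
    """Walk the chunk list, verifying each CRC; yields (type, data) pairs."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on chunk {ctype!r}")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break


def suspicious_chunks(png):
    """Ancillary chunks and their sizes: what an upload scanner should inspect."""
    return [(t, len(d)) for t, d in iter_chunks(png) if t not in CRITICAL]


def sanitize(png):
    """Rebuild the file from critical chunks only; pixels survive, metadata does not."""
    return PNG_SIG + b"".join(chunk(t, d) for t, d in iter_chunks(png) if t in CRITICAL)


# Constructed stego file: the payload rides in a Comment text chunk.
STEGO_PNG = make_png([(b"tEXt", b"Comment\x00" + PAYLOAD)])

if __name__ == "__main__":
    print("flagged:", suspicious_chunks(STEGO_PNG))
    clean = sanitize(STEGO_PNG)
    print("payload present after sanitizing:", PAYLOAD in clean)
```

Two caveats for anyone adapting this to an upload pipeline. First, dropping every ancillary chunk also discards harmless ones such as `gAMA` or `pHYs`; for hostile input that is an acceptable trade, and decoding then re-encoding the image with a normal library achieves the same effect. Second, this only removes metadata: a payload embedded in the pixel LSBs lives inside `IDAT` and passes through `sanitize` untouched, so pixel-level steganography needs a different defence, such as re-encoding with lossy compression or deliberately rewriting the low-order bits.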

Find out how SmartFrame’s innovative image-streaming technology can help protect you and your audience against steganography here. Alternatively, learn everything you need to know about image security with more articles from our blog.

The views and opinions expressed in this article are those of the author and do not necessarily reflect the views and opinions of SmartFrame Technologies Ltd or its partners.
