Cyber evildoers, seeking to outsmart anti-virus software and taking cues from old-school spies, are now wrapping their code in seemingly benign objects to take control of your system.
Watch any good spy flick, and you’re bound to see agents using myriad techniques to hide information: Invisible ink, writing on the back of a postage stamp, blinking in Morse Code, just to name a few.
The process of concealing messages is known as steganography, and actually dates back to ancient Greece when people would write secret codes on wax tablets. Later, spies began hiding messages in communiqués, radio signals, and just about every matter of media to covertly transmit messages. And in today’s digital age, it is no different.
#FBNBlackHat: Click Here for Full Coverage of Black Hat
One particularly clever breach was revealed this week by Brett Stone-Gross, a security researcher in the counter threat unit at Dell’s SecureWorks division. He said a client asked the firm to look into malware that was on its systems.
Digging into the software code, he found it made its way to the client’s computers using a previously-disclosed method in which popular websites were hijacked to deploy malware called Lurk through certain versions of Adobe’s (ADBE) Flash software. The exploit drops the malicious files into your system, and then executes them.
Once on your system, the software checks to see if you have one of 52 anti-virus software packages, and decides whether or not to install itself, based on the type of protection your computer is using.
The malware then uses a complex encrypted system to “phone home” to control servers. This type of setup isn’t actually too unusual – many software packages hijack your system in this way.
But where Lurk gets interesting is what in what happens next: The control servers send a white bitmap image back to the computer. If you were to open the file, it would literally look like a white box.
To the untrained eye, and most defense software, the image doesn’t seem particularly special. The hackers, however, devised a way to store data in what’s referred to as the least significant bit of every byte. Basically, they’ve transformed the color of the box ever-so-slightly to wedge additional information in. In this case, it’s an encrypted Web link that Lurk uses to download a “payload” onto your computer. The contents can vary from ransomware, to bank Trojans, to just about any type of malware, Stone-Gross said.
However, in this case, it turns your computer into a unit that commits click fraud – essentially tricking website advertisements into thinking you’re clicking them.
What’s so novel about hiding information in this way is that an anti-virus probably wouldn’t realize anything is wrong with the image file, since the underlying code actually looks like an image, Stone-Gross said. Older, more common techniques, actually rely on adding code at the end of the file, which is more easily detectable.
“This is something that is easy to implement, but difficult to detect,” Stone-Gross said.
He said detecting the image itself would involve “computationally expensive” statistics that rely on the fact that pixels (which make up digital images) near each other tend to be similar in color, and that’s not always the case with this type of corrupted file.
“It’s really powerful for these guys,” Stone-Gross remarked.