Steganography is the art of concealing messages into something innocuous in such a way that it is extremely difficult for someone to suspect, let alone find, a hidden message. The etymology of the word “steganography” comes from the Greek language and is translated as steganos-, or “covered”, and –graphie, or “writing”. So it literally means “concealed writing”.

Physical steganography has been in use since ancient times and included invisible ink, Morse code on knitting yarn which was then made into garments, microdots, messages on the back of postage stamps and more. One of the most mentioned historical use of steganography dated back to 440BC in “The Histories of Herodotus” where it was stated that Histiaeus, a tyrant of Miletus in Greece, shaved the head of his most trusted servant and tattooed a message on his scalp. When his hair grew again, he sent him through enemy Persian territories as an emissary to a friendly town to instigate a revolt against their leaders.

Digital Steganography

In the last 40 years, with the advent of personal computing, there has been a rise in digital steganography. Any type of information can be hidden in nearly all files. The best type of file for steganographic transmission are media files due to their large size. Files hiding other files are usually referred to as “carrier” files. These files are made so that, whilst containing the hidden information, they are still mostly functional and will not arouse suspicion to anyone not specifically looking for them.

Some examples are:

  • Text in media files – Text can be embedded in media files by adjusting the file slightly in predefined places so that the difference will correspond to a letter in the alphabet. Pictures can have several specific pixels, a music file some samples, and a video file some of the frames changed a little whilst keeping their functionality majorly intact. The changes are so minor that one will find it very difficult to notice that there is a text message when viewing/hearing the material.
  • Pictures in other pictures – Same size pictures can easily be hidden in carrier picture files by using the last 2 or 3 bits of each RGB value of each pixel of the container. It is like having the two pictures overlapping each other with one of them being nearly invisible. The resulting picture is nearly undetectable even when comparing it by eye with the unaltered one. The “hidden” picture is extracted by stripping, using a specific program, the carrier picture’s bits and turning up the brightness.
  • Pictures in video files – Pictures can be fixed in video material either by replacing a frame in the video or parts of the picture on several specific frames. These pictures can be viewed by either pausing the video or playing it at a faster speed respectively. When the video is played at normal speed, the change is so minor that the human eye cannot catch the difference and the video is viewed normally.
  • Files archived inside pictures – Any type of files can be stored in archives which look and act exactly as a picture. This technique is quite low profile so, unless there is a 10 gigabyte 640×480 jpeg file, it does not arouse any suspicion that the picture may be something more. One of the easiest methods to do this process is by utilizing an archiving program and a command. In one folder place a “carrier” jpg and the files to be hidden inside an archive file. Run “cmd” and type in the command in the form of “copy /b carrierpic.jpg + secretfiles stegapic.jpg”. The result would be a jpg file which acts and looks as a picture but in reality it is storing the hidden files in it and can be fully used as an archive file. This method shows how easily one can hide files without the use of specialized software.

Threats of Steganography

Digital steganography, as stated before, is just a series of methods which hides information and files from view into other files and can have many beneficial and secure properties such as watermarking photographs to deter art theft, keeping sensitive data secure in innocuous files in case of unauthorized access or data theft, etc. But as any other tool in the world, intentionally and unintentionally, people may use this difficulty of detection in not such secure ways.

“Is your PC virus-free? Get it infected here!”

This was a real Google Ad last year. You may think that no one in his right state of mind would click this advert. But they do. Fortunately, this was only an experiment by Mikko Hypponen, who is Chief Research Officer at security firm F-Secure and only leads to a “Thank You” html page. During the six month period that this ad was online, 409 people either by mistake, out of curiosity or stupidity thought it was a good idea to click the link to “see what happens”. This experiment was mentioned to show how some users willingly download viruses even if it says “Clicking this link will format your hard disk but you will see a dancing pig” let alone if the virus is hidden in an innocent attachment sent (seemingly) from a co-worker or a friend. (Anyone involved in computer security will know of the “Dancing pig problem”). The most common misuse of steganography is the hiding of malware into seemingly safe files such as pictures, audio and email attachments. This method is used to hide any type of malware ranging from viruses to worms from spyware to Trojans.

One of the simplest ways to hide malware is to use double extensions. A file would be named for example as “cutekitten.jpg.exe”. When this is clicked, Windows will look only at the last part of the extension and therefore treats it as an executable. For an unprotected computer this method is particularly effective as this can be received as an attachment and, by default, Windows hides the last extensions of its files and therefore this is shown as a jpg file and can be overlooked and executed. An example was the Anna Kournikova virus which was sent via email as an attachment “AnnaKournikova.jpg.vbs”. A similar technique is with URL links. These may be fashioned to show that they are directed to a jpg, mp3 etc but when clicked, the user is redirected to an executable.

Macros embedded in Microsoft documents also fall under the steganography cap. These mini-programs are executed as soon as one opens the document and mostly spread by copying the email addresses in the address book and sending itself automatically by email. The Melissa virus is a famous example of this; it had a null payload but its damage came in the form of email servers congestion due to its high rate of spread.

As stated before, text can be embedded in pictures. This may take the form of malicious code. Though harmless on its own, it can have a companion malware process which loads the program from the carrier picture. The main advantage is that in some systems, picture files are not scanned and the companion process will not have a virus signature.

While in the previous cases steganography was used to hide the malware to infect the system, it can also be used maliciously in reverse. A virus may be programmed to “hide” a user’s important documents or files inside a file and ask for ransom for the password that will be used to decrypt the data back to its original state (hopefully). A macro famous for this was a variant of the Melissa virus mentioned before called Melissa.V. This macro made a backup of documents and destroyed random parts of the original. Then it requested a ransom of $100 to be transferred to an offshore account. Fortunately the owner of the account was tracked down and it was discovered that the macro wrote information in the Windows registry and with this, the documents could be retrieved.

Another dangerous application to steganography involves malevolent users of the system whose intent is to transfer or steal sensitive information or files. This can very easily be done with “Text in media files” or the “Files archive in pictures” methods mentioned previously in this article.

For example take the picture of “Big Buck Bunny” to the right. If one sees this email being sent one can easily assume that the user just sent this screenshot home to remind himself to borrow the DVD or to show it to someone else.

But, if one takes this picture and checks it for hidden messages, he will find the message:

Hi,

The details for the server are the following:

IP: 123.123.123.123
Username: Administrator
Password: 1a2s3d4f

Take all important information and crash it. Then we will ask for ransom.

(To confirm this, one can download the image and pass it through http://mozaiq.org/decrypt/. The password is “123”)

One big advantage of steganography, when compared to other cryptic processes, is that the hidden material is truly hidden from view. If everyone knows that there is some secret information somewhere, no matter how tight and secure it is, some cowboy will try to crack it and, given enough time and motivation, the data will be exposed. I hope you found this article interesting and remember, a picture may be worth a thousand words but it may be concealing 2000 words as well or worse, the source code of your most valued product.