In a scene from the 2005 science fiction movie “Serenity,” the heroine, River Tam – a quiet, troubled girl – is watching TV in a bar when, without notice, she turns into a violent killing machine.
Later, the audience learns that River was triggered by a secret message created by the government and encoded in an ordinary TV commercial for a snack bar.
While River Tam and "Serenity" are just fictions, the ability to hide command-and-control computer code in seemingly mundane files such as JPGs, MP3s or MOVs is not.
Recently, researchers announced the discovery of a nasty bit of malware called HAMMERTOSS that uses encrypted commands hiding in files on established, legitimate services such as Twitter and GitHub to activate it.
Cloaking code within something else is nothing new. It’s called steganography, and has been used by spies for over a thousand years.
But it’s increasingly finding new life with some hackers, leaving cybersecurity professionals scrambling to try and combat it.
Hiding in the open
Hiding secrets in unexpected places using steganography is almost as old as secrets themselves.
From the Greek, meaning “concealed writing,” steganography has been used to hide messages in everything from ancient wax tablets to copies of Bible passages – even bits of yarn.
“Steganography involves hiding information in seemingly innocent cover media,” said Dr. Neil Johnson, steganography analyst and president of the cybersecurity firm Johnson and Johnson Technology Consultants.
“Where cryptography scrambles information so it cannot be understood, steganography attempts to camouflage information so the intended message is not observed," Johnson said.
One good example is invisible ink. Using various chemicals, spies can communicate all sorts of secrets in a document that raises no more suspicion than an old grocery list but, in the right hands, could prove the undoing of a general.
“Cover media [the file that secrets are hidden in] may be anything from written text, encoded messages, images, video – nearly anything,” Johnson told VOA. “We are limited only by our imagination on what and how information can be passed.”
This masquerade is why steganography is often called the “art of hiding in the open.”
Unlike encrypted messages, which are hidden messages visible on their surface, when skillfully done steganographic communication can be nearly impossible to detect precisely because it leaves no clues as to its presence.
Which means that in the digital world, with its billions of online files, almost anything could hide secrets. And increasingly, anything is.
Hit by Hammertoss
The most recent reminder of this came when researchers at the cybersecurity firm FireEye in late July published a paper on a new and dangerous malware bug called Hammertoss that uses steganography as an intrinsic tool of its stealth.
“Hammertoss is a remarkably complicated piece of malware that uses layers of obfuscation and a series of legitimate services for its command and control,” said Jen Weedon, threat intelligence manager at FireEye. “The way it operates makes it tremendously difficult to defend against.”
It’s complicated, but it basically works like this: once a computer system is infected, Hammertoss reaches out once a day to a preset list of Twitter accounts – an action that ordinarily would raise zero alarm for network administrators, given Twitter’s ubiquitous use.
Most days there was nothing to be found, and Hammertoss would go to sleep and repeat the cycle 24 hours later. But now and then, when those who created the bug wanted to turn it on, they would put a link on the Twitter accounts that would secretly trigger Hammertoss into action.
“The link was to a URL on GitHub – a popular site for developers – and then Hammertoss would download the contents of that page, including the image file,” said Weedon. Again, nothing that would raise security concerns.
However, Weedon said, hidden inside the image is steganographically encrypted code that Hammertoss decrypts, using clues found in the associated Twitter hashtag. And that code – wrapped in layers of steganography and obfuscation – triggers its attack on the infected system.
Like Weedon said: complicated. And, she added, likely the work of a national government.
“It requires talent to create this tool, and not everybody has the technical expertise, resources, time,” Weedon told VOA. “This is not something your average cybercriminal could create. This is something created by what we think is a state-sponsored group that can throw a lot of resources to create tools that work.”
FireEye researchers said that state-sponsored group, known as APT29, has previously been tied back to high levels in the Russian government – a charge Moscow denies.
Hackers up their game
Depending on the encoding techniques, finding data hidden using steganography can be very difficult to detect, even if security professionals know that the cover media has been compromised – and that’s a very big if.
“Steganography and its investigation through steganalysis is a cat-and-mouse game of code makers and codebreakers similar to the research areas of cryptology,” said Johnson, the president of the cybersecurity firm.
“The objective of steganography is to remain hidden. Any organization or group intending to keep secrets safe or cover their tracks will use whatever technology is available to them to meet their objectives. Thousands of steganography tools are available for just about every operating system and platform,” he told VOA.
The take-away for Weedon, FireEye's threat intelligence manager, is that Hammertoss' use of steganography illustrates the lengths that threat actors and bad guys are willing to go to get the job done.
“We’re seeing actors get much more creative in terms of leveraging techniques that hide their behavior,” she said. “Whether that’s steganography, whether that’s using legitimate websites for command and control, they’re adopting all of these techniques to up their game because on the defensive side, we’ve gotten better.”
Which, perhaps, leaves cybersecurity professionals with a frustrating paradox: the better they get at detecting and combating malware, the more they force the bad guys to get better as well.