04.19
We had a great time at this year's BlackHat Europe conference last week. Now it is time to sort out our impressions. First of all, thanks to everyone who made it to our talk and who asked us in the hallways about the new engine we have been working on. In a packed room we discussed archive steganography and the impact that such and other malformed files have on security products. These two aspects of file tampering overlap, and we showed how steganography implementations can break archive processors, causing vulnerabilities in file processing. However, it is the vulnerability aspect of our presentation that got the most press. It has been covered here by CNET and here by PCWorld, and it has also been blogged about by ESET here and by one of the conference attendees here. In addition to all the media and web mentions, we have published the presentation, the white paper and NyxEngine, all of which can be found here. To give you the whole picture, we will briefly describe the presentation and our findings.
Our research focused on the impact that file malformations have on archive processors. We wanted to see whether data could be hidden inside an archive in such a way that the data is invisible to the user no matter which archive processing program is used. Starting from the most basic methods of string obfuscation and moving to the most complex file malformations, our research led us to the conclusion that there are multiple ways of achieving this goal. Steganography was not only possible, it had been present in the "wild" all along. We found two existing solutions that successfully implement file hiding in ZIP archives. To gauge how prevalent this is in the wild, we turned to AccessData, the pioneer in digital investigation software, and its COO Brian Karney. His answer was that, to the best of his knowledge, no one is really looking for this kind of steganographic hidden content and is therefore not finding any evidence of it. This answer didn't surprise us, since it is quite a novel technique. Historically, the most common use of steganography was hiding messages in multimedia files. However, the amount of data that can be hidden in this way is usually limited by the size and type of the file in which it is hidden. That is not a limitation when hiding data in archives: in that case there are no limits on the size or type of the steganographic content.
Steganography in archive formats, interesting in itself, has some serious implications. In the course of our research we found that the modifications we make to an archive in order to hide data interfere with some security applications, making them skip, or stop entirely, scanning the archive content. Each security product was impacted differently.
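As an added illustration of the check a defender can run against the hiding and scanner-evasion described in the two paragraphs above (this is example code, not code from the ReversingLabs talk or from NyxEngine): the script parses a ZIP archive's end-of-central-directory record, central directory and every referenced local entry, and reports any byte range that none of those structures account for. Regions the archive's own directory never points to are where hidden content can sit unseen by any archive tool, and where a scanner that walks only the directory will never look. The two-file sample archive and the placeholder blob appended after its EOCD record are constructed in memory for the demonstration.

```python
import io
import struct
import zipfile

EOCD_SIG, CEN_SIG, LOC_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"


def unreferenced_regions(data: bytes) -> list:
    """Return [(start, end)] byte ranges that no ZIP structure accounts for; such
    leftovers are either hidden content or a malformation, and both deserve a look."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no EOCD record: not a ZIP archive or truncated")
    entries, cd_size, cd_off, comment_len = struct.unpack_from("<HIIH", data, eocd + 10)
    covered = [(eocd, eocd + 22 + comment_len), (cd_off, cd_off + cd_size)]
    pos = cd_off
    for _ in range(entries):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError(f"bad central directory entry at offset {pos}")
        # central dir fields after the 8-byte prefix: flags, method, time, date, crc,
        # csize, usize, name/extra/comment lengths, disk, attrs, local header offset
        (flags, _, _, _, _, csize, _, nlen, xlen, clen,
         _, _, _, lho) = struct.unpack_from("<HHHHIIIHHHHHII", data, pos + 8)
        pos += 46 + nlen + xlen + clen
        if data[lho:lho + 4] != LOC_SIG:
            raise ValueError(f"bad local file header at offset {lho}")
        lnlen, lxlen = struct.unpack_from("<HH", data, lho + 26)  # local name/extra lengths
        end = lho + 30 + lnlen + lxlen + csize  # central dir csize is authoritative
        if flags & 0x08:  # bit 3: a data descriptor follows the compressed data
            end += 16 if data[end:end + 4] == b"PK\x07\x08" else 12
        covered.append((lho, end))
    gaps, cursor = [], 0
    for start, end in sorted(covered):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < len(data):  # trailing bytes after the EOCD record (and its comment)
        gaps.append((cursor, len(data)))
    return gaps


def build_sample() -> tuple:
    """Constructed sample: a clean two-file archive, and the same archive with a
    placeholder blob appended after the EOCD record that no tool lists as a member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "nothing to see here\n" * 8)
        zf.writestr("data.bin", bytes(range(256)))
    clean = buf.getvalue()
    return clean, clean + b"HIDDEN-PAYLOAD-PLACEHOLDER"
```

The same coverage walk also flags bytes wedged between two local entries or between the last entry and the central directory, so it generalises beyond the trailing-data case the sample uses.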
If we look at this kind of detection evasion from the standpoint of a gateway scanner, the impact on scanning your email and incoming traffic is high, as it interferes with the basic functionality of the software. But if we look at it from a desktop or endpoint scanner perspective, the impact is low, since a potentially malicious payload is detected right after extraction. One could argue that even a desktop solution must be able to scan the packed content it supports. But not everyone agrees on this point, as the protection ability of an endpoint scanning product would not be lessened.
Regardless of how you look at it, there is a very low threat to protected endpoints. But the general rule for security software is that it does not want to have any potentially harmful files resident anywhere on the protected endpoints. Such detection evasions must be handled.
During our presentation we showed the possibility of steganographic data hiding and the interference it can have with anti-malware software. All vulnerabilities we found were disclosed to the affected vendors in cooperation with CERT-FI, and all issues were patched before public disclosure. Thanks to CERT-FI for their hard work and support. Further research in this area by ReversingLabs will follow the same disclosure process. ReversingLabs is proud to contribute to overall endpoint security, and we will continue to further our research in the same direction.
