Concealing secrets in plain sight
Nothing Here
Intruders and spies have ways of concealing information in image files, doc files, and other innocuous locations. Welcome to the sneaky art of steganography.
Steganography is the art of passing secret information. Kaspersky puts it this way: "Steganography is the practice of concealing information within another message or physical object to avoid detection. Steganography can be used to hide virtually any type of digital content, including text, image, video, or audio content. That hidden data is then extracted at its destination" [1].
This secretive process, which apparently dates back to ancient Greece, appears to have been named much later. The first recorded use of the term steganography was in 1499 by Johannes Trithemius in his Steganographia, "a treatise on cryptography and steganography, disguised as a book about magic" [2].
This article describes how attackers hide and extract potentially sensitive data. I will start by covering a sample of the types of steganography before looking at common ways of concealing information online. One common technique I'll describe in this article requires two message types: a container and a secret. The container conceals the secret from interception and ideally even conceals its existence.
Weaving Yarn
Steganography covers multiple media types, including network protocols. Some of the principal types of steganography are:
- Physical – information hidden under the part of an envelope where the stamp is stuck, messages in Morse code woven into the yarn of clothing, invisible ink written on paper. In ancient times messages would be carefully concealed on the back of wax tablets, away from the primary message.
- Digital – changing the order of items in an array, converting pictures into sound files, adding messages to areas of a file that are usually ignored or used by metadata, creating deliberate errors in a word processor's document using the tracking feature that reveal a message, concealing messages in images, hiding data in streamed and on-demand videos, altering executable files.
- Social – changing shared file descriptors or titles, purposely misspelling words to circumvent keyword filters in oppressive societies.
- Networking – creating covert communication channels using otherwise unused network fields, such as fields within the TCP/IP protocol. For instance, VoIP (Voice over IP) messages can be concealed in seemingly corrupted or delayed packets.
Now that I have covered some of the theory, I'll describe some examples.
The Bad Guys
Nefarious payloads can be disguised inside files that are viewed as innocuous. You won't be surprised to hear that many different applicable files, including video, audio, and text documents, can contain malicious data. In addition to these file types, a web page can also act as the container for delivering secrets to those who know how to look for them.
One of my favorite examples is described at the Life Plus Linux Blogspot site [3]. The example provides an excellent reason to be extremely cautious about what you copy and paste from web pages. The page presents the Linux command ls -lat, which serves up a directory listing, including hidden files, along with ownership and permissions for each file. But pay attention to the surreptitious whitespace before the hyphen in the command.
The text for the payload is colored white (as is the background of the web page) so it is perfectly hidden from an unsuspecting user. If you look at how the CSS (Cascading Style Sheet) is constructed, it is configured to use this setting:
color: #f3f5f6; /* set it to the color of the page */
In Listing 1 you can see that, despite the web browser only displaying one whitespace, a subsequent copy and paste reveals a remarkable amount of code that could potentially contain a malicious payload. Note the ls at the start and the -lat at the end. Clever, isn't it?
Listing 1
Malicious White Text
ls ; clear; echo 'Haha! You gave me access to your computer with sudo!'; echo -ne 'h4cking ## (10%)\r'; sleep 0.3; echo -ne 'h4cking ### (20%)\r'; sleep 0.3; echo -ne 'h4cking ##### (33%)\r'; sleep 0.3; echo -ne 'h4cking ####### (40%)\r'; sleep 0.3; echo -ne 'h4cking ########## (50%)\r'; sleep 0.3; echo -ne 'h4cking ############# (66%)\r'; sleep 0.3; echo -ne 'h4cking ##################### (99%)\r'; sleep 0.3; echo -ne 'h4cking ####################### (100%)\r'; echo -ne '\n'; echo 'Hacking complete.'; echo 'Use GUI interface using visual basic to track my IP' ls -lat
Figure 1 shows exactly how the browser interprets the code. It pulls it down using the nefarious stylesheet via the HTML <span> tag when it is pasted. And, as the webpage says, the possibilities for such an attack are endless. If that example doesn't give you a good reason to think before you next blindly cut n' paste from a website, it is likely nothing will. As you can imagine, all kinds of executable payloads could be delivered via such a method!
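A defender-side check for the trick described above, as an added example that is not from the original article or the blog it cites: it parses a snippet and separates the text a reader sees from the text a copy operation also picks up. The sample markup, the inline style attribute, and the names HiddenTextFinder and audit_snippet are assumptions; only the color value comes from the article, and stylesheet rules or other hiding methods are not covered.

```python
import re
from html.parser import HTMLParser

PAGE_BG = "#f3f5f6"  # color value quoted in the article
VOID = {"br", "hr", "img", "input", "link", "meta", "wbr"}  # tags with no end tag
# Constructed sample, not the blog's markup: a harmless stand-in payload
# inside a span whose text color equals the page background.
SAMPLE = ('<pre>ls<span style="color: #f3f5f6"> ; clear; '
          "echo 'stand-in payload'; ls</span> -lat</pre>")

class HiddenTextFinder(HTMLParser):
    """Separates text a reader sees from text only the clipboard receives."""
    def __init__(self, page_bg):
        super().__init__()
        self.page_bg = page_bg.strip().lower()
        self.stack = []      # one flag per open element: does it hide its text?
        self.visible = []    # text outside any hiding element
        self.hidden = []     # text inside a background-colored element
        self.clipboard = []  # everything, in document order

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        # Match the 'color' property only, not 'background-color'.
        m = re.search(r"(?<![-\w])color\s*:\s*([^;]+)", style, re.I)
        self.stack.append(bool(m) and m.group(1).strip().lower() == self.page_bg)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        self.clipboard.append(data)
        (self.hidden if any(self.stack) else self.visible).append(data)

def audit_snippet(html, page_bg=PAGE_BG):
    """Return what is rendered, what is hidden, and what a copy would paste."""
    finder = HiddenTextFinder(page_bg)
    finder.feed(html)
    finder.close()
    return {"visible": "".join(finder.visible),
            "hidden": "".join(finder.hidden),
            "clipboard": "".join(finder.clipboard)}

if __name__ == "__main__":
    for key, text in audit_snippet(SAMPLE).items():
        print(f"{key:>9}: {text!r}")
```

Any non-empty "hidden" value means the pasted text differs from what was displayed, which is the condition to check for before running a copied command.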
Steghide
One very popular tool used by security researchers and attackers alike is called Steghide [4]. You can install Steghide on Ubuntu and other Debian derivatives with
$ apt update; apt install -y steghide
Run the command man steghide to study the manual once the package is installed. You'll learn that Steghide can use the JPEG, BMP, WAV, and AU file formats for the cover file and there are no restrictions on the format of the secret data. Steghide can use audio and image files to conceal secret messages. Apparently, it is also powerful enough to work with other file types, but I haven't confirmed this.
I'll start with a screenshot from my laptop's background, showing the start of the Steghide help output (using --help), as shown in Figure 2. I've called the screenshot secret_inside.jpg after quickly converting the format to JPEG from PNG using the GNU Image Manipulation Program (GIMP) package [5].
Now that I have an image to use as a container, I'll create a secret. I just need a text file with a secret saved inside. I'll use the following command to echo text to a file called secret.txt:
$ echo "Nothing to see here, move along." > secret.txt
Now I run the following command to use the embed option:
$ steghide embed -ef secret.txt -cf secret_inside.jpg
Enter passphrase:
Re-Enter passphrase:
embedding "secret.txt" in "secret_inside.jpg"... done
The passphrase I used is just abc. As you can see, Steghide completes the process nicely. The -ef option lets you specify the "embedfile" to use (the secret). The -cf option is for the "coverfile" filename (the container). If you suspect that a file contains a secret but aren't sure, you can query the file with the following command:
$ steghide --info secret_inside.jpg
"secret_inside.jpg":
  format: jpeg
  capacity: 34.1 KB
Try to get information about embedded data ? (y/n)
If you press y to continue, you are presented with a passphrase request for the secret file. If you supply the correct passphrase, you can see the cipher used to encrypt the passphrase and the filename of the embedded file:
Enter passphrase:
  embedded file "secret.txt":
    size: 33.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes
The cat command reveals the secret was extracted correctly:
$ cat secret.txt
Nothing to see here, move along.
Use the following command to skip the --info option:
$ steghide --extract -sf secret_inside.jpg
And use -v to get file format information in greater detail. The encinfo option lets you view encryption options (Listing 2).
Listing 2
Viewing Encryption Information
$ steghide encinfo
encryption algorithms:
<algorithm>: <supported modes>...
cast-128: cbc cfb ctr ecb ncfb nofb ofb
gost: cbc cfb ctr ecb ncfb nofb ofb
rijndael-128: cbc cfb ctr ecb ncfb nofb ofb
twofish: cbc cfb ctr ecb ncfb nofb ofb
<snip?>
The clever simplicity of Steghide is a good way to get started with steganography on the Linux command line. See the Steghide documentation [6] for more information.