Steganographic attacks conceal malware within innocent content, in ways that AV/firewalls cannot detect.
A classic example of a steganography-enabled attack involves malicious data concealed within an image, without changing the appearance of the image or increasing the file size. Sophisticated approaches involve manipulating individual pixels of an image to contain steganographic data. A complete file can likewise be attached to an image using, for instance, an RAR archive format, which is ignored by image display applications but can be easily extracted by a malicious actor or program.
Images are most frequently used for stenography but other kinds of files, including Excel, Word, HTML, and even network protocol files, can be manipulated to conceal stenographic data. In a variation on in-image concealment, white PNG files may be used to conceal explicit code.
Steganography Attack Mechanisms
In some instances, clicking on an image containing steganographic code is sufficient to activate the code or to signal the hacker that an access channel is available to the endpoint. More often, the steganography delivers just part of the payload, which is only extracted and utilized when the image is processed.
For malicious code hidden in attached documents, PowerShell and BASH scripts are used to automatically launch the attacks as soon as the documents are opened.
Protecting Against Steganographic Threats
Traditional scanning technologies such as antivirus are powerless to detect steganography since the code is hidden within – and indistinguishable from – legitimate code. Barring access to all images and attachments can protect organizations but is impractical and degrades the user experience. Steganography attacks can be foiled, however, by scrambling hidden content and disabling embedded malicious scripts, provided that image fidelity and desired native file functionality can be maintained.
Remote Browser Isolation (RBI) accomplishes just that. When a user visits a website, all content including images is opened by a virtual browser located in a hardened, isolated short-lived container in the cloud, as are attachments downloaded from emails or websites. RBI executes all code—malicious and benign–within the container, where it cannot access the end user machine or the information it holds.
Sampling and compression techniques are used to create safe rendering data that accurately represents the site content, including all images and functional elements, and is transmitted to the user’s browser. Users can interact with the site fully via their regular browser (and behind the scenes, a virtual browser located in the isolated container.) Hidden code within images or other site elements that may contain malicious content, however, is not faithfully rendered when RBI is used in secure frame mode, and thus neutralized of any threats it may contain.
In RBI solutions that provide integrated content disarm and reconstruction (CDR) capabilities, attachments are also routed to the hardened, isolated container. There, the files are examined for malware which, if detected, is disarmed. The document or other attachment is then reconstructed using similar techniques to those leveraged by RBI, with similar results: Extraneous code, even if it is well hidden and not identifiable as malicious, is omitted or broken, neutralizing threats from steganographic attacks.
Once the user stops browsing or after a specified period, the isolated container is destroyed along with all website content and attached files within, ensuring that malicious content, including stenography, cannot reach the user device.
ZTEdge: Granular Control, Outstanding User Experience and Strong Steganography Protection
In addition to providing seamless CDR integration, sophisticated RBI solutions such as ZTEdge Web Isolation further strengthen the hardened containers by leveraging low-privilege user accounts, strictly limiting their lifespans, and using read-only file systems. Containers are Linux-based to ensure they’re protected from Windows attacks.
ZTEdge policy-based controls enable admins to vary permissions by user group, individual user, site characteristics or other parameters. For instance, file downloads may be entirely barred for sites with newly registered domain names or from social media sites for some user groups, while permitted for others whose work entails social media use.
For more information about protecting your users and organization against stenography – as well as phishing and ransomware attacks, zero-day exploits, and data loss – download our Steganography Defense datasheet or request a ZTEdge demo.
How Stenography Works
For illustrative purposes, let’s look at one stenographic technique by which malware might be hidden in the code of an image, and why images are ideal for this purpose.
Images leverage non-executable file formats to store compressed data. To display an image, a browser uncompresses the file as it is loaded and creates the image, pixel by pixel, based on the data. Each individual pixel, however, can store more information that is actually needed to create a good representation of the image.
For instance, for colors that are represented using three bytes – for red, blue and green – the final four bits of each color can be used to indicate fine differences in color. These differences, however, have little or no impact on how users perceive the image. As such, a malicious actor can insert data or code in those bits without degrading the image, in a way that is transparent to an anti-virus solution. And a purpose-built program will be able to read that data and use it as needed.