d-Raco/time-based-web-steganography
time-based-web-steganography

A steganography method for hiding messages in image delivery latency

Introduction

Steganography is the use of techniques that hide a message so that its very existence goes unnoticed. The data is embedded in normal-looking information (called the cover), so the secret is revealed only to someone using the appropriate extraction mechanism.

In classical steganography, the security of the message relied on the obscurity of the method, so that the channel itself was not discovered; modern steganography instead makes use of existing channels, especially digital media such as video, audio or image files. There are also many channels outside digital media that can be exploited to hide messages, such as text files, executable files or communication protocols.

In this document, a steganography method based on web pages and the HTTP protocol is developed. There are several ways to exploit this protocol, but the focus here is on the loading time of the different elements that make up the web page.

Motivation

Today, modern steganography focuses almost entirely on digital channels and is used mainly for intellectual property protection, by intelligence agencies, by activists and by criminals. The latter include anyone who misuses cyberspace through malware, whether individuals or entire organisations. One example of such an organisation is one that operates an APT, which is the focus of this document.

An APT (Advanced Persistent Threat) is a set of processes that use multiple attack vectors to achieve a goal that is usually persistent over time. These objectives can be exfiltrating information, undermining or impeding critical aspects of the organisation, or positioning the attacker to carry out these objectives in the future. These threats often use a Command and Control (C&C) structure, in which an external server installs malware on previously compromised machines in order to control them remotely over a long period of time. It is therefore important that the communication between the machines and the server be stealthy, so that it is undetectable to the victim. In this work, a modern steganography method is developed to maintain this communication between machine and server without arousing suspicion. It is based on a web page that the compromised machines access to receive the information transmitted by the remote server. It is thus important that this page looks normal within the network traffic of the organisation that actually owns the devices.

The message will be transmitted using the elements of the web page itself and their loading times. Since multimedia files tend to show more delay when loading, these are the elements used. In order to host a large number of images without arousing suspicion, the website will be styled as an icon repository. Pages of this type are used when preparing PowerPoint presentations and similar material, which makes them plausible in both work and educational settings.

Proposed mechanism

The final goal of this project is to hide a message in a cover medium. To that end, the team decided to develop a web front end to hide commands sent from a C&C server to infected bots. There have been many different approaches to this idea, but the team decided to devise a new and hopefully more effective one.

In order to achieve this, several milestones must be met. Firstly, the commands must be somewhat hidden, as it would not be beneficial for the server to be identified as one used to send commands, since it would be taken down or blocked. For this reason, the team decided to develop a technique that is not easily identified. After some thought, it was agreed that tailor-made delays could be introduced in the delivery of page elements, as delays look normal at first glance, especially when loading images.

Thus, the methodology proposed in this document is a website hosting multiple images (which will be icons), where the delay of serving those images to a client encodes the message itself.

Any user accessing this website will see several icons loading at different times, which is not unusual behaviour; however, the time each icon takes to load encodes the message.

[Figure: index page]

To hide a message using specific delays, the first step was to convert the characters of the message to be hidden into numbers; this was achieved using the ASCII table, as every character is assigned a numerical value.

[Figure: ASCII table]

The first approach considered was to use the decimal value directly, where character ‘A’ is 65 and ‘B’ is 66. Each image would encode a single character, so a delay of 65 milliseconds would correspond to ‘A’ and a delay of 66 milliseconds to ‘B’.

[Figure: delays]

There is an intrinsic problem with this character-to-number translation: consecutive characters in the ASCII table, such as ‘A’ and ‘B’, differ by only 1 millisecond. The problem is that there is always some delay when transmitting data over any medium: when the user connects to the web page, several additional milliseconds are spent carrying the image from the server to the client. As a result, the delay measured by the client is usually not exactly the delay the server introduced to encode the specific letter.

A valid countermeasure is to increase the millisecond difference between two consecutive characters in the ASCII table. This gave rise to the concept of inter-delay: instead of delaying n milliseconds, where n is the decimal value of an ASCII character, the server delays n * inter-delay milliseconds. With an inter-delay of 10 milliseconds, ‘A’ becomes 650 and ‘B’ 660, which gives the transmission delay an error margin of 10 milliseconds and considerably improves robustness. Typically, however, 10 milliseconds is not enough, as the transmission delay can be several hundred milliseconds or even a few seconds. This can be mitigated by choosing a high enough inter-delay; for example, 300 milliseconds is enough most of the time.

[Figure: inter-delay]

But increasing the inter-delay poses a new challenge: with an inter-delay of 300 milliseconds, an image encoding the ‘~’ character would be delayed more than 37 seconds, since ‘~’ is 126 (126 * 300 = 37800 ms). This is not only impractical but also raises the suspicions of any user accessing the website.

The problem can be partially reduced by considering only the useful ASCII characters. Characters before the 32nd (the control characters) can be omitted; the newline character might be useful, but since the page will be used to encode commands, it is not strictly necessary.
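The following Python simulation is an added example, not code from the d-Raco project: it implements the ASCII-times-inter-delay mapping described above, decodes observed delays by truncating to the lower multiple of the inter-delay (latency only ever adds time, so a measured delay is never below the server-side one), and adds constructed network jitter so the 10 ms versus 300 ms inter-delay trade-off can be measured rather than argued. The jitter values and the `simulate` helper are constructed for illustration.

```python
import random

# The "useful" ASCII range the text settles on: 32 (space) to 126 ('~').
PRINTABLE_MIN, PRINTABLE_MAX = 32, 126


def encode(message: str, inter_delay_ms: int) -> list[int]:
    """Map each character to (ASCII value * inter-delay) milliseconds."""
    delays = []
    for ch in message:
        code = ord(ch)
        if not PRINTABLE_MIN <= code <= PRINTABLE_MAX:
            raise ValueError(f"unsupported character {ch!r}")
        delays.append(code * inter_delay_ms)
    return delays


def decode(observed_ms: list[float], inter_delay_ms: int) -> str:
    """Recover the message from client-side measured delays.

    Truncation (floor) tolerates any added transmission latency below one
    inter-delay. Values outside the printable range become '?' so that a
    corrupted sample stays visible instead of raising."""
    out = []
    for t in observed_ms:
        code = int(t // inter_delay_ms)
        out.append(chr(code) if PRINTABLE_MIN <= code <= PRINTABLE_MAX else "?")
    return "".join(out)


def simulate(message: str, inter_delay_ms: int, max_jitter_ms: int, seed: int = 1) -> str:
    """Add a constructed, uniformly random one-way latency in [0, max_jitter_ms)
    to every server-side delay, then decode what the client would observe."""
    rng = random.Random(seed)
    observed = [d + rng.uniform(0, max_jitter_ms) for d in encode(message, inter_delay_ms)]
    return decode(observed, inter_delay_ms)


def char_error_rate(sent: str, received: str) -> float:
    """Fraction of characters that were decoded incorrectly."""
    errors = sum(a != b for a, b in zip(sent, received))
    return errors / len(sent)


if __name__ == "__main__":
    for inter_delay in (10, 300):
        got = simulate("hello", inter_delay, max_jitter_ms=200)
        print(inter_delay, got, char_error_rate("hello", got), max(encode("~", inter_delay)))
```

With 200 ms of jitter the 10 ms inter-delay loses every character while the 300 ms one decodes cleanly, at the cost of a 37.8 s worst-case delay for ‘~’, which is exactly the tension the text describes.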