This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog
Every now and then, old security concepts resurface as if they were something new. Recently, I’ve been seeing a lot more activity related to parasitic attachments in pictures.
A parasitic attachment, or parasite, is an unrelated file that is simply attached to another file. With pictures, it is an unrelated chunk of data attached to the image file. When rendering a picture, the parasite is ignored. And when transferring the picture, the parasite follows along for the ride.
To understand how this works, let’s focus on JPEG. Every JPEG has a header, information related to decompression settings, and the compressed binary image stream. The stream has a well-defined start and a well-defined end. When rendering pictures, your graphics program stops at the end of stream marker. It doesn’t look beyond that point, so anything attached after the JPEG becomes ignored information.
There’s actually a lot of information that may be intentionally stuffed after the image. Some vendors store thumbnail images after the main image. Back in 2010, I pointed out that some Android devices store operating system information after the picture.
Parasites are not limited to JPEG formats. Virtually every image format out there has a well-defined “end”, and rendering programs stop when they hit the defined end. PNG, BMP, and even GIF can all have parasites without impacting how the picture is rendered. There’s even a nice tutorial from 2010 for how to attach a parasite. And a similar tutorial from 2006. (And I remember doing this type of thing back in 1992, and it definitely wasn’t “new” back then.) Creating a parasitic attachment is literally as easy as appending data to an existing JPEG.
Parasites are not limited to the end of the file. They may be stuffed in comment fields, proprietary data blocks, and other unused areas in the picture file format. Both JPEG and PNG support custom data blocks. If the rendering software doesn’t support the custom data block, then the block is ignored. For parasites, you just define your own custom data block and expect it to be ignored.
Finally, there is the payload carried by the parasite. At FotoForensics, about 0.05% (yes, less than a tenth of a percent) of all files contain some kind of parasitic attachment. Zip files, RAR files, 7zip, and text are all common. But I’ve also seen PDF, PKCS7 certificates, encrypted data, word documents, unrelated pictures, and much more. In September 2014, FotoForensics received 34,206 unique file uploads. Of those, 17 files have parasites that my software readily identifies. Most of the parasites were zip files, but there were also a few RAR files and other types of data.
As an example, the following picture was uploaded to FotoForensics on 1-Sept-2014.
This file looks like a picture of some hamsters. But inside the JPEG file is a parasitic zip file stuffed in an APP1 data field. This non-standard APP1 data block is ignored when the image is rendered. Even programs like ExifTool and exiv2 ignore the unknown binary block. However, the APP1 data definitely contains a zip file, and most zip programs will happily unzip it without even extracting it from the JPEG. Inside the zip file is another picture that gives clues to some GPS coordinates.
This hamster picture actually came from a geo-caching forum. In fact, most of the files with parasites at FotoForensics come from geo-caching forums.
“Why geo-caching?” They love puzzles. It used to be fun to give someone GPS coordinates and let them see if they could find some prize at the physical location. When that was too simple, they began to use remote coordinates — get ready for a three-hour hike or a mountain climb. When remote locations became too easy, they began to hide the objects — you might need to bring a shovel or a flashlight to find the prize. Then they began to turn the coordinates into puzzles: if you can solve the puzzle, then you will find the coordinates. Today? Hard-core steganography. First you have to find the puzzle. Then you have to solve it. Then you have to go to the coordinates (where there may be more puzzles) until you find the final prize. Seriously — if you want to see steg in real life, watch the geo-caching community.
As an aside, one of my friends keeps saying that we should start up a get-rich-quick business. Since FotoForensics receives lots of these geo-caching puzzles, we should solve them first and park a food truck at the prize location. You just know the players will be hungry when they get there.
Last month I read about a proof-of-concept tool that will turn a JPEG into a PDF or PNG file after applying AES or 3DES cryptography. Corkami works by using parasitic attachments. Specifically, they encrypt a PNG file and PDF, one with AES and the other with 3DES.
With many cryptographic algorithms, decrypting an already decrypted file is just another way to encrypt data. The results are binary data that can only be restored by encrypting the file.
After encrypting (technically, decrypting) the PNG and PDF, they store them in the JPEG. The example encodes the encrypted PNG at the beginning of the JPEG (in a comment) and the PDF as a huge binary parasite at the end of the JPEG.
The hard part for all of this is choosing the right key for all of the cryptography. The AES key is chosen so that it generates a proper PNG header (8 bytes) when given the JPEG header as input. Applying AES encryption to the JPEG creates a PNG header, some binary junk, and then decodes the encrypted PNG data. This results in a valid PNG with binary crud that is ignored by any graphics software.
Similarly, the 3DES key is chosen to generate the PDF header (8 bytes), and the encoded 3DES PDF is placed at the end of the JPEG. This way, the 3DES encoding reconstructs a PDF. And since PDF readers start parsing at the end of the file, the binary garbage at the beginning of the file (created from the JPEG) is ignored and the entire thing renders as a valid PDF.
Discussions about parasitic attachments seem to come up annually. Last year, some researcher discovered that they could hide PHP or Perl or other types of code in text comment fields. If your web site processes back-end server scripts, displays JPEG comments, and isn’t careful about protecting output when displaying image comments, then this could run code on the server. (FotoForensics has captured plenty of examples of these hostile comment fields, and I’ve been seeing this sort of thing for years; the announcement last year may be new to them, but it wasn’t new.)
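Both cases above, the zip parasite hidden in a non-standard APP1 block of the hamster picture and code stuffed into a comment field, show up the same way to anyone who actually parses the file. As an added example (not code from the post or from FotoForensics), here is a small JPEG segment walker that flags zip or script signatures inside COM/APPn segments and reports any bytes after the EOI marker; the sample file is constructed inline and holds no real image data.

```python
import io, struct, zipfile
SOS, EOI, COM = 0xDA, 0xD9, 0xFE
ZIP_MAGIC, SCRIPT_MAGICS = b"PK\x03\x04", (b"<?php", b"<?=", b"#!/usr/bin/perl")

def describe(blob):
    """Label a chunk as an embedded zip (listing its members), script text, or None."""
    if ZIP_MAGIC in blob:  # zip tools tolerate leading junk, so just slice from the magic
        with zipfile.ZipFile(io.BytesIO(blob[blob.index(ZIP_MAGIC):])) as zf:
            return "zip:" + ",".join(zf.namelist())
    return "script" if any(m in blob for m in SCRIPT_MAGICS) else None

def find_eoi(data, start):
    """Offset of the EOI marker that ends the scan data; FF00 stuffing and RSTn are skipped."""
    pos = start
    while (pos := data.find(b"\xff", pos)) >= 0 and pos + 1 < len(data):
        if data[pos + 1] == EOI:
            return pos
        pos += 1 if data[pos + 1] == 0xFF else 2  # FF FF is fill, not a marker
    raise ValueError("no EOI marker found")

def scan_jpeg(data):
    """Walk the marker segments; return [(where, offset, size, label)] for suspect data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    findings, pos = [], 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker, length = data[pos + 1], struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == SOS:  # the entropy-coded stream follows the SOS header
            end = find_eoi(data, pos + 2 + length) + 2
            if len(data) > end:  # decoders stop at EOI, so anything after it is ignored
                findings.append(("after EOI", end, len(data) - end, describe(data[end:]) or "unknown binary"))
            return findings
        payload = data[pos + 4:pos + 2 + length]
        label = describe(payload) if marker == COM or 0xE0 <= marker <= 0xEF else None
        if label:  # COM and APP0..APP15 carry free-form data that renderers ignore
            findings.append((f"FF{marker:02X}", pos, len(payload), label))
        pos += 2 + length
    raise ValueError("no SOS segment found")

def build_sample():
    """Constructed input: a skeleton JPEG (no real image data) carrying three parasites."""
    z = io.BytesIO()
    with zipfile.ZipFile(z, "w") as zf:
        zf.writestr("clue.txt", "made-up waypoint text, not a real location")
    seg = lambda m, p: bytes([0xFF, m]) + struct.pack(">H", len(p) + 2) + p
    return (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + seg(0xE1, z.getvalue())  # zip inside a non-standard APP1 block, like the hamster picture
            + seg(COM, b"<?php echo 'hi'; ?>")  # script text in a comment field
            + seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9"
            + b"appended parasite")  # fake scan data (FF00 stuffing, RST0), then EOI, then trailing bytes
```

A naive search for the two-byte EOI marker would be fooled by the same bytes occurring inside a zip or comment, which is why the walker only looks for EOI after the SOS header.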
Keep in mind, hiding malware in a parasitic attachment is not the same as renaming an EXE to “JPEG” and emailing it as an attachment. (“Just double click on the picture!”) A properly created parasite will not interfere with the host image. Just renaming an executable to “.jpg” does not make it a parasite.
There’s a difference between steganography and cryptography. Cryptography refers to making data inaccessible. You can see the data, but you cannot understand it. Steganography refers to making data hard to find. But if you find it, you may be able to immediately understand it.
Parasitic attachments are one form of steganography. However, as hiding places go, they are relatively easy to detect. Anyone parsing the file format will see a large, non-standard binary blob buried in the file. While your friends may not readily notice these large binary chunks stuffed in your pictures, forensic investigators are likely to find the hidden data very quickly. If you’re doing something malicious and investigators see these parasitic attachments, then they may be interpreted as “intent” to hide activities. (I’m not an attorney; if you find yourself in this situation, then you should get an attorney.)
Parasites are also trivial to remove. I frequently mention “resaved” images. That’s where a picture is decoded and then re-encoded as it is saved to a new file. Facebook resaves pictures. Twitter resaves pictures. And nearly every online picture sharing service that scales pictures also performs a resave. The simple action of resaving an image is enough to remove parasites. (I am pretty certain that Facebook and Twitter resave pictures as an explicit method for removing metadata, including any parasites.)
As far as the threat level goes, these parasitic attachments are explicitly hiding. They won’t activate on a double-click and, with few exceptions, remain passive and unnoticed. In order to use the data, you must know it is there and know how to extract the content.
Even though the technique has been around for decades, I still think finding parasites within pictures is a treat. You never know what you’re going to find. (I have no idea what “APdb6″ means, but GrrCon sounds like a fun conference.)