Digital Steganography: The Art of Hiding Files, Part 2

Dennis Faas's picture

Continuing our conversation on Steganography from Tuesday's edition of the Gazette, Infopackets Reader Mike D. describes how he downloaded a .WAV sound file that also contained a Trojan:

"Hi Dennis,

As part of a talk I gave some time ago on IPSec [the IP Security Protocol Working Group], I wandered into the area of Steganography. The topic was of particular relevance to me because I had only just discovered (thanks to PestPatrol) that a Star Trek sound file that I downloaded from the Internet contained a Trojan!"

Side note: Digital Steganography is the practice of hiding a file inside another file, called the "carrier file". PestPatrol is a program that scans your computer for Trojans, worms, Spyware and steganographic files. PestPatrol was reviewed recently, and you can read about it here.

Further down the page, Mike went on to say:

"It’s also worth noting that many Internet sites and Newsgroups today are hosting links to -- what appear to be -- links to jpeg image files, when in fact, the link to the real file name is executable and contains a Trojan. I hope that mentioning this helps your readers (and keep up the good work!)"

Excellent point.

To complement that: files with double file extensions can be very dangerous. For example, files ending in .jpg.exe or .gif.com are still executable, because Windows looks only at the very last part of the extension. I managed to find a web site that explains how to configure Windows to reveal file extensions, so that double file extensions are more easily identifiable:

http://security.uwo.ca/antivirus/EFE.html

I also received a very interesting email from Infopackets Reader Rick K. His letter explains how two Operating System exploits (discovered last year) allowed Microsoft Internet Explorer and Outlook Express to execute potentially malicious files.

Rick writes:

"There was much ado about Steganography last year, when it was demonstrated that a virus could hide in a jpg image file. The first issue dealt with the assumption that Microsoft Internet Explorer (MSIE) or Outlook were going to open the file and would accept [Trojan] scripts and macros directly. If there was a script in the jpeg image, MSIE would execute it. Similarly, the vulnerability allowed MS Outlook to hand off the task to MSIE.

The second issue dealt with Microsoft's IE and Outlook opening ANYTHING sent to them. For example, a virus could be smuggled through a system using MS Outlook if an executable (.EXE) file is renamed as .JPG and attached to an email."

Side note: A script is another word for "program", and scripts are often found in .HTML web documents and emails. Macros are also a kind of script (or program) and are commonly used with Word Processors (MS Word / .DOC files) and Spreadsheets (MS Excel / .XLS files).

Another excellent standpoint.
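Both reader points above, the double extension such as .jpg.exe and the executable renamed to .JPG, can be checked mechanically on a file name and the first few bytes of the file. The Python sketch below is an added example and not part of the original newsletter; the function name, the extension lists and the sample inputs are assumptions constructed for illustration.

```python
import os

# Extensions Windows will run directly (assumed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
# Harmless-looking extensions often used as the visible part of a name.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".wav", ".txt", ".doc"}
# Leading bytes expected for a few media types.
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".gif": b"GIF8", ".png": b"\x89PNG", ".wav": b"RIFF"}


def check_attachment(name, head):
    """Return findings for a file name and the first bytes of its content."""
    findings = []
    # Accept Windows-style paths even when run on another OS.
    base = os.path.basename(name.replace("\\", "/")).lower()
    stem, last = os.path.splitext(base)    # last = the extension Windows acts on
    _, inner = os.path.splitext(stem)      # inner = the extension a user may see
    if last in EXECUTABLE_EXTS and inner in DECOY_EXTS:
        findings.append("double-extension")
    if head[:2] == b"MZ" and last not in EXECUTABLE_EXTS:
        # Windows executables start with "MZ", whatever the file is called.
        findings.append("executable-content")
    elif last in MAGIC and not head.startswith(MAGIC[last]):
        findings.append("type-mismatch")
    return findings


# Constructed sample inputs (name, first bytes); these are not real files.
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("holiday.jpg.exe", b"MZ\x90\x00"),
    ("startrek.wav", b"RIFF\x24\x00\x00\x00WAVE"),
    ("invoice.JPG", b"MZ\x90\x00\x03"),
    ("setup.exe", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(f"{name:18} {check_attachment(name, head) or 'ok'}")
```

An empty result only means the name and the leading bytes agree; it says nothing about data hidden inside a valid carrier file, which is what a steganography scanner looks for.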

It is for this exact reason that we should all keep Windows up to date. Not too long ago, Jake Ludington wrote an eBook entitled, "A Digital Lifestyle Guide to Securing Windows XP". In short, this essential eBook explains how to eliminate security holes in Windows XP, automate and stay up-to-date on security patches, protect your PC against viruses, and a whole lot more! For more info, please see this article:

A Digital Lifestyle Guide to Securing Windows XP

Steganography: More comments from Readers?

As luck would have it, I typed my email link incorrectly in Tuesday's edition of the Gazette immediately after asking for Readers to send me their comments on Steganography. It wasn't until after half of the newsletter was delivered that I realized (and corrected) the error. My first comment came in at around 7PM EST on November 25th, so I'm thinking that some emails must have been delivered to a Cyber Black Hole.

If you sent in an email regarding Steganography before 7PM EST on November 25th, please re-send the email. And, if you would like to comment on this ongoing conversation on Steganography, feel free to drop me a line:

http://www.infopackets.com/contact.htm?subject=steganography
