Program Hides Secret Messages in Executables
DmuZ writes "My friend Rakan has created a new steganographic tool named Hydan which can embed messages into an executable without altering its size. He recently presented this tool to the public for the first time at codecon. This new technique was intriguing enough to get coverage on SecurityFocus.com. The code is available here."
steganography (Score:5, Insightful)
Note that as far as I remember, steganography by definition is supposed to make it impossible to prove that there is data hidden there - one step further than normal encryption. It's not so much about hiding the data as being able to deny its existence.
One reason for this is if you have encrypted data on your disk, then courts can demand the password for it. Steganography allows you to insist there is no hidden data.
But detection should be easy... (Score:5, Insightful)
Novel idea though!
Virus (Score:1, Insightful)
Re:Redundancy? (Score:4, Insightful)
The second example has the additional problem of having a different side-effect on AX and possibly stack faulting.
Re:steganography (Score:4, Insightful)
OK, but geeks forget that possible/impossible isn't a binary state, like 1 and 0. It's about likelihood. Is there a 1% chance that this file contains a hidden message? Or is it more like 90%?
Once the police have "reasonable grounds", they can step up to the next level. You can deny it 'til you're blue in the face, but if they get a professor to testify that it's highly probable that there is a message there, and they have evidence that you have corresponded with other suspects ("exactly why did you send Mohammed bin Mohammed a picture of your kitten a day before al-Qaeda hijacked that airliner?"), suddenly your steganographic sK1Lz aren't worth so much.
Re:You might have gotten hoaxed. (Score:5, Insightful)
A -= 3;
if (A < 0)
Which might be encoded as:
SUB EAX, 3
JC
will cease to function correctly!! The technique I cite (which has been proven and used in the a86 assembler) *DOES* work, since you don't change any of the instruction semantics, but just the instruction encodings.
So in fact, this *IS* yet another bogus story posted by timothy
Re:You might have gotten hoaxed. (Score:5, Insightful)
You work with pretty old computers like the IA32 then, and ancient character sets to boot :-P
Where I come from (which is C), the byte is defined as the smallest addressable unit of store (memory, IOW) that can hold one character from the execution character set (i.e. the number of bits in a char). If I'm using ASCII, then the character set is seven bits wide and the smallest addressable unit of store on an i686 is 8 bits, so the byte would be 8 bits. If I'm using EBCDIC on a computer that can address eight-bit-wide units of store, then the byte is still 8 bits.
But now consider a computer that can address eight-bit-wide areas of store, but my OS uses 16-bit Unicode. The byte is now 16 bits, as that's the smallest chunk of memory that can hold a single char. Or a computer that deals in 32-bit-wide chunks only, but I'm (for some Godforsaken reason) using Baudot coding as my execution character set. Now my character set only takes up five bits, but as the minimum addressable unit of store is 32 bits wide, the byte has to be 32 bits.
A common misconception is to think that the byte and the octet are interchangeable concepts. They aren't. The octet is eight bits, the byte is defined as above (see the ISO C99 standard, for example). It's probable that every system you've used has an 8-bit byte; but don't start thinking that's a universal concept.
Re:You might have gotten hoaxed. (Score:3, Insightful)
There are cases in which the way the carry flag is set doesn't actually matter. In fact, I suspect that in most cases it doesn't actually matter. But, you're right, unless Hydan carefully analyzes the code to make sure it doesn't matter, it's broken.
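As an added illustration of the carry-flag point raised in this comment and in the SUB/JC comment above (example code, not from the thread or from Hydan), the following emulates the 32-bit result and CF of SUB and ADD, and shows that rewriting SUB r32, imm as ADD r32, -imm keeps the register value but inverts CF for every non-zero immediate, so a following JC takes the opposite branch:

```python
# Added example, not code from the thread or from Hydan: emulate the 32-bit result
# and carry flag of SUB and ADD to show why "add eax, -imm" is not a drop-in
# replacement for "sub eax, imm" when a later JC/JNC/ADC reads CF.
MASK32 = 0xFFFFFFFF


def x86_sub(a: int, imm: int) -> tuple[int, bool]:
    """SUB r32, imm32: returns (result, CF). CF is the borrow: unsigned a < imm."""
    a, imm = a & MASK32, imm & MASK32
    return (a - imm) & MASK32, a < imm


def x86_add(a: int, imm: int) -> tuple[int, bool]:
    """ADD r32, imm32: returns (result, CF). CF is the carry out of bit 31."""
    a, imm = a & MASK32, imm & MASK32
    total = a + imm
    return total & MASK32, total > MASK32


def results_match(a: int, imm: int) -> bool:
    """The register value is identical either way; that is what makes the rewrite tempting."""
    return x86_sub(a, imm)[0] == x86_add(a, -imm)[0]


def jc_taken(a: int, imm: int, rewritten: bool) -> bool:
    """Whether a JC placed right after the instruction jumps, for the original SUB
    (rewritten=False) or for the ADD with the negated immediate (rewritten=True)."""
    _, cf = x86_add(a, -imm) if rewritten else x86_sub(a, imm)
    return cf


def rewrite_breaks_branch(a: int, imm: int) -> bool:
    """True when the SUB->ADD rewrite flips the outcome of the following JC.
    For imm != 0 this is always the case: CF_sub = (a < imm) while CF_add = (a >= imm)."""
    return jc_taken(a, imm, False) != jc_taken(a, imm, True)
```

Only a rewriter that proves no later instruction reads CF (the analysis this comment asks for) can apply such a substitution safely.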
Re:You might have gotten hoaxed. (Score:3, Insightful)
Re:steganography (Score:2, Insightful)
The problem is if you have two copies (Score:3, Insightful)
Another method of detecting an executable that contains hidden data is to work out whether the executable uses the most unusual method of implementing its assembly.
Of course, just like in the film 'A Beautiful Mind', you could just end up seeing encrypted data left, right and center, whether or not it is really there.
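As an added example (not code from the thread or from Hydan), the following sketches the mechanism the story describes together with the detection idea in this comment: x86 encodes a register-to-register ADD either as opcode 01 /r or as 03 /r, both two bytes and both with identical semantics, so the choice of form can carry one bit without changing the file size, while a toolchain that always emits one form leaves a tell-tale ratio when many instructions use the other. The 01 form is assumed here to be the toolchain's default.

```python
# Added example, not Hydan's code: one bit per reg-reg ADD, carried by the choice
# between the two equivalent encodings, and the ratio a detector can look at.
# Assumption: the toolchain's default form is 01 /r, so 03 /r is the "unusual" one.
REGS = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esp": 4, "ebp": 5, "esi": 6, "edi": 7}
NAMES = {v: k for k, v in REGS.items()}


def encode_add(dst: str, src: str, form: int) -> bytes:
    """ADD dst, src as two bytes. form 0 -> 01 /r (reg=src, rm=dst);
    form 1 -> 03 /r (reg=dst, rm=src). mod=11 marks a register operand."""
    d, s = REGS[dst], REGS[src]
    if form == 0:
        return bytes([0x01, 0xC0 | (s << 3) | d])
    return bytes([0x03, 0xC0 | (d << 3) | s])


def decode_add(code: bytes) -> tuple[str, str, int]:
    """Return (dst, src, form) for a two-byte reg-reg ADD; rejects anything else."""
    op, modrm = code[0], code[1]
    if op not in (0x01, 0x03) or modrm >> 6 != 3:
        raise ValueError("not a reg-reg ADD")
    reg, rm = (modrm >> 3) & 7, modrm & 7
    if op == 0x01:
        return NAMES[rm], NAMES[reg], 0
    return NAMES[reg], NAMES[rm], 1


def embed(instrs: list[tuple[str, str]], bits: list[int]) -> list[bytes]:
    """Re-encode each ADD so its form carries one message bit. Instructions beyond
    the message keep the default form; every output stays exactly two bytes."""
    out = []
    for i, (dst, src) in enumerate(instrs):
        bit = bits[i] if i < len(bits) else 0
        out.append(encode_add(dst, src, bit))
    return out


def extract(encoded: list[bytes]) -> list[int]:
    """Recover the bit sequence from the encoding forms."""
    return [decode_add(c)[2] for c in encoded]


def unusual_encoding_ratio(encoded: list[bytes]) -> float:
    """Detection heuristic: share of ADDs not in the default form. Compiler output
    stays near 0.0; a carrier holding random message bits trends toward 0.5."""
    forms = extract(encoded)
    return sum(forms) / len(forms)
```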
Re:steganography (Score:5, Insightful)
None of your freaking business. Mohammed bin Mohammed is an old friend of mine, he wanted to see a picture of my new kitten.
Freedom of expression, freedom of speech. No?
Maybe a professor's testimony of "high probability" is enough to get you in deep shit over there; fortunately we still have something reminiscent of citizen rights on this side of the pond.
Re:steganography (Score:2, Insightful)
That's funny considering all those people being held without a lawyer, without a court date and without representation from their country in Guantanamo Bay... I don't think, in light of any "Homeland Security act", you will be allowed to have "free" speech; in fact it seems quite the other way.
More like: you know who Mohammed bin Mohammed is... you go to jail, do not pass Go, do not have any rights, do not even get to try to explain yourself in front of a judge.