Program Hides Secret Messages in Executables
DmuZ writes "My friend Rakan has created a new steganographic tool named Hydan which can embed messages into an executable without altering its size. He recently presented this tool to the public for the first time at codecon. This new technique was intriguing enough to get coverage on SecurityFocus.com. The code is available here."
Redundancy? (Score:4, Interesting)
Can someone explain to me exactly what this means? Will all i386 executable binaries have unnecessary redundancy? Could the size of the binary be harmlessly reduced by removing it? If so, then why isn't this done?
If a message is embedded in a binary with this method, can another message be embedded in the resulting binary the same way, or has the required redundancy already been eliminated?
Re:But detection should be easy... (Score:3, Interesting)
And the code looks pretty much like it's compiler-generated.
Re:But detection should be easy... (Score:4, Interesting)
This is also why the data should be encrypted before hiding it in the message.
Difficult part, code, data, format (Score:2, Interesting)
I would reckon you would need to be able to disassemble the whole thing before being able to make modifications. Otherwise you could touch static data (vars initialized in the code) or the executable format (some of the metadata about the executable, e.g. the ARCH field in an ELF binary).
Re:stenography (Score:1, Interesting)
$ cp
$ upx ls
Ultimate Packer for eXecutables
Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002
UPX 1.24 Markus F.X.J. Oberhumer & Laszlo Molnar Nov 7th 2002
File size Ratio Format Name
-------------------- ------ ----------- -----------
69368 -> 32358 46.64% linux/386 ls
Packed 1 file.
$
Password:
Host file has no ELF section header
Inconsistency detected by ld.so: dl-fini.c: 66: _dl_fini: Assertion `i == _rtld_local._dl_nloaded' failed!
0wned!
Re:But detection should be easy... (Score:4, Interesting)
Furthermore in opensource environments, it may be very difficult to determine if differences are due to different compiler flag settings, or just a different version of the compiler.
Only for use by terrorists (Score:3, Interesting)
I bet they get shut down, under the Patriot Act, before you can say 'what's that knock at the door'...
Re:Difficult part, code, data, format (Score:4, Interesting)
Yes, it does that.
Re:stenography (Score:5, Interesting)
You have a point. On November 12th, 2001, a 58-year-old Australian woman resident in Helsinki placed an obituary notice for Mohammed Atta in Finland's daily newspaper, Helsingin Sanomat. She was questioned by police. If I remember correctly, she had met him many years earlier, had no idea he was a hijacker, but had heard that he had recently died. But, when thousands of lives are at risk, suspicious events have to be followed up, even if it's only to eliminate them from enquiries.
Maybe a professor's testimony of "high probability" is enough to get you in deep shit over there; fortunately we still have something that resembles citizens' rights on this side of the pond.
Since you mention Freedom of Speech, a Constitutional right, I'll assume you're on the West side of "the pond". I suggest you look up Jose Padilla's story.
Hydan works. (Score:2, Interesting)
"The SUB instruction
Which means that the CF stays the same for both instructions since their results are the same. Is the same as: So, "Hydan" works.
-j
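As an added illustration (example code, not Hydan's own and not from any poster) of the redundancy asked about in the "Redundancy?" post and of the add/sub equivalence this post relies on: a toy Python model in which each add/sub-immediate instruction carries one bit by choosing between `add r, k` and `sub r, -k`, plus the negative-immediate count a defender can use as a detection statistic. The instruction tuples and the cover program are constructed; no real binary is read or written.

```python
MASK = 0xFFFFFFFF  # 32-bit register width

def exec_arith(op, value, imm):
    # Wraparound result of 'add/sub reg, imm' on a 32-bit register (flags not modelled).
    return ((value + imm) if op == "add" else (value - imm)) & MASK

def cover_program(n):
    """Constructed cover: n compiler-style add/sub with positive immediates plus filler movs."""
    prog = []
    for k in range(n):
        prog.append(("mov", "ecx", k))
        prog.append(("add" if k % 3 else "sub", "eax", 4 + k))
    return prog

def bits_of(text):
    return [(b >> i) & 1 for b in text.encode() for i in range(7, -1, -1)]

def text_of(bits):
    chunks = (bits[i:i + 8] for i in range(0, len(bits) - 7, 8))
    return bytes(int("".join(map(str, c)), 2) for c in chunks).decode()

def embed(program, bits):
    """Each add/sub-immediate carries one bit: 0 -> add form, 1 -> sub form.
    'add r, k' and 'sub r, -k' compute the same value, so size and results are
    unchanged; a real tool must also check no later instruction reads the flags."""
    out, i = [], 0
    for op, reg, imm in program:
        if op in ("add", "sub") and i < len(bits):
            want = "add" if bits[i] == 0 else "sub"
            if op != want:
                op, imm = want, -imm  # swap form, negate immediate
            i += 1
        out.append((op, reg, imm))
    if i < len(bits):
        raise ValueError("cover has too few add/sub instructions for the message")
    return out

def extract(program, nbits):
    # Read the bit back from the form of each add/sub-immediate, in order.
    return [0 if op == "add" else 1 for op, _, _ in program if op in ("add", "sub")][:nbits]

def same_results(a, b, start=0xDEADBEEF):
    """Run both streams on eax; the cover and the stego version must agree."""
    va, vb = start, start
    for (opa, _, ima), (opb, _, imb) in zip(a, b):
        if opa in ("add", "sub"):
            va, vb = exec_arith(opa, va, ima), exec_arith(opb, vb, imb)
    return va == vb

def negative_immediates(program):
    """Detection statistic: compilers almost never emit 'add/sub r, -k', so a high count is a red flag."""
    return sum(1 for op, _, imm in program if op in ("add", "sub") and imm < 0)
```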
Re:You might have gotten hoaxed. (Score:3, Interesting)
It'll be a strange day in legal history when the _user_ gets arrested/blamed/indicted because his computer crashes.