Encryption Security

Program Hides Secret Messages in Executables

DmuZ writes "My friend Rakan has created a new steganographic tool named Hydan which can embed messages into an executable without altering its size. He recently presented this tool to the public for the first time at codecon. This new technique was intriguing enough to get coverage on SecurityFocus.com. The code is available here."


  • Redundancy? (Score:4, Interesting)

    by Phroggy ( 441 ) <slashdot3@ p h roggy.com> on Sunday March 02, 2003 @08:11AM (#5418015) Homepage
    It exploits redundancy in the i386 instruction set by defining sets of functionally equivalent instructions.

    Can someone explain to me exactly what this means? Will all i386 executable binaries have unnecessary redundancy? Could the size of the binary be harmlessly reduced by removing it? If so, then why isn't this done?

    If a message is embedded in a binary with this method, can another message be embedded in the resulting binary the same way, or has the required redundancy already been eliminated?
  • by brejc8 ( 223089 ) on Sunday March 02, 2003 @08:22AM (#5418045) Homepage Journal
    I think the point here is that you never release the original binary.
    And the code looks pretty much like it's compiler generated.
  • by JohnFluxx ( 413620 ) on Sunday March 02, 2003 @08:23AM (#5418054)
    True - this is why you should make sure there is no original - i.e. use it on home photos.

    This is also why the data should be encrypted before hiding it in the message ;)
  • by peope ( 584706 ) on Sunday March 02, 2003 @08:42AM (#5418107)
    The most interesting and difficult part I get from this is how can you be sure that the modifications are not done in DATA or in executable format headers (ELF eg).

    I would reckon you would need to be able to disassemble the whole thing before being able to make modifications. Otherwise you could touch static data (vars initialized in the code) or the executable format (some of the metadata about the executable, the ARCH field in an ELF binary eg).
  • Re:stenography (Score:1, Interesting)

    by Anonymous Coward on Sunday March 02, 2003 @08:43AM (#5418109)
    I laugh at your silly techniques! Look how easy it is to outsmart:

    $ cp /bin/ls .
    $ upx ls
    Ultimate Packer for eXecutables
    Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002
    UPX 1.24 Markus F.X.J. Oberhumer & Laszlo Molnar Nov 7th 2002

    File size Ratio Format Name
    -------------------- ------ ----------- -----------
    69368 -> 32358 46.64% linux/386 ls

    Packed 1 file.
    $ ./hydan ./ls < msg > ls.stegged
    Password:
    Host file has no ELF section header
    Inconsistency detected by ld.so: dl-fini.c: 66: _dl_fini: Assertion `i == _rtld_local._dl_nloaded' failed!

    0wned!
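The transcript above shows Hydan refusing the UPX-packed copy of ls with "Host file has no ELF section header": the packer rewrites the file and drops the section header table that Hydan needs to find the code. The same property is worth checking when triaging any binary, since packed or stripped files without section headers also defeat most static analysis tooling. Below is an added Python example (not Hydan's code, not from the thread) that parses only the fixed ELF file header and reports whether a usable section header table is present; the two sample headers are constructed inline, one normal i386 header and one with the table removed as a packer would leave it.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2

# Field names that follow e_ident in both ELF32 and ELF64 headers.
HEADER_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff",
                 "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
                 "e_shentsize", "e_shnum", "e_shstrndx")


def parse_elf_header(data: bytes) -> dict:
    """Parse the fixed-size ELF file header (ELF32 or ELF64, either byte order)."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = {ELFDATA2LSB: "<", ELFDATA2MSB: ">"}.get(ei_data)
    if endian is None:
        raise ValueError("unknown ELF data encoding")
    if ei_class == ELFCLASS32:
        fmt = endian + "HHIIIIIHHHHHH"   # 36 bytes after e_ident -> 52 total
    elif ei_class == ELFCLASS64:
        fmt = endian + "HHIQQQIHHHHHH"   # 48 bytes after e_ident -> 64 total
    else:
        raise ValueError("unknown ELF class")
    size = 16 + struct.calcsize(fmt)
    if len(data) < size:
        raise ValueError("truncated ELF header")
    hdr = dict(zip(HEADER_FIELDS, struct.unpack(fmt, data[16:size])))
    hdr["class"] = ei_class
    return hdr


def has_section_header_table(data: bytes) -> bool:
    """True only if the header points at a section header table that fits in the file."""
    hdr = parse_elf_header(data)
    if hdr["e_shoff"] == 0 or hdr["e_shnum"] == 0:
        return False
    table_end = hdr["e_shoff"] + hdr["e_shnum"] * hdr["e_shentsize"]
    return table_end <= len(data)


def make_elf32_header(e_shoff: int, e_shnum: int, e_shentsize: int = 40) -> bytes:
    """Constructed sample: little-endian ELF32 executable header for EM_386 (3)."""
    ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2LSB, 1]) + bytes(9)
    return ident + struct.pack("<HHIIIIIHHHHHH",
                               2, 3, 1, 0x08048000, 52, e_shoff, 0,
                               52, 32, 0, e_shentsize, e_shnum, 0)


# Constructed inputs: a header whose section table directly follows it,
# and a "packed" header with the table removed (e_shoff = e_shnum = 0).
NORMAL_ELF = make_elf32_header(e_shoff=52, e_shnum=2) + bytes(2 * 40)
PACKED_ELF = make_elf32_header(e_shoff=0, e_shnum=0)

if __name__ == "__main__":
    for name, blob in (("normal", NORMAL_ELF), ("packed", PACKED_ELF)):
        print(name, "section header table:", has_section_header_table(blob))
```

The check also rejects a header whose table offset points past the end of the file, which is a common symptom of a truncated or hand-edited binary rather than a packed one; a real triage script would read the first 64 bytes of the file and pass them in.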
  • by Ninja Programmer ( 145252 ) on Sunday March 02, 2003 @08:57AM (#5418130) Homepage
    You are correct -- detection should be easy so long as you have access to the original unmodified binary. I.e., an original software vendor could embed the message in a product of their own making and you would have no idea.

    Furthermore in opensource environments, it may be very difficult to determine if differences are due to different compiler flag settings, or just a different version of the compiler.
  • by nurb432 ( 527695 ) on Sunday March 02, 2003 @09:12AM (#5418152) Homepage Journal
    Just kidding, but you KNOW that's how it will be viewed by the 'outside'..

    I bet they get shut down, under the patriot act, before you can say 'what's that knock at the door'..
  • by Oswald ( 235719 ) on Sunday March 02, 2003 @09:45AM (#5418209)
    I would reckon you would need to be able to disassemble the whole thing before being able to make modifications.

    Yes, it does that.

  • Re:stenography (Score:1, Interesting)

    by Anonymous Coward on Sunday March 02, 2003 @12:16PM (#5418683)
    Unless you're a suspected terrorist. Then they throw due process out the window and you're burned at the stake. Like that prof. from Florida. Is it just me or in the interest of a fair and just trial, shouldn't they simply report about the story without plastering the guy's face all over national news saying he funds terrorism? All you've gotta say is 'A Florida professor has been arrested due to suspected funding of x terrorist organization.' The only reason to put video/images of him on the air is to screw the guy over. Whenever something else happens you hear 'The police have x suspects in custody and aren't saying shit else'. They don't plaster the guy all over the news, because it slants the fucking trial. I'm all in favor of justice, but it should be done in a just way, otherwise we're no better than a modern age inquisition of sorts...
  • Re:stenography (Score:5, Interesting)

    by sql*kitten ( 1359 ) on Sunday March 02, 2003 @12:55PM (#5418861)
    None of your freaking business. Mohammed bin Mohammed is an old friend of mine, he wanted to see a picture of my new kitten.

    You have a point. On November 12th, 2001, a 58-year old Australian woman resident in Helsinki, placed an obituary notice for Mohammed Atta in Finland's daily newspaper, Helsingin Sanomat. She was questioned by police. If I remember correctly, she had met him many years earlier, had no idea he was a hijacker, but had heard that he had recently died. But, when thousands of lives are at risk, suspicious events have to be followed up, even if it's only to eliminate them from enquiries.

    Maybe a professor's testimony of "high probability" is enough to get you in deep shit over there; fortunately we still have something that reminds one of citizen rights, this side of the pond.

    Since you mention Freedom of Speech, a Constitutional right, I'll assume you're on the West side of "the pond". I suggest you look up Jose Padilla's story.
  • Hydan works. (Score:2, Interesting)

    by jinglz ( 654376 ) on Sunday March 02, 2003 @01:34PM (#5419037)
    From the intel instruction set manual:
    "The SUB instruction ... sets the CF flags to indicate an overflow in the unsigned result".

    Which means that the CF stays the same for both instructions since their results are the same.
    ADD EAX, 3 ; eax = eax + 3
    Is the same as:
    SUB EAX, -3 ; eax = eax - (-3)
    So, "Hydan" works.
    -j
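The ADD/SUB pair above is the kind of substitution the summary refers to. As an added example (not jinglz's code and not Hydan's), the Python below models both forms on 32-bit operands and their i386 encodings, so the reader can check the claim directly: `add eax, n` is `83 C0 ib` and `sub eax, -n` is `83 E8 ib`, both three bytes, which is why the file size is unchanged, and `compare_forms` reports which parts of the resulting machine state agree. Running it over a few EAX values shows that the result, OF, ZF and SF always match while CF comes out inverted between the two forms whenever the immediate is non-zero, so a substitution is only transparent where no following instruction consumes CF. The function names are this example's own.

```python
MASK32 = 0xFFFFFFFF


def to_signed32(x: int) -> int:
    """Interpret a 32-bit pattern as a two's-complement signed value."""
    x &= MASK32
    return x - (1 << 32) if x & 0x80000000 else x


def _flags(res: int, cf: int, signed_exact: int) -> dict:
    """Flag view shared by ADD and SUB: CF is passed in, OF comes from the
    exact signed result, ZF/SF from the truncated 32-bit result."""
    return {
        "result": res,
        "CF": cf,
        "OF": int(not -(1 << 31) <= signed_exact < (1 << 31)),
        "ZF": int(res == 0),
        "SF": (res >> 31) & 1,
    }


def add32(dest: int, src: int) -> dict:
    """ADD r32, imm: CF = unsigned carry out of bit 31."""
    a, b = dest & MASK32, src & MASK32
    full = a + b
    return _flags(full & MASK32, int(full > MASK32),
                  to_signed32(a) + to_signed32(b))


def sub32(dest: int, src: int) -> dict:
    """SUB r32, imm: CF = unsigned borrow, i.e. dest < src as unsigned."""
    a, b = dest & MASK32, src & MASK32
    return _flags((a - b) & MASK32, int(a < b),
                  to_signed32(a) - to_signed32(b))


def _check_imm8(imm: int) -> None:
    if not -128 <= imm <= 127:
        raise ValueError("immediate does not fit a sign-extended imm8")


def encode_add_eax_imm8(imm: int) -> bytes:
    """83 /0 ib: ADD r/m32, imm8; ModRM 0xC0 = mod 11, reg 0 (ADD), rm 0 (EAX)."""
    _check_imm8(imm)
    return bytes([0x83, 0xC0, imm & 0xFF])


def encode_sub_eax_imm8(imm: int) -> bytes:
    """83 /5 ib: SUB r/m32, imm8; ModRM 0xE8 = mod 11, reg 5 (SUB), rm 0 (EAX)."""
    _check_imm8(imm)
    return bytes([0x83, 0xE8, imm & 0xFF])


def compare_forms(eax: int, n: int) -> dict:
    """Execute 'add eax, n' and 'sub eax, -n' from the same EAX value and
    report which parts of the machine state agree afterwards."""
    add_form = add32(eax, n)
    sub_form = sub32(eax, -n)
    return {
        "same_result": add_form["result"] == sub_form["result"],
        "same_CF": add_form["CF"] == sub_form["CF"],
        "same_OF": add_form["OF"] == sub_form["OF"],
        "same_ZF_SF": (add_form["ZF"], add_form["SF"])
                      == (sub_form["ZF"], sub_form["SF"]),
        # -n must itself fit imm8, so n = -128 has no 3-byte SUB twin.
        "same_length": len(encode_add_eax_imm8(n)) == len(encode_sub_eax_imm8(-n)),
    }


if __name__ == "__main__":
    # Constructed sample EAX values around the unsigned and signed boundaries.
    for eax in (0, 1, 0x7FFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF):
        print(f"eax={eax:#010x}", compare_forms(eax, 3))
```

The CF behaviour follows from the two definitions: ADD sets CF when eax + n overflows 32 bits, that is when eax >= 2^32 - n, and SUB sets CF when eax < 2^32 - n, so for any non-zero n exactly one of the two forms sets it.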
  • by cryptor3 ( 572787 ) on Monday March 03, 2003 @02:48AM (#5422469) Journal
    Furthermore, there might be cases where it doesn't matter if the program works. So the program crashes or has logical errors. Does that make you 'guilty' of having hidden data in your file?

    It'll be a strange day in legal history when the _user_ gets arrested/blamed/indicted because his computer crashes.
