They didn’t know anything was wrong until it was too late.
Thousands of bank accounts across the world were compromised, but at first, no one knew how it had happened. Security researchers eventually identified the culprit: a particularly nefarious piece of malware, nicknamed Vawtrak.
Vawtrak is a banking Trojan that, when downloaded from innocent-looking emails, begins to meticulously disable antivirus protections and communicate with a remote command and control server—a single location from which hackers can control massive networks of infected computers, all while receiving and sending illicit information, including browser history, cookies, keystrokes, and screenshots from the victim’s computer. Circumventing two-factor authentication, Vawtrak allows hackers to steal private keys, stored passwords, and login credentials for all of the major accounts it can find, including bank and social media accounts.
Since its first appearance in mid-2013, Vawtrak has cracked hundreds of different banks and financial institutions in more than 25 countries. Copenhagen-based anti-malware firm Heimdal Security called it “one of the most dangerous pieces of financial stealing malware detected.” While attacks have slowed since that initial flurry, the virus is still out there, and it occasionally springs up to resume wreaking havoc.
Vawtrak is cleverly designed to hide in plain sight. It only communicates with its command and control server when users on the infected computer are browsing the internet, when packets of traffic are passing over networks; anything else would look suspicious. It transmits its mother lode via the HTTP protocol to command and control servers it receives by connecting to separate update servers hosted on Tor; the list of servers constantly updates and is couched in the encrypted security of SSL and a Tor2web proxy. Someone analyzing the machine might never realize something is amiss.
When Vawtrak downloads a new list of command and control servers via Tor, it doesn’t dump the details onto the computer. Instead, it hides the lists within an otherwise innocuous file we encounter every day online: the favicon. Vawtrak hides parts of itself in the favicons of various websites, stealthily changing the color of a standard image by a shade or two to allow information to be stored within the file—a method of infiltration called “least significant bits.” The favicon is just four kilobits large, but still contains enough information to communicate covertly.
One analyst compared Vawtrak to a nesting doll, wrapping itself in so many layers that you can’t see the evil within. Worse still, it keeps adapting, remaining out of reach of virus scanners. As Vawtrak spread to computers across the globe, laying waste to everything in its path, researchers puzzled over how it managed to spread secretly, evading capture and virus scans.
They eventually found their answer: steganography.
Steganography isn’t anything new. The first major examples of its use in malware are decades old, and the concept itself dates back much further, to 440 BCE. In ancient Greece and the wider Mediterranean region, hiding messages in plain sight involved shaving the head of a slave, tattooing a message on their scalp, then waiting for their hair to regrow before sending them out to deliver the message, undetected by enemies. A more contemporary example of physical steganography: drug traffickers who hide their illicit bounty inside their bodies (except that law enforcement has ways to identify the hidden cargo).
In ancient Greek, from which the word originates, “steganography” means “covered writing.” In practice, it’s the act of concealing a secret message within something that would not ordinarily carry such a message, then decoding the hidden element upon delivery. And according to those in the know, it could wind up a big cybersecurity threat.
“It’s a Cinderella subject,” said Alan Woodward, a professor at the Center for Cybersecurity at the University of Surrey. Like the fairy-tale protagonist, steganography has long been given short shrift by cybersecurity researchers. “Everyone has been so focused on encryption,” he said, that they’ve overlooked the potential of so-called stegomalware to not only collect private information, but to do so without leaving a trace.
In order to understand steganography, you need to know the three ways online data is communicated. It can be transmitted via plain text—understandable and interceptable, and therefore not all that helpful. Then there’s encrypted data—interceptable, but a load of gobbledygook unless decrypted.
“That’s always been one of the problems with encryption,” said Woodward. “It stood out, so people knew what to look for, because people would only encrypt things that were sensitive.” As a result, whenever hackers saw the telltale signs of encryption, they’d spend their time and effort cracking it. Today, end-to-end encryption of almost all online communication—not just the important, stealable bits—makes that harder to do.
Now, if you want to communicate covertly without drawing attention to the fact that you’re doing so (which is a primary concern in cryptography), there’s really only one way to do it—the third way, steganography. “It’s hiding in plain sight,” Woodward said.
Much of the work on steganography has been done in the entertainment industry, where it’s used to insert digital watermarks into audio and video files that Hollywood studios and music producers don’t want to be seen, but do want to track.
Steganographic techniques are commonplace, and the research on hiding data (be it information or something else) invisibly in files is advanced. Much of the work on steganography has been done in the entertainment industry, where it’s used to insert digital watermarks into audio and video files that Hollywood studios and music producers don’t want to be seen, but do want to track.
What’s less commonplace—experts think, though they don’t know for sure—is the use of steganography to hide malware, and any data it exfiltrates from a compromised network.
“Malware [used to] phone home and start sending the data back,” said Woodward. That in itself is a problem, but it’s an easily identifiable one: You could monitor the packets being sent across a network and see that something was wrong. Then malware advanced and was coded to start encrypting messages it transferred. “There’s so much traffic now on your network that’s encrypted, you have trouble spotting what’s malware communicating and what’s not.” Now, bad actors are believed to be avoiding the problem entirely by adopting steganographic methods, sneaking out information without being seen. But how often this happens is an open question.
“The problem is that no one knows what the size of the problem is, because unlike cryptography, where you can see how much of the traffic is encrypted, with steganography you can’t detect it,” said Woodward.
“It’d be a complete nightmare for law enforcement to do anything about it,” said Tim Holman, CEO and founder of 2-sec, a cyber resilience consultancy that works with major banks in the City of London, the UK capital’s financial district.
But those in the know believe that it’s happening. It’s why Woodward and colleagues from other universities and the European Cybercrime Centre (which is run by Europol, the European supranational police force) came together to form CUIng, the Criminal Use of Information Hiding initiative.
CUIng was established in June 2016 to internally share strategic intelligence, track techniques used in the wild, and raise awareness of the concerns surrounding steganography. In all, more than 90 members from 30 countries worldwide—including representatives from the Bank of Ireland, Vodafone, and Trend Micro—have joined the organization.
“We see it’s an issue, and in criminal activities, we see attack vectors where it’s being used in combination with things like encryption to hide data or to exfiltrate data,” said Philipp Amann, head of strategy at the European Cybercrime Centre. “When it comes to malware, it’s been an increasing issue.”
But getting a handle on the scale of the problem is like trying to nail Jell-O to a wall.
But getting a handle on the scale of the problem is like trying to nail Jell-O to a wall. The whole point of using steganography is to avoid detection, so reliable data on its impact is hard to come by. (If steganography is detected, one could argue that it’s failed as steganography.) An initial study analyzing image files from eBay to see whether any of them contained hidden messages or information did not turn up any results—but that doesn’t mean there weren’t any.
“That’s always the problem with steganography,” said Woodward. “The techniques we’re using are looking for something hidden in a certain way.” Because steganography is, by definition, hidden, those techniques aren’t bound to catch it. Finding a better, more efficient way of uncovering steganography is easier said than done.
It’s only natural for a criminal to want to take advantage of the subterfuge steganography provides, said Amann. “We’ve seen an increasing abuse of encryption tools and techniques to hide data and location, so it’s fair to assume that those kinds of techniques and their use will only increase,” he said. It’s a simple equation: “Whatever criminals can do to hide their activity, they will do.”
And when that “whatever” involves effectively hiding malicious activities under a virtual invisibility cloak, law enforcement agencies are faced with what appears to be a near-insurmountable challenge. “We’re all scratching our heads at the moment, thinking, ‘How on Earth do we do this?’” said Woodward.
It’s the question every researcher on the board of CUIng is asking themselves. Currently, they’re more likely to crack the code through chance than through cunning. “What tends to happen is that by some other happenstance you work out that something’s going on, then you look at the malware and realize it’s using a hiding technique,” said Woodward. From there, researchers can analyze other instances of malware to look for similar patterns.
Woodward and the other researchers he works with—a global team that’s starting to devote their attention to this concern—admit that they may be sounding the alarm for something that isn’t as large an issue as they fear. “We might all be crying wolf without knowing it,” he said. “We don’t know. Nobody knows.” And without comprehensive analysis and study, nobody will know.
In 2003, Krzysztof Szczypiorski highlighted steganography as a potential method for transmitting hidden messages over computer networks in a presentation at a security conference in his hometown, delivered at the Warsaw University of Technology. (Szczypiorski declined to speak with Increment over the busy summer months as he was on vacation.)
It had been a topic of debate in scientific literature since 1996, Szczypiorski admitted, but was rediscovered as a method of covert communication via computers in the aftermath of September 11, 2001. Some used it relatively innocently—in the early days of the internet, using steganography to conceal a porn stash within the metadata of an otherwise innocuous image, like a sunflower, was not unheard of. But others saw a different sort of potential. Steganography went from being a tool to play with as a theoretical challenge—“How do I will one file into hiding another?”—to a method for potential malfeasance that law enforcement had to tackle.
Before they could do that, though, they needed to solve a fundamental question: how to find it. In the concluding remarks to his audience in Warsaw, Szczypiorski called it an “impossible mission.”
The steganographic techniques that can be deployed to avoid detection are out there, and have been for years. Experts in steganography and cybersecurity point to cryptography as a precedent that risks playing out again with steganography: Cryptography was largely overlooked by law enforcement for a number of years before any real concerted action was taken, allowing both good and bad actors to develop ever more sophisticated methods. Experts fear that the same thing is happening with this more opaque technique.
Woodward and the members of CUIng continue to warn law enforcement and the tech industry about the threat that steganography can pose in the wrong hands, despite the outstanding question marks. “Law enforcement agencies like Europol are interested,” Woodward said, “but for the people at the coalface, it’s much more difficult because they’re dealing with so many issues. They’re saying, ‘We haven’t got any tools; is there nothing you can give us yet to solve this problem?’ It’s all still in the research realm.”
At the same time, computer labs at numerous universities around the world are investigating steganographic techniques, and they’re coming up with so-called steganalysis methods that will hopefully be able to identify and highlight incidences of steganography used for nefarious means, decode them, and then produce solutions that could help counteract their spread.
Some police and security sources argue that people like Woodward shouldn’t be talking about it at all. “People want to shut you up, so that you don’t give criminals any ideas,” said Woodward. “But they’ve [already] had the idea for years. It’s difficult not to conclude that if criminals know law enforcement are swinging their big guns around [to solve] the problem of encryption, the criminals will move on. That’s the bit that’s worrying.”
And Holman highlights a lack of demand due to a lack of awareness: “Most people don’t ask us to investigate it because they’re probably not really aware of the threat. People don’t know information is being sent. It’s a family picture, and in it could be instructions to build a nuclear bomb or something, and you wouldn’t know.”