Security Researcher Hides ZIP, MP3 Files Inside PNG Files On Twitter (threatpost.com)
A security researcher has discovered a novel steganography technique for hiding data inside a Portable Network Graphics (.PNG) image file posted on Twitter, a tactic that could be exploited by threat actors to hide malicious activity. Threatpost reports: Researcher David Buchanan heralded his discovery on Twitter earlier this week, accompanied by a photo declaring: "Save this image and change the extension to .zip!" He made the source code for his method available in a ZIP/PNG file attached to the image as well as on a post on GitHub that explains his methodology.
Specifically, Buchanan demonstrated how he could hide both MP3 audio files and ZIP archives within PNG images hosted on Twitter. He was successful because, while Twitter strips unnecessary data from PNG uploads, it doesn't remove trailing data from the DEFLATE stream inside the IDAT chunk if the overall image file meets the requirements to avoid being re-encoded, he explained. There are some requirements for both the images used to obscure files and the files being hidden inside them for his method to work, Buchanan explained.
"The cover image must compress well, such that the compressed filesize is less than (width * height) - size_of_embedded_file," he wrote in his post. "If the cover image does not have a palette, then it must have at least 257 unique colors (otherwise Twitter will optimize it to use a palette)." Resolution on images can be up to 4096 x 4096, although Twitter will serve a downscaled version by default for images greater than 680 x 680 depending on certain factors, Buchanan wrote. The image also should not have any unnecessary "metadata chunks," he added. For embedded files, the total output file size must be less than 5MB (potentially), but should be kept under 3MB to be on the safe side; otherwise Twitter will convert the PNG to a JPEG file, Buchanan explained. Moreover, if the embedded file is a ZIP, then the offsets are automatically adjusted so that the overall file is still a valid ZIP, he said. "For any other file formats, you're on your own," Buchanan added, noting that many will work without special parameters, including PDF and MP3 files.
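The summary above hinges on one structural fact: a PNG's IDAT payload is a zlib stream, and bytes appended after that stream's end still sit inside a chunk whose length and CRC are valid, so a naive PNG check passes. The following Python is an added example, not Buchanan's code or Twitter's pipeline: it builds a constructed 8-bit grayscale PNG, optionally appends a constructed trailer inside IDAT, and reports how many bytes follow the zlib stream end, which is the check an upload pipeline or scanner would want to run.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, data: bytes) -> bytes:
    # One PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data.
    # The CRC covers whatever is in 'data', so a trailer appended inside
    # IDAT still yields a chunk with a correct CRC.
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def iter_chunks(png: bytes):
    # Walk the chunk list after the signature, yielding (type, data).
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        yield ctype, png[pos + 8:pos + 8 + length]
        pos += 12 + length  # 8-byte header + data + 4-byte CRC

def idat_trailing_bytes(png: bytes) -> int:
    # All IDAT chunks together form a single zlib stream. Inflate it and
    # count the bytes left over after the stream's end marker; a clean
    # encoder leaves zero, so anything else is data a viewer would ignore.
    stream = b"".join(d for t, d in iter_chunks(png) if t == b"IDAT")
    inflater = zlib.decompressobj()
    inflater.decompress(stream)
    if not inflater.eof:
        raise ValueError("truncated zlib stream in IDAT")
    return len(inflater.unused_data)

def make_png(width: int, height: int, trailer: bytes = b"") -> bytes:
    # Constructed sample image: grayscale, bit depth 8, filter byte 0 per row.
    rows = b"".join(
        b"\x00" + bytes([(x * 7 + y) & 0xFF for x in range(width)])
        for y in range(height)
    )
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    idat = zlib.compress(rows) + trailer  # trailer stands in for the embedded file
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

if __name__ == "__main__":
    clean = make_png(16, 16)
    stuffed = make_png(16, 16, trailer=b"PK\x03\x04 constructed payload")
    print("clean:", idat_trailing_bytes(clean), "stuffed:", idat_trailing_bytes(stuffed))
```

A positive count is a signal, not proof of intent, but it is cheap to compute and catches exactly the case the summary describes.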
Suck it, Parler! (Score:1)
3 decades late at the party (Score:3, Informative)
The warez scene was doing this with their cd-roms in the '90s already.
And now some tech savvy researcher thinks he made a major discovery.
Re:3 decades late at the party (Score:5, Insightful)
Pretty sure they were doing it in the 90s to image files. Certainly by the early 2000s it had been done because I had done it (but with GIF files) and I was copying someone else (can't remember who, I think a story I saw on Slashdot).
Re: (Score:1)
Re: (Score:2, Informative)
> The warez scene was doing this with their cd-roms in the '90s already.
The warez scene was posting cd-roms as PNGs on Twitter in the 90s and it worked even though Twitter modified the images? And all you had to do was change the .png to .iso? That's impressive given Twitter was founded in 2006.
> And now some tech savvy researcher thinks he made a major discovery.
Next time you want to feel good about yourself by attacking someone's work, at least bother to read and understand it.
Re: (Score:1)
Absolutely!
Polyglot files are nothing new : https://truepolyglot.hackade.o... [hackade.org]
Re: (Score:1)
I never claimed to have invented polyglot files. Like all effective research, I built from those that came before me.
You are welcome to try uploading every file on that page to Twitter. Twitter will strip all the non-image data, and the polyglot will break.
Note that the very first link on that page cites the work of Ange Albertini, perhaps the most respected researcher in the field of polyglot files.
He made a thread explaining my work: https://twitter.com/angealbert... [twitter.com]
If a domain-expert considers my researc
"As", not "In" (Score:5, Insightful)
As others have already noted, and doubtless many more will, steganography has been around for decades.
The "news" here is that a .png file can serve directly as a .mp3 or .zip without need for a steganography decoder. This is mildly interesting.
Re:"As", not "In" (Score:5, Informative)
Sanity-Checking File Types (Score:4, Interesting)
Over the last few years we’ve seen examples of destructive attacks being propagated through PDF file types, through several different image file types. Obviously we’ve known for years that any general office file types that support macros [.xlsxm, for example] can also be vectors for malicious code. I’m setting that sub-group to one side here.
The point here is that when the file format is developed, often by an industry working group or equivalent (as in the case of
If we set out, today, to design and develop a brand new file type for a new application, chances are that we would think to include a cyber security specialist and work with them to ensure that our file format included referential integrity, could self-evidence if it had been modified, could include an optional digital signature to prove origination and authenticity, and so on.
So maybe a better question for us to be asking ourselves, as a technology industry, is this:-
Given that the last few years have shown us multiple exploits across multiple file format types, why are we not asking the custodians of the designs or intellectual property for all common file formats to meet basic security best practices, either by strengthening or replacing their file formats?
We have to be careful here - doing this isn’t as harmless or automatically helpful as we might want it to be, since there are also risks that we might introduce vulnerabilities in the code routines used for data marshalling and file packing/un-packing. But the practices and principles needed to get this right can be developed and shared.
This vector is well known and this article is yet another example of the way it can be exploited. How many more examples will we need before we get a more concerted effort to ensure the integrity of data files?
I’m not suggesting that this would somehow be effortlessly easy: adding security in to an existing piece of software used to manage an existing file type will almost certainly be harder than writing a secure file handler from scratch. But that doesn’t mean that, as users, we can ask for or expect our industry to do this.
Re: (Score:2)
While there are certainly file formats and associated applications that are notorious for vulnerabilities, I don't think the ability to embed something that the png processors would ignore constitutes a 'vulnerability'. It's a neat trick to be sure, but everything about the resultant image would steer it to normal image processing (not only file extension, but the 'magic' based system would see a png header). You can potentially sneak something by a third party with both participants in on it, but the fil
They already have the answer (Score:2)
> This vector is well known and this article is yet another example of the way it can be exploited. How many more examples will we need before we get a more concerted effort to ensure the integrity of data files?
Security is easy. Doing it is the costly part that no one wants to engage in, maintain and monitor. Money, money and more money, all for something they can sorta ignore because most "common" users could give a shart. Security money follows prurient interests, all times.
Re: Sanity-Checking File Types (Score:2)
" by strengthening or replacing their file formats?"
Good luck getting the entire world to ditch .JPG or other 'vulerable' formats that have developed incredible inertia over the years. Won't happen for decades, at least.
The only way to fix this is through the software itself, making sure there are no buffer overruns, that there are iron clad sanity checks in place, that there is no way to break the software to allow malicious code to be executed, etc..
Of course, this too will take a long time to deploy and
Re: (Score:2)
Re: (Score:2)
Is "copy /b image.jpg+payload.rar newimage.jpg" considered a steganography tool?
Is this special because it is PNG and ZIP, not JPG and RAR?
Helen Lovejoy (Score:5, Interesting)
> a tactic that could be exploited by threat actors to hide malicious activity.
And it could be used to avoid censorship.
If your security depends on keeping threat actors from encoding data in pictures on twitter you didn’t lose but you never entered the stadium to play the game.
Not sure about it (Score:4, Interesting)
unzip /tmp/shake.zip /tmp/shake.zip
Archive:
error [/tmp/shake.zip]: missing 454 bytes in zipfile
(attempting to process anyway)
error: invalid zip file with overlapped components (possible zip bomb)
A blast from the past (Score:2)
They should concentrate on inserting racist and homophobic language in 10 year old tweets, that's the best way to ruin careers nowadays, not hiding 'Happy Birthday' inside a cat pic.
Re: A blast from the past (Score:2)
Planting racial slurs on people. I wonder how long this would be effective?
Hell this was done in the 80's (Score:2)
Re: Hell this was done in the 80's (Score:2)
copy /b lovely.exe+illicit.zip lovely1.exe
This can still be done now in Windows's cmd shell
Re: (Score:2)
Stenography (Score:2)
I've been hearing stuff like this for decades: encoding a file in the least significant bit per byte to prevent too much degradation in the image itself.
Of course, to do any malware stuff, there needs to be a malware image reader on the victim's computer to extract the hidden file and execute it, in which case you might as well just skip the whole "s0oPuR d3k0d3r r1nG" step and just have the malware connect to your bot net of choice.