Exploit Delivery using Steganography as Covert Channel

Security is a major topic in recent research, and finding new delivery methods was the motivation for this research, to emphasize the problem and raise awareness among browser developers so that they handle


Introduction
The Internet is full of ways to deliver malicious code to victims, using direct and indirect methods to achieve the result. This paper discusses delivering exploits ("malicious code") to victims using digital steganography: JavaScript code is encoded inside the image pixels and then decoded using an HTML5 Canvas element, which allows dynamic rendering of images. This lets the attacker take control of the victim's system, steal confidential data or take the system down by infecting it with malicious code [1] [2], using images as the carrier. Such images can be delivered through different covert channels such as advertisements [3], social media sites and popular sites [4].
Exploit delivery using steganography is very risky and hard to detect. In this paper, these types of attacks are analyzed and the impact of the attack is studied. We then suggest mitigation techniques that handle these threats.

Problem
Exploit kits and hackers have started using steganography as a new method for delivering malware [1]; it is sometimes found in social media [5] or in advertisement images [3] [4], has been used to hide card data inside images [2], and lately to deliver ransomware, "computer malware that installs covertly on a victim's computer, executes a cryptovirology attack that adversely affects it, and demands a ransom payment to decrypt it or not publish it" [6].
Recent research now focuses on delivering and hiding exploits or malware inside images [7] [8], and on methods to detect and eliminate such threats.
Steganography, by definition, is the art of hiding messages in such a way that only the sender and the receiver can reveal the hidden message. Generally, the data is hidden inside an image so that even if a third party obtains the image, nothing about the image looks suspicious.

Digital Steganography Methods
This paper is dedicated to steganography in image files (the "cover image"). Image-based steganography methods vary and have evolved over the years, both in their embedding methods [10] and in their detection methods [11].
There are many different methods to hide information inside images, such as:
• Discrete Cosine Transform (DCT)
• Discrete Wavelet Transform (DWT)
• Least Significant Bit (LSB)
• Discrete Fourier Transform (DFT)
Our primary focus will be on Least Significant Bit (LSB). One point worth mentioning is that any method used should take the following into consideration:
1. The size of the information that can be hidden inside the cover.
2. Perceptual transparency: each cover has a certain information-hiding capacity. If more data is loaded into the cover than it can carry, the cover degrades and the difference between the original and the infected cover will be noticeable.
3. Robustness: the hidden message must remain undamaged.
4. Tamper resistance: it should be difficult for an attacker or pirate to alter the original.
Steganography involves two fragments of data:
• the cover, which works as the medium, and
• the data to be hidden, which in this paper is the exploit or malicious code.

Least Significant Bit (LSB) Method
The LSB method works by replacing some of the information in a given pixel with information from the data to be hidden. While it is possible to embed data into an image on any bit-plane, LSB embedding is performed on the least significant bit(s). This minimizes the variation in colors that the embedding creates [12]. The LSB method is the most common steganography method; the secret information is hidden in the least significant bits of the image's pixel values.
Images can be stored in one of the following digital representations. The values after the insertion of the letter 'A' will be: The same concept can be applied to 8-bit and 8-bit grayscale images. The embedding adds very little noise to the original picture; for 24-bit images, it can in some cases be extended to the second LSB without being noticeable [13].

Example of the Steganography Exploit
The exploit used in the research is based on two known Common Vulnerabilities and Exposures (CVE) entries ("Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known cybersecurity vulnerabilities."):
• CVE-2014-0282: Microsoft Internet Explorer 8 / 9 / 10 - CInput Use-After-Free Crash PoC (MS14-035) [14]
• CVE-2009-2478: Mozilla Firefox 3.5 - (Font tags) Remote Buffer Overflow [15]
The exploit is delivered through the browser by hiding the exploit code inside a cover image with the LSB steganography method. This is done with the Stegosploit tool [16], which uses two components: the decoder and the exploit code. The decoder's job is to run the exploit code on the target. The image below, the PSUT logo, is the cover used for the demonstration.
Figure 1: Cover used for the exploit.
As shown in Table 3, knowing these two factors gives the attacker an advantage in using these weaknesses in browsers to run the exploit and deliver the malicious code. This is done by omitting the image extension, which leads the browser to sniff the content; Figure 2 shows what content could be sniffed [17].
Figure 2: Content Sniffing Matrix.
The browser sniffs the header content and executes the code inside the image by choosing the appropriate processor for the code chunk it is executing [17].
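The sniffing step above relies on the browser re-deciding an extension-less response's type. As an added example (not from the paper or from Stegosploit), the server-side guard below rejects uploads whose bytes do not start with a known image signature and serves stored images with an explicit Content-Type and the X-Content-Type-Options: nosniff header so the browser cannot reinterpret them; the function names are hypothetical.

```python
"""Server-side guard against content sniffing of user-uploaded images (added example)."""

# Standard file signatures (magic bytes) for the image formats this server accepts.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def detect_image_type(data):
    """Return the MIME type whose signature the upload starts with, or None."""
    for magic, mime in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def response_headers_for_upload(data):
    """Headers to serve a stored upload with, or None if it must be rejected (e.g. HTTP 415).

    The signature check stops HTML or script bytes from being stored as an 'image' at all.
    The explicit Content-Type plus nosniff stops the browser from picking a different
    processor for the bytes when the URL has no extension, which is the sniffing behaviour
    the attack depends on. Neither check detects a genuine image that carries LSB-encoded
    data; that is what the transcoding step in the Solution section is for.
    """
    mime = detect_image_type(data)
    if mime is None:
        return None
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
    }
```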

Solution
Browser vendors need to start thinking about detecting content before it is rendered in the DOM. This is easier said than done. Server-side applications that accept user-generated images should, for now, transcode all received images, for example by transcoding a JPG file to a PNG file with slightly degraded quality and back to JPG. The idea is to damage any steganographically encoded data [17].

Future Work
• Define new image policies and protocols for rendering images from other websites.
• Reassess the content policy process.
• Work towards more secure browsers that detect and disable any malicious code.
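The following added example (not code from the paper or from Stegosploit) works through both the LSB method described earlier, embedding the letter 'A' one bit per pixel, and the transcoding countermeasure recommended above, simulated as a lossy re-quantization of the samples. The cover pixel values and all helper names are constructed for this example.

```python
"""LSB embedding and the transcoding countermeasure, worked on constructed pixels (added example)."""

# Constructed cover: 16 samples of an 8-bit grayscale image (room for 2 payload bytes).
COVER = [0x96, 0xA3, 0xB7, 0x22, 0x7F, 0x10, 0xE4, 0xC1,
         0x33, 0x5A, 0x8D, 0x9E, 0x41, 0x6C, 0xF0, 0x2B]


def embed_lsb(pixels, payload):
    """Write payload bits, MSB first, into the least significant bit of consecutive pixels."""
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("cover too small: %d bits needed, %d pixels" % (len(bits), len(pixels)))
    stego = list(pixels)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit   # clear the LSB, then set it to the payload bit
    return stego


def extract_lsb(pixels, nbytes):
    """Reassemble nbytes from the LSB plane, as a canvas-based decoder would."""
    out = bytearray()
    for b in range(nbytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (pixels[b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def max_pixel_change(original, modified):
    """Largest per-pixel difference; LSB embedding never changes an 8-bit sample by more than 1."""
    return max(abs(a - b) for a, b in zip(original, modified))


def transcode(pixels, step=4):
    """Simulate the lossy round trip the Solution recommends (e.g. JPG -> PNG -> JPG).
    Real codecs perturb samples less uniformly than this quantizer, but the effect on
    the LSB plane is the same: the hidden bits are overwritten by codec noise."""
    return [min(255, (p + step // 2) // step * step) for p in pixels]


def payload_survives(pixels, payload):
    """True if the payload can still be read back from the LSB plane of pixels."""
    return extract_lsb(pixels, len(payload)) == payload


if __name__ == "__main__":
    stego = embed_lsb(COVER, b"A")
    print("stego pixels carrying 'A':", [hex(p) for p in stego[:8]])
    print("max per-pixel change from embedding:", max_pixel_change(COVER, stego))
    print("payload survives transcoding:", payload_survives(transcode(stego), b"A"))
```

The embedded 'A' changes only three samples by one unit each and is invisible, yet a re-quantization that moves no sample by more than two units wipes it out, which is why the transcoding step is effective.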

Conclusion
While the full implications of practical exploit delivery via steganography have yet to be fully assessed, this paper shows that browsers fail to stop such attacks and that new methods are needed to detect these types of attacks, such as behavioral analysis.