Traditionally, the bad guys' malware bypasses our signature-based defenses with some form of obfuscation, such as encoding the malware with XOR, base64, or gzip, or using any of the malware packers tracked by Shadowserver. Penetration testers have long relied on Metasploit's ability to render their payloads undetectable to antivirus programs.
Peter Gramantik, a member of the research team at Sucuri, has uncovered a new method of hiding malware once it has gotten past your initial defenses. Have you heard of Steganography Malware?
So you bypassed the gateway defenses and grabbed a foothold, but how can you hide your malicious payload from defenses that might be operating on the compromised server and still maintain persistence?
On its own, steganography is really nothing new. In the simplest terms, it is the art and science of not only hiding a message but, more importantly, hiding the fact that a message was sent at all. Anyone who has taken a SANS course such as SEC401 has probably done a hands-on lab using Steghide, or any of the many other steganography tools available today, to hide a message within a JPEG image. The message insertion process has little if any visible effect on the image; a casual user receiving the image would have no idea that it contained a message at all. With the right software, however, a recipient could extract the message hidden within the image. More advanced steganography lessons teach how the tool SteganRTP is used to hide a message within a VoIP call; it even provides a remote shell over the call.
Daniel Cid, Sucuri CTO and founder of OSSEC (Open Source SECurity), has written a blog post on Peter's analysis of a sample of steganography malware found at a compromised site. It is a great analysis and is certainly worth reading to gain a better understanding of evolving threats. Not to steal Cid's thunder, but he explains that the method stores the malware within the EXIF data of the photo. EXIF data is the metadata in a photo that would typically hold camera settings, GPS coordinates and so on. Because the payload sits in the EXIF area rather than in the pixel data, the image appears unaltered when viewed. However, as explained in Cid's blog post, with a little PHP code the malicious payload can be extracted from the image.
Another interesting thing noted in the blog post is that the payload in the image's EXIF area was also base64-encoded, which makes detection by traditional signature-based antivirus unlikely. What can be done about this? You might strip all EXIF data from any stored images; however, that is not always an option if you actually need the images' EXIF data. A little more labor-intensive, but more supportive of your organization's business practices, is to carefully whitelist only those PHP scripts that serve necessary business needs and simply deny execution of anything else. This would give you a leg up on the bad guys.
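To make the detection and the EXIF-stripping mitigation concrete, here is an added example (not code from Sucuri or from Cid's post) that walks the tagged segments of a JPEG, looks inside the APP1..APP15 metadata segments for PHP markers in plaintext or inside base64 runs, and rebuilds the file without those segments. The sample JPEG, the fake Make tag and the harmless PHP snippet hidden in it are constructed for the demonstration; the marker list is an assumed minimal signature set, not the one any product uses.

```python
import base64
import re
import struct

# Assumed minimal signatures for PHP hidden in metadata, checked both in
# plaintext and after base64 decoding (the Sucuri sample used base64 in EXIF).
PHP_MARKERS = (b"<?php", b"eval(")
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

def walk_segments(data: bytes):
    """Yield (marker, start, end) for each tagged JPEG segment up to SOS/EOI."""
    pos = 2  # skip SOI (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI, or SOS: entropy-coded data follows
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def suspicious_exif(data: bytes) -> list:
    """Return findings for PHP markers in APP1..APP15 (EXIF, XMP, ...) segments."""
    findings = []
    for marker, start, end in walk_segments(data):
        if not 0xE1 <= marker <= 0xEF:
            continue
        payload, name = data[start + 4:end], f"APP{marker - 0xE0}"
        findings += [f"{name}: plaintext {m.decode()}" for m in PHP_MARKERS if m in payload]
        for run in B64_RUN.findall(payload):
            try:
                decoded = base64.b64decode(run, validate=True)
            except ValueError:  # binascii.Error: not a clean base64 run
                continue
            findings += [f"{name}: base64-encoded {m.decode()}" for m in PHP_MARKERS if m in decoded]
    return findings

def strip_app_segments(data: bytes) -> bytes:
    """Mitigation from the post: drop every EXIF/XMP segment, keep image data."""
    out, tail = bytearray(data[:2]), 2
    for marker, start, end in walk_segments(data):
        if not 0xE1 <= marker <= 0xEF:  # keep APP0/JFIF, DQT, SOF, DHT, ...
            out += data[start:end]
        tail = end
    return bytes(out + data[tail:])

def build_test_jpeg(exif_body: bytes) -> bytes:
    """Constructed minimal JPEG: SOI + one APP1 'Exif' segment + EOI, no scan data."""
    body = b"Exif\x00\x00" + exif_body
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"

# Constructed sample: a harmless PHP snippet, base64-encoded, sitting in a fake Make tag.
HIDDEN = base64.b64encode(b"<?php /* constructed test marker */ ?>")
SAMPLE = build_test_jpeg(b"II*\x00\x08\x00\x00\x00Make\x00" + HIDDEN + b"\x00")
```

On a real upload directory you would run `suspicious_exif` over each file and either quarantine the hits or pass them through `strip_app_segments` before serving them.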