STEGANOGRAPHIC COMPUTER WARFARE
THESIS
Jordon T. Cochran, Captain, USAF
AFIT/GCS/ENG/00M-03
DEPARTMENT OF THE AIR FORCE AIR UNIVERSITY
AIR FORCE INSTITUTE OF TECHNOLOGY
Wright-Patterson Air Force Base, Ohio
APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED
The views expressed in this thesis are those of the author and do not necessarily
reflect the official policy or position of the United States Air Force, Department of
Defense, or the United States Government.
AFIT/GCS/ENG/00M-03
STEGANOGRAPHIC COMPUTER WARFARE
THESIS
Presented to the Faculty of the Graduate School of Engineering and Management
Of the Air Force Institute of Technology
In Partial Fulfillment of the
Requirements for the Degree of
Master of Science in Computer Systems
Jordon T. Cochran, B.S.
Captain, USAF
March 2000
Approved for public release, distribution unlimited
Acknowledgments
I would like to express my sincere appreciation to my research advisor, Dr. Henry
Potoczny, for giving me incredible freedom to explore the subject of virus steganography
and perform research that I felt was important. His wit and encouragement made a
seemingly impossible task well worth the effort. I thank my committee members, Dr.
Gregg Gunsch and Lieutenant Colonel Tim Jacobs, for their interest and support of this
excursion into the unique field of information hiding. Also, to the fellow academic
researchers who shared their insights with me to help me get started, I thank you.
Finally, and most importantly, I would like to express my most heartfelt
appreciation to my wife and best friend, Kathy, and our "children", Jenny Joy and
Precious. Their love and understanding was the greatest support and comfort to me
during the ceaseless academic course work. Without them in my corner, my research
most likely would not have been possible.
Jordon T. Cochran
Table of Contents
Page
Acknowledgments............................................................................................................... iii
Table of Contents................................................................................................................ iv
List of Figures ....................................................................................................................viii
List of Tables .......................................................................................................................x
Abstract ............................................................................................................................... xi
STEGANOGRAPHIC COMPUTER WARFARE ..............................................................1
I Introduction............................................................................................................. 1
1.1 Executive Summary...................................................................................... 1
1.2 Specific Problem .......................................................................................... 3
1.3 Research Objectives ..................................................................................... 5
1.4 Scope ............................................................................................................ 6
1.5 Research Need .............................................................................................. 7
1.6 Document Sequence ..................................................................................... 7
II Steganography......................................................................................................... 9
2.1 Introduction .................................................................................................. 9
2.2 Historical Perspective ................................................................. 10
2.2.1 Security through obscurity ............................................ 11
2.2.2 Camouflage ................................................................... 11
2.2.3 Hiding the location of the embedded information ........ 13
2.2.4 Spreading the hidden information ................................. 13
2.3 Terminology ............................................................................... 14
2.3.1 Message File ................................................................. 15
2.3.2 Cover File ..................................................................... 15
2.3.3 Steganography vs. Cryptography .................................. 15
2.4 Steganographic Methods ............................................................................ 18
2.5 Research Areas ........................................................................................... 19
2.6 Summary..................................................................................................... 21
III Methodology ......................................................................................................... 22
3.1 Introduction ................................................................................ 22
3.1.1 Problem Definition ........................................................ 22
3.1.2 Problem Statement ........................................................ 23
3.1.3 Scope ............................................................................. 23
3.1.3.1 Selected Strategies ........................................... 23
3.1.3.2 File Format ...................................................... 23
3.1.3.3 Image Library .................................................. 24
3.2 Steganography Tools Overview ................................................. 27
3.2.1 Contraband HE .............................................................. 27
3.2.2 Encrypt Pic .................................................................... 27
3.2.3 FFEncode ...................................................................... 28
3.2.4 Gifshuffle ...................................................................... 28
3.2.5 HideSeek ....................................................................... 28
3.2.6 In The Picture ................................................................ 28
3.2.7 JSteg Shell ..................................................................... 29
3.2.8 Pretty Good Envelope ................................................... 29
3.2.9 S-Tools .......................................................................... 29
3.2.10 Snow ............................................................................ 30
3.2.11 SteganoGifPaletteOrder ............................................... 30
3.2.12 Steganos ....................................................................... 30
3.2.13 Steghide ....................................................................... 31
3.2.14 wbStego ....................................................................... 31
3.3 Method of Evaluation ................................................................. 32
3.3.1 Process Overview .......................................................... 32
3.3.2 Cover and Message File Controls ................................. 32
3.3.3 Steganography Tools ..................................................... 32
3.4 Method of Delivery .................................................................... 34
3.4.1 Network Propagation System Analysis ........................ 34
3.4.2 Methods of Transmission .............................................. 35
3.4.3 Trouble with Propagation Timing ................................. 37
3.5 Anti-Virus Programs .................................................................. 39
3.5.1 McAfee VirusScan ........................................................ 41
3.5.2 Norton Anti-Virus ......................................................... 41
3.5.3 PC-cillin ........................................................................ 41
3.5.4 InoculateIT .................................................................... 42
3.6 The Real Threat .......................................................................................... 42
3.7 Summary..................................................................................................... 43
IV Analysis and Results ............................................................................................. 44
4.1 Introduction ................................................................................................ 44
4.2 Steganography Tool Test ............................................................ 44
4.2.1 Windows-based tools .................................................... 44
4.2.2 DOS-based tools ........................................................... 46
4.2.3 Overall Results .............................................................. 47
4.3 Alternative Methods ................................................................... 48
4.3.1 HTML Web page and Java Applet ............................... 48
4.3.2 Executable Wrapper ...................................................... 50
4.3.3 Overall Results .............................................................. 51
4.4 Anti-Virus Analysis .................................................................................... 52
4.5 Summary..................................................................................................... 52
V Conclusions and Recommendations ..................................................................... 54
5.1 Introduction ................................................................................................ 54
5.2 Conclusions ................................................................................................ 55
5.3 Recommendations ...................................................................... 56
5.3.1 Java ............................................................................... 56
5.3.2 Research Virus Distribution .......................................... 57
5.3.3 Dependence on COTS Products .................................... 57
5.4 Military Implications .................................................................. 57
5.4.1 Potential Attackers ........................................................ 58
5.4.2 Usage Conditions .......................................................... 59
5.4.3 Appropriate Responses ................................................. 59
5.5 Closing Statement....................................................................................... 60
Appendix A, Computer Virus Primer ................................................................................61
A.1 Overview............................................................................................................... 61
A.1.1 Why Are Viruses Developed ...................................................................... 62
A.1.2 Brief Virus History..................................................................................... 63
A.1.3 Definition of A Computer Virus ................................................................. 64
A.1.4 Virus Types ............................................................................ 65
A.1.4.1 Trojan Horse ............................................................. 68
A.1.4.2 Network Worm ......................................................... 68
A.1.4.3 Virus E-Mail Hoaxes ................................................ 68
A.1.5 Virus Development..................................................................................... 69
Appendix B, Network Testbed Environment .....................................................................72
B.1 Hardware Resources ............................................................................................. 72
B.1.1 Overview .................................................................................................... 72
B.1.2 Server.......................................................................................................... 73
B.1.3 Client Systems ............................................................................................ 74
B.2 Software Resources............................................................................................... 74
B.2.1 Overview .................................................................................................... 74
B.2.2 Server ..................................................................................... 74
B.2.2.1 Network Properties ................................................... 75
B.2.2.2 FT Gate (Gateway, HTTP, FTP, Internet Mail) ....... 78
B.2.2.3 Microsoft Personal Web Server ................................ 81
B.2.3 Client Systems ........................................................................ 82
B.2.3.1 Network Properties ................................................... 83
Appendix C, Vendor Contact Information.........................................................................84
C.1 Steganography Tools ............................................................................................ 84
C.2 Anti-Virus Tools................................................................................................... 86
Appendix D, Software Request Form Letter .....................................................................87
Bibliography.......................................................................................................................89
Vita.....................................................................................................................................92
List of Figures
Page
Figure 1, Number of Information Hiding Publications......................................................10
Figure 2, Cryptography.....................................................................................................16
Figure 3, Steganography ....................................................................................................17
Figure 4, Combined Protocol.............................................................................................17
Figure 5, camp.bmp ...........................................................................................................25
Figure 6, test.jpg.................................................................................................................26
Figure 7, mona.gif ..............................................................................................................26
Figure 8, Virus Infection Sources ......................................................................................38
Figure 9, Windows-based Steganography Tool Example Encoding .................................45
Figure 10, Windows-based Steganography Tool Example Decoding ...............................46
Figure 11, Sample DOS Steganography Tool Execution ..................................................47
Figure 12, Executable Wrapper Example Script................................................................51
Figure 13, Dr. Cohen's Virus Pseudocode .........................................................................70
Figure 14, Network Testbed Environment .........................................................................73
Figure 15, Network Neighborhood Properties ...................................................................75
Figure 16, TCP/IP Properties .............................................................................................76
Figure 17, TCP/IP-IP Address Properties ..........................................................76
Figure 18, TCP/IP-DNS Configuration Properties ............................................................77
Figure 19, TCP/IP-Gateway Properties .............................................................78
Figure 20, FTGate Mail Gateway Properties .....................................................................79
Figure 21, FTGate Mailbox Manager Properties ...............................................................80
Figure 22, FTGate Properties.............................................................................................81
Figure 23, Personal Web Server Properties .......................................................................82
List of Tables
Page
Table 1, Steganography Tool Sample Files .......................................................................24
Table 2, Tool Settings and Options ....................................................................................33
Table 3, Steganography Tool Platform..............................................................................47
Table 4, Client System Software .......................................................................................83
Abstract
Computer technology permeates every aspect of our daily operations. As this
dependence increases, users become more susceptible to attacks. This threat comes
largely from computer viruses, which fall under the Information Warfare domain.
Steganography's goal is to conceal information, in plain sight. Although
steganography tools have been around for several years, their true potential continues to
be explored. This resurgence in steganography combined with the aforementioned
computer virus threat raises potential risks. This research attempts to determine
strategies that can be used automatically to decode a steganography file. Emphasis is
placed on automated techniques and is not specific to any steganography application.
The primary objective of this thesis is to explore and assess computer systems'
vulnerability to steganographic virus attacks. The results indicate that steganography
tools are not well suited to serve as sole attack weapons. However, the tools combined with
other applications could be used to automatically extract the hidden information with
minimal user intervention. The research examined the current state of steganography tool
capabilities with regard to computer virus implementations. Coupling these two
technologies can result in a very deceptive and powerful IW attack and pose a significant
risk to the United States government and our national information infrastructure.
STEGANOGRAPHIC COMPUTER WARFARE
I Introduction
1.1 Executive Summary
Personal computers (PCs) have been at the heart of the United States
government's productivity gains since the early 1980s. Computer technology permeates
every aspect of daily government operations, from a secretary's word processing duties to
the military operations analyst's war game modeling activities. Most military weapons
systems are 80% or more dependent on computers and computer software. This
environment puts military combat operations at risk if a scenario evolved where real-time
operations were required without computers [31].
The tactical and strategic command, control and communications systems of
today's military are becoming increasingly dependent upon automation. Likewise,
America's commercial strategic systems, utilities, communications networks, and
financial networks are increasingly dependent on computers. Because of this increased
automation, all of these systems are becoming more vulnerable to attack. This threat
does not come from physical attack from bombs or artillery shells, although physical
attack is always a concern. Rather, it comes from computer viruses. Generally, a virus is
one of a group of computer pathogens made up of viruses, worms and Trojan horses.
Consider the following scenario: At exactly XXXX hours on some precise future
date, the server nodes of the Secure Internet Protocol/Routing Network (SIPRNET) and
Non-Secure Internet Protocol/Routing Network (NIPRNET) fail. In less than 30 minutes,
dependent organizations have totally lost the ability to move position reports, operational
orders, data, and communications. Exactly 30 minutes after the initial failure, a near peer
adversary attacks several United States' installations. Initially, personnel are unable to
communicate, pass on any tactical or strategic information, or coordinate counter attacks.
Eventually, the networks are restored and the attack is defeated, but only after huge losses
of personnel and equipment may have occurred.
The introduction of computers into the Department of Defense (DOD), in garrison
and on the battlefield, and into United States' society in general has led to an
unprecedented improvement in combat system effectiveness, speed of communications
and productivity. It has also led to an unanticipated reliance on them to do everything but
make tactical and strategic decisions. As we increase our use of and dependence on
computers, our potential adversaries are looking for ways to exploit this ever-evolving
global information infrastructure [8]. This situation only serves to increase the likelihood
that an event such as the one described in the scenario will happen. It is only a matter of
when, where and how. Viruses can attack without warning, quickly shutting down
systems after penetrating multiple levels of virus protection [42].
Why are viruses important? Quite simply, they form a potential class of computer
warfare weapons that fall within the domain of Information Warfare. More importantly,
when national or theater-wide cyberspace or computer systems are involved, the threat of
viruses becomes strategic in nature [13].
Potential information warfare targets include various types of information,
processes that use information as their foundation, and various types of information
systems. Also included are information networks; specifically, telecommunications
systems, television broadcast systems, electrical power supply systems, and financial
systems. With the center of information warfare focused at achieving “information
supremacy”, it is essential that the United States have the capability of affecting and
defending these systems at critical times [1].
This vulnerable environment suggests that research is required to assess
steganographic contributions concerning computer virus capabilities and their combined
effect on government computer security. These two technologies combined could serve
as an offensive information warfare computer attack. It is through this research that the
United States will better understand and be able to defend against similar attacks.
1.2 Specific Problem
Joint Pub 3-13 [22] defines Information Operations (IO) as “actions taken to
affect adversary information and information systems while defending one’s own
information and information systems.” Information Warfare (IW) is IO during times of
crisis to promote specific objectives. Although IO/IW encompass a broad spectrum of
actions and capabilities, the concept is often associated with computer network attacks
(CNA). With this new realm of warfare, the services have inherent difficulties in dealing
with combat IO/IW implementations and capabilities. Specifically, there is a lack of
understanding concerning the use of viruses for CNA type scenarios.
The USAF operates approximately 350,000 Microsoft-based personal computers
with the number in the entire government probably over 1.5 million (estimate based on
over 2.12 million DOD employees) [29, 10]. These PCs are inherently vulnerable to
computer virus attacks due to holes in security implementations or simply poor security
practices. Virginia Hockett from the 3M Company quoted an alarming statistic from a
government and private industry study: "According to a 1992 study by USA Research,
monetary losses attributed to computer viruses--chiefly, the opportunity cost of search-
and-destroy missions--reached about $1 billion in 1991" [18]. This figure has increased
ten-fold to $12.1 billion during 1999 [11]. Even this figure may be well understated with
most organizations’ reluctance to report attacks for fear of highlighting vulnerabilities to
other would-be attackers.
During the Gulf War an estimated 5,000 computer systems were unintentionally
shut down when a military member accidentally introduced a computer virus to an
operational computer network [27]. In addition to the cost of removing the
contamination and restoring full operational capacity to the individual systems that made
up the network, the network was unavailable to perform mission essential processing
during the period of time it took to bring it back on-line. The military declined to
comment on the specific impact of this computer virus infection, but it certainly
adversely affected the efficiency of their operations. This incident forces military
computer security personnel to consider just how dangerous an intentional virus attack by
a determined enemy could be to operational military capabilities that rely heavily on
computers.
For computer viruses used as weapons, the most important problems to be resolved are
the methods of virus insertion and activation. Introducing viruses into enemy computers
can cause operational malfunctions or paralysis of the computer systems. As a result, offensive
IW computer virus weapons must be able to be introduced into enemy computer systems,
relying on the computer virus’ own reproduction in order to infect entire systems.
Moreover, triggering the virus at specified times becomes the key to causing enemy
computers to operate in accordance with the virus programs. This action could easily
result in the control and even partial or total destruction of enemy computer systems [2].
1.3 Research Objectives
The objective of this thesis is to explore and assess the vulnerability of computer
systems to virus attacks that are disguised by steganographic techniques. An
understanding of the functionality and capabilities that exist with commercially available
technology must be obtained. The research accomplishments of this exploration include
an examination of where current steganographic tool capabilities exist concerning the
implementation of computer viruses. For additional specific information on computer
viruses, reference Appendix A, a Computer Virus Primer.
1.4 Scope
Much of the discussion presented in this thesis must be on a macro level. The
topics brought together here are many and could occupy the material of several books.
The details associated with computer viruses, what they really are, the implications of
their use in IO/IW actions, organizational theory and design, and computer design and
connectivity will be presented as necessary to clearly understand the practical
applications of steganographic computer viruses.
This research effort focuses on government Microsoft PCs processing sensitive,
unclassified information in the national office automation environment. These machines
are the most widely used and very vulnerable to computer virus attacks. Embedded, or
special purpose, computer systems were specifically excluded. In the case of networked
systems, the research applies to the individual PCs that make up the network and leaves
the peculiarities of interconnected computer networks and the various network
architectures that support them to future research efforts. Ongoing research in operating
system security and secure system development must be considered separate topics that
cannot be addressed within the scope of this research.
This research will not exhaustively discover or take advantage of all possible
virus attacks. It will attempt to determine a reliable infection mechanism for a target
system that uses many of the common commercial software products (e.g. Windows,
Internet Explorer, Netscape Communicator, Java, etc). These products coupled with a
testbed environment were used for the virus steganography research.
1.5 Research Need
A United States General Accounting Office (GAO) report on computer security
highlighted the need for more computer virus research:
Although DARPA [Defense Advanced Research Projects Agency], NIST [National Institute of Standards and Technology], and NCSC [National Computer Security Center] sponsor or conduct considerable computer security-related research, none of these agencies are doing research specifically aimed at computer viruses. [39]
Obviously, this fact has since changed; however, the need to maintain a technological
advantage over an adversary still exists. This is very evident in comments from the
Defense Intelligence Agency director, Vice Admiral Thomas Wilson. He said that it is
“essential to have an all-conquering offensive technology and to develop software and
technology for Net offensives so as to be able to launch attacks and countermeasures on
the Net, including information-paralyzing software, information-blocking software, and
information-deception software" [15]. Past and emerging threats to computer systems
and the need to periodically update protection mechanisms to keep up with the ever-
changing virus threat warrants this research. Discovering or reducing the United States
government’s vulnerability to computer virus attacks is also a core objective of this
research.
1.6 Document Sequence
This thesis includes five chapters. The first chapter summarized the research plan
by stating the problem, objectives, and scope. Chapter II discusses the origin of
steganography and how it has historically evolved to its present-day computer
applications. Chapter III describes the methodology used to meet the research objectives
followed by Chapter IV's research analysis and results. Finally, Chapter V addresses the
research recommendations and conclusions. Appendix A serves as a computer virus
primer and discusses their history, types, and development. Appendix B discusses how
the Network Testbed environment was established. Appendix C shows the software tools
point of contact information. Finally, Appendix D provides a sample anti-virus software
request form letter.
II Steganography
2.1 Introduction
Steganography is an ancient art that has been reborn in recent years. The word
steganography comes from Greek roots (στεγανο-ς, γραφ-ειν), which literally means
covered writing [32], and is usually interpreted to mean hiding information in other
information. Steganography researcher, Markus Kuhn, has submitted the more modern
definition of steganography as the “art and science of communicating in a way which
hides the existence of the communication" [4]. The goal is to conceal, in plain sight,
information inside other innocent information to disallow an outsider or adversary the
opportunity to detect that there is a second secret message present.
Within the past several years, there has been an exponential increase in the
research community and industry’s focus towards information hiding techniques as
opposed to the traditional cryptography area. Figure 1 clearly depicts this rapid
increase in topic publications. There have been three international workshops related
solely to information hiding since 1996.
Figure 1, Number of Information Hiding Publications
One of the primary drivers of the renewed interest in steganography is for
mitigating copyright abuses. As audio, video and other works become more readily
available in digital forms, the ease with which perfect copies can be made may lead to
large-scale unauthorized copying. This type of copying is naturally of great concern to
the music, film, book, and software publishing industries. There has been significant
recent research into digital watermarks or hidden copyright messages and digital
fingerprints or hidden serial numbers. The idea is for file fingerprinting to be used to
help identify copyright offenders and then potentially prosecute them with the digital
watermark [32].
[Figure 1 chart: Number of Information Hiding Related Publications per year, 1991-2000 (2000 value estimated)]
2.2 Historical Perspective
The past several hundred years have had numerous examples of steganography in
practice. These examples encompass a variety of techniques. Security through obscurity,
camouflage, hiding the embedded information location, and spreading the hidden
information will be discussed in the following sub-sections. The broad steganography
definition previously mentioned outlines an important historical aspect of successful
steganographic systems: they all employ cover media that is inconspicuous. This
maintains the fundamental premise of steganography – hiding the appearance of
communications.
2.2.1 Security through obscurity
A large literature on steganography had been composed by the 16-17th centuries.
The basis of this steganography relied on novel information encoding methods. Gaspar
Schott (1608-1666), in his book Schola Steganographica, explains how using musical
notes to correspond to a specific letter could be used to hide messages in music scores.
He also expanded Johannes Trithemius’ (1462-1516) Ave Maria code proposed in
Steganographæ, one of the first known steganography-related books. Similarly, David
Kahn, in his book: The Codebreakers, explained how acrostic methods were used for a
monk to hide his lover's name in the first letters of successive chapters of a book he
wrote. Kahn also tells of prisoners of war hiding messages in letters home by using
the dots and dashes on i, j, t and f to spell out information in Morse code [16, 22].
2.2.2 Camouflage
The above security through obscurity may be improved by intelligent
camouflaging techniques. Even if the method is known, making the hidden information
expensive to try to find can be beneficial, especially when a large amount of cover traffic
exists. For example, artists understood that works of sculpture or painting appear
different from certain angles. Perspective and anamorphosis rules were established so
that the anamorphic images could be used as an ideal medium for camouflaging
dangerous political statements and heretical ideas [33].
Herodotus (c.486-425 BC) tells how around 440 BC Histiæus shaved his most
trusted slave’s head and tattooed it with a message that was naturally hidden when his
hair grew back. The tactic was to initiate a revolt against the Persians. Surprisingly, the
method was still used by some German spies at the beginning of the 20th century [29].
Herodotus also tells how Demeratus, a Greek at the Persian court, warned Sparta of an
imminent invasion by Xerxes. The wax from a writing tablet was removed and a
message was written on the wood. The tablet was re-covered by the original wax and
returned to its original appearance. The tablet so much resembled a blank one that it
almost fooled the recipient. Numerous techniques were invented or reported by Æneas
the Tactician [37]. Some examples included letters hidden in messengers' soles or
women's earrings and notes carried by pigeons. He also proposed hiding text by making
very small holes above or below letters or by changing the heights of letter-strokes in a
cover text. These minuscule dots were masked by the contrast between the white paper
and the black letters. This technique was improved with invisible ink to print very small
dots instead of making holes and was reused by German spies during both World Wars
[22, 16]. A modern adaptation of this technique is still in use for document security [3].
Wilkins’ invisible ink camouflaging process was extensively used. Originally, the inks
were made up of organic substances, such as milk or urine and were developed with heat.
The technology fell into disuse with the invention of ‘universal developers’ which could
easily determine which parts of a piece of paper had been wetted [32].
2.2.3 Hiding the location of the embedded information
The ancient Chinese developed a security protocol where the sender and the
receiver had copies of a paper mask that had a number of random holes cut out. The
sender would place his mask over a sheet of paper, write the secret message into the
holes, remove the mask and then compose a cover message incorporating the code
ideograms. The receiver could read the secret message at once by placing his mask over
the resulting letter. This method was reinvented in the early 16th century by Cardan
(1501-1576), an Italian mathematician and was used by a British bank in 1992 where
customers concealed their personal information number used with their cash machine
card [5].
A final camouflaging example comes from mathematical tables. Publishers of
logarithm tables and astronomical ephemerides in the 17th and 18th century used to
introduce errors deliberately in the least significant digits. Even today, database and
mailing list vendors insert phony entries in order to identify customers trying to resell
their products [32].
2.2.4 Spreading the hidden information
Steganography techniques that have been used recently involve the introduction
of noise into the embedded data channel via filtering operations and the use of coding
techniques to exploit the residual bandwidth. The simplest is the repetition code -- one
simply embeds a bit enough times in the cover object that evidence of it will survive the
filter. This is inefficient in coding theoretic terms but can be simple and robust in some
applications.
Another way to spread the information is to embed it into the statistics of the
luminance of the pixels. Some tools use a pseudorandom generator to select pixels and
slightly increase or decrease their luminosity contrast. Thus, the contrast of this set is
increased without any change in the average luminosity of the image. These statistical
methods form a type of primitive spread spectrum modulation. General spread spectrum
systems encode data in the choice of a binary sequence that appears like noise to an
outsider but which a legitimate receiver, furnished with an appropriate key when
necessary, can recognize. Spread spectrum radio techniques have been developed for
military applications since the mid-1940's because of their anti-jamming and low-
probability-of-intercept properties [32].
2.3 Terminology
The general model for hiding information in other information can be described as
follows:
The embedded data is the message that one wishes to send secretly. It is usually hidden in an innocuous message referred to as a cover-text, or cover-image or cover-audio as appropriate, producing the stego-text or other stego-object. A stego-key is used to control the hiding process so as to restrict detection and/or recovery of the embedded data to parties who know it (or who know some derived key value). [32]
The vocabulary associated with steganography was agreed upon at the first
international Information Hiding Workshop sponsored by Cambridge University in 1996.
As previously shown in Figure 1, steganography's widespread adoption is evident in the
numerous papers and journal articles recently published. The primary definitions
concerning this research involve the top-level steganography functions. The actual
process of embedding information in another file usually involves two classes of files –
message files and cover files.
2.3.1 Message File
The message file is the information that is hidden or embedded during the
steganographic process. Depending on what a user is hiding, the message file can be any
type of information source – audio, graphic, text, or even malicious files. The only
restriction on a message file is that it must fit within the cover file.
2.3.2 Cover File
The cover file is the medium that contains the message file after the
steganographic process is applied. Again, the intent of steganography is to maintain the
initial visible quality of the cover file after the message file is hidden. Therefore, the file
should not draw undue attention to itself or compromise any features and characteristics
generally found in other similar files of its particular type. A cover file can also be
referred to as a container file or stego-file. The latter term usually only applies to the
cover file after the message file has actually been embedded.
2.3.3 Steganography vs. Cryptography
Although steganography differs from cryptography, many of the techniques and
wisdom from the more thoroughly researched discipline can be borrowed. Covert
information is not necessarily secure and secure information is not necessarily covert.
The two are fundamentally different. The distinction between the two is made clear in
the following discussion.
In cryptography, information is secured by transforming original data into
encrypted data with an enciphering scheme. Figure 2 depicts the encryption process that
produces the output, or ciphertext. The cipher text should be meaningless as to what it is
truly representing.
Figure 2, Cryptography
Steganography, on the other hand, leaves the original data unchanged and
conceals it. The original information is hidden using an embedding technique into an
innocent cover medium, as shown in Figure 3. To an observer, the cover medium
appears normal. By applying the reverse of the original embedding technique, the
original data is recovered.
Past cryptography history has shown that the adversary usually knows that
communication is occurring and is able to intercept it. The adversary is often aware that
the information is encrypted and that in most cases will break the encryption algorithm at
any cost. Thus, cryptography’s underlying security is based on the difficulty of breaking
the encryption algorithm. With sufficient time and resources, this decryption task has
usually been achieved.
[Figure 2 diagram: Plaintext -> Encryption (Key) -> Ciphertext -> Decryption (Key) -> Original Plaintext]
Figure 3, Steganography
In contrast, steganography assumes the adversary can intercept the cover, but
cannot perceive any information besides the original cover content. The information is
concealed and may have no additional security besides the actual message embedding.
However, some security can be implemented by combining the two sciences as shown in
Figure 4. The combination of these two techniques has become an everyday practice for
many of the steganographic systems.
Figure 4, Combined Protocol
[Figure 3 diagram: Message 'Info' + Cover 'Info' -> Embedding -> Cover 'Info' (Stego) -> Recovery -> Original Message 'Info']
[Figure 4 diagram: as Figure 3, with a Stego-Key and a Crypto-Key supplied on both the Embedding and the Recovery side]
2.4 Steganographic Methods
The Internet is a vast channel for the mass dissemination of information (e.g.
publications and images). Images provide excellent carriers for hidden information.
Many different steganographic techniques exist, but most can be grouped into two
domains: the image domain and the transform domain.
Image domain tools encompass bit-wise methods that implement least significant
bit insertion and noise manipulation. These approaches are prevalent in steganographic
systems and are characterized as simple systems [4]. The typical image formats used
with such steganography methods are lossless and the data can be directly manipulated
and recovered easily.
The transform domain category of tools includes those that manipulate algorithms
and image transforms such as discrete cosine transformation. These methods conceal
information in significant areas of the cover and may alter image properties such as
luminance. Watermarking tools usually fall in this domain. Typically, these methods are
more robust than bit-wise techniques. However, a consideration must be taken as to the
benefit of added information to the image versus the extra robustness obtained. Many
transform domain methods are unconstrained to image format and may remain persistent
for lossless to lossy, or vice versa, conversions.
Some techniques share both image and transform domain characteristics. These
may employ patchwork, pattern block encoding, spread spectrum methods, and masking
which all can add redundancy to the hidden information. These combined approaches
may help protect against some image processing techniques such as cropping and
rotating. For example, the patchwork method uses a pseudo-random selection technique
to mark multiple image sections (or patches). Each patch may include the watermark, so
if one section is destroyed or cropped, then others may persist [21].
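The image-domain model described in this section and the message/cover/stego-key vocabulary of Section 2.3 can be made concrete in a few lines. The following is an added example written for this page, not code from the thesis or from any of the tools it surveys: it embeds a message file into the least significant bits of an 8-bit grayscale cover, choosing the hiding pixels in a pseudo-random order seeded from the stego-key (a simplified stand-in for the keyed dispersion the thesis attributes to HideSeek, S-Tools and Steghide; their real generators differ). The 16x16 cover, the 2-byte length header and the SHA-256 seeding are all assumptions made for the example. The `max_pixel_change` check shows why such changes are invisible to the eye: no pixel moves by more than one level.

```python
import hashlib
import random

# Constructed 16x16 8-bit grayscale "cover image" (one byte per pixel); sample
# data made up for this example, not the thesis's camp.bmp.
WIDTH, HEIGHT = 16, 16
COVER = bytes(((x * 7 + y * 13) % 256) for y in range(HEIGHT) for x in range(WIDTH))


def _pixel_order(n_pixels: int, stego_key: str) -> list:
    """Pseudo-random dispersion of the hiding positions, seeded from the stego-key.
    Assumed scheme for this example; the surveyed tools use their own generators."""
    seed = int.from_bytes(hashlib.sha256(stego_key.encode()).digest()[:8], "big")
    order = list(range(n_pixels))
    random.Random(seed).shuffle(order)
    return order


def capacity_bytes(cover: bytes) -> int:
    """One LSB per pixel, minus the 2-byte length header this example prepends."""
    return len(cover) // 8 - 2


def embed(cover: bytes, message: bytes, stego_key: str) -> bytes:
    """Return the stego-object: the cover with the message bits written into the
    LSBs of key-selected pixels. Every pixel value changes by at most 1."""
    if len(message) > capacity_bytes(cover):
        raise ValueError("message file does not fit in cover file")
    payload = len(message).to_bytes(2, "big") + message
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    stego = bytearray(cover)
    for pos, bit in zip(_pixel_order(len(cover), stego_key), bits):
        stego[pos] = (stego[pos] & 0xFE) | bit
    return bytes(stego)


def extract(stego: bytes, stego_key: str) -> bytes:
    """Recover the message; a wrong stego-key yields garbage or nothing."""
    order = _pixel_order(len(stego), stego_key)

    def read(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for i in range(count):
            value = 0
            for j in range(8):
                value = (value << 1) | (stego[order[start_bit + i * 8 + j]] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read(0, 2), "big")
    if length > capacity_bytes(stego):
        return b""  # header not plausible: wrong key or no embedded message
    return read(16, length)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """Largest per-pixel difference; LSB substitution keeps this at 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    stego_image = embed(COVER, b"test.bat", "stego-key")
    print(extract(stego_image, "stego-key"), max_pixel_change(COVER, stego_image))
```

Because only the lowest bit of selected pixels is touched, the stego-object keeps the cover's size, format and visible appearance; the same property is what makes the statistical steganalysis methods mentioned later in the thesis the only practical way to notice it.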
2.5 Research Areas
It is not surprising that steganography has enjoyed a resurgence in today’s
computerized world. As computers continue to permeate millions of people’s daily
routines, their use as steganography instruments makes perfect sense. Steganography
takes advantage of covers that are commonplace – a role that computers fill in society
today. Steganography’s rise in popularity can be attributed, in part, to the United States
government’s cryptographic material export prohibition. This has driven some people to
use steganography as a means to reduce the casual interception of private information.
Another reason for the increase in steganography usage is due to the cover space
abundance provided by digital media, particularly within the various computer file
formats (e.g. BMP, GIF, JPG, PDF, WAV, HTML, TXT etc). With these almost perfect
digital media and the many continuous technology advancements, there has been a rising
concern for copyright abuses. This has driven much of the steganography advancements
with an immense focus on digital watermarking. This promising technology is proclaimed
by industry as an excellent anti-fraud and forgery mechanism. The music and movie
industries have invested millions of dollars on techniques to conceal company logos and
other proprietary markings in digital images, videos, and music recordings. The interest
in creating a robust, tamperproof digital fingerprint has been the focus of much of the
academic research in steganography. Consequently, this anti-piracy technology has
created a corresponding interest in basic steganographic methods. Although this interest
has increased, there are relatively few companies that have tried to capitalize on any
commercial steganography products. Nonetheless, there are several impressive non-
commercial products that have been developed and are publicly available on the Internet.
As stated previously, the majority of the research in both academia and industry
has primarily dealt with digital watermarking. While some research concentrates on
making steganography more secure, pure steganography seems to have taken a back seat
to the more profitable watermarking realm. Within the Department of Defense, very little
unclassified research efforts in pure steganography exist. Available Air Force-related
information can be found at the Air Force Research Laboratory-Rome site,
http://www.if.afrl.af.mil/div/IFE/IFEC/.
Although there are not many DOD efforts in steganography, it does have many
implications for the security of our national interests. Intelligence agencies could surely
benefit from hiding information from casual interception or observation. Also, it is
important that more attention is focused on the topic so that a diverse understanding of
the capabilities and implications of the technology exist. Another reason for DOD
steganography research is for day to day information assurance. Current computer attack
methods include protocols for slipping Trojan software past virus detection mechanisms.
The use of steganographic methods to conceal the presence of the malicious code could
allow it to remain undetected. The malicious code could be used to decode certain
instructions, also possibly hidden via steganography in other files, and execute an attack.
A similar protocol could be developed where the Trojanized code could be used to
decode hidden messages that reside inside routine communication channels. In this way,
the message and the activator could remain undetectable.
2.6 Summary
Although steganography tools have been around for several years now, the
scientific community continues to explore the true potential of steganographic
capabilities. Likewise, the computer virus problem has grown greatly in magnitude over
the past several years, and the operational environment has expanded its risk
management efforts in response to this threat. Chapter III presents the methodology that
correlates these two areas and assesses the nature of change in the computer virus arena.
III Methodology
3.1 Introduction
3.1.1 Problem Definition
Most steganography tools available today introduce changes to the cover file as a
byproduct of the embedding process. These changes are usually very subtle and most
often indistinguishable to the human eye. The goal of this research is not affected by
these changes, although an attack on a targeted system is better carried out covertly,
without the targeted user's knowledge. Since the changes to a cover or container file
were of little concern here, no graphic file steganalysis was performed.
Originally, this research was going to be directed towards the actual development
of a virus. However, after further literature review, it became very apparent that the
research needed to be focused more towards steganography. This direction was further
emphasized by the plethora of viruses that were developed and released in the wild in the
last few months of 1999: Melissa, Funlove, Worm.ExploreZip, Mypics.Worm and
Babylonia to name a few. However, there are some related aspects of viruses that will be
touched upon and detailed later in Appendix A for edification purposes.
There was no detailed information available in the public domain pertaining to the
coupling of steganography and virus implementations. There was, however, an
abundance of each available separately and freely accessible in the public domain. Merging
the two technologies to study their combined residual effects on automated systems was
needed for both a potential attack weapon as well as a combatant for its defense.
3.1.2 Problem Statement
This research attempts to determine strategies that can be used automatically to
decode a steganography virus file. Emphasis is placed on techniques that can be readily
employed in an automated environment and methods that are minimally specific to any
individual steganography application.
3.1.3 Scope
3.1.3.1 Selected Strategies
The initial research strategy was to determine if a steganographic file could be
automatically decoded with little or no user intervention. In addition, strategies for
decoding the steganographic file with different levels of user intervention were explored.
Ultimately, the exploitation of a given target was desired.
3.1.3.2 File Format
As mentioned previously, observing the steganographic file effects was not a
priority. Further, the steganographic file format chosen for this research was limited by
each specific tool. The range of formats included Windows © Bitmap (BMP), Joint
Photographic Experts Group File Interchange Format (a.k.a. JPEG, JPG, or JFIF),
Compuserve’s © Graphics Interchange Format (GIF), HyperText Mark-up Language
(HTML), and text (TXT) files.
3.1.3.3 Image Library
The image library for this research consisted of a minimal set of cover images or
container files. They were not selected because of their underlying picture composition
or content. When applicable, the same file was used in multiple tests across the
steganographic tools. Cover files were selected if they could provide sufficient cover
space to hide a basic batch file or even a known virus file. Table 1 shows a sample listing
of files that were used with each steganography tool.
Table 1, Steganography Tool Sample Files
Steganography Tool        Container File   Message File
Contraband HE             camp.bmp         test.bat
Encrypt Pic               camp24.bmp       test.bat
FFEncode                  test.txt         test.bat
Gifshuffle                mona.gif         test.bat
HideSeek                  camp.bmp         test.bat
In The Picture            camp.bmp         test.bat
JSteg Shell               test.jpg         test.bat
Pretty Good Envelope      test.jpg         test.bat
S-Tools                   camp.bmp         test.bat
Snow                      test.txt         test.bat
SteganoGifPaletteOrder    mona.gif         typed input
Steganos                  camp.bmp         test.bat
Steghide                  camp.bmp         test.bat
wbStego                   camp24.bmp       test.bat
Figure 5 shows the 8-bit Windows Bitmap file that was used as the cover file on
the majority of the steganography tools. When required, the bitmap was converted to a
24-bit BMP for processing. Figure 6 shows the 24-bit JPG container file used in the
innovative JPG steganography tools.
Figure 5, camp.bmp
Figure 6, test.jpg
Finally, the GIF related tools used the following as the cover file:
Figure 7, mona.gif
3.2 Steganography Tools Overview
Evaluation copies or free, full versions (when available) of the selected
steganography tools were obtained from Internet sources (see Appendix C for point of
contact information). The tools were selected based on specific platform compatibility,
file type diversity, and ease of use. Only a subset of the entire steganography tool
spectrum was utilized in this research. Exhaustive steganography tool testing was not
feasible or necessary, as is established later. The following subsections give an
overview of each tool.
3.2.1 Contraband HE
Contraband HE is a Windows-based program that embeds and extracts with
strong encryption any thinkable message file into 24-bit true-color BMP files. It has a
nice setup program and user interface. It is still in beta, but only lacks supporting help
files. Contraband's least significant bit substitution does not change the size or format of
the BMP. Also involved in the embedding process is a scrambling technique that makes
the embedding somewhat irregular, more personal and less predictable, thus making the
hidden information virtually impossible to recover without knowledge of the embedding
process.
3.2.2 Encrypt Pic
Encrypt Pic v1.3 is a Windows-based program that allows information to be
hidden in 24 bit BMP images. It has the added benefit of a powerful data encryption
algorithm.
3.2.3 FFEncode
FFEncode is an interesting little DOS program that hides a file in a text file by
using a Morse code of NULL characters.
3.2.4 Gifshuffle
Gifshuffle is a DOS command-line-only program for Windows that conceals
messages in GIF images by shuffling the color map. The picture remains visibly intact,
only the order of color within the palette is changed. It works with all GIF images,
including those with transparency and animation, and in addition provides compression
and encryption of the concealed message.
3.2.5 HideSeek
HideSeek for Windows 95 is a steganography program based on the DOS
versions of HideSeek. It uses file wiping options and only works with BMP files where
previous versions (e.g. 4.1 and 5.0) worked only with GIF files. The hiding technique is
least significant bit substitution with a pseudo-random process to flip non-hiding bits in
order to make unauthorized recovery more difficult. HideSeek uses the Blowfish
encryption algorithm for header file encryption.
3.2.6 In The Picture
In The Picture is a Windows 95-based steganography program that hides data in
BMP images. It offers multiple unique keys so you can encrypt data intended for
multiple recipients into the same file. It has a drag and drop interface and can generate a
random fractal image to use as a container image, if desired.
3.2.7 JSteg Shell
JSteg Shell v1.0 is an interface to run JSteg DOS, a program that hides data in the
ever-popular JPG image format. Some features include 40 bit RC4 encryption,
determination of the amount of data a JPG can hide beforehand, and user-selectable JPG
options (e.g. degree of compression). This type of steganography was believed to be
impossible, or at least infeasible, since the JPEG standard uses lossy encoding to
compress its data. The trick of the tool uses the fact that the JPEG encoding process is
split into lossy and non-lossy stages. As such, steganographic information can be
inserted using least significant bit substitution into the image between those two steps and
not risk any image disruption.
3.2.8 Pretty Good Envelope
Pretty Good Envelope (PGE) v2.0 is a DOS-based program that hides a message
in another file by simply appending the message to the file, and then appending a 4 byte
number which points to the start of the message. PGE can be used with graphic files
(GIF and JPG) or any other binary files, including COM and EXE files. Additionally,
PGE has an automated clearing function to empty the envelope after use.
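The appending method PGE uses leaves the image proper untouched, so from a defender's point of view the question is simply whether a file carries bytes after the end of the image that a decoder would never read. The following is an added example written for this page, not PGE's code or the thesis's own: it walks the JPEG marker segments and the entropy-coded scan data to find the real EOI marker (rather than searching for the byte pair FF D9, which also appears inside embedded EXIF thumbnails), returns whatever trails it, and tests whether the last 4 bytes point at the start of that trailer in the way the description above suggests. The byte order of PGE's pointer is not stated in the thesis, so the check accepts either; the minimal JPEG byte stream and the message are constructed for the example.

```python
EOI, SOS = 0xD9, 0xDA


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the EOI marker, found by parsing the marker structure."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError("marker expected at offset %d" % i)
        marker = data[i + 1]
        if marker == 0xFF:                                # fill byte before a marker
            i += 1
            continue
        if marker == EOI:
            return i + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:      # TEM / RSTn carry no length
            i += 2
            continue
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")  # skip the segment body
        if marker == SOS:
            # entropy-coded data: FF 00 is a stuffed byte, FF D0..D7 a restart marker;
            # any other FF xx ends the scan
            while i + 1 < len(data):
                nxt = data[i + 1]
                if data[i] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                i += 1
    raise ValueError("EOI not found")


def trailing_data(data: bytes) -> bytes:
    """Everything after the image proper; a JPEG decoder never reads it."""
    return data[jpeg_end_offset(data):]


def pge_pointer_matches(data: bytes) -> bool:
    """Do the last 4 bytes, read as an integer in either byte order (assumption:
    the thesis does not state PGE's format), point at the start of the trailer?"""
    end = jpeg_end_offset(data)
    if len(data) - end < 4:
        return False
    tail = data[-4:]
    return end in (int.from_bytes(tail, "little"), int.from_bytes(tail, "big"))


# Constructed minimal JPEG byte stream (SOI, APP0, SOS, scan data with a stuffed
# byte and a restart marker, EOI); not a real image.
CLEAN_JPEG = (b"\xff\xd8"
              + b"\xff\xe0" + (2 + 5).to_bytes(2, "big") + b"JFIF\x00"
              + b"\xff\xda" + (2 + 1).to_bytes(2, "big") + b"\x01"
              + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
              + b"\xff\xd9")

# The same image with a constructed message appended PGE-style, followed by a
# 4-byte pointer (little-endian here, an assumption) to where the message begins.
MESSAGE = b"secret"
STEGO_FILE = CLEAN_JPEG + MESSAGE + len(CLEAN_JPEG).to_bytes(4, "little")

if __name__ == "__main__":
    print(len(trailing_data(CLEAN_JPEG)), len(trailing_data(STEGO_FILE)),
          pge_pointer_matches(STEGO_FILE))
```

A non-empty trailer is not proof of hiding on its own (some cameras and editors append harmless data), but a trailer whose final bytes index its own start is a strong signature of the envelope scheme described above, and the same end-of-image walk generalises to any container format whose length is self-describing.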
3.2.9 S-Tools
S-Tools v4 is an excellent Windows 95/NT-based steganography tool that hides
files in BMP and GIF graphic files, and WAV audio files. S-Tools provided many user
options including encryption and compression. Even though S-Tools uses least
significant bit substitution and pseudo-random dispersion of hiding bits, the quality of the
output is extraordinarily good when paralleled with comparable tools.
3.2.10 Snow
Snow is a text-based steganography program that conceals messages in text files
by appending tabs and spaces on the end of lines. It can run under Windows or as a Java
applet. The steganographic encoding scheme takes advantage of tabs and spaces that are
invisible to most text viewers. Snow includes a compression function to allow you to
hide more information into a given file. Snow also includes some basic cryptography
functions via the ICE algorithm.
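Whitespace steganography of the kind Snow performs is easy to model and, just as importantly, easy to audit for. The following is an added example written for this page and is not Snow's own code or format: it uses an assumed, simplified scheme in which each message byte becomes eight trailing characters on one line (tab for a 1 bit, space for a 0 bit), recovers the bytes again, and, on the defender's side, reports which lines of a text carry invisible trailing whitespace and whether any of it contains tabs, which editors rarely leave behind. The cover text is constructed for the example.

```python
# Constructed cover text, made up for this example.
COVER_TEXT = ("Meeting notes\n"
              "The quarterly review is on Friday.\n"
              "Bring the printed agenda.\n"
              "Regards, J.")


def hide_in_trailing_whitespace(cover_text: str, message: bytes) -> str:
    """Assumed Snow-like scheme: one message byte per line, encoded as 8 trailing
    characters, tab = 1 and space = 0. The visible text is left unchanged."""
    lines = cover_text.split("\n")
    if len(message) > len(lines):
        raise ValueError("cover text has too few lines for the message")
    out = []
    for i, line in enumerate(lines):
        line = line.rstrip(" \t")  # normalise whatever trailing whitespace existed
        if i < len(message):
            line += "".join("\t" if (message[i] >> k) & 1 else " "
                            for k in range(7, -1, -1))
        out.append(line)
    return "\n".join(out)


def recover_from_trailing_whitespace(stego_text: str) -> bytes:
    """Decode lines that end in exactly 8 tabs/spaces; other lines are ignored.
    A line that legitimately ends in 8 spaces would decode as a zero byte."""
    out = bytearray()
    for line in stego_text.split("\n"):
        trail = line[len(line.rstrip(" \t")):]
        if len(trail) == 8:
            out.append(int("".join("1" if c == "\t" else "0" for c in trail), 2))
    return bytes(out)


def trailing_whitespace_report(text: str) -> dict:
    """Defender-side check: which lines carry trailing whitespace, which of those
    contain tabs, and an overall flag for the file."""
    lines = text.split("\n")
    trailing = {}
    for i, line in enumerate(lines):
        trail = line[len(line.rstrip(" \t")):]
        if trail:
            trailing[i] = trail
    with_tabs = [i for i, t in trailing.items() if "\t" in t]
    return {"lines": len(lines),
            "trailing": sorted(trailing),
            "with_tabs": with_tabs,
            "suspicious": bool(with_tabs)}


if __name__ == "__main__":
    stego = hide_in_trailing_whitespace(COVER_TEXT, b"ok")
    print(recover_from_trailing_whitespace(stego), trailing_whitespace_report(stego))
```

Stripping trailing whitespace on ingest (as many mail gateways and source-control hooks already do) destroys this channel without affecting the visible text, which is the simplest mitigation for the text-file tools in this chapter.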
3.2.11 SteganoGifPaletteOrder
SGPO (SteganoGifPaletteOrder) is a Java v1.1 based program with a nice
interface that hides messages in GIF images by shuffling the color map. The picture
remains visibly intact, only the order of color within the palette is changed. The current
version offers no encryption options.
3.2.12 Steganos
Steganos II is a security suite of Windows 95/98/NT applications designed to
ensure safe data through cryptography and steganography. It uses strong RC4 compatible
encryption and the proprietary Dynamic Cell Spreading steganographic technique to hide
data in graphic (BMP), sound (WAV), and text (TXT and HTML) files. Some features
include: 'InKA' (Invisible Key Agreement) - an implementation of public key
steganography, disk encryption, advanced password management tools, a "Zero-Emission-Pad"
text editor to combat tempest attacks, a data shredder, and the "SysLock"
function that can protect a computer from intruders.
3.2.13 Steghide
Steghide is a DOS command-line application that features hiding data in BMP
graphic and WAV and AU audio files. It features Blowfish encryption, 128 bit MD5
hashing of passphrases to Blowfish keys, and pseudo-random distribution of hidden bits
in the container file. Steghide is available in precompiled binaries for Windows and
Linux platforms.
3.2.14 wbStego
This Windows-based steganography program hides information in BMP, HTML,
PDF, and text files. wbStego99 has an easy to use wizard interface and optional data
encryption for extra protection. It offers two different methods for encoding data in text
or html files:
• Standard method: the file size remains unchanged. When importing manipulated
carrier files into word processors (especially under Windows), there can appear
special characters in the text.
• Compatible method: the file size is increased. There are no visible changes when a
manipulated carrier file is imported into other applications.
In addition, hiding data with wbStego99 in a PDF file will increase its filesize.
3.3 Method of Evaluation
3.3.1 Process Overview
The selected steganography cover and message files were applied to each
respective steganography tool. The reverse process was executed to decode the
embedded file. The order in which the tests were conducted was irrelevant, since they are
independent of one another.
3.3.2 Cover and Message File Controls
The composition of cover files provided adequate samples from which
comparison results could be made. These results may be further manipulated, if
necessary, to provide other research alternatives. In addition to using the same cover file
where possible, identical message files were used among the test cases.
3.3.3 Steganography Tools
The steganography tools used in this research are unique. They have different
interfaces, algorithms, and options. However, as mentioned previously, these tools
provide a good sampling of the tools in use today. Settings and options used for each tool
are listed in Table 2. Details concerning each setting and other available options can be
found in the documentation included with each tool.
Table 2, Tool Settings and Options
Tool                      Settings and Options
Contraband HE             Password encoding = Disabled; Create backup = Yes
Encrypt Pic               Password = Not used; Message encryption = (none available); Compression = (none available)
FFEncode                  No settings or options available
Gifshuffle                Quiet mode = Disabled; Space available = Disabled; Password = Not used; Compression = Not used
HideSeek for Windows95    Password = "password"; Message encryption = (none available); Compression = (none available)
In The Picture            Key = Key1 => 2305vSMA529; Message encryption = (none available); Compression = None available
JSteg Shell               GreyScale output = Disabled; Optimize Huffman table = Disabled; Smooth dithered output = Disabled; Emit debug output = Disabled; Auto run capacity batch file after opening JPG file = Disabled; Warn when stegging without a PassPhrase = Disabled; Use password characters to hide PassPhrase = Disabled; Open "Save As" box directly after successful steg = Enabled; Auto retrieve contents after opening JPG = Enabled; Ask for PassPhrase if no filename/plaintext message = Disabled; Remember file name = Enabled; Compression quality = 75%
Pretty Good Envelope      No settings or options available
S-Tools v4.0              Password = "password"; Encryption algorithm = IDEA; Median-cut box color reduction = Center; Dimension choice = Large RGB Distance; Floyd-Steinberg dithering = Disabled; Message encryption = Enabled (not configurable); Compression = Disabled
Snow                      Password = Not Used; Message Encryption = Not Used; Compression = (none available)
SteganoGifPaletteOrder    No settings or options available
Steganos for Windows95    Password = Not used; 8-bit to 24-bit conversion = Disabled; Message encryption = Disabled; Compression = Enabled (not configurable)
Steghide                  Password = None; Data spaced = Constant three bytes; Data mask = One least significant bit; Message encryption = (none available); Compression = (none available)
wbStego                   Mix data = Disabled; Password = Not used; Transmit password = Disabled; Message Encryption = Disabled in shareware version; Compression = (none available)
3.4 Method of Delivery
Now that the steganographic implementation methods have been discussed, it is
vital to outline the potential delivery methods for the steganographic virus file. The
following subsections will outline these capabilities and concerns.
3.4.1 Network Propagation System Analysis
The question to be answered when considering IW attacks on computer networks
is how computer viruses can propagate through networks or systems. Computer viruses
employ the same techniques that other programs use within a system. Therefore, viruses
can propagate and spread throughout the network at very high rates. For example, within
hours of the Melissa virus' release on 26 Mar 1999, over 100 sites and approximately
50,000 employees had been affected. The distribution of viruses and their speeds depend
on the specific type of virus involved and the commands that it uses. The Melissa
virus arrived innocently as a Word e-mail attachment sent from a boss, fellow employee,
or friend. When opened, the Word file ran a macro that immediately modified the Word
macro template setting and subsequently e-mailed the same message and file to the first
50 addresses of the user's Microsoft Outlook address book [30].
As viruses are executed, they can spread through systems at varying rates. Many
factors determine this speed of propagation. First, user habits need to be identified in
order to understand just how far a particular virus can travel. One must identify the
situations where these files would traverse from user to user or system to system.
3.4.2 Methods of Transmission
There are many ways for users to share files. One of the more common is by
storing files on diskettes (e.g. floppy and zip disks) and providing them to another
individual. This is a common practice in most businesses today. A company letter or
military personnel performance report submitted, through the appropriate chain of
command, for approval is often accompanied by a diskette in the event that any changes
are necessary. At any phase along this process, the opportunity for virus infection exists.
Other common circumstances involve users bringing files between home and work.
Many organizations require "outside" disks to be scanned for viruses before they may be
utilized within the workspace. Having witnessed this system first hand, the author can
attest that it often fails.
While floppy disks offered the very first method of transmission of computer viruses, the
advent of networking and internetworking has increased these avenues.
The basic purpose of a network is for interconnectivity and resource sharing.
Networks allow users to share devices such as printers, scanners, and large storage
devices. Additionally, users may share data and application programs. In many ways
networks have eliminated the need for users to trade information via diskettes as the
information could be left in a publicly addressable area within the network environment.
Clearly, this establishes an ideal domain for virus transmission. If all users share or are
exposed to an infected file, the infection is transmitted to each user's machine.
Now expanding the network concept to the Internet, one user or a multitude of
users may access an infected file resulting in spreading at extreme rates. Additionally, an
infected file may be posted on a company or organizational web site and distributed to all
that retrieve the file or visit the site.
E-mail has proven to be a superb asset to any organization's functionality.
However, it has also become one of the largest concerns, with a multitude of network and
internetwork ramifications. While the part e-mail plays in spreading computer
viruses is often misunderstood, it does offer a haven for virus
transmission. In order for a virus to operate, it must be given execute privileges.
Although some e-mail systems offer automatic opening of e-mail attachments (e.g.
Microsoft Outlook and Internet Explorer Mail), very few actually do so without some
required user intervention. Either way, the sanctuary of the e-mail attachment offers a
potential conduit for the transmission of viruses. Today, this is by far the number one
method for virus transmission and spreading.
Another proven asset has been the Internet web browser (e.g. Internet Explorer or
Netscape Navigator) for viewing World Wide Web pages. However, these tools have
continued to reveal potentially dangerous security holes that if not patched could be
devastating. Multitudes of holes and design flaws have been exposed with ActiveX code,
Java, JavaScript, and Active Server Pages. These all provide additional methods for
attacks on computer systems.
3.4.3 Trouble with Propagation Timing
Important in the IO/IW attack world is an understanding of what effects one can
hope to realize by a particular action. If a computer virus is designed to target a
particular system, then some method of determining how long it will take to propagate
through the network is necessary. In most cases, this has been shown to be largely user
dependent. However, recent virus development has shown that the user can almost be
totally removed from the scenario and still participate in a virus-related incident (e.g.
BubbleBoy). In order to construct a model for the determination of speed of propagation,
some assumptions must be made concerning the propagation and spreading methods.
The primary factors that positively determine the speed of propagation for the virus
are the speed of transmission from one user to the next and the frequency with which a
user operates a particular program or application. Figure 8 shows how the medium for
accessing electronic information has diversified over the past several years and how the
mediums have allowed for multiple modes for computer virus propagation [19].
Figure 8, Virus Infection Sources
Speed of transmission between users is dependent on how files are exchanged.
The assumption is that for propagation through the network, the driving factor will be the
most common and fastest means of transportation through the system. Among the fastest
ways is through an e-mail system. This leads to a very difficult task of figuring out how
long it takes an e-mail message, with an attachment, to reach another user. With the
processing power that exists today, this time is virtually instantaneous. However, the
process depends heavily on the speed with which a user reads an e-mail and
retransmits it, which limits the feasibility of determining the propagation time.
Figure 8 data labels as recovered from the chart (categories in legend order, years 1996 to 1999 left to right; a year's figures sum to more than 100%):
Source                    1996   1997   1998   1999
E-Mail Attachment           9%    26%    32%    56%
Diskette/CD: Home          36%    42%    36%    25%
Internet Download          10%    16%     9%    11%
Diskette/CD: Other         21%    27%    21%     9%
Unknown                    15%     7%     5%     7%
Internet Browsing           0%     5%     2%     3%
Diskette/CD: Sales Demo    11%     8%     4%     2%
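The two factors named above, near-instantaneous transmission and a user-dependent delay before an attachment is opened, can be put into a small event-driven model. The following Python block is an added illustration, not code from the thesis; it assumes a constructed population of 200 users whose address books are filled at random (the 50-address fan-out is taken from the Melissa description earlier in the chapter) and models each recipient's reading delay as an exponentially distributed wait. It reports how long such an outbreak takes to reach half and 90% of the users for several mean delays, which is the response window a defender has to pull the message from mail queues or push a signature before most of the population has been hit.

```python
import heapq
import math
import random


def build_address_books(num_users, fanout, rng):
    """Constructed sample population: each user's address book holds `fanout`
    distinct other users chosen at random (hypothetical data, not a real site)."""
    books = {}
    for user in range(num_users):
        others = [v for v in range(num_users) if v != user]
        books[user] = rng.sample(others, min(fanout, len(others)))
    return books


def simulate_mass_mailer(num_users=200, fanout=50, mean_delay_minutes=60.0, seed=1):
    """Event-driven model of a Melissa-style mass mailer.

    Transmission itself is treated as instantaneous; the only delay is the time a
    recipient takes to read the message and open the attachment, drawn from an
    exponential distribution with the given mean. Returns a dict mapping each
    reached user to the minute at which that user opened the attachment."""
    rng = random.Random(seed)
    books = build_address_books(num_users, fanout, rng)
    opened_at = {}
    pending = [(0.0, 0)]            # patient zero opens the attachment at t = 0
    while pending:
        t, user = heapq.heappop(pending)
        if user in opened_at:       # an earlier copy already reached this user
            continue
        opened_at[user] = t
        for recipient in books[user]:
            if recipient in opened_at:
                continue
            if mean_delay_minutes > 0:
                delay = rng.expovariate(1.0 / mean_delay_minutes)
            else:
                delay = 0.0         # everyone opens instantly: pure transmission time
            heapq.heappush(pending, (t + delay, recipient))
    return opened_at


def time_to_fraction(opened_at, num_users, fraction):
    """Minutes until `fraction` of the population has opened the attachment,
    or None if the outbreak never reaches that many users."""
    times = sorted(opened_at.values())
    needed = math.ceil(fraction * num_users)
    if needed == 0 or len(times) < needed:
        return None
    return times[needed - 1]


def response_window_table(delays=(15.0, 60.0, 240.0), **kwargs):
    """(mean delay, minutes to 50% coverage, minutes to 90% coverage) per delay."""
    num_users = kwargs.get("num_users", 200)
    rows = []
    for d in delays:
        opened = simulate_mass_mailer(mean_delay_minutes=d, **kwargs)
        rows.append((d,
                     time_to_fraction(opened, num_users, 0.5),
                     time_to_fraction(opened, num_users, 0.9)))
    return rows


if __name__ == "__main__":
    for mean_delay, t50, t90 in response_window_table():
        print(f"mean user delay {mean_delay:6.1f} min -> "
              f"50% reached at {t50:7.1f} min, 90% at {t90:7.1f} min")
```

Because the same seed is used for every run, the address books and the sequence of random draws are identical and the whole timeline simply scales with the mean delay, which makes the text's point concrete: the hardware-bound transmission time contributes nothing, and the user's reading habit alone sets how long the outbreak takes.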
3.5 Anti-Virus Programs
With some delivery methods discussed, it is essential to discuss the other side
of virus infection, that is, virus protection. The currently prevalent method of combating
most computer viruses is through anti-virus software programs. These programs usually
have two parts associated with them. There is the scanning portion that analyzes disks
and files and there is a memory resident component, usually called dynamic virus
protection, which analyzes running programs for viruses. These anti-virus programs
generally look for some type of virus signature, although the latest breeds of anti-virus
products make claims of looking for virus activity through heuristics. The
steganographic virus file presents an additional level of difficulty for these programs.
It is clear that with the capabilities of viruses, the triggering mechanism can be
made as general or as specific as the creator wants. The more specific, the more precise
targeting of a system that can be realized. From an IO/IW standpoint, this is important as
decisive solutions to problems are usually desired. The virus could search for a specific
trigger or it could be a time/logic type trigger.
Because of this, the question is whether computer viruses or the capacity to
support their life can be eliminated. This question is a difficult one. Anti-virus software
is currently the primary means of defense against such software. A look at the
progression of anti-virus programs over time shows their development progressing along
the same route as medicine. Medical technology today treats the symptoms of biological
viruses. Anti-virus software treats the symptoms of computer viruses. Some anti-virus
products have included a program that is termed an inoculation program for the very
same reason that medicine uses inoculation. When programs are in a known original
state, free of any viruses, the inoculation program attaches a signature to the files. This
can identify if a file has been mutated. While it may not necessarily prevent viral
infection, one can be sure if the file has been modified. Unfortunately, these programs
have a very bad reputation as many complex programs rely on changing the program files
when configuration settings are updated [36]. As a result, their use has been almost
completely terminated. Another technique to combat viruses is to eliminate the
environment that supports their life. This is impossible to accomplish with today’s digital
information age.
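The inoculation approach described above amounts to a file-integrity baseline. The Python block below is an added example, not code from the thesis or from any of the products it names; it baselines a constructed directory tree with SHA-256 digests, rechecks it later, and separates changes to files the application is expected to rewrite (the configuration-file case that gave these programs their bad reputation) from unexplained modifications, additions and removals. The directory, file names and contents are constructed for the walk-through and live only in a temporary directory.

```python
import hashlib
import os
import tempfile


def digest_file(path):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Record a digest for every file under `root` while it is in a known-clean
    state. Paths are stored relative to root with '/' separators so the baseline
    can be kept off the machine and compared later."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = digest_file(full)
    return baseline


def check_baseline(root, baseline, volatile=()):
    """Compare the tree against the baseline.

    `volatile` names files the application legitimately rewrites on its own;
    changes there are reported under 'expected' rather than 'modified', which is
    what lets an integrity check coexist with self-updating configuration."""
    current = take_baseline(root)
    volatile = set(volatile)
    report = {"modified": [], "expected": [], "added": [], "removed": []}
    for rel, old in sorted(baseline.items()):
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
        elif new != old:
            report["expected" if rel in volatile else "modified"].append(rel)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo():
    """Constructed walk-through: baseline three files, then simulate a
    self-updating config, an executable with bytes appended, and a new file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        files = {
            "bin/app.exe": b"MZ\x90\x00 constructed stand-in for a program image",
            "bin/app.ini": b"[settings]\nlast_run=0\n",
            "README.txt": b"constructed sample file",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = take_baseline(root)

        with open(os.path.join(root, "bin/app.ini"), "wb") as f:   # legitimate self-update
            f.write(b"[settings]\nlast_run=1\n")
        with open(os.path.join(root, "bin/app.exe"), "ab") as f:   # unexplained change to a program
            f.write(b" + appended bytes")
        with open(os.path.join(root, "new_tool.exe"), "wb") as f:  # file the baseline never saw
            f.write(b"MZ")

        return check_baseline(root, baseline, volatile={"bin/app.ini"})


if __name__ == "__main__":
    print(demo())
```

As the text notes, such a check does not prevent infection; it only tells the operator which files changed since the clean snapshot, and it is only as trustworthy as the storage of the baseline itself.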
The task of determining whether a computer program contains or is a virus is an
unsolvable problem. An anti-virus program that could correctly tell a user, with a 100%
success rate, whether a program is infected with a virus, for all possible viruses that have
ever been or could be written, is impossible. If this were not so, all of the major anti-virus
vendors and information system personnel would definitely celebrate. This would end
the cycle of costly-to-develop and difficult-to-distribute monthly virus updates and end
annoying false positives [38].
The specific anti-virus tools chosen for this research were based primarily on
market share. McAfee and Norton Anti-Virus products are by far the most popular anti-
virus software installed on servers and personal computers with market shares of 59.2%
and 25.2%, respectively [19]. Two other credible products, Trend Micro's PC-cillin and
Computer Associates' InoculateIT, were added to the research to provide additional
breadth in testing. The following subsections provide an overview of each of the anti-
virus tools utilized in this research.
3.5.1 McAfee VirusScan
VirusScan acts continuously as an active guard, shielding attacks from viruses and
preventing harm from other malicious software. It has a powerful set of scanning tools
and other enhancements that have kept it near the top of the anti-virus software industry.
VirusScan significantly reduces the vulnerability to infection and can potentially save
time, money and data loss. It provides the necessary tools to maintain an intact and
secure system. VirusScan can help a safe computer prevent debilitating attacks and the
spread of malicious software throughout the network.
3.5.2 Norton Anti-Virus
The Norton AntiVirus product is primarily based on two heuristic technologies:
Bloodhound and Bloodhound-Macro. The basic Bloodhound is capable of detecting
upwards of 80% of new and unknown executable file viruses, whereas Bloodhound-Macro
detects and repairs over 90% of new and unknown macro viruses. This
technology represents a complete departure from traditional heuristic scanners that only
use the classical static or dynamic behavior cataloging algorithms. Instead, Bloodhound
uses a hybrid technology that enjoys the benefits of both schemes. Most other anti-virus
products use the basic static string scanning which inevitably falsely identifies uninfected
files and macros as viral and can cause more problems than it solves.
3.5.3 PC-cillin
Trend Micro has been in the anti-virus business longer than both
Norton/Symantec and McAfee/NAI, but has not been able to enjoy the market share that
they have. Trend Micro's technology uses the tried and true pattern recognition scanner
that only provides for static protection. Signature pattern updates must be made
frequently. Trend Micro does purport to have a premium customer service department
for the users.
3.5.4 InoculateIT
InoculateIT is a growing anti-virus solution for networked environments offering
quality management and virus protection. InoculateIT is certified by the International
Computer Security Association (ICSA) to detect 100% of viruses "in the wild" and
ensures your network is protected against potentially damaging and costly virus incidents.
InoculateIT is fully integrated with AntiVirus clients for all major desktop systems.
InoculateIT scans files for known virus signatures (or fingerprints) and also
detects polymorphic and stealth viruses. InoculateIT automatically detects and cleans
conventional file and boot sector viruses as well as macro viruses that infect Office 95,
Office 98, and Office 2000 Word documents, Excel spreadsheets, PowerPoint files, and
Access databases. It provides excellent protection against Internet and e-mail viruses,
protecting your PC from infected files downloaded from web sites around the world, and
from infected attachments sent to you via e-mail.
3.6 The Real Threat
The real threat posed by viruses is not that they may infect a host. If all they did
was replicate, then they would only be a nuisance and nothing more. The real threat is
when they become active. They may do nothing more than display a simple message on
the computer screen to annoy the user. However, they can do something much more
destructive like erase some or all files, destroy the boot track of the disk, delete portions
of the operating system kernel, cause a hard disk to be reformatted, or even cause the
system to completely crash. These destructive acts pose the real threat. Unless the
system in question has a good backup, any lost data may be irreplaceable. For example,
if the system in question is an accounting or transportation system, valuable accounting
or control system data might be lost and result in revenue losses or even death,
respectively. Even worse, if the system is a critical C4I node, commanders could lose the
ability to carry out command and control operations. Any or all of these could likely
occur at the worst time.
Viruses are being developed all over the world. There are documented cases of
viruses coming from foreign countries like Bulgaria, Poland, Russia, Taiwan, and
Australia -- to name just a few. Currently, there are few publicly documented cases of
state sponsored virus writing. However, if the number of viruses is an indication of
amateur activity, one can only assume that state sponsored virus development is taking
place and will be commonplace in the near future.
3.7 Summary
The methodology described in this chapter provided a preliminary foundation to
answer the central thesis question of whether a steganographically embedded file can have its
contents automatically extracted with no user intervention. Chapter IV presents the
analysis and results to answer this question.
IV Analysis and Results
4.1 Introduction
This chapter is divided into two main areas. Section 4.2 discusses the results of
the steganography tool testing. Section 4.3 examines results gained from some
alternative tests.
4.2 Steganography Tool Test
The initial results of the steganography tool test indicated that the tools can be
classified into two main categories. The first category involved tools that were strictly
Windows-based. The other category involved the tools that were DOS-based. The
capabilities of each were similar as far as the encoded file was concerned, but differed in
the technique to decode the steganographic file.
4.2.1 Windows-based tools
As computers have developed over recent years, the move towards Windows-
based programs and applications has dramatically increased. This rise has largely helped
the end-user better utilize the tools and effectively carry out necessary business. One
factor driving the Windows direction has been the infiltration of the Microsoft Windows
Operating System platform. Numerous other vendors have followed suit to provide the
user the same look and feel as the underlying environment and facilitate tool structure
familiarity and ease of use.
As shown in Figure 9, the user must interact with the tool to specify the
designated files. This interaction was required to embed the information (test.bat for this
example) into the container or carrier file (camp24.bmp) to get the resultant
steganographic file (camp24out.bmp). Similarly, Figure 10 demonstrates that the reverse
process also required user intervention to decode the steganographic file. The inherent
Windows environment and the required user interaction made the auto-extraction
capability impossible. In addition, similar results were obtained with the Java-based tools
that were examined.
Figure 9, Windows-based Steganography Tool Example Encoding
Figure 10, Windows-based Steganography Tool Example Decoding
4.2.2 DOS-based tools
Even though the technology has rapidly moved towards the Windows operating
system, the older Disk Operating System (DOS) programs still have numerous
applications and are still supported. The steganography tools in this environment were all
very similar in their functionality with command-line executable calls. Figure 11
demonstrates the steg/unsteg process with the StegHide steganography tool. The -w and -r
flags invoke StegHide's separate embedding and decoding processes, respectively, on the
stego-file.
Figure 11, Sample DOS Steganography Tool Execution
4.2.3 Overall Results
Obviously, the DOS-based tools were very simple to use and provided the same
capabilities as the Windows-based tools. Like the Windows-based tools, they required
user intervention to unsteg the encoded file. These results signify that the steganography
tools alone are not sufficient to implement an attack. However, their command-line
interface gave the DOS tools more flexibility when used in conjunction with other
applications. Table 3 lists the tools utilized for this research and their corresponding
operating environment.
Table 3, Steganography Tool Platform (columns: Windows, DOS, Java; each X marks a supported platform, column not recoverable)
Contraband HE          X
Encrypt Pic            X
FFEncode               X
Gifshuffle             X
HideSeek               X  X
In The Picture         X
JSteg Shell            X  X
Pretty Good Envelope   X
S-Tools                X
Snow                   X  X
SteganoGifPaletteOrder X
Steganos               X
Steghide               X
wbStego                X
4.3 Alternative Methods
Since using the steganography tool alone to auto-extract the encoded file was not
feasible, a few alternative methods were examined: an HTML web page, a Java applet,
and an executable wrapper.
4.3.1 HTML Web page and Java Applet
This method was comprised of two components: the delivery and the extraction.
The delivery of the steganographic file was the easy part of this process. The encoded
file was implanted on the target file system through a basic web page. Immediately upon
site visitation, a complete copy of the file was loaded into the web browser's cache
directory. However, after this was accomplished, actually accessing the encoded graphic
file was impossible due to intrinsic web browser and operating system security features.
The Java applet method provided preliminary results similar to the HTML
method. The basic Java applet was built and loaded on the server web page. When this
page was visited, a complete copy of the embedded steganographic file was loaded in the
web browser's cache directory. Again, security features limited future access to this file
once it was in the cache.
However, this attack method could have been further developed by investigating
existing application holes or by searching for new security flaws. The power and
complexity of the Java language make it extremely likely that security holes will continue
to appear. With every major Java Development Kit release, the Java source code has
doubled in size. This opens the environment up to further scrutiny. Often with any new
features comes new risks to manage; most notably, the risk that the implementation will
have holes and the risk that security policies will falter. A number of security holes have
already been found in Java which primarily were results of bugs in the actual
implementation. For example, Microsoft initially implemented the Java Virtual Machine
with Java class libraries that had a programming flaw. This permitted a malicious applet
to violate Java's core sandbox security rules.
Even without capitalizing on existing programming bugs, the Java applet attack
method could occur through other ways. For example, Java applets that are loaded from
the local file system have no restrictions. These applets have the implicit trust of the
application that launched them. There is a big difference between having an applet loaded as
part of a web page and downloading the applet as a file and running it locally. Running a
downloaded applet locally is as dangerous as running any other random downloaded
executable. This tactic would inevitably have to rely on some user coercion to participate
in the attack, which is not necessarily that difficult to achieve.
Another Java attack avenue is through the ease with which class files can be
decompiled and altered to produce deviant byte code. It follows that the space of
deviant byte code is vastly larger than that of the legitimate byte code produced by Java
compilers. The Java verifier can check with 100% certainty whether or not a given file is
a bona fide class file. However, the verifier cannot determine whether or not that file
was actually produced by a Java compiler. Deviant byte code resists decompilation
because it corresponds to no Java source code. This suggests that class files could be
protected from decompilation by making them deviant, while preserving their
functionality. It is easy to see that the power of Java's byte code greatly exceeds the
power of the underlying source code.
4.3.2 Executable Wrapper
After unsuccessful attempts with HTML and Java, some success was achieved
with the use of an executable wrapper. The tool allowed for the packing of the
steganographic file, the DOS steganography decoding program and commands, and a
cover application. An example script used for this process is shown in Figure 12. This
packaged executable allowed for the aforementioned files to be automatically extracted
and subsequently executed. All of this was of course accomplished with some initial user
intervention.
Actually getting the user intervention is not that difficult in today's digital society.
Approximately one out of five users on a network trust what they read and unknowingly
provide for information warfare attack opportunities (e.g. a hoax-like e-mail that points
the user to a web page or an acclaimed executable) [25]. Note that for a more effective
IW attack, the executable name should be something pervasive (e.g. cool_game.exe or
the like) that may help entice the user.
Figure 12, Executable Wrapper Example Script
As mentioned previously, combining the DOS-based steganography tools with the
executable wrapper provided a means to implement the auto-extraction operation. The
fact that the DOS-based tools were all relatively small in program size aided this course
of action and kept the packaged file relatively small. The essential feature of the
executable wrapper file was that once the initial user intervention occurred, no additional
action was required for the extraction and execution of the encoded file. These actions
were hidden from the user with the assistance of a cover application (i.e. the
Minesweeper game in this example).
Figure 12 script (one entry per line, with the comment that followed each entry):
//Begin
jpgtest.exe ;packed executable name
y ;perform CRC-32 checking
testout4.jpg ;the steganographic encoded file
1 ;include entire graphic file in packed executable
djpeg.exe ;the unsteg command application
5 ;pack and execute, hidden, synchronously
-steg test.bat testout4.jpg ;command line parameters to unsteg the encoded file
winmine.exe ;cover application
2 ;pack and execute, visible, asynchronously
~ ;noop
testrun.pif ;the unstegged file execute options
5 ;pack and execute, hidden, synchronously
~ ;noop
//End
4.3.3 Overall Results
The alternative methods discussed above represent only a cursory investigation and
can be greatly enhanced with further research. Obviously, the current course of action
required the targeted user to assist in the attack. However, as previously mentioned, this
enticement may not be that difficult to accomplish. Future efforts should choose and
maximize a more specific attack effort, thus minimizing any extraneous attempts.
4.4 Anti-Virus Analysis
The steganographic file by nature should evade any anti-virus tools. The anti-
virus tools could conceivably provide a warning if an embedded file is detected through
the header of a file. However, most of the steganography tools provide a mechanism to
embed or encrypt the header portion along with the original message file making anti-
virus detection that much more difficult. Even if the detection could occur, the process
would have to be "fail-closed" and provide warnings of every steganographic file. This
of course would produce excessive false positives and eventually be counterproductive.
The anti-virus tools used in this research all failed to detect the basic
steganographic file that had a known virus (e.g. Chernobyl) embedded. However, during
the de-steganography process the virus was discovered and the anti-virus tools warned
the user. This warning could potentially be avoided if the virus could disable the
anti-virus tool or if the virus was a new type or variant.
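The header-based detection considered above can be tried directly. At the spacing a tool uses (the Steghide settings listed earlier in this chapter give a constant three-byte spacing and a one-bit mask), the least significant bits are re-packed into bytes and the head of the result is compared against known file signatures, the same string matching a signature scanner performs on ordinary files. The Python block below is an added example and not code from the thesis or from Steghide; the carrier is constructed pseudo-random byte data standing in for image samples, the textbook LSB insertion is included only to build the test cases, and the signature list is abbreviated. The third case, a payload XORed with a key before embedding, shows why the encryption option most of the tools offer defeats this check, as the text notes.

```python
import random

# File signatures a scanner looks for at the head of an extracted payload.
# Abbreviated list; the magic values are the standard ones.
SIGNATURES = {
    b"MZ": "DOS/Windows executable",
    b"PK\x03\x04": "ZIP archive",
    b"@echo off": "batch script",
    b"\x7fELF": "ELF executable",
}


def make_cover(num_bytes, seed=7):
    """Constructed carrier: pseudo-random 'pixel' bytes standing in for the
    sample data of an uncompressed image (no real image is used)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(num_bytes))


def embed_lsb(cover, payload, stride):
    """Textbook LSB insertion: one payload bit, MSB first, into the least
    significant bit of every `stride`-th carrier byte. Used here only to build
    test cases; raises if the payload does not fit."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) * stride > len(cover):
        raise ValueError("payload does not fit in carrier")
    out = bytearray(cover)
    for n, bit in enumerate(bits):
        pos = n * stride
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)


def extract_lsb_plane(carrier, stride, offset=0, max_bytes=None):
    """Collect the LSB of every `stride`-th byte from `offset` and repack the
    bits, MSB first, into bytes. `max_bytes` bounds the work per candidate."""
    out = bytearray()
    byte, nbits = 0, 0
    for value in carrier[offset::stride]:
        byte = (byte << 1) | (value & 1)
        nbits += 1
        if nbits == 8:
            out.append(byte)
            byte, nbits = 0, 0
            if max_bytes is not None and len(out) >= max_bytes:
                break
    return bytes(out)


def scan_carrier(carrier, strides=(1, 2, 3, 4), window=32):
    """Try each candidate spacing and report known file headers found within
    the first `window` bytes of the extracted plane. Returns a list of
    (stride, description, offset_in_plane); an empty list means no recognised
    header, which is not the same as 'nothing hidden'."""
    hits = []
    for stride in strides:
        head = extract_lsb_plane(carrier, stride, max_bytes=window)
        for magic, description in SIGNATURES.items():
            idx = head.find(magic)
            if idx != -1:
                hits.append((stride, description, idx))
    return hits


def demo():
    """Constructed end-to-end check: a clean carrier, one with a plain executable
    header hidden at a spacing of three bytes, and one whose payload was XORed
    with a short key first (standing in for the tools' encryption option)."""
    cover = make_cover(4096)
    payload = b"MZ\x90\x00\x03\x00\x00\x00 constructed stand-in for a program"
    plain_stego = embed_lsb(cover, payload, stride=3)
    key = b"k3y"
    masked = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    masked_stego = embed_lsb(cover, masked, stride=3)
    return {
        "cover": scan_carrier(cover),
        "plain": scan_carrier(plain_stego),
        "masked": scan_carrier(masked_stego),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:7s}: {hits or 'no known header found'}")
```

The scan recognises the executable header in the plainly embedded case and nothing in the masked one, which is the situation the paragraph describes: once the payload's header is encrypted along with the message, signature matching on the carrier has nothing to match, and the virus becomes visible to the scanner only when the decoding tool writes the payload back to disk.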
4.5 Summary
This section attempts to illustrate the difficulties associated with this entire
research undertaking. The initial research conditions were difficult to determine based on
the resources required. A stand-alone, controlled environment was required in order to
perform any live virus testing. The chosen configuration and setup of this network
testbed environment is described in Appendix B.
After setting up the testbed network, it was time to analyze a sampling of the
publicly available steganography tools. After this analysis, difficulties arose in deciding
additional avenues to pursue to obtain better virus steganography results. This indecision
to use a more focused attack plan caused the results of this research to be not as
conclusive as desired.
The HTML/Java-based virus attack could prove to be a powerful weapon. It
could potentially provide the vehicle for a platform independent virus. Not only this, the
current anti-virus measures in the field do not provide much online, proactive virus
content detection. This could prove to be a serious vulnerability for any system. One side
effect of this realm is the potential for self-induced infection. Consequently, the targeting
capabilities need to be fully declared to any necessary involved parties to help mitigate
this dilemma.
The methods used in this research had to be modified to take into account
coercion tactics so the user at the target system would unknowingly assist in the attack.
This substantially limited the methods and subsequently the analysis. However, the
research results uncovered possible avenues for future Information Warfare researchers to
explore in greater detail.
This completes the analysis and results section. Given the findings, there are
important conclusions and recommendations that must be presented. Chapter V has been
designed to meet that requirement and presents the conclusions, recommendations, and
related military applications or concerns that can be reasonably inferred from the
literature review, methodology, and analysis and results.
V Conclusions and Recommendations
5.1 Introduction
If knowledge is power and information is a force multiplier, then security is the
key to defense and commercial supremacy in the information age. Any kind of strength,
whether military or economic, represents a target for adversaries or competitors.
Information, however, is to modern civilization what fire was at the dawn of humankind:
an unlimited asset that, if not controlled, quickly can be turned against its user. With
today’s interconnected world built around the reliance on the Internet and web-related
technologies, it is foolish to think of security in any term other than international.
These security threats need not come through a nation’s military system. Civilian
government and economic infrastructures are targets enough. Crippling the infrastructure
of even one coalition nation could slow, or even stop, an alliance mobilization or
deployment. Virtually every strategic system is vulnerable to virus attack. Those
systems that use the Internet for interconnectivity are especially vulnerable. The only
way to be 100% sure that a system will not become infected is to operate in a stand-alone
mode. This is almost impossible for most systems, and especially impractical for DOD
command and control, logistics, financial and data retrieval systems. These systems gain
their utility from being very interconnected. These facts along with the research
presented, prove that the Department of Defense has every obligation to be extremely
concerned about computer viruses and their use in Information Warfare attacks.
5.2 Conclusions
This thesis investigated public steganography tools and how such programs could
be used in an Information Warfare attack scenario. A virus alone is often not enough to
perform a desired mission or goal. Often times, the virus must be used in conjunction
with Trojan horses or other applications in order to provide the most successful results.
Although computer programs cannot perform any functions that are not possible by
software, they can be well engineered to access powerful and sometimes deceptive
capabilities of the software and exploit vulnerabilities that may be inherent in the system
within which they operate. The concept of a precise solution in an IW attack scenario is
made possible by implementing this specific engineered functionality into the attack
weapon. The groundwork laid here can be used to frame future IW attack scenarios
utilizing the computer virus as the attack mechanism.
The accomplishments of this research include an examination of where current
steganographic tool capabilities exist concerning the implementation of computer viruses.
As shown in Chapter IV, the Windows environment tools will continue to provide an
obstacle to integrate fully the computer virus and steganography technologies. When
coupled, they can be very deceptive and powerful as future offensive attack measures. It
is essential not only to investigate these methods as offensive tactics but also to be able
to detect and react to an enemy's use of the weapon, which could pose significant
risks to the United States government and national information infrastructures.
5.3 Recommendations
5.3.1 Java
The Java-based attack needs to be further developed. Many of the steganography
tools provide their source code that could potentially be expanded upon and integrated
with Java to produce a customized attack weapon. This type of attack could prove to be
very valuable for the developer in that it could possibly provide some level of platform
independence. This attack could be more fully implemented and even be developed in
conjunction with existing Java attack groups or organizations. The International
Computer Security Association has a Malicious Mobile Code Consortium that addresses
the threat of these applications through a range of special projects and by serving as a
clearinghouse for Internet security vendors.
Similarly, other groups study and scrutinize the Java environment. One notable
company is Reliable Software Technologies (RST). Dr. Gary McGraw, Chairman of the
previously mentioned Malicious Mobile Code Consortium and Vice President of
Business Development at RST, is a principal Java Security investigator on grants from
Air Force Research Labs, DARPA, and NIST's Advanced Technology Program. He
works closely with Dr. Ed Felten, whose work in Java security is widely publicized.
Together they host The Java Security Web Site at http://www.rstcorp.com/javasecurity,
which is probably the most comprehensive and up-to-date resource about Java security or
insecurity.
5.3.2 Research Virus Distribution
The anti-viral community does not have any standardized procedures for
identifying legitimate virus researchers for subsequent distribution of research viruses.
This situation often limits the depth and breadth of the research, which potentially
inhibits future discoveries and improvements. The virus research community should
formulate standard guidelines for computer virus related research as well as provide some
type of controlled access to national virus databases. This would greatly enhance the
design and analysis of future virus related information warfare weapons and defenses.
5.3.3 Dependence on COTS Products
Part of our susceptibility problem has resulted from the heavy influence of
commercial-off-the-shelf (COTS) products that have become a mainstay in DOD daily
operations. The problem with this increasing reliance is that such products may contain
malicious code inserted during the development of the product or may contain design or
implementation defects that generate an exploitable vulnerability. Exposed software
defects that introduce security weaknesses can be just as exploitable as an intentional
hole left by the developer. The power of COTS products must be integrated with
expert DOD systems or knowledge to provide a solid foundation on which virus
offenses and defenses can be built.
5.4 Military Implications
Viruses and other computer pathogens should be considered as actual information
age weapons. There are several Information Warfare features that define the way the
future battlespace will look. The facts that computer virus technology has a low entry
cost, crosses now-blurred traditional physical boundaries, and poses an overall danger to
the United States homefront all indicate that computer viruses will certainly be a
significant weapon of choice in future conflicts.
Almost every user and system administrator fears the entry of viruses into their
systems, and many experts fight daily to keep such dangerous agents from spreading.
Attacks may occur on systems that manage America's infrastructure and financial
markets. The United States must have and most likely does have an undeniably effective
plan to penetrate and destabilize enemy nations' computers.
We have seen how viruses and other computer pathogens are and should be of
significant concern. Not only will our forces need this attack method, but also our
adversaries will inevitably use viruses in their attacks. If these attacks are developed
covertly and are very efficient in their implementation, they could prove to be serious
strategic threats. These strategic areas include the potential attackers, potential usage,
and our potential response or retaliation.
5.4.1 Potential Attackers
The group of potential attackers using viruses is ever expanding. They can range
from hackers to state actors. Hackers include those people who develop and distribute
viruses for personal, non-political reasons. High school and college programmers, as
well as professional programmers who often have personal vendettas can all be included
in this group. The state actors include government sponsored virus activity and can
include criminals and even political terrorists. Criminals may utilize viruses to embezzle
money or to influence a target’s desired actions, while political terrorists may employ
viruses to further their specific political goals.
Viruses are relatively inexpensive to develop compared to other strategic
weapons. Even further, the strategic targets that are susceptible to the viruses are notably
very lucrative. A potential user need only obtain the services of an accomplished and
willing programmer and a target platform representative example for development and
testing. In a very short while with a small investment, the opposition can develop a
strategic information warfare weapon.
5.4.2 Usage Conditions
Several conditions might cause an actor to contemplate using viruses to
accomplish certain goals. The state actor may use viruses for some of the same reasons
that a non-state actor does: to harass, extort money, force a course of action, or exact
retribution. Most likely, they will also attempt to use viruses for digital battlefield
preparation. Specifically, the viruses could infect command and control systems,
communication switching systems, and logistics systems with explicit triggered timing.
Of course, this would be most likely to occur in conjunction with a conventional ground,
air, or sea attack.
5.4.3 Appropriate Responses
Suppose we are fortunate in identifying systemic virus risks, formulating an
action plan that anticipates potential attacks, and developing tools and techniques to
counter potential attacks. Will we then be able to coordinate and execute effective
counter responses? If so, these responses should utilize our own suite of offensive virus
capabilities to retaliate and even usurp future attacks.
5.5 Closing Statement
This research demonstrated that computer viruses reflect only one dimension of
the overall computer security problem. Although the use of computers in the federal
government and the private sector has exploded over the past ten years, competent
computer security research has failed to keep pace with that phenomenal growth. If this
trend is not reversed, the relative promise of the computer age may very well become the
Pandora's box of the 21st century.
With this in mind, it is safe to say that computer viruses are not the Information
Warfare silver bullet, but their use and application are very appropriate. The analogy
to a weapons system is important to remember because a virus can be designed and used
just like any other weapon. This will become even more evident with the Internet
serving as the de facto standard for anyone participating in the information
revolution.
Appendix A, Computer Virus Primer
A.1 Overview
Why should there be any concern with computer viruses? The answer is quite
simple. Nearly every piece of electronic equipment has some form of a computer inside
it. With each computer component comes software that must be programmed. The
programming notion lends itself to the concept of automation. Since the computer can
automate human tasks, it is also possible to have the computer automate its own tasks. If
these tasks involve the capabilities to regenerate, spread, and do something, then that
program is considered a computer virus. Because the task performed by these automated
programs is usually associated with something negative, computer viruses are normally
viewed as malicious programs.
The initial direction of study for this research was to develop an understanding of
computer viruses. The details of this information are presented in this appendix. This
understanding includes discussion on why viruses are developed with a brief virus
history, definitions, and types. Finally, the components for computer virus development
are outlined.
A.1.1 Why Are Viruses Developed?
With so many known viruses in existence, why would anyone want to write an
application that could potentially cause harm? David Harley [17] believes that viruses
are written because their creators:
• Do not understand or prefer not to think about the consequences
• Simply do not care
• Get a buzz, acknowledged or otherwise, from creative vandalism
• Think they are fighting authority
• Are keeping the computer anti-virus vendors in business
Simply stated, some virus writers destroy data for pleasure and often enjoy causing harm
to other people's work.
Most wild viruses currently target and infect personal computers (PCs), namely
the Microsoft Operating System (DOS and Windows 95/98/00). PCs are readily
available to the world population and the Microsoft operating system is easy to learn and
manipulate and subsequently breach. The cost and availability of PCs may account for
their vulnerability and popularity as targets. For example, a mid-range or lower PC (i.e.
technology that is less than a couple of years old) can be purchased for just a few hundred
dollars. With this power within everyone's grasp, virus writers have found it very easy to
write software that deletes files, changes data, or reformats a disk without any user
notification or permission.
An inverse relationship exists between computer capabilities and enforceable
security measures. Amusingly, Robert Slade begins his book with "Jeff Richard's Laws
of Data Security: 1) Don't buy a computer and 2) If you do buy a computer, don't turn it
on" [34]. Professor Eugene Spafford of Purdue puts this even more expressively, "The
only truly secure system is one that is powered off, cast in a block of concrete, and sealed
in a lead-lined room with armed guards - and even then I have my doubts" [26]. These
two quotes illustrate the concerns over the fact that as computers attain more capabilities,
they inherently become less secure and that no computer system can ever be completely
secure.
A.1.2 Brief Virus History
The first virus was written in 1981 to see if a computer program could be
developed that would replicate in a manner similar to a biological virus. The first instance of a
malicious virus in the wild was the Lehigh virus, which overwrote a disk’s File Access
Table and boot track [34]. Throughout the years, individuals have continually searched
for ways of using computers to automate or simplify tasks. Computers can repeat tasks
indefinitely with minimal performance decreases with each iteration. The problem is that
for every task, someone must program the computer to perform that specific operation or
even physically interact with the task. Eliminating this interaction can greatly increase
efficiency and system administration. This concept of autonomous tasks led to programs
being alive or virus-like [7].
As the computer virus notion quickly grew in familiarity, there were those who
saw this as a way to do something far easier than administrative tasks on a networked
system (i.e. to wildly destroy data). Oftentimes, virus creators used splash screens or
messages as success indicators for their inventions. Thus, the virus progression over the
years has moved the computing industry toward an overall negative connotation for
the words "computer virus."
A.1.3 Definition of a Computer Virus
Exactly what it is that defines a program as a computer virus must be identified.
Fred Cohen defines a computer virus as "a computer program that can infect other
computer programs by modifying them in such a way as to include a possible evolved
version of itself" [7]. Computer viruses are usually a special form of malicious logic,
have existed for nearly 20 years, and have continually developed and matured. To date,
there have been over 25,000 computer pathogens and their variants identified and
cataloged [40]. Of that number, 440 are currently identified in the "wild," which means
that current computer systems are being infected somewhere in the world [41].
According to Dr. Alan Solomon, "a virus is a program that copies itself" [35].
This definition is in general agreement with the formal definition provided by Dr. Cohen.
However, the copies need not be exact ones. He points out that this caveat to the term
copies is one of the more complicated issues involved in the detection and eradication of
viruses. While these definitions might describe a virus in the strictest sense, Dr. Cohen
also more loosely describes a virus through pseudocode in his book as a four part
program: three subroutines (infection, damage, and trigger-pull) and a main program (see
section A.1.6).
One of the more important aspects that is most often misunderstood is that a virus
is not a program that exhibits black magic properties. It is simply a program and must be
executed to operate. This point is extremely critical. If a virus program is never given
execute privileges, then it can do nothing and hence do no damage. In many virus
laboratories, test systems literally have thousands of viruses on them, however, none of
these programs is considered harmful as long as they are not executed. Virus programs
can only do what they are allowed to do and can only do what software can do. If one
can write a program that can perform a function, then a virus can perform that same
function as well.
A.1.4 Virus Types
Computer viruses are named because of their functional similarity to biological
viruses, in that they can spread rapidly and uncontrollably throughout a host system.
Viruses are categorized and labeled based on how they attempt to avoid detection, how
they infect a target host, how quickly they infect a host, and to what degree they infect
the host [9]. Computer virus developers have contrived some unique ways for viruses to
attempt to avoid detection after target infection. They include the stealth virus, the
companion virus, the armored virus, and the polymorphic virus. The stealth virus
monitors the infected system and returns false results to the system's functions that
attempt to discover its presence. The companion virus creates a new program that is
executed instead of the intended program, which will run after the virus has executed.
The armored virus uses deception to make it difficult to trace and disassemble its code.
Finally, the polymorphic virus is a virus that modifies each copy of itself as it is
replicated. It alters the virus signature that is used by most anti-virus software to identify
potential viruses in the system.
Viruses are divided into those that are memory resident and non-memory resident.
Memory resident viruses reside in a system's memory. When an infected program runs, it
then infects other files upon their opening or executing. On the other hand, non-memory
resident viruses are active only when an infected file is running. They only infect files
that are opened or executed while the virus is active [6].
Computer viruses can be further categorized into boot sector viruses and file
viruses or a combination of the two (i.e. multi-partite). Boot sector viruses replace or
modify the operating system information in the boot sector of a disk. This type of virus
can only infect a disk during the system boot process before the operating system is
loaded.
File viruses are the other main category and are simply viruses that attach
themselves to executable files to propagate. Due to this nature, file viruses are both
platform and operating system dependent. When a file is run, the virus runs first; when
its program is complete, control is transferred back to the main
program. Often the virus becomes memory resident and will infect any other program
executed; however, these specifics can vary among viruses. Interestingly enough, file
viruses were thought only to affect executables. That is because if a virus infected data
files or library files, then there would be some wasted file resources that would be
harmless since the data files would never be executed. However, the rules have changed
with the increased development and use of macros. The macro virus has evolved enough
to be classified by itself as a third virus type [36].
Early on, there was much speculation that programs containing macro languages,
such as Lotus 123 and Microsoft Word, could be used for viruses; however, nothing
materialized. This was partially due to the minor capabilities of early versions of the
macro language and its overall infrequent use. However, in the last few years, the macro
virus has become the number one reported virus to affect systems. This is the first file
virus which could run embedded macros when the infected data files are opened. The
program opening them contains an interpretive language, which can execute the macro
program. Because the macro language is a relatively simple one, it is easier to write
macro virus programs with no required assembly language knowledge. Macro viruses
offer a new side on virus programming: the possibility of platform independence.
Previously, boot sector and executable file infection viruses could only infect one
platform. Now, for example, any platform that runs Microsoft Word could be susceptible
to a macro virus embedded in a Word file.
The final descriptive classification of viruses identifies how quickly and
completely they infect the target system. These classifications are fast, slow, and sparse
infectors. The fast infectors almost immediately infect all files on a victim's system. The
slow infector only infects those files that are opened while the virus is active. The sparse
infector will only infect a limited number of files in a given time period (e.g. files saved
on the first of each month) [24].
Having discussed the general virus categories and types, it is necessary to discuss
some specific virus-related areas. Areas include trojan horses, network worms, and virus
hoaxes. These are outlined in the following subsections.
A.1.4.1 Trojan Horse
Trojan horses appear to be legitimate programs, but have hidden agendas. They are
defined as any program that appears to perform a desirable and necessary function but
actually is performing additional, unknown functions (due to unauthorized code within it)
that are most likely unwanted by the user. A trojan horse usually is intended by its
developer to transport a virus or worm to a target platform. This type of pathogen usually
requires the user's participation in a cover application (e.g. a game, cool screensaver, or
clever demo). The trojan horse does exactly what it is supposed to do; but in addition to
its publicized function, it deposits malicious code on the target [6].
A.1.4.2 Network Worm
A network worm is an independent program that spreads by making complete
copies of itself across a network. Network worms are so dangerous due to the number of
networks that have gained strategic importance because of their use in the movement of
governmental, military, and commercial data. Once active within a system, a network
worm could behave as a virus, implant Trojan horse programs, or perform other
disruptive activities. Generally, worms confine themselves to persistent attempts to
replicate. This in and of itself is enough to consume system resources and in most
instances can cause the system to crash [6].
A.1.4.3 Virus E-Mail Hoaxes
The more capability and power that a program has to offer, the more destructive it
can be. This again is the major dichotomy associated with computer viruses: the tradeoff
between flexibility and capability versus security and protection. Consequently, there
have been numerous virus developments that are actually hoaxes. While these are not
classified directly as viruses, they are denial-of-service computer network attacks. The
hoaxes clutter the Internet with excessive traffic of a "black plague" type virus that is so
dangerous that one should immediately forward the notice to everyone they know. This
network traffic can be very excessive and possibly even shut down systems from
overloading or cause system crashes. The real attack is the received message and should
be deleted immediately to halt the hoax propagation. Unfortunately, a side effect to a
hoax is the second wave of traffic after the hoax is discovered. Hoaxes usually state that
reading an e-mail message is all that is needed to become infected. This has been proven
to be impossible on a system that simply reads the mail where no execute privileges have
been given to a program. Now, there do exist some mail systems that automatically
launch applications to open attachments (e.g. Microsoft's Internet Explorer and Outlook),
which could allow a file to have executable privileges. A basic understanding of virus
hoaxes can greatly help mitigate their effects.
A.1.5 Virus Development
Creating a new virus was originally part of the goals of this research. With this in
mind, when writing a program to perform a specific function or purpose, it is often
easiest to program from the ground up. As computer viruses are essentially no different
in structure than any other program, they must be designed in exactly the same way. The
virus design should be an iterative top down approach. A functional analysis must be
developed in order to ensure that no pieces of the design are omitted. A systems
engineering approach would also help facilitate a more comprehensive development. Dr.
Cohen points out that the only thing to refer to when developing a virus is the pseudocode
presented in his book. If other virus code is examined, then the opportunity to be
influenced by other programmers' methods or techniques could occur.
The pseudocode presents the four basic parts of a virus. There is an infection
routine, a damage routine, and finally a trigger pull routine. These sub-components are
then called by the fourth routine (i.e. the main program). It is the infection routine
that formally distinguishes the program as a virus. Note that there is no
requirement for a payload or trigger for the program to be considered a virus. Figure 13
outlines the pseudocode as the framework for virus development [7].
Figure 13, Dr. Cohen's Virus Pseudocode
Program V :=
{1234567;
 Subroutine infect-executable :=
  {loop: file = random-executable;
   if (first-line of file = 1234567) then goto loop;
   else prepend V to file;}
 Subroutine do-damage :=
  {whatever damage you can program}
 Subroutine trigger-pulled :=
  {whatever trigger you want here}
 Main-program-of-virus :=
  {infect-executable;
   if (trigger-pulled) then do-damage;
   goto next;}
next: }
This code contains two enhancements that need not be part of a virus: a
marker, 1234567, so the virus will not infect the same file twice, and a loop so the virus
runs continuously. Dr. Cohen developed this code with executable file type viruses in
mind. However, these techniques may be modified for specific instances and serve only
as a foundation for future virus efforts [7].
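The marker check in Dr. Cohen's pseudocode cuts both ways: the first-line marker that keeps the virus from infecting a file twice is also a fixed signature that a scanner can search for, which is the kind of signature the polymorphic virus described in A.1.4 alters on every copy. The following Python script is an added example, not code from the thesis or from Dr. Cohen's book; the marker value 1234567 is taken from Figure 13, while the directory layout and sample file contents are constructed for the demonstration. Files are only read, never executed, which is the point made in A.1.3 about viruses needing execute privileges to do anything.

```python
"""Marker-based scan for files carrying Cohen's re-infection marker.

Added example: the marker value 1234567 comes from Figure 13; the sample
files and directory layout below are constructed for the demonstration.
"""
from pathlib import Path
import tempfile

MARKER = b"1234567"  # first-line marker from Cohen's infect-executable routine


def first_line(data: bytes) -> bytes:
    """Return the first line of a file body without its line terminator."""
    return data.split(b"\n", 1)[0].rstrip(b"\r")


def is_marked(data: bytes) -> bool:
    """True when the file begins with the marker line, i.e. it is the kind of
    file infect-executable would skip as already infected."""
    return first_line(data) == MARKER


def scan_tree(root: Path) -> dict[str, bool]:
    """Map every regular file under root (POSIX-style relative path) to
    whether it carries the marker. Files are only read, never executed."""
    results: dict[str, bool] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            results[path.relative_to(root).as_posix()] = is_marked(path.read_bytes())
    return results


def build_sample_tree(root: Path) -> None:
    """Write constructed sample files: one clean, one marked, one near-miss."""
    (root / "bin").mkdir()
    (root / "bin" / "clean.exe").write_bytes(b"MZ-like header\nprogram body\n")
    (root / "bin" / "marked.exe").write_bytes(MARKER + b"\r\nprogram body\n")
    # A first line that merely contains the digits must not match.
    (root / "notes.txt").write_bytes(b"12345678 is not the marker\n")


def demo() -> dict[str, bool]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for name, marked in demo().items():
        print(f"{'MARKED' if marked else 'clean ':6} {name}")
```

Running the script lists bin/marked.exe as the only marked file. The check is deliberately exact (whole first line equals the marker), which is why the near-miss in notes.txt is not flagged; it is also exactly the kind of fixed pattern that a polymorphic virus would vary, so a fixed-string scan like this illustrates signature matching rather than replacing an anti-virus product.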
Appendix B, Network Testbed Environment
B.1 Hardware Resources
B.1.1 Overview
To assist with this research, a testbed network environment was developed and
installed. This was mostly due to the necessity to keep dangerous and malicious code
from entering the AFIT network system. The following sections, B.1.2, B.1.3, and B.2,
of this appendix fully describe the design of the network and the settings that were used.
The Appendix was fully developed by a fellow Air Force Institute of Technology student,
Captain Dale Lathrop and is included here with only minor changes. It is an essential
reference for future steganographic virus-related work [25].
The testbed network consisted of a server and two client PCs connected with
category 3 Ethernet cable running at 10 megabits per second (Mbps). No hub was
necessary for this configuration. The network environment is shown in the following
diagram.
Figure 14, Network Testbed Environment
B.1.2 Server
The server is a basic PC with enough power to drive a small network of users. It
provided the resources such as memory and hard disk space to accommodate the server-
based software and manage the network without visible degradation in speed. The
server's hardware specifications were:
• IBM 350-P100 running at 100 megahertz (MHz)
• Zenith DTV 15 inch monitor
• IBM 101 Key Keyboard
• Logitech 2-Button PS-2 Mouse
• 1.6 gigabyte (GB) hard drive
• 1.44 megabyte (MB) floppy drive
• 64 MB random access memory (RAM)
• SMC Elite 16 Ultra Ethernet network card
• Chinon CDS-545 CD-ROM drive
• 1 MB S3 Trio PCI video board
[Figure 14 diagram: Server, Client PC-1 and Client PC-2 connected by Cat 3 Ethernet (10 Mbps)]
B.1.3 Client Systems
The client systems were established to meet the requirements of a common user
system. The PCs were built with the ability to communicate with an Internet server. The
hardware specifications for the client systems were:
• Zenith DTV Z-Station GT running at 133 MHz
• SONY Multiscan 17sf II monitor
• Zenith 102 Key Keyboard
• Microsoft PS-2 Mouse
• 4.3 gigabyte (GB) hard drive
• 1.44 megabyte (MB) floppy drive
• 64 MB random access memory (RAM)
• SMC EtherEZ 8416 Ethernet network card
• AZT 66801 SE - 6X CD-ROM drive
• 2 MB ATI Graphics Pro Turbo (Mach 64 VT) video
B.2 Software Resources
B.2.1 Overview
To accomplish fully the task of simulating an entity such as the Internet, a wide
array of software was utilized. The next few sections illustrate the software and the
configuration parameters that allowed this simulation to be successful.
B.2.2 Server
The majority of the software on the server PC was utilized to control the entire
environment. The overall task was to allow for e-mail and Internet-related (e.g. web
browsing) communication to occur between the server and the clients. The system was
configured to use the Internet Protocol (IP) format.
B.2.2.1 Network Properties
The most crucial information for the Windows 95 network configuration was
evidenced in the properties of the network neighborhood as seen below in Figure 12.
Figure 15, Network Neighborhood Properties
This configuration used the Microsoft Network client to establish the link and
used IP addressing for the communication of information. The file and print sharing
option was used to provide file server capabilities, but was not necessary to complete the
research. The TCP/IP properties allowed an administrator to configure the
communication capabilities of the network. As illustrated in the next figure, the network
was bound to the Microsoft client.
Figure 16, TCP/IP Properties
An address must be assigned to each machine. In the server's case, the address
101.0.0.1 was assigned as a base for the network. Other software discussed later in this
appendix required this IP address.
Figure 17, TCP/IP-IP Address Properties
The subnet mask was defaulted to 255.255.255.0. The tab labeled DNS
Configuration allowed the administrator to set the Host and Domain names for the
network. This was utilized in the addressing of Internet mail. In this research, the Host
was set to server and the domain to hackers. When e-mail was addressed, it took the
form of [email protected].
Figure 18, TCP/IP-DNS Configuration Properties
For the Internet mail manager software, a gateway was designated. The server
itself filled this role as seen in Figure 19, the gateway IP lookup list.
Figure 19, TCP/IP-Gateway Properties
With these settings, the networked client PCs could communicate with each other and the
server via the IP protocol.
B.2.2.2 FT Gate (Gateway, HTTP, FTP, Internet Mail)
Since the main software environment for this research was based on the Microsoft
Windows 95 platform, an additional Internet mail server software package was needed.
The product chosen was Floosietek’s FTGate Mail Gateway. It provided the capability to
act as a SMTP and POP3 server for Internet mail and could be used like an Internet
Service Provider (ISP).
Figure 20, FTGate Mail Gateway Properties
When configured properly, FTGate served as an efficient and economical answer
for this small network. The 30-day evaluation version used here was capable of servicing
100 concurrent users. After the 30 days, the user count was lowered to one. The user
configuration was easily accomplished through the built-in mailbox manager. The
network administrator designated accounts with only basic information required. The
userIDs used in this research were created in the format of first initial and last name (e.g.
jcochran).
Figure 21, FTGate Mailbox Manager Properties
The final step in setting up FTGate was to fill in the information for the domain
region of the physical server. The domain was considered local, which meant on the
server, instead of remote to an additional ISP. The primary domain name matches the
host and domain name established in the server properties.
Figure 22, FTGate Properties
The mail gateway was made operational and available for use by executing the main
FTGate software.
B.2.2.3 Microsoft Personal Web Server
Another software package installed was Microsoft’s Personal Web Server. This
utility provided the capability to establish a web site on the server and add FTP and
HTTP services to the network.
Figure 23, Personal Web Server Properties
It was discovered towards the end of the research that this was not actually
needed. However, future research efforts that further exploit web pages and Java code
combined with steganographic images would require this setup.
B.2.3 Client Systems
To complete the testbed network, two client systems were configured to give
researchers the capability to test IW network attacks. Table 4 shows the software that
was loaded on each system.
Table 4, Client System Software
Package                                                               Version
Microsoft Windows 95                                                  4.00.95B
Microsoft Office 97 Professional w/SR-2 (Outlook 97 only installed)   7.0
Netscape Communicator                                                 4.6
Internet Explorer                                                     5.0
McAfee VirusScan                                                      4.0
Norton Anti-Virus                                                     5.00.01b
Computer Associates-InoculateIT                                       4.5
Trend Micro-PC-cillin                                                 6.0
The anti-virus software tools were loaded so that the testing could see if a known virus
could be embedded and extracted without detection.
B.2.3.1 Network Properties
The network properties for the client PCs were similar to that of the server. The
Microsoft Network client, network interface card definition, and the TCP/IP protocol
service were still the basic requirement for complete communications. The only change
was to the TCP/IP properties. Each PC was given a unique IP address (in this case
101.10.10.10 and 101.10.20.5 for the testbed clients) and the gateway and DNS tabs
remained the same as the server.
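The addressing plan given for the server in B.2.2.1 and for the clients above can be checked before any cable is plugged in. The Python script below is an added example and is not part of Captain Lathrop's appendix: it takes the three addresses and the 255.255.255.0 mask exactly as stated, reports which client addresses fall in the server's network under that mask, computes the narrowest mask that would place all three hosts on one network, and checks whether the address space is RFC 1918 private. The appendix does not state the clients' own masks, so the check assumes they kept the server's default.

```python
"""Addressing check for the Appendix B testbed.

Added example, not from the thesis. The addresses and mask are the values
stated in Appendix B; the assumption that the clients used the server's
default mask is the author's, not the appendix's.
"""
import ipaddress
from typing import Iterable

SERVER_IP = "101.0.0.1"
CLIENT_IPS = ("101.10.10.10", "101.10.20.5")
SUBNET_MASK = "255.255.255.0"  # server default per B.2.2.1; assumed for clients


def network_of(addr: str, mask: str) -> ipaddress.IPv4Network:
    """The network an address belongs to under a dotted-quad mask."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True when a and b can exchange IP packets without a router."""
    return network_of(a, mask) == network_of(b, mask)


def on_link_with_server(server: str, clients: Iterable[str], mask: str) -> dict[str, bool]:
    """For each client, whether it shares the server's network under mask."""
    return {c: same_subnet(server, c, mask) for c in clients}


def smallest_common_mask(addrs: Iterable[str]) -> str:
    """Longest-prefix (narrowest) mask whose network contains every address."""
    hosts = [ipaddress.IPv4Network(a) for a in addrs]  # each is a /32
    net = hosts[0]
    while not all(h.subnet_of(net) for h in hosts):
        net = net.supernet()  # widen one bit at a time
    return str(net.netmask)


def uses_private_space(addrs: Iterable[str]) -> bool:
    """True only if every address is in RFC 1918 (or other reserved) space."""
    return all(ipaddress.ip_address(a).is_private for a in addrs)


if __name__ == "__main__":
    everything = [SERVER_IP, *CLIENT_IPS]
    print("on-link with server:", on_link_with_server(SERVER_IP, CLIENT_IPS, SUBNET_MASK))
    print("narrowest common mask:", smallest_common_mask(everything))
    print("private address space:", uses_private_space(everything))
```

Under the 255.255.255.0 mask neither 101.10.10.10 nor 101.10.20.5 shares a network with 101.0.0.1, so the hosts talk directly only with a wider mask (255.240.0.0 is the narrowest that covers all three addresses). The script also reports that 101.0.0.0/8 is not private address space; the physical isolation described in B.1.1 is what made reusing publicly routable addresses harmless, and a testbed that might ever be uplinked should use RFC 1918 space instead.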
Appendix C, Vendor Contact Information
The following appendix provides the point of contact information for the software
utilized during this research. Section C.1 summarizes the steganography tools while
section C.2 contains the anti-virus tools.
C.1 Steganography Tools
Contraband HE (824k) and Contraband 3.1 (245k)
Immortalware by Hens Zimmerman and Julius Thyssen
http://www.xs4all.nl/~whh/@/che_xmas-beta.zip and http://www.xs4all.nl/~whh/@/contrabd.exe, respectively
Encrypt Pic (442k)
http://members.xoom.com/fredc/encryptpic.html
FFEncode (12k)
http://www.rugeley.demon.co.uk/security/ffencode.zip
Gifshuffle (33 KB)
Matthew Kwan, Darkside Technologies Pty Ltd
http://www.darkside.com.au/gifshuffle/
Hide and Seek for Win95 (96 KB)
Colin Moroney
ftp://ftp.zedz.net/pub/replay/incoming/hideseek95.zip
In The Picture (1.8 MB)
http://www.intar.com/ITP/default.htm
JSteg Shell v1.0 (3.9 MB)
By Derek Upham
http://www.tiac.net/users/korejwa/jsteg.htm
Pretty Good Envelope v2.0 (16 KB)
http://members.tripod.com/~afn21533/pge20.zip
S-Tools4 (272 KB)
ftp://idea.sec.dsi.unimi.it/pub/security/crypt/code/s-tools4.zip
Snow (27 KB)
Matthew Kwan, Darkside Technologies Pty Ltd
http://www.darkside.com.au/snow/index.html
SteganoGifPaletteOrder (137 KB)
David Glaude <[email protected]>, Didier Barzin <[email protected]>
Download at http://www.geocities.com/SiliconValley/Heights/2099/sgpo.htm
Steganos II Security Suite (5.0 MB)
DEMCOM Hansmann/Wildgrube/Yoran Gbr, Sophienstr. 28, 60487 Frankfurt, Germany
http://www.steganography.com/english/
1-202-293-5151 to order
Steghide 0.3.1 (330 KB)
Stefan Hetzl <[email protected]>
http://www.crosswinds.net/~shetzl/steghide/index.html
wbStego99 v3.1 (952 KB)
Werner Bailer, Kirchengasse 58, A-2632 Grafenbach
http://members.xoom.com/wbailer/wbstego/
U.S.: 1-724-850-8186
C.2 Anti-Virus Tools
McAfee VirusScan
McAfee.com, 3965 Freedom Circle, Santa Clara, CA 95054
(408) 988-3832
http://www.mcafee.com
Norton Anti Virus
Symantec Corporate Offices, 20330 Stevens Creek Blvd., Cupertino, CA 95014
(408) 253-9600
http://www.norton.com
Computer Associates-InoculateIT
Computer Associates International, Inc., One Computer Associates Plaza, Islandia, NY 11749
(516) 342-5224 or 1-800 225-5224
http://antivirus.cai.com/
Trend Micro – PC-cillin
Trend Micro, Inc., North American Headquarters, 10101 N. De Anza Blvd., Suite 200, Cupertino, CA 95014
(408) 257-1500 or (800) 228-5651
Tech Support: (949) 387-7805 or (888) 608-1009
http://www.antivirus.com/
Appendix D, Software Request Form Letter
<<company>>
<<address_1>>
<<address_2>>
<<city>>, <<state>>, <<zip>>

Dear <<company>>,

I am writing this letter to solicit your help in completing an approved graduate research study being conducted at the US Air Force Institute of Technology. I am conducting basic research on the effectiveness of anti-virus tool-kits in detecting steganographic virus attacks. The research involves the analysis of computer viruses hidden in image graphic files in an offline testbed computer environment. The goal is to evaluate the effectiveness of tool-kits in general and NOT any particular government or commercial software package.

Because of favorable reviews in the mainstream computing literature, I feel <<product>> would be an important part of any anti-viral related research. I would like to include your product in the research; to that end, I am asking the makers of each anti-virus product to assist by providing a full-featured evaluation copy or license of their product. Air Force fiscal funding limitations hinder equipment purchases for thesis students, and expendable personal expenses are not available to purchase your product. Nonetheless, I believe that credible scientific research involving your product would be beneficial to both you and the Air Force. Your support would be greatly appreciated.

If you are willing to provide your support, a copy of my summary data will be sent to you. I also agree that no data developed will be reported in anything other than an aggregate fashion that will ensure that no individual product is identifiable. If you desire, at the end of the study, a copy of your company's individual data can be provided to you. Be assured that beyond my thesis advisor, no other government employees, entities, or organizations will have access to your product's individual ratings.

If you are not willing to provide a copy of your product free of charge, please consider the fact that it will not be included in this study. Although this will not invalidate the research efforts, it would deprive me of establishing how your product can be used as part of an effective anti-viral program to protect military computing assets from virus-related attacks.

Regardless of your decision, I appreciate your consideration of this request. If you have any questions that I can answer, please feel free to contact me at the Air Force Institute of Technology. If you prefer, you may also contact my thesis advisor, Dr. Henry Potoczny, at (937) 255-6565. I appreciate your time and consideration and look forward to your response.

Respectfully,
Jordon T. Cochran, Captain, USAF
Graduate Student, Computer Systems
Air Force Institute of Technology
Telephone: 937-255-3636, x-6126
E-mail: [email protected]
Vita
Captain Jordon T. Cochran was born on 19 September 1973, in Springfield, Massachusetts. He graduated from Carroll High School, Ozark, Alabama, in 1991 and continued his education at Auburn University, Auburn, Alabama. While at Auburn, he was very active in the Air Force Reserve Officer Training Corps. He graduated with a Bachelor of Computer Engineering degree and was commissioned on 30 August 1995.

His assignments include Integrated Computer Aided Software Engineering (I-CASE) Systems Engineer and Chief, I-CASE Customer Support at the Headquarters Standard Systems Group, Maxwell AFB-Gunter Annex. In August 1998, he entered the Computer Systems Masters program of the School of Engineering and Management, Air Force Institute of Technology. His follow-on assignment is to the Air Intelligence Agency, 694 Intelligence Group, Ft. George Meade, Maryland.
REPORT DOCUMENTATION PAGE (Standard Form 298, Rev. 2-89) Form Approved OMB No. 0704-0188

Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188), Washington, DC 20503.

1. AGENCY USE ONLY (Leave blank)
2. REPORT DATE: March 2000
3. REPORT TYPE AND DATES COVERED: Master's Thesis
4. TITLE AND SUBTITLE: STEGANOGRAPHIC COMPUTER WARFARE
5. FUNDING NUMBERS:
6. AUTHOR(S): Jordon T. Cochran, Captain, USAF
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): Air Force Institute of Technology, Graduate School of Engineering and Management (AFIT/EN), 2950 P Street, Building 640, WPAFB, OH 45433-7765
8. PERFORMING ORGANIZATION REPORT NUMBER: AFIT/GCS/ENG/00M-03
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES): USAF/NAIC/TAIF, Attn: Mr. Keith D. Anthony, 4180 Watson Way, Wright-Patterson AFB, OH 45433-5635, (937) 904-0623
10. SPONSORING/MONITORING AGENCY REPORT NUMBER:
11. SUPPLEMENTARY NOTES: Henry B. Potoczny, Ph.D., ENG, Comm: (937) 255-6565
12a. DISTRIBUTION AVAILABILITY STATEMENT: APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED
12b. DISTRIBUTION CODE:
13. ABSTRACT (Maximum 200 words): Computer technology permeates every aspect of our daily operations. As this dependence increases, users become more susceptible to attacks. This threat comes largely from computer viruses, which fall under the Information Warfare domain. Steganography's goal is to conceal information in plain sight. Although steganography tools have been around for several years, their true potential continues to be explored. This resurgence in steganography combined with the aforementioned computer virus threat raises potential risks. This research attempts to determine strategies that can be used automatically to decode a steganography file. Emphasis is placed on automated techniques and is not specific to any steganography application. The primary objective of this thesis is to explore and assess computer systems' vulnerability to steganographic virus attacks. The results indicate that steganography tools are not conducive to be sole attack weapons. However, the tools combined with other applications could be used to automatically extract the hidden information with minimal user intervention. The research examined the current state of steganography tool capabilities with regard to computer virus implementations. Coupling these two technologies can result in a very deceptive and powerful IW attack. Further, this attack could pose significant risks to the United States government and national information infrastructures.
14. SUBJECT TERMS: Steganography, computer virus, information warfare, information hiding, covert channels, data security, data embedding, information security
15. NUMBER OF PAGES: 105
16. PRICE CODE:
17. SECURITY CLASSIFICATION OF REPORT: UNCLASSIFIED
18. SECURITY CLASSIFICATION OF THIS PAGE: UNCLASSIFIED
19. SECURITY CLASSIFICATION OF ABSTRACT: UNCLASSIFIED
20. LIMITATION OF ABSTRACT: UL

Standard Form 298 (Rev. 2-89) (EG). Prescribed by ANSI Std. 239.18. Designed using Perform Pro, WHS/DIOR, Oct 94.