October 2010 Meeting


Exploring Font Based Steganography With A Focus On Tool Development

The world of steganography has become stale as the same exfiltration techniques become easier and easier to detect. Once any major steganalysis tool can find the hidden payload, it's game over. It's time to look past the JPGs and into new and even stealthier techniques. In this day and age we already know to look for the malicious PDF, the Macro Word file, and the image file as possible points for leakage, but in this talk we are going to examine just how easy it is to create a program that utilizes a rarely documented steganography technique. Furthermore, since the attacker always has it easy, we will go the next step and present a tool for detecting this type of anomaly. Welcome to the world of Font Color Based Steganography.

Font Color Based Steganography is not necessarily a new concept: a tool has been in the public domain since as far back as 2007, and the technique has been the subject of an IEEE steganalysis white paper. After looking into these, it seems as if the idea blossomed in 2007 but never matured. The previously developed tool falls short in several areas. It works with font size and color, which is nice, and it can password protect, but it only encodes words. We, however, want to exfiltrate entire files, as simple text just isn't sufficient these days. Unfortunately there are no tools that we are aware of in the wild that can do such a thing.

Let's take a look at the basic idea. We have a Word document full of text, and for each character there is a font associated with it. With the font we have several items we can manipulate, including style, color, size, encoding, underline, etc. Each of these items becomes a possible steganography vector, but whatever we choose needs to be covert. In order to encode our file, we are going to need a solution that can be represented as either a "0" or "1", or differences between two elements. For instance, we could use font size, as the difference between 12 and 12.5 font is barely noticeable (a vs. a), but there isn't much room for our data since we only get one bit of data per character. Font Color seems like a better candidate since the difference between (RGB) 000 and 111 is also barely noticeable (a vs. a), and we get three bits per character.

Documents can contain a variety of font sizes and colors.  The variety and occurrence of different sizes and colors depends on the type of document.  Document titles, headers, footnotes, and subscripts can all be a reason for characters in a document to have a different font size and color.  This steganalysis tool will assist the forensic analyst by scanning each character in the document for its font size and color.  Font color steganography only alters the size and color slightly, practically unnoticeable to the human eye.  This tool will help uncover steganography that might have been overlooked through manual examination.  To help limit the number of false positives, a baseline is needed to set a threshold for the frequency of different font sizes and colors.  Random documents from the Internet were used as a test bed to calculate the frequency of colors and sizes.  If this threshold is surpassed, the program will flag the document.

The steganalysis tool will look to discover the anomalies created by steganography. The first step looks at the font color of each character and how often the color occurs in the document. The two most common font colors found in a Microsoft Word document are "automatic" and "black." The "automatic" font color is the default font color for a new document using the default template (normal.dot). Though "automatic" may appear as black, Windows reads it as a different color code than the standard "Black" color. The automatic color is determined by the "Windows Text" color set in Control Panel > Display > Appearance (text for global windows application). Keep in mind, if this option is altered, the automatic color would appear as whatever the user set the option to. The default "automatic" color will also change the font color to white when dark backgrounds are used. The tool will provide the occurrence of each color code for every character in the document to assist an examiner in visually seeing any frequent abnormal colors used in the document.

The next step of the tool will examine the font size for each character. The most common font sizes in a Microsoft Word document are 11 and 12. Like the font color, the tool will list the occurrence of each font size used in the document. Again, this allows the examiner to visually see any abnormalities between font sizes.
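The frequency check described above can be sketched as follows. This is an added example, not the presenters' tool: it assumes the document is available as WordprocessingML (the `document.xml` inside a .docx), the two sample documents are constructed, and the thresholds `max_colors` and `max_sizes` are hypothetical stand-ins for a baseline measured on real documents.

```python
import xml.etree.ElementTree as ET
from collections import Counter

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}
VAL = f"{{{W}}}val"

def run(text, color=None, half_points=None):
    """Build one constructed WordprocessingML run (sample data only)."""
    props = f'<w:color w:val="{color}"/>' if color else ""
    props += f'<w:sz w:val="{half_points}"/>' if half_points else ""
    return f"<w:r><w:rPr>{props}</w:rPr><w:t>{text}</w:t></w:r>"

def document(runs):
    return f'<w:document xmlns:w="{W}"><w:body><w:p>{runs}</w:p></w:body></w:document>'

# Constructed samples: a normal heading plus body, and a document whose
# characters each carry one of eight near-black colors.
CLEAN = document(run("Title", "1F497D", 28) + run("Body text.", None, 24))
NEAR_BLACK = ["000000", "000001", "000100", "000101",
              "010000", "010001", "010100", "010101"]
SUSPECT = document("".join(run(ch, NEAR_BLACK[i % 8], 24)
                           for i, ch in enumerate("quarterly report")))

def font_histogram(document_xml):
    """Count characters per font color and per font size (in points)."""
    colors, sizes = Counter(), Counter()
    for r in ET.fromstring(document_xml).iter(f"{{{W}}}r"):
        chars = sum(len(t.text or "") for t in r.findall("w:t", NS))
        color, size = r.find("w:rPr/w:color", NS), r.find("w:rPr/w:sz", NS)
        colors[color.get(VAL).lower() if color is not None else "auto"] += chars
        # w:sz is stored in half-points, so 25 means 12.5 pt
        sizes[int(size.get(VAL)) / 2 if size is not None else "default"] += chars
    return colors, sizes

def is_flagged(document_xml, max_colors=4, max_sizes=4):
    """Flag when distinct colors or sizes exceed the (assumed) baseline."""
    colors, sizes = font_histogram(document_xml)
    return len(colors) > max_colors or len(sizes) > max_sizes

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN), ("suspect", SUSPECT)):
        colors, sizes = font_histogram(doc)
        print(name, dict(colors), dict(sizes), "FLAG" if is_flagged(doc) else "ok")
```

The per-color and per-size counts are what an examiner would review; the flag only says that the number of distinct values is above what the baseline expects.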

Both the steganography and steganalysis tool developed for this talk will be released and available for download in compiled as well as open source formats.

Co-Presenters

Co-Presenter: Mr. Cyr has over five years of experience in the Department of Defense and commercial information security programs. He has discovered and publicly disclosed several vulnerabilities and exploits. His expertise is in network penetration testing, web application assessments, and wireless network auditing. He holds a Master's degree in Information Assurance from Towson University as well as the following certifications: Certified Information Systems Security Professional (CISSP), Offensive Security Certified Professional (OSCP), Offensive Security Wireless Professional (OSWP), Certified Ethical Hacker (CEH), Nessus Certified, GIAC Certified Penetration Tester (GPEN), FEMA IS-00100. Intro to the Incident Command System. Mr. Cyr is also part of the www.exploit-db.com exploit verification team.

Co-Presenter: Mr. Pierorazio has over five years of experience in the information systems field, two of which are in the Department of Defense. His expertise is in network penetration testing and digital forensics. He holds a Master's degree in Forensic Studies of Information Systems from Stevenson University, and holds the following certifications: Certified Information Systems Security Professional (CISSP), Offensive Security Certified Professional (OSCP), Offensive Security Wireless Professional (OSWP), and GIAC Certified Penetration Tester (GPEN).
