HIDING IN THE FAMILIAR:
STEGANOGRAPHY AND VULNERABILITIES IN POPULAR ARCHIVE FORMATS
Mario Vuksan, Tomislav Pericin & Brian Karney
Black Hat Europe 2010, Barcelona
Agenda
- Introduction to steganography in archives
  - Steganography implications
  - Vulnerability implications
- Demonstrations
  - Quick and dirty hex editing
    - Hide text and file data
    - Invent our own file format
- Introduction to NyxEngine
Steganography
Steganography History
Ancient Fascination
Rumours & Conspiracies
- From Pearl Harbor to Al-Qaida & eBay
2008 arrest
- British Muslim Rangzieb Ahmed used invisible ink to write down an Al-Qaida telephone directory
Difference is in the purpose
- Malicious Uses
  - Private communication for illicit purposes, so-called Stego
- Legitimate Uses
  - Watermarking, DRM, Movies (CAP - Coded Anti-Piracy), Medical Images Tracking
Malicious Angle on Stego
Types
- Messages
- Images
- Media Files
Open source projects
600+ different tools
Private/commissioned tools
Obscurity is power
Detection
- Stego tool discovery
- Brute Force
Reality
stego in the wild?
- It could be due to the fact it really is not that prevalent in the wild
- It could be that analysts are not really looking, so they never find it
- That most media based approaches have many weaknesses and make it hard to hide large amounts of data
- That the best method to identify stego is to find the tools based off of hashes
New Paradigms for Forensics
Traditional Steganography
- Typical stego is thought of as embedding data into media files (audio files, JPG, BMP, GIF, PNG)
New paradigm for Stego: Shift away from media
- to archive files (zip, cab, ...)
- other approaches such as SFS (Stego File System)
- Other novel approaches
Investigating Stego in Archives
Why is it relevant from an investigative perspective?
- Easier way to hide larger payloads in plain sight
- Not easy to identify using existing methods
  - blind anomaly-based approach
  - image analysis using image filters
  - audio analyzer
  - Signature analysis (substitution)
- Using hashes to identify tools is pointless
- Makes you always question what is inside the archive
Archive formats
Most common file formats found in every Microsoft Windows, Unix and Mac OS system
File formats are not bound to an operating system
ZIP file format
Most common archive file format in use today
The format was originally created in 1986 by Phil Katz for PKZIP
Format is fully documented by PKWARE (32k line text file)
The PKZIP format is now supported by many software utilities:
- Microsoft Windows has included built-in ZIP support
- WinZIP (most popular ZIP archiver program) - www.winzip.com
- PowerArchiver - www.powerarchiver.com
- WinRAR - www.rarlab.com
- 7ZIP - www.7-zip.org
Format supports:
- Error recovery, multi-disk spanning, encryption and SFX
- Multiple compression algorithms in use (DEFLATE)
RAR file format
Very popular archive file format
The format was developed by Eugene Roshal
Format is partially documented by the developer (TechNote)
The RAR format is now supported by many software utilities:
- RAR format ships with a free decompressor library (SDK)
- WinRAR - www.rarlab.com
- WinZIP - www.winzip.com
- PowerArchiver - www.powerarchiver.com
- 7ZIP - www.7-zip.org
Format supports:
- Error recovery, multi-disk spanning, encryption and SFX
- Compression algorithms based on LZ and PPMd
CAB file format
Common installer file format (rarely used by users)
CAB is the Microsoft Windows native compressed archive format
Format is fully documented by Microsoft (20 page PDF)
The cabinet format is now supported by many software utilities:
- Microsoft Windows has included built-in CAB support
- PowerArchiver (can compress) - www.powerarchiver.com
- WinZIP - www.winzip.com
- WinRAR - www.rarlab.com
- 7ZIP - www.7-zip.org
Format supports:
- Multi-disk spanning, digital signing and SFX
- Uses LZX, DEFLATE, Quantum and MsZIP compression
7Zip file format
Very common archive file format used today
The format was created in 2000 and is developed by Igor Pavlov
Format processor is free and open source (LGPL license)
Format is fully documented by the developer (series of text files)
The 7Zip format is now supported by many software utilities:
- 7ZIP - www.7-zip.org
- WinZIP - www.winzip.com
- PowerArchiver - www.powerarchiver.com
- WinRAR - www.rarlab.com
Format supports:
- Multi-disk spanning, encryption and SFX
GZip file format
Most common archive file format in use today (on Unix)
Gzip was created by Jean-Loup Gailly and Mark Adler in 1992
Format is fully documented in RFC 1952 (few pages from 1996)
The Gzip format is now supported by many software utilities:
- WinZIP (most popular ZIP archiver program) - www.winzip.com
- PowerArchiver - www.powerarchiver.com
- WinRAR - www.rarlab.com
- 7ZIP - www.7-zip.org
Format supports:
- Single file compression (commonly used with TAR)
- Uses DEFLATE compression algorithm
File format malformations
All files present on any system are binary files
Malformation goals:
- Steganography
  - Hide file(s) or any other message from view
  - Steganography process must be reversible
- Vulnerability exploiting
Hex Editor
File format malformations
Malformation is achieved by:
- In-depth knowledge of file format specification
- Loose use of file format specification
- Usage of rarely used file fields
- Trial-and-error method
Steganography is achieved by:
- All of the above
- Injecting data
Archive malformation tests
- Last set of tests performed in 2004 by iDefense
  - Implications:
    compression/decompression software (including WinZip) incorrectly handles compressed files with deliberately damaged header fields, thus, in fact, allowing creation of the damaged archive files, that could be automatically - ESET
ReversingLabs | Testing
ReversingLabs archive inspection tests:
1. File format identification
   - Optimization: Fastest and most accurate methods
2. File format validation
   - Package validation: Archive data corruption
   - Vulnerabilities
3. Steganography
   - Interesting data detection
   - Data self-destruction?
ReversingLabs | Results
ReversingLabs archive inspection test results:
- Steganography standpoint:
  - Multiple ways to hide file(s) and data in all formats
- Vulnerability standpoint:
  - High probability of malware detection evasion
  - 15 reported vulnerabilities (more pending)
  - Low impact on protected endpoints
Archive steganography | ZIP
Steganography is achieved by:
- Compressed file name modification (NULL byte)
- Changes to internal ZIP structures
  - Number of packed files decrementing
  - Data camouflage by extra field utilization
  - Moving the central directory
  - Injecting data
Archive steganography | ZIP
Steganography implications:
- Data can be hidden in ZIP archives
- Data can also be hidden in the OOXML file format
- Data self-destruction:
  - Steganography data can be removed by user actions
Archive steganography | ZIP
Steganography implementations:
- Zipped Steganography by Corinna John (CPOL)
  - Can hide multiple files which are stored before the central directory
  - Can encrypt the hidden files with a password
- ZJMask by Vincent Chu (freeware)
  - Can hide only one file and it is pre-pended to the archive
  - Can encrypt the hidden file with a password
Archive vulnerabilities | ZIP
Discovered vulnerabilities:
- RLC_VSA_001 - Extensive header modification
  - Vulnerability:
  - Implication:
Archive vulnerabilities | ZIP
Discovered vulnerabilities:
- RLC_VSA_002 - Password only for the first file
  - Implication:
    assuming that the whole archive was password protected
Archive vulnerabilities | ZIP
Discovered vulnerabilities:
- RLC_VSA_006 - ZIP appended to ZIP SFX
  - Vulnerability:
  - Implication:
Archive vulnerabilities | ZIP
Discovered vulnerabilities:
- RLC_VSA_011 - Utilization of extra field
  - Vulnerability:
  - Implication:
    extra fields in the central ZIP directory
Archive vulnerabilities | ZIP
Discovered vulnerabilities:
- RLC_VSA_012 - Fake ZIP64 archive
  - Vulnerability:
    - Zip64 End of central directory record structure
    - Zip64 End of central directory locator structure
  - Implications:
    by the vendor
Archive vulnerabilities | ZIP
Discovered vulnerabilities:
  - Vulnerability:
    via local ZIP directory data
  - Implications:
    generic scanners failed to detect local ZIP directory
Archive vulnerabilities | ZIP
Discovered vulnerabilities:
- RLC_VSA_014 - Utilization of FileComment field
  - Vulnerability:
  - Implication:
    extra comment field in the central ZIP directory
Archive vulnerabilities | ZIP
Discovered vulnerabilities:
- RLC_VSA_015 - Bad compression algorithm
  - Vulnerability:
    added by any archiver program other than WinZIP
  - Implications:
    the unsupported compression algorithm was found
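A structural ZIP inspector, added here as an example and not code from the slides or from NyxEngine, that looks for the ZIP steganography carriers and ZIP vulnerability patterns listed above: a NULL byte in a stored file name, an entry count in the end-of-central-directory record that does not match what the central directory actually holds, extra fields and file comments, compression methods other than STORED/DEFLATE, and byte ranges that no record claims (data prepended to the archive, slack before the central directory, or data appended after the EOCD). The fixtures are constructed with Python's zipfile module; the 64-byte trailer is a stand-in for injected data, not any tool's real output, and ZIP64 locators are not handled.

```python
import io
import struct
import zipfile

EOCD_SIG, CEN_SIG, LOC_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"

def inspect_zip(data: bytes) -> dict:
    """Walk the central directory; report structural oddities and byte ranges no record accounts for (ZIP64 not handled)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0: raise ValueError("no end-of-central-directory record")
    _, _, _, count, cd_size, cd_off, clen = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    findings, regions = [], [(eocd, eocd + 22 + clen), (cd_off, cd_off + cd_size)]
    pos, walked = cd_off, 0
    # walk by declared directory size rather than by entry count, so a decremented count is visible
    while pos + 46 <= cd_off + cd_size and data[pos:pos + 4] == CEN_SIG:
        h = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        method, csize, nlen, elen, mlen, loff = h[3], h[7], h[9], h[10], h[11], h[15]
        name = data[pos + 46:pos + 46 + nlen]
        if b"\x00" in name:                    # NULL byte inside the stored file name
            findings.append(("nul-in-name", name))
        if method not in (0, 8):               # anything but STORED/DEFLATE is rare in practice
            findings.append(("unusual-method", name, method))
        if elen or mlen:                       # extra field or comment can carry foreign data
            findings.append(("extra-or-comment", name, elen, mlen))
        if data[loff:loff + 4] == LOC_SIG:     # local header carries its own name/extra lengths
            lh = struct.unpack_from("<HHHHIIIHH", data, loff + 6)
            end = loff + 30 + lh[7] + lh[8] + csize
            if lh[0] & 8:                      # data descriptor trails the data, optional signature
                end += 16 if data[end:end + 4] == b"PK\x07\x08" else 12
            regions.append((loff, end))
        else:
            findings.append(("bad-local-offset", name, loff))
        pos, walked = pos + 46 + nlen + elen + mlen, walked + 1
    if walked != count:
        findings.append(("entry-count-mismatch", count, walked))
    cursor, gaps = 0, []                       # bytes no record claims: prepended, slack, or trailing
    for start, end in sorted(regions):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < len(data):
        gaps.append((cursor, len(data)))
    return {"entries": walked, "findings": findings, "gaps": gaps}

def build_samples():
    buf = io.BytesIO()                         # constructed fixture: a clean two-file archive
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "plain text payload")
        zf.writestr("data.bin", bytes(range(64)))
    # second fixture: the same bytes with 64 foreign bytes appended after the EOCD record
    return buf.getvalue(), buf.getvalue() + b"HIDDEN" * 10 + b"\x00" * 4
```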
Archive vulnerabilities | RAR
Discovered vulnerabilities:
- RLC_VSA_003 - HEAD_FLAGS tampering
  - Vulnerability:
  - Implications:
    files whose first block was a temporary block write protected. Adding files to such an archive corrupts it.
Archive vulnerabilities | RAR
Discovered vulnerabilities:
- RLC_VSA_005 - Password only for the first file
  - Implication:
    assuming that the whole archive was password protected
Archive vulnerabilities | RAR
Discovered vulnerabilities:
- RLC_VSA_008 - Bad extract version requirements
  - Vulnerability:
  - Implications:
    meet
Archive vulnerabilities | CAB
Discovered vulnerabilities:
- RLC_VSA_004 - Incorrect decompressed size
  - Vulnerability:
    some scanners
  - Implications:
    as some scanners tried to allocate the whole 4GB file first. Some skipped over the file due to its size.
Archive vulnerabilities | GZIP
Discovered vulnerabilities:
- RLC_VSA_007 - Adding documented extra fields
  - Vulnerability:
  - Implications:
    data and skipped the file inspection
Archive vulnerabilities | 7Zip
Discovered vulnerabilities:
- RLC_VSA_009 - Incorrect start header CRC
  - Vulnerability:
  - Implications:
    header checksum
Archive vulnerabilities | 7Zip
Discovered vulnerabilities:
- RLC_VSA_010 - Null out first header block
  - Vulnerability:
    - StartHeaderCRC, NextHeaderOffset, NextHeaderSize and NextHeaderCRC to NULL
  - Implications:
    format valid archive header
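A 7z signature header validator, added here as an example (not the slides' or NyxEngine's code), covering the two 7Zip cases above: it recomputes StartHeaderCRC over NextHeaderOffset, NextHeaderSize and NextHeaderCRC (the RLC_VSA_009 case), reports an all-zero start header (the RLC_VSA_010 case), and checks that the next header lies inside the file and matches NextHeaderCRC. The layout used (6-byte signature, 2 version bytes, StartHeaderCRC over the following 20 bytes, NextHeaderOffset counted from the end of the 32-byte header) is the documented 7z format; the "next header" bytes in the fixture are an opaque constructed blob that the checker only CRCs and does not parse.

```python
import struct
import zlib

SEVENZ_SIG = b"7z\xbc\xaf\x27\x1c"

def check_7z_signature_header(data: bytes) -> str:
    """Classify the 32-byte 7z signature header; returns 'ok' or the first problem found."""
    if len(data) < 32 or data[:6] != SEVENZ_SIG:
        return "not-7z"
    # after the 6-byte signature: version (2 bytes, skipped), StartHeaderCRC (4), then the
    # 20-byte start header it covers: NextHeaderOffset (8), NextHeaderSize (8), NextHeaderCRC (4)
    start_crc, next_off, next_size, next_crc = struct.unpack_from("<xxIQQI", data, 6)
    if start_crc == next_off == next_size == next_crc == 0:
        return "nulled-start-header"          # every field zeroed: the RLC_VSA_010 pattern
    if zlib.crc32(data[12:32]) != start_crc:
        return "start-header-crc-mismatch"    # fields edited without fixing the CRC: RLC_VSA_009
    begin = 32 + next_off                     # NextHeaderOffset counts from the end of the signature header
    if next_size == 0 or begin + next_size > len(data):
        return "next-header-out-of-bounds"
    if zlib.crc32(data[begin:begin + next_size]) != next_crc:
        return "next-header-crc-mismatch"
    return "ok"

def build_7z_samples():
    """Constructed fixtures: a correct header over a dummy packed stream and an opaque next-header blob,
    plus a copy with a wrong StartHeaderCRC and a copy with the start header zeroed."""
    packed, next_hdr = b"\x00" * 40, b"NEXT-HEADER-PLACEHOLDER"   # not real 7z property data
    start = struct.pack("<QQI", len(packed), len(next_hdr), zlib.crc32(next_hdr))
    good = SEVENZ_SIG + b"\x00\x04" + struct.pack("<I", zlib.crc32(start)) + start + packed + next_hdr
    bad_crc = good[:8] + struct.pack("<I", zlib.crc32(start) ^ 1) + good[12:]
    nulled = good[:8] + b"\x00" * 24 + good[32:]
    return good, bad_crc, nulled
```

A scanner that trusts the nulled or mismatched header and skips the file is exactly the failure the slides describe; the defensive choice is to treat any result other than "ok" as an archive to inspect rather than to pass through.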
Test | Conclusions
ReversingLabs archive inspection test conclusions:
1. Files could still be malformed to carry hidden payload
2. Malformed files can be automatically fixed, making them valid on endpoint PCs
4. Content hidden by steganography principles can have a self-destruct button
DEMO | Steganography
Demonstration #1:
- Hex editing:
  - Hiding existing file(s) inside ZIP archive
  - Inserting hidden message into ZIP archive
  - Inventing file formats
- Tool:
  - ZIPInsider
NyxEngine
NyxEngine | Introduction
Introduction to the NyxEngine
- Who is Nyx?
- What does it do?
  - Does archive pre-processing
  - Inspects archive for viable hidden data
  - Recovers broken and/or hidden files
  - Acts like an exploit shield
- How can I use it?
  - Nyx is a free library and it comes with its SDK
  - NyxConsole, example of SDK implementation
  - Plugin for Total Commander and PowerArchiver
NyxEngine | Functionality
NyxEngine functional groups:
- Archive identification
  - Supports: ZIP, RAR, CAB and GZIP
- Packed content browsing
  - Traverse the packed content one file at a time
  - Retrieve information about packed content
  - Extract selected file slice
- Archive validation
  - Checks if the archive is corrupted beyond recovering
- Archive inspection
  - Search for steganography content
- Recover salvageable corrupted content
NyxEngine | Exploit shield
NyxEngine exploit shield
- Archive pre-processing protects from:
  - Stored file name length and content
  - Suspicious compression ratio (archive bombs)
  - Extract algorithm requirements
  - Checksum tampering
  - Multi-disk tampering
  - File entry duplication
- Description & ReversingLabs VSA for every exploit
NyxEngine | DEMO
NyxEngine demo
- NyxConsole tested on ReversingLabs VSA
- NyxConsole tested on ZIP stegano solutions
- NyxEngine corrupted file recovery
Questions?
(What Would You Like to Know)