SWF Data Hiding

“Data Hiding in the SWF Format and Spreading through Social Network Services” Alexandros Zaharis, Adamantini I. Martini, Christos Ilioudis [email protected] , [email protected], [email protected] ~WDFIA 2009~

Upload: alexzaharis

Post on 02-Dec-2014


DESCRIPTION

Hiding information in Facebook and other social networks through [email protected]

TRANSCRIPT

Page 1: SWF Data hiding

“Data Hiding in the SWF Format and Spreading through Social Network Services”

Alexandros Zaharis, Adamantini I. Martini, Christos Ilioudis

[email protected], [email protected], [email protected]

~WDFIA 2009~

Page 2: SWF Data hiding

Index

1. Contribution
2. The SWF Adobe® Flash® Format
3. Social Networks and Illegal Communities
4. Proposed Data Hiding Techniques
5. Proposed Detection Methodology
6. Future Work & Conclusions
7. Questions

Page 3: SWF Data hiding

Contribution

1. Present a fresh Data Hiding Technique by exploiting the popular SWF Flash format.
2. Spread hidden information through the two most popular Social Networks while unveiling the lack of detection.
3. Present a Detection Methodology that could be used in a Forensics Investigation.

Page 4: SWF Data hiding

The SWF Format (1/2)

The SWF file format (standing for "ShockWave Flash", later "Small Web Format") is an open repository for multimedia and vector graphics, from Adobe.

Small enough for publication on the Web, it functions as the dominant format for displaying "animated" vector graphics, and it carries a scripting language (ActionScript).

SWF files can be generated from within:

1. Adobe products: Flash, Flex Builder.
2. Other: the open source Motion-Twin ActionScript 2 Compiler (MTASC), SWiSH Max2 and Flagstone software.

SWF files can be played by the Adobe Flash Player, or be encapsulated with the player, creating a self-running SWF movie called a "projector".

Based on an independent study (Millward Brown), over 99% of web users have an SWF plugin installed, with around 90% having the latest version.

Page 5: SWF Data hiding

The SWF Format (2/2)

Supported formats to import inside SWF

File types included inside an SWF file can be:

1. Image Files
2. Video Files
3. Sound Files
4. Fonts
5. ActionScript

“An SWF is a container of Files”

[Figure: the SWF file drawn as a container holding the five resource types listed above.]

Page 6: SWF Data hiding

SWF and security issues

- Redirection by malicious SWF files: 2% of spam sites visited (August 08), the 'GetURL' attack.
- Hiding malicious payload inside SWF files and attacking the Flash Player.
- Data hiding of textual information inside ActionScript.

Tools: SWFIntruder, SWFDump, Flare

[Figure: the SWF shown as ActionScript plus Multimedia Resources; the label "Security issues up to date" points at the ActionScript part.]

Page 7: SWF Data hiding

Why Hiding in SWF?

Easily spread. SWF is used for:

1. Web pages
2. Banners (easy to exchange)
3. Games (innocent looking, easily spread in Social Networks)
4. Presentations/Galleries
5. Applications

No previous detection methodology. Easy to hide and retrieve information. Huge relative hiding ratio. SWF files are never altered when uploaded. Game console and mobile phone friendly.

[Figure: "Our approach" points at the Multimedia Resources part of the SWF (not the ActionScript); the labels read "1kb" for the SWF file and "1kb - 10mb of hidden information".]

Page 8: SWF Data hiding

Social Network Services

“A social network service focuses on building online communities of people who share interests and/or activities, or who are interested in exploring the interests and activities of others.“

(Credit: Compete.com)

Page 9: SWF Data hiding

Social Network Services facts

Facebook:
* No. 1 photo sharing application on the Web
* More than 14 million photos uploaded daily
* More than 6 million active user groups on the site

MySpace:
* 1.5 Billion images
* 8 Million images being uploaded per day
* 10 Billion friend relationships

100 million unique users play thousands of flash games across their network each month.

“Huge Quantity of data and users to Monitor”

Page 10: SWF Data hiding

Illegal Communities& Social Networks

Communities have been reported to perform illegal activities such as:

1. Spreading illegal ideas/ideologies (ex. pro-mafia groups).
2. Exchanging documents.
3. Recruiting new members.
4. Funding illegal groups.

Why exchange information through social networks?

1. Anonymity.
2. Large amount of legitimate traffic to use as a cover.
3. Lack of international laws on information.

Page 11: SWF Data hiding

Who would hide information in a Social Network?

While terrorism (ex. eBay) is the worst scenario today, both good and bad parties could use social networks and data hiding to keep their communications secret, including:

1. Intelligence services.
2. Corporations with trade secrets to protect.
3. People concerned about government eavesdropping.
4. Organized crime.
5. Drug traffickers.
6. Money launderers.
7. Child pornographers.
8. Weapons traffickers.
9. Criminal gangs.

Page 12: SWF Data hiding

Proposed Data Hiding Techniques

Proof of concept SWF game developed (“TalkmeInto v1.0”) using Adobe Flash CS3.

Two Data Hiding Techniques presented & tested.

The total size of the hidden files is 127.2 Kb while the total size of the game is 548 Kb.

Files can be found here:

• http://sites.google.com/site/greekforensicscommunity/Home/talkmeinto.rar

Page 13: SWF Data hiding

Data hiding Technique 1

1. Type: “Hiding inside unread SWF key frames”.
2. File types hidden: ai, png, bmp, jpeg, emf, gif, wmf, pct, qtif, tga, tiff, wav, mp3, aif, mov, avi, mpeg, flv, wmv.
3. Description:
- Basic knowledge of Flash development needed.
- Performed in any version of Adobe Flash.
- Any secret file can be placed in a frame or frames that are not going to be accessible by the gamer/user of the flash application.
- Size of hidden data unlimited (theoretically).
- Secret information hidden in plain sight.

Page 14: SWF Data hiding

Data hiding Technique 1

Secret image (“papergirl.jpg”) is hidden inside: Scene 1 -> Movie Clip Instance “back” -> “image” Layer -> Frame 2

Simple ActionScript is used to stop the movie on Frame 1.

Page 15: SWF Data hiding

Data Retrieval

Step 1: Decompile the SWF file, using a commercial or free SWF decompiler, in order to list all the resources.

Step 2: Browse the graphic resources, locate and save the previously invisible “papergirl.jpg”.

This steganalysis method can be described as a “visual attack”, which is difficult to automate!

(Screenshot: Flash Decompiler Trillix, demo version)

Page 16: SWF Data hiding

Data hiding Technique 2

1. Type: “Mp3 steganography imported in SWF files”
2. File types hidden: All file types.
3. Description:

Step 1: Choose a file (all file types supported) to be hidden.
Step 2: Choose an mp3 file as the stego-carrier file.
Step 3: Use steganography tools to hide the information inside the stego-carrier file.
Step 4A: Manually import the stego-carrier mp3 file inside an SWF file using any version of Adobe Flash.
Step 4B: Automatically import the stego-carrier mp3 file inside an SWF file using Java code.*

* mp32swfembedder program developed, utilizing the Flagstone open source library.

Page 17: SWF Data hiding

Why Mp3 steganography?

Choosing carrier file types.

1. Files, when imported inside Flash, are compressed or re-encoded.

2. Importing steganography inside Flash therefore fails for most of the supported formats.

3. The mp3 format is the only one not altered when imported.*

* A few bytes are added at the end of the mp3 file.

Page 18: SWF Data hiding

Data hiding Technique 2: Auto-import

[Figure: multi-hiding process. A PC runs the steganography tool ("STEG") and mp32swfembedder, and the resulting SWF is published to the WEB.]

Page 19: SWF Data hiding

Data Retrieval

Step 1: Decompile the SWF file, using a commercial or free SWF decompiler, to list all the resources.

Step 2: Browse the audio resources, view and save the stego-carrier mp3 file.

Step 3: “Tweak” the saved mp3 file in a proper way (optional step).

Step 4: Apply inverse steganography (extraction) to obtain the secret file.

Delete the extra bytes to retrieve proper mp3 files!

Page 20: SWF Data hiding

Spreading Technique

In order to spread a stego-carrier SWF file <S>:

Step 1*: Upload <S> on an anonymous web server or an SWF hosting service without revealing the uploader's IP address.
Step 2*: Obtain the URL link directing to <S>.
Step 3: Create an anonymous email account <E> in order to use it to register on social network websites.
Step 4: Register with a fake identity on the social networks which are going to be used to spread hidden information.
Step 5: Use special applications or HTML code in order to embed <S> in a profile page, group pages or other user pages.
Step 6: Invite/inform other users secretly.

* optional steps

[Figure: illustration of both embedding techniques]

Page 21: SWF Data hiding

Examples - Facebook

The native Facebook flash player approach:

Using the Flash Player application, a user can upload SWF files to a Facebook hosting server.

The SWF file is previewed inside the page created, along with other information added by the administrator/creator.

The “TalkmeInto” public page can be accessed through the following URL: http://www.facebook.com/home.php#/pages/TalkmeInto/74719738815 or for direct SWF access here

To make the transaction more secure and less suspicious, attract legitimate users who are not aware of the underlying hidden information.

The browser automatically downloads the SWF file on preview.

Page 22: SWF Data hiding

Examples - Facebook

Legitimate users as a cover

Page 23: SWF Data hiding

Examples - MySpace

In order to post links to SWF files anywhere inside a MySpace profile, simple HTML embedding code is used. The SWF file must first be uploaded to a third party server. Links to SWF files can be posted as comments on users' profiles during a conversation, making hidden information easy to spread.

A fake MySpace profile containing the “TalkmeInto” SWF game can be accessed through the following URL: http://www.myspace.com/458277409

<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" height="200" width="200">
  <param name="allowScriptAccess" value="never" />
  <param name="allowNetworking" value="internal" />
  <param name="movie" value="http://photos-b.ak.fbcdn.net/photos-ak-snc1/genericv2b/284/81/01AwcA9kYVM5kAfakKAAAAEWWku78:.swf" />
  <param name="wmode" value="transparent" />
  <param name="quality" value="high" />
  <embed type="application/x-shockwave-flash" allowScriptAccess="never" allowNetworking="internal" src="http://photos-b.ak.fbcdn.net/photos-ak-snc1/genericv2b/284/81/01AwcA9kYVM5kAfakKAAAAEWWku78:.swf" height="200" width="200" wmode="transparent" quality="high" />
</object>

Page 24: SWF Data hiding

Examples - MySpace

Comment post helps spreading in different profiles

Page 25: SWF Data hiding

Proposed Detection Methodology

Step 1: Locate/download the suspicious SWF file.

Step 2: Decompile the SWF file, using a commercial or free SWF decompiler, in order to list all the resources embedded.

Step 3: Manually inspect every file resource for suspicious files or evidence (“visual attack”).

Step 4: Check the ActionScript used by the SWF to locate suspicious text messages or textual evidence (ex. URLs, passwords).

Step 5: Collect the mp3 files embedded.

Step 6: Analyze all mp3 files to identify steganography using steganalysis tools.

Step 7: Extract hidden data / evidence.

* SWF must be treated as a container of files.

[Figure: the SWF file drawn as a container of ActionScript, Video, Images and Sounds.]
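Steps 2 to 5 above, and the "SWF is a container of files" view from slide 5, can be carried out directly on the tag structure of the format instead of by hand in a decompiler. The following Python is an added example written for this page; it is not a tool from the paper and not the mp32swfembedder program. It reads the FWS/CWS header, walks the tag list (descending into DefineSprite movie clips, where slide 14 hides its image), inventories image and sound tags, strips the SeekSamples prefix from MP3 DefineSound data so the mp3 can be saved, and counts ActionStop opcodes as a hint that later frames are never displayed. Tag codes and field layouts are from the public SWF specification; the two-frame sample movie, its dummy JPEG bytes and its dummy MP3 frame are constructed so the block runs offline.

```python
import struct
import zlib

# Tag codes from the SWF file format specification (only the subset used for an inventory).
TAG_NAMES = {0: "End", 1: "ShowFrame", 6: "DefineBits", 12: "DoAction", 14: "DefineSound",
             20: "DefineBitsLossless", 21: "DefineBitsJPEG2", 35: "DefineBitsJPEG3",
             36: "DefineBitsLossless2", 39: "DefineSprite", 60: "DefineVideoStream",
             61: "VideoFrame", 69: "FileAttributes"}
IMAGE_TAGS = {6, 20, 21, 35, 36}
SOUND_FORMATS = {0: "PCM", 1: "ADPCM", 2: "MP3", 3: "PCM-LE", 6: "Nellymoser"}
ACTION_STOP = 0x07  # AVM1 ActionStop opcode (what a "stop();" on frame 1 compiles to)

def decompress_swf(data):
    """Return (version, declared uncompressed length, body) for FWS (plain) or CWS (zlib) files."""
    sig, version, length = data[:3], data[3], struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        return version, length, data[8:]
    if sig == b"CWS":
        return version, length, zlib.decompress(data[8:])
    raise ValueError("not an FWS/CWS file: %r" % sig)

def iter_tags(body, offset, depth=0):
    """Yield (code, payload, depth) for every tag, descending into DefineSprite movie clips."""
    while offset + 2 <= len(body):
        head = struct.unpack_from("<H", body, offset)[0]
        offset += 2
        code, length = head >> 6, head & 0x3F
        if length == 0x3F:  # long form: an explicit UI32 length follows the header
            length = struct.unpack_from("<I", body, offset)[0]
            offset += 4
        payload = body[offset:offset + length]
        offset += length
        yield code, payload, depth
        if code == 39:  # DefineSprite: UI16 id, UI16 frame count, then the clip's own tags
            yield from iter_tags(payload, 4, depth + 1)
        if code == 0:
            return

def count_stop_actions(actions):
    """Walk AVM1 action records (opcodes >= 0x80 carry a UI16 length plus data) and count ActionStop."""
    n, i = 0, 0
    while i < len(actions) and actions[i] != 0:
        code = actions[i]
        i += 1
        if code >= 0x80:
            i += 2 + struct.unpack_from("<H", actions, i)[0]
        n += code == ACTION_STOP
    return n

def inventory(swf_bytes):
    """Step 2 of the methodology: list every embedded resource, plus counters used for triage."""
    version, _, body = decompress_swf(swf_bytes)
    pos = (5 + 4 * (body[0] >> 3) + 7) // 8                     # RECT: 5-bit nbits, four nbits fields
    frame_count = struct.unpack_from("<H", body, pos + 2)[0]    # UI16 frame rate, then UI16 frame count
    pos += 4
    rep = {"version": version, "declared_frames": frame_count, "show_frames": 0,
           "images": [], "sounds": [], "stop_actions": 0, "tags": []}
    for code, payload, depth in iter_tags(body, pos):
        rep["tags"].append(TAG_NAMES.get(code, "Unknown(%d)" % code))
        if code == 1 and depth == 0:
            rep["show_frames"] += 1
        elif code in IMAGE_TAGS:  # every image tag starts with its UI16 character id
            rep["images"].append((struct.unpack_from("<H", payload)[0], TAG_NAMES[code], len(payload) - 2))
        elif code == 14:  # DefineSound: UI16 id, UI8 format|rate|size|type, UI32 sample count, data
            sound_id, flags, _samples = struct.unpack_from("<HBI", payload)
            fmt, data = flags >> 4, payload[7:]
            if fmt == 2:
                data = data[2:]  # MP3SOUNDDATA is prefixed by an SI16 SeekSamples field
            rep["sounds"].append((sound_id, SOUND_FORMATS.get(fmt, str(fmt)), data))
        elif code == 12:
            rep["stop_actions"] += count_stop_actions(payload)
    return rep

def triage(rep):
    """Steps 3 to 5: turn the inventory into the follow-ups an examiner would perform."""
    findings = []
    if rep["stop_actions"] and rep["declared_frames"] > 1:
        findings.append("ActionStop with %d declared frames: later frames may never be shown, "
                        "inspect every image resource manually" % rep["declared_frames"])
    for sound_id, fmt, data in rep["sounds"]:
        if fmt == "MP3":
            findings.append("MP3 sound id %d (%d bytes): save it and run steganalysis" % (sound_id, len(data)))
    return findings

def _tag(code, payload):
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload

def build_sample_swf(compressed=False):
    """Constructed two-frame movie shaped like slide 14: frame 1 stops playback (at top level and
    inside a movie clip), frame 2 carries an image and an MP3 sound. Media payloads are dummy bytes."""
    image = b"\xff\xd8\xff\xe0" + b"\x00" * 40                  # 44 dummy JPEG bytes
    mp3 = b"\xff\xfb\x90\x00" + b"\x00" * 413                   # one dummy 128 kbit/s MP3 frame
    clip = struct.pack("<HH", 3, 2) + _tag(12, b"\x07\x00") + _tag(1, b"") + _tag(1, b"") + _tag(0, b"")
    tags = (_tag(69, b"\x00" * 4) + _tag(12, b"\x07\x00") + _tag(39, clip) + _tag(1, b"")
            + _tag(21, struct.pack("<H", 1) + image)
            + _tag(14, struct.pack("<HBIh", 2, 0x2F, 1152, 0) + mp3)  # MP3, 44 kHz, 16-bit, stereo
            + _tag(1, b"") + _tag(0, b""))
    body = b"\x08\x00" + struct.pack("<HH", 12 << 8, 2) + tags  # RECT with nbits=1, 12 fps, 2 frames
    header = bytes([8]) + struct.pack("<I", 8 + len(body))     # version 8, uncompressed length
    return b"CWS" + header + zlib.compress(body) if compressed else b"FWS" + header + body
```

Running `triage(inventory(open(path, "rb").read()))` on a downloaded file gives the examiner the list of images to look at and the mp3 payloads to write out for steganalysis; the ActionStop count is only a hint, since a legitimate menu screen also stops on its first frame, which is why step 3 stays a manual inspection. ZWS (LZMA) files and AVM2 DoABC bytecode are outside what this block parses.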

Page 26: SWF Data hiding

Conclusions & Future Work

From now on, the SWF format becomes a popular data hiding medium that must be thoroughly examined during any Forensics Investigation.

Steganography can be uploaded on Social Networks and spread easily.

Future work:

- A detection tool must be developed in order to automatically detect steganography contained inside SWF files.
- A tool for automatic hiding-posting-retrieving can be developed as a proof of concept.
- A specific policy must be described, as far as the content uploaded, embedded and shared on social networks is concerned.

Page 27: SWF Data hiding

Questions?

Thank you.

Alexandros Zaharis, Adamantini I. Martini, Christos Ilioudis

[email protected], [email protected], [email protected]