swfcryptfinal-090702061037-phpapp02

Upload: toan-tran

Post on 03-Apr-2018


TRANSCRIPT

  • 7/29/2019 swfcryptfinal-090702061037-phpapp02

    1/27

    Data Hiding in the SWF Format
    and Spreading through Social Network Services

    Alexandros Zaharis, Adamantini I. Martini,
    Christos Ilioudis

    [email protected],
    [email protected], [email protected]

    ~WDFIA 2009~


    2/27

    Index

    Contribution
    The SWF Adobe Flash Format
    Social Networks and Illegal Communities
    Proposed Data Hiding Techniques
    Proposed Detection Methodology
    Future Work & Conclusions
    Questions


    3/27

    Contribution

    Present a fresh data hiding technique that exploits the popular SWF Flash format.

    Spread hidden information through the two most popular social networks, while unveiling the lack of detection.

    Present a detection methodology that could be used in a forensics investigation.


    4/27

    The SWF Format (1/2)

    The SWF file format (standing for "ShockWave Flash", later "Small Web Format") is Adobe's open format for multimedia and vector graphics.

    Small enough for publication on the Web, it functions as the dominant format for displaying "animated" vector graphics, and carries a scripting language (ActionScript). SWF files can be generated from within:
    1. Adobe products: Flash, Flex Builder.
    2. Others: the open source Motion-Twin ActionScript 2 Compiler (MTASC), SWiSH Max2 and Flagstone software.

    SWF files can be played by the Adobe Flash Player, or be encapsulated with the player, creating a self-running SWF movie called a "projector".

    Based on an independent study (Millward Brown), over 99% of web users have an SWF plugin installed, with around 90% having the latest version.


    5/27

    The SWF Format (2/2)

    Supported formats to import inside SWF

    File types included inside an SWF file can be:
    1. Image files
    2. Video files
    3. Sound files
    4. Fonts
    5. ActionScript

    An SWF is a container of files.

    [Figure: an SWF shown as a container of the file types listed above]


    6/27

    SWF and security issues

    Redirection by malicious SWF files:
    - 2% of spam sites visited (August 08)
    - GetURL attack.

    Hiding malicious payload inside SWF files and attacking Flash Player.

    Data hiding: textual info inside ActionScript.

    Tools:
    1. SWFIntruder
    2. SWFDump
    3. Flare

    [Figure: "Security issues up to date" - an SWF split into ActionScript and multimedia resources]


    7/27

    Why hiding in SWF?

    Easily spread. SWF is used for:
    1. Web pages
    2. Banners (easy to exchange)
    3. Games (innocent looking, easily spread in social networks)
    4. Presentations/galleries
    5. Applications

    No previous detection methodology. Easy to hide and retrieve information. Huge relative hiding ratio. SWF files are never altered when uploaded. Game console and mobile phone friendly.

    [Figure: "Our approach" - an SWF file (ActionScript and multimedia resources) carrying 1 KB - 10 MB of hidden information]


    8/27

    Social Network Services

    A social network service focuses on building online communities of people who share interests and/or activities, or who are interested in exploring the interests and activities of others.

    (Credit: Compete.com)


    9/27

    Social Network Services facts

    Facebook
    * No. 1 photo sharing application on the Web
    * More than 14 million photos uploaded daily
    * More than 6 million active user groups on the site

    MySpace
    * 1.5 billion images
    * 8 million images being uploaded per day
    * 10 billion friend relationships

    100 million unique users play thousands of Flash games across their network each month.

    } Huge quantity of data and users to monitor


    10/27

    Illegal Communities & Social Networks

    Communities have been reported to perform illegal activities such as:
    1. Spreading illegal ideas/ideologies (ex. pro-mafia groups).
    2. Exchanging documents.
    3. Recruiting new members.
    4. Funding illegal groups.

    Why exchange information through social networks?
    1. Anonymity.
    2. Large amount of legitimate traffic to use as a cover.
    3. Lack of international information laws.


    11/27

    Who would hide information in a Social Network?

    While terrorism (ex. eBay) is the worst scenario today, both good and bad parties could use social networks and data hiding to keep their communications secret, including:
    1. Intelligence services.
    2. Corporations with trade secrets to protect.
    3. People concerned about government eavesdropping.
    4. Organized crime.
    5. Drug traffickers.
    6. Money launderers.
    7. Child pornographers.
    8. Weapons traffickers.
    9. Criminal gangs.


    12/27

    Proposed Data Hiding Techniques

    Proof of concept SWF game developed (TalkmeInto v1.0) using Adobe Flash CS3.

    Two data hiding techniques presented & tested.

    The total size of the hidden files is 127.2 KB, while the total size of the game is 548 KB.

    Files can be found here:
    http://sites.google.com/site/greekforensicscommunity/Home/talkmeinto.rar

    13/27

    Data hiding Technique 1

    1. Type: Hiding inside unread SWF key frames.
    2. File types hidden: ai, png, bmp, jpeg, emf, gif, wmf, pct, qtif, tga, tiff, wav, mp3, aif, mov, avi, mpeg, flv, wmv.
    3. Description:
    - Basic knowledge of Flash development needed.
    - Performed in any version of Adobe Flash.
    - Any secret file can be placed in a frame or frames that are not going to be accessible by the gamer/user of the Flash application.
    - Size of hidden data unlimited (theoretically).
    - Secret information hidden in plain sight.


    14/27

    Data hiding Technique 1

    Secret image (papergirl.jpg) is hidden inside:
    Scene 1 -> Movie Clip Instance "back" -> image Layer -> Frame 2

    Simple ActionScript used to stop the movie on Frame 1.


    15/27

    Data Retrieval

    Step 1: Decompile the SWF file, using a commercial or free SWF decompiler in order to list all the resources.

    Step 2: Browse the graphic resources, locate and save the previously invisible papergirl.jpg.

    This steganalysis method can be described as a visual attack, difficult to automate!

    [Screenshot: Flash Decompiler Trillix, demo version]


    16/27

    Data hiding Technique 2

    1. Type: MP3 steganography imported in SWF files.
    2. File types hidden: All file types.
    3. Description:
    Step 1: Choose a file (all file types supported) in order to be hidden.
    Step 2: Choose an mp3 file as your stego-carrier file.
    Step 3: Use steganography tools to hide information inside the stego-carrier file.
    Step 4A: Manually import the stego-carrier mp3 file inside an SWF file using any version of Adobe Flash.
    Step 4B: Automatically import the stego-carrier mp3 file inside an SWF file using Java code.*

    * mp32swfembedder program developed, utilizing the Flagstone open source library.
    http://greekforensicscommunity.blogspot.com/2009/04/mp3-2-swfembedder.html

    17/27

    Why MP3 steganography?

    Choosing carrier file types:
    1. Files, when imported inside Flash, are compressed or re-encoded.
    2. Importing steganography inside Flash fails for most of the supported formats.
    3. The MP3 format is the only one not altered when imported.*

    * A few bytes are added at the end of the mp3 file.


    18/27

    Data hiding Technique 2: Auto-import

    [Figure: multi-hiding process - PC, STEG tool, mp32swfembedder and WEB stages]


    19/27

    Data Retrieval

    Step 1: Decompile the SWF file, using a commercial or free SWF decompiler to list all the resources.
    Step 2: Browse the audio resources, view and save the stego-carrier mp3 file.
    Step 3: Tweak the saved mp3 file in a proper way (optional step).
    Step 4: Apply inverse steganography (extraction) to obtain the secret file.

    Delete extra bytes to retrieve proper mp3 files!
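The "tweak" in Step 3 is about the bytes Flash appends after the last MP3 frame: a steganalysis tool that expects a clean MP3 may choke on them. The following is an added example (not a tool from the paper) that walks MPEG-1 Layer III frame headers, which is the usual encoding of MP3s imported into Flash, and splits a recovered buffer into the contiguous run of valid frames and whatever trails them. The sample frames and the trailer bytes are constructed here for the demo; the real trailer Flash adds may differ in length and content, which is exactly why the split is computed from the frame headers rather than by cutting a fixed number of bytes.

```python
"""Separate the valid MPEG-1 Layer III frame run of an MP3 from trailing bytes.

Added example, not the paper's code. Only MPEG-1 Layer III headers are parsed;
an MPEG-2/2.5 or free-format frame stops the walk and ends up in the trailer,
which is the safe failure mode for a forensic trim (nothing is silently cut).
"""
# MPEG-1 Layer III bitrate table (kbps) indexed by the 4-bit bitrate_index field.
BITRATES_KBPS = [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320]
# MPEG-1 sample rates (Hz) indexed by the 2-bit sampling_rate_index field.
SAMPLE_RATES = [44100, 48000, 32000]


def mp3_frame_length(header):
    """Byte length of the MPEG-1 Layer III frame that starts with these 4 bytes, or None.

    header[0..1]: 11 sync bits, version (11 = MPEG-1), layer (01 = III), protection bit.
    header[2]:    bitrate_index (4 bits), sampling_rate_index (2 bits), padding (1 bit), private.
    """
    if len(header) < 4 or header[0] != 0xFF or (header[1] & 0xFE) != 0xFA:
        return None  # not an MPEG-1 Layer III sync word (protection bit is ignored)
    bitrate_idx = header[2] >> 4
    rate_idx = (header[2] >> 2) & 3
    padding = (header[2] >> 1) & 1
    if bitrate_idx in (0, 15) or rate_idx == 3:
        return None  # free-format / reserved values are not handled
    return 144 * BITRATES_KBPS[bitrate_idx] * 1000 // SAMPLE_RATES[rate_idx] + padding


def split_mp3(data):
    """Return (frames, trailer, frame_count).

    `frames` is the longest run of back-to-back valid frames from offset 0;
    `trailer` is everything after it (appended bytes, or a truncated last frame).
    """
    pos, count = 0, 0
    while pos + 4 <= len(data):
        length = mp3_frame_length(data[pos:pos + 4])
        if length is None or pos + length > len(data):
            break
        pos += length
        count += 1
    return data[:pos], data[pos:], count


# --- constructed sample: three 128 kbps / 44.1 kHz frames plus a fake trailer ---
def _fake_frame(padding=0):
    """A frame header (0xFF 0xFB 0x90 -> 128 kbps, 44.1 kHz) followed by zero payload."""
    header = bytes([0xFF, 0xFB, 0x90 | (padding << 1), 0x00])
    return header + b"\x00" * (mp3_frame_length(header) - 4)


SAMPLE_MP3 = _fake_frame() + _fake_frame(1) + _fake_frame()   # 417 + 418 + 417 bytes
SAMPLE_TRAILER = b"TRAILER"                                    # stands in for the appended bytes
SAMPLE_RECOVERED = SAMPLE_MP3 + SAMPLE_TRAILER


if __name__ == "__main__":
    frames, trailer, n = split_mp3(SAMPLE_RECOVERED)
    print("frames: %d (%d bytes), trailer: %r" % (n, len(frames), trailer))
```

In practice, feed the saved carrier file to `split_mp3`, hand `frames` to the steganalysis/extraction tool, and keep `trailer` as part of the evidence record: its length and content are themselves an indicator that the file passed through a Flash import. If the trailer happens to begin with a valid sync word, it will be counted as a frame, so a second check (the frame count against the SoundSampleCount declared in the SWF) is worth adding in a full tool.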


    20/27

    Spreading Technique

    In order to spread a stego-carrier SWF file:
    *Step 1: Upload on an anonymous web-server or an SWF hosting service without unveiling the uploader's IP address.
    *Step 2: Obtain the URL link directing to it.
    Step 3: Create an anonymous email account in order to use it to register on social network websites.
    Step 4: Register with a fake identity to the social networks which are going to be used to spread hidden information.
    Step 5: Use special applications or html code in order to embed it in a profile page, group pages or other user pages.
    Step 6: Invite/inform other users secretly.

    * optional steps

    [Figure: illustration of both embedding techniques (Facebook)]

    21/27

    Examples - Facebook

    The native Facebook Flash player approach:

    Using the Flash Player application a user can upload SWF files on a Facebook hosting server. The SWF file is previewed inside the page created, along with other information added by the administrator/creator.

    The TalkmeInto public page can be accessed through the following URL:
    http://www.facebook.com/home.php#/pages/TalkmeInto/74719738815
    or for direct SWF access here:
    http://photos-b.ak.fbcdn.net/photos-ak-snc1/genericv2b/284/81/01AwcA9kYVM5kAfakKAAAAEWWku78:.swf

    To make the transaction more secure and less suspicious, attract legitimate users not aware of the underlying hidden information.

    The browser automatically downloads the swf file on preview.

    22/27

    Examples - Facebook

    Legitimate users as a cover


    23/27

    Examples - MySpace

    In order to post links to SWF files anywhere inside a MySpace profile, simple html embedding code is used. The SWF file must first be uploaded on a third party server. Links to SWF files can be posted as comments to users' profiles during a conversation, making hidden information easy to spread.

    A fake MySpace profile containing the TalkmeInto SWF game can be accessed through the following URL:
    http://www.myspace.com/458277409

    24/27

    Examples - MySpace

    Comment posts help spreading in different profiles.


    25/27

    Proposed Detection Methodology

    Step 1: Locate/download the suspicious SWF file.
    Step 2: Decompile the SWF file, using a commercial or free SWF decompiler in order to list all the resources embedded.
    Step 3: Manually inspect every file resource for suspicious files or evidence (visual attack).
    Step 4: Check the ActionScript used by the SWF to locate suspicious text messages or textual evidence (ex. URLs, passwords).
    Step 5: Collect the mp3 files embedded.
    Step 6: Analyze all mp3 files to identify steganography using steganalysis tools.
    Step 7: Extract hidden data / evidence.

    * SWF must be treated as a container of files.

    [Figure: the SWF file as a container of ActionScript, video, images and sounds]
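Steps 2, 4 and 5 of the methodology (and the earlier point that an SWF is a container of files) do not strictly need a commercial decompiler: the SWF tag list is a flat, documented structure, so an investigator can enumerate every embedded resource and pull out the MP3 sound data directly. The following is an added example (not the authors' tooling, and not mp32swfembedder) that parses the header of an uncompressed (FWS) or zlib-compressed (CWS) SWF, walks the tags, classifies each one as image / sound / video / ActionScript / font / binary, and returns the raw MP3 payload of every DefineSound tag so it can be passed to a steganalysis tool. Tag codes and record layouts follow the public SWF File Format Specification; the two-tag sample SWF built at the bottom is constructed here for the demo (its "MP3" payload is a placeholder byte string, not real audio).

```python
"""Inventory the resources inside an SWF and pull out embedded MP3 sound data.

Added example (not the paper's tooling). Tag codes and record layouts follow
the public SWF File Format Specification; LZMA-compressed 'ZWS' files are
rejected rather than parsed.
"""
import struct
import zlib

TAG_NAMES = {
    0: "End", 1: "ShowFrame", 6: "DefineBits", 8: "JPEGTables", 10: "DefineFont",
    12: "DoAction", 14: "DefineSound", 18: "SoundStreamHead", 19: "SoundStreamBlock",
    20: "DefineBitsLossless", 21: "DefineBitsJPEG2", 35: "DefineBitsJPEG3",
    36: "DefineBitsLossless2", 39: "DefineSprite", 45: "SoundStreamHead2",
    48: "DefineFont2", 59: "DoInitAction", 60: "DefineVideoStream", 61: "VideoFrame",
    75: "DefineFont3", 82: "DoABC", 87: "DefineBinaryData", 90: "DefineBitsJPEG4",
}
# Every class below is a place a secret file could sit (slide: "SWF is a container of files").
RESOURCE_CLASS = {
    "image": {6, 20, 21, 35, 36, 90}, "sound": {14, 18, 19, 45}, "video": {60, 61},
    "actionscript": {12, 59, 82}, "font": {10, 48, 75}, "binary": {87},
}
MP3_FORMAT = 2  # SoundFormat value meaning MP3 in DefineSound


def _rect_size(data, pos):
    """Byte length of the RECT at data[pos]: UB[5] Nbits, then four fields of Nbits bits."""
    nbits = data[pos] >> 3
    return (5 + 4 * nbits + 7) // 8


def parse_swf(blob):
    """Return (header, tags); tag offsets are into the decompressed body after the 8-byte header."""
    sig, version, declared = blob[:3], blob[3], struct.unpack_from("<I", blob, 4)[0]
    if sig == b"CWS":
        body = zlib.decompress(blob[8:])
    elif sig == b"FWS":
        body = blob[8:]
    else:
        raise ValueError("not an FWS/CWS file (LZMA 'ZWS' not handled): %r" % sig)
    pos = _rect_size(body, 0)                      # skip the FrameSize RECT
    frame_rate, frame_count = struct.unpack_from("<HH", body, pos)
    pos += 4
    tags = []
    while pos + 2 <= len(body):
        code_len = struct.unpack_from("<H", body, pos)[0]
        code, length = code_len >> 6, code_len & 0x3F
        pos += 2
        if length == 0x3F:                         # long header: UI32 length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append({"code": code, "name": TAG_NAMES.get(code, "Unknown(%d)" % code),
                     "offset": pos, "length": length, "body": body[pos:pos + length]})
        pos += length
        if code == 0:                              # End tag closes the list
            break
    header = {"signature": sig.decode(), "version": version, "declared_length": declared,
              "frame_rate": frame_rate / 256.0, "frame_count": frame_count}
    return header, tags


def inventory(tags):
    """Count tags per resource class, so the investigator sees where content can hide."""
    counts = dict.fromkeys(list(RESOURCE_CLASS) + ["other"], 0)
    for t in tags:
        cls = next((c for c, codes in RESOURCE_CLASS.items() if t["code"] in codes), "other")
        counts[cls] += 1
    return counts


def extract_mp3_sounds(tags):
    """Return {SoundId: mp3_bytes} for DefineSound tags whose SoundFormat is MP3.

    DefineSound: SoundId UI16, flags byte (SoundFormat UB[4], SoundRate UB[2], SoundSize
    UB[1], SoundType UB[1]), SoundSampleCount UI32, SoundData; for MP3 the SoundData
    begins with a SI16 SeekSamples field, so the frames start at body offset 9.
    """
    found = {}
    for t in tags:
        if t["code"] == 14 and len(t["body"]) >= 9 and t["body"][2] >> 4 == MP3_FORMAT:
            found[struct.unpack_from("<H", t["body"], 0)[0]] = t["body"][9:]
    return found


# --- constructed sample SWF (one DoAction, one MP3 DefineSound) for the demo ---
def _tag(code, body):
    """Short tag header when the length fits in 6 bits, long (UI32) header otherwise."""
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body


def _rect(xmax, ymax, nbits=15):
    """Bit-packed RECT (xmin, xmax, ymin, ymax in twips) padded to a byte boundary."""
    bits = format(nbits, "05b") + "".join(format(v, "0%db" % nbits) for v in (0, xmax, 0, ymax))
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


SAMPLE_MP3 = b"\xff\xfb\x90\x00" + bytes(range(60))   # constructed stand-in for MP3 frames
SAMPLE_SCRIPT = b"\x07\x00"                             # ActionStop, ActionEnd (stop on frame 1)


def build_sample_swf(compressed=False):
    """550x400 px stage, 12 fps, one frame: a stop() script and an MP3 DefineSound."""
    sound = (struct.pack("<H", 1) + bytes([(MP3_FORMAT << 4) | 0x0F])   # 44 kHz, 16-bit, stereo
             + struct.pack("<Ih", 1152, 0) + SAMPLE_MP3)
    body = (_rect(11000, 8000) + struct.pack("<HH", 12 << 8, 1)
            + _tag(12, SAMPLE_SCRIPT) + _tag(14, sound) + _tag(1, b"") + _tag(0, b""))
    payload = zlib.compress(body) if compressed else body
    return (b"CWS" if compressed else b"FWS") + bytes([8]) + struct.pack("<I", 8 + len(body)) + payload


if __name__ == "__main__":
    hdr, tags = parse_swf(build_sample_swf(compressed=True))
    print(hdr, inventory(tags), {k: len(v) for k, v in extract_mp3_sounds(tags).items()})
```

Run against a real file with `parse_swf(open(path, "rb").read())`; the `inventory` counts give Step 2's resource list, the `DoAction`/`DoABC` tag bodies are the input for Step 4's string search, and `extract_mp3_sounds` performs Step 5. Two caveats for a full tool: `DefineSprite` bodies contain their own nested tag list (a natural place for the Technique 1 "unread frame" resources) and should be walked recursively with the same loop, and `SoundStreamBlock` tags carry MP3 as a stream split across frames, so they need to be concatenated in order before steganalysis.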


    26/27

    Conclusions & Future Work

    As from now, the SWF format becomes a popular data hiding medium that must be thoroughly examined during any forensics investigation.

    Steganography can be uploaded on social networks and spread easily.

    Future work:
    A detection tool must be developed in order to automatically detect steganography contained inside SWF files.
    A tool for automatic hiding-posting-retrieving can be developed as a proof of concept.
    A specific policy must be described, as far as the content uploaded, embedded and shared by social networks is concerned.


    27/27

    Questions?

    Thank you.

    Alexandros Zaharis, Adamantini I. Martini, Christos Ilioudis
    [email protected], [email protected],
    [email protected]