swfcryptfinal-090702061037-phpapp02
TRANSCRIPT
-
7/29/2019 swfcryptfinal-090702061037-phpapp02
1/27
Data Hiding in the SWF Format
and Spreading through Social Network Services
Alexandros Zaharis, Adamantini I. Martini,
Christos Ilioudis
[email protected], [email protected]
~WDFIA 2009~
2/27
Index
Contribution
The SWF Adobe Flash Format
Social Networks and Illegal Communities
Proposed Data Hiding Techniques
Proposed Detection Methodology
Future Work & Conclusions
Questions
3/27
Contribution
Present a fresh data hiding technique by exploiting the popular SWF Flash format.
Spread hidden information through the two most popular social networks while unveiling the lack of detection.
Present a detection methodology that could be used in a forensics investigation.
4/27
The SWF Format (1/2)
The SWF file format (standing for "ShockWave Flash", later "Small Web Format") is Adobe's open repository for multimedia and vector graphics.
Small enough for publication on the Web, it functions as the dominant format for displaying "animated" vector graphics, and it carries a scripting language (ActionScript). SWF files can be generated from within:
1. Adobe products: Flash, Flex Builder.
2. Others: the open source Motion-Twin ActionScript 2 Compiler (MTASC), SWiSH Max2 and Flagstone software.
SWF files can be played by the Adobe Flash Player, or be encapsulated with the player, creating a self-running SWF movie called a "projector".
Based on an independent study (Millward Brown), over 99% of web users have an SWF plugin installed, with around 90% having the latest version.
5/27
The SWF Format (2/2)
Supported formats to import inside SWF
File types included inside an SWF file can be:
1. Image files
2. Video files
3. Sound files
4. Fonts
5. ActionScript
An SWF is a container of files.
6/27
SWF and security issues
Redirection by malicious SWF files.
- 2% of spam sites visited (August 08)
- GetURL attack.
Hiding malicious payload inside SWF files and attacking Flash Player.
Data hiding textual info inside ActionScript.
Tools:
1. SWFIntruder
2. SWFDump
3. Flare
[Figure: SWF as a container of ActionScript and multimedia resources; security issues to date]
7/27
Why hiding in SWF?
Easily spread. SWF is used for:
1. Web pages
2. Banners (easy to exchange)
3. Games (innocent looking, easily spread in social networks)
4. Presentations/Galleries
5. Applications
No previous detection methodology. Easy to hide and retrieve information. Huge relative hiding ratio. SWF files are never altered when uploaded. Game console and mobile phone friendly.
[Figure: our approach; an SWF file with ActionScript and multimedia resources carrying 1 KB - 10 MB of hidden information]
8/27
Social Network Services
A social network service focuses on building online communities of people who share interests and/or activities, or who are interested in exploring the interests and activities of others.
(Credit: Compete.com)
9/27
Social Network Services facts
Facebook
* No. 1 photo sharing application on the Web
* More than 14 million photos uploaded daily
* More than 6 million active user groups on the site
Myspace
* 1.5 billion images
* 8 million images being uploaded per day
* 10 billion friend relationships
100 million unique users play thousands of flash games across their network each month.
} Huge quantity of data and users to monitor
10/27
Illegal Communities & Social Networks
Communities have been reported to perform illegal activities such as:
1. Spreading illegal ideas/ideologies (ex. pro-mafia groups).
2. Exchanging documents.
3. Recruiting new members.
4. Funding illegal groups.
Why exchange information through social networks?
1. Anonymity.
2. Large amount of legitimate traffic to use as a cover.
3. Lack of international information laws.
11/27
Who would hide information in a Social Network?
While terrorism (ex. eBay) is the worst scenario today, both good and bad parties could use social networks and data hiding to keep their communications secret, including:
1. Intelligence services.
2. Corporations with trade secrets to protect.
3. People concerned about government eavesdropping.
4. Organized crime.
5. Drug traffickers.
6. Money launderers.
7. Child pornographers.
8. Weapons traffickers.
9. Criminal gangs.
12/27
Proposed Data Hiding Techniques
Proof of concept SWF game developed (TalkmeInto v1.0) using Adobe Flash CS3.
Two data hiding techniques presented & tested.
The total size of the hidden files is 127.2 KB while the total size of the game is 548 KB.
Files can be found here:
http://sites.google.com/site/greekforensicscommunity/Home/talkmeinto.rar
13/27
Data hiding Technique 1
1. Type: Hiding inside unread SWF key frames.
2. File types hidden: ai, png, bmp, jpeg, emf, gif, wmf, pct, qtif, tga, tiff, wav, mp3, aif, mov, avi, mpeg, flv, wmv.
3. Description:
- Basic knowledge of Flash development needed.
- Performed in any version of Adobe Flash.
- Any secret file can be placed in a frame or frames that are not going to be accessible by the gamer/user of the flash application.
- Size of hidden data unlimited (theoretically).
- Secret information hidden in plain sight.
14/27
Data hiding Technique 1
Secret image (papergirl.jpg) is hidden inside:
Scene 1 -> Movie Clip Instance back -> image Layer -> Frame 2
Simple ActionScript used to stop the movie on Frame 1
15/27
Data Retrieval
Step 1: Decompile the SWF file, using a commercial or free SWF decompiler in order to list all the resources.
Step 2: Browse the graphic resources, locate and save the previously invisible papergirl.jpg.
This steganalysis method can be described as a visual attack, which is difficult to automate!
Flash Decompiler Trillix demo version
16/27
Data hiding Technique 2
1. Type: Mp3 steganography imported in SWF files
2. File types hidden: All file types.
3. Description:
Step 1: Choose a file (all file types supported) in order to be hidden.
Step 2: Choose an mp3 file as your stego-carrier file.
Step 3: Use steganography tools to hide information inside the stego-carrier file.
Step 4A: Manually import the stego-carrier mp3 file inside an SWF file using any version of Adobe Flash.
Step 4B: Automatically import the stego-carrier mp3 file inside an SWF file using Java code.*
* mp32swfembedder program developed, utilizing the Flagstone open source library.
http://greekforensicscommunity.blogspot.com/2009/04/mp3-2-swfembedder.html
17/27
Why Mp3 steganography?
Choosing carrier file types.
1. Files, when imported inside Flash, are compressed or re-encoded.
2. Importing steganography inside Flash fails for most of the supported formats.
3. The mp3 format is the only one not altered when imported.*
* A few bytes are added at the end of the mp3 file.
18/27
Data hiding Technique 2: Auto-import
[Figure: multi-hiding process involving PC, STEG, mp32swfembedder and WEB]
19/27
Data Retrieval
Step 1: Decompile the SWF file, using a commercial or free SWF decompiler to list all the resources.
Step 2: Browse the audio resources, view and save the stego-carrier mp3 file.
Step 3: Tweak the saved mp3 file in a proper way (optional step).
Step 4: Apply inverse steganography (extraction) to obtain the secret file.
Delete the extra bytes to retrieve proper mp3 files!
20/27
Spreading Technique
In order to spread a stego-carrier SWF file:
*Step 1: Upload on an anonymous web server or an SWF hosting service without unveiling his IP address.
*Step 2: Obtain the URL link directing to it.
Step 3: Create an anonymous email account in order to use it to register on social network websites.
Step 4: Register with a fake identity to the social networks which are going to be used to spread hidden information.
Step 5: Use special applications or html code in order to embed it in a profile page, group pages or other user pages.
Step 6: Invite/inform secretly other users.
Illustration of both embedding techniques
*optional steps
21/27
Examples - Facebook
The native Facebook flash player approach:
Using the Flash Player application a user can upload SWF files on a Facebook hosting server. The SWF file is previewed inside the page created, along with other information added by the administrator/creator.
The TalkmeInto public page can be accessed through the following URL:
http://www.facebook.com/home.php#/pages/TalkmeInto/74719738815 or for direct SWF access here
To make the transaction more secure and less suspicious, attract legitimate users not aware of the underlying hidden information.
The browser automatically downloads the swf file on preview.
22/27
Examples - Facebook
Legitimate users as a cover
23/27
Examples - MySpace
In order to post links to SWF files anywhere inside a MySpace profile, simple html embedding code is used. The SWF file must first be uploaded on a third party server. Links to SWF files can be posted as comments to user profiles during a conversation, making hidden information easy to spread.
A fake Myspace profile containing the TalkmeInto SWF game can be accessed through the following URL: http://www.myspace.com/458277409
24/27
Examples - MySpace
Comment post helps spreading in different profiles
25/27
Proposed Detection Methodology
Step 1: Locate/download the suspicious SWF file.
Step 2: Decompile the SWF file, using a commercial or free SWF decompiler in order to list all the resources embedded.
Step 3: Manually inspect every file resource for suspicious files or evidence (visual attack).
Step 4: Check the ActionScript used by the SWF to locate suspicious text messages or textual evidence (ex. URLs, passwords).
Step 5: Collect the mp3 files embedded.
Step 6: Analyze all mp3 files to identify steganography using steganalysis tools.
Step 7: Extract hidden data / evidence.
* SWF must be treated as a container of files.
[Figure: SWF file as a container of ActionScript, video, images and sounds]
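Steps 2 to 6 above (and the mp3 retrieval on the Data Retrieval slide) can be partly automated by parsing the SWF container directly rather than through a GUI decompiler. The following Python script is an added example, not part of the original presentation or the authors' tools: it checks the FWS/CWS header, walks the tag records, inventories embedded image and script tags, and pulls the raw MP3 stream out of each DefineSound tag so it can be handed to a steganalysis tool; sample_swf() builds a constructed two-frame movie for illustration, and the tag codes and field layouts follow the SWF file format specification.

```python
import struct, zlib

IMAGE_TAGS = {6: "DefineBits", 20: "DefineBitsLossless", 21: "DefineBitsJPEG2",
              35: "DefineBitsJPEG3", 36: "DefineBitsLossless2"}   # tag codes per the SWF spec
SCRIPT_TAGS = {12: "DoAction", 82: "DoABC"}
DEFINE_SOUND, MP3_FORMAT = 14, 2          # SoundFormat 2 == MP3 in a DefineSound tag

def tag_stream(data):
    """Inflate a CWS body (FWS is stored raw), then skip RECT, frame rate and frame count."""
    if data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an FWS/CWS file: %r" % data[:3])
    body = zlib.decompress(data[8:]) if data[:3] == b"CWS" else data[8:]
    nbits = body[0] >> 3                  # RECT = 5-bit Nbits then four Nbits-wide fields
    return body[(5 + 4 * nbits + 7) // 8 + 4:]

def iter_tags(body):
    """Yield (code, payload) per RECORDHEADER; a 6-bit length of 0x3F means a u32 follows."""
    pos = 0
    while pos + 2 <= len(body):
        hdr = struct.unpack_from("<H", body, pos)[0]
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        yield code, body[pos:pos + length]
        pos += length

def inventory(data):
    """Treat the SWF as a container: count frames, list images/scripts, pull raw MP3 streams."""
    report = {"frames": 0, "images": [], "scripts": [], "mp3": []}
    for code, payload in iter_tags(tag_stream(data)):
        if code == 1:                      # ShowFrame
            report["frames"] += 1
        elif code in IMAGE_TAGS:
            report["images"].append((struct.unpack_from("<H", payload)[0], IMAGE_TAGS[code]))
        elif code in SCRIPT_TAGS:
            report["scripts"].append(SCRIPT_TAGS[code])
        elif code == DEFINE_SOUND and payload[2] >> 4 == MP3_FORMAT:
            # SoundId(2) + flags(1) + SampleCount(4) + SeekSamples(2), then the MP3 frames
            report["mp3"].append((struct.unpack_from("<H", payload)[0], payload[9:]))
    return report

def sample_swf():
    """Constructed two-frame CWS movie: one JPEG, one MP3, and a stop() DoAction on frame 1."""
    tag = lambda code, payload: struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload
    body = (b"\x00" + struct.pack("<HH", 12 << 8, 2)                      # empty RECT, 12 fps, 2 frames
            + tag(21, struct.pack("<H", 1) + b"\xff\xd8\xff\xd9")         # DefineBitsJPEG2, id 1
            + tag(14, struct.pack("<HBIh", 2, MP3_FORMAT << 4, 1152, 0) + b"\xff\xfb" + b"\x00" * 6)
            + tag(12, b"\x07\x00") + tag(1, b"") + tag(1, b"") + tag(0, b""))  # stop(), 2 frames, End
    return b"CWS\x08" + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
```

Each extracted MP3 stream in report["mp3"] is the carrier exactly as Flash stored it, which is what the steganalysis step in this methodology needs; writing it to a file with a .mp3 extension gives the tools of Step 6 their input.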
26/27
Conclusions & Future Work
As of now, the SWF format is becoming a popular data hiding medium that must be thoroughly examined during any forensics investigation.
Steganography can be uploaded on social networks and spread easily.
Future work:
A detection tool must be developed in order to automatically detect steganography contained inside SWF files.
A tool for automatic hiding-posting-retrieving can be developed as a proof of concept.
A specific policy must be described, as far as the content uploaded, embedded and shared by social networks is concerned.
27/27
Questions?
Thank you.
Alexandros Zaharis, Adamantini I. Martini, Christos Ilioudis
[email protected], [email protected]