SWF Data hiding



Hiding information in Facebook and other social networks through Flash. alexzaharis@gmail.com


1. ~WDFIA 2009~ Data Hiding in the SWF Format and Spreading through Social Network Services
   Alexandros Zaharis, Adamantini I. Martini, Christos Ilioudis
   alzahari@inf.uth.gr, admartin@inf.uth.gr, iliou@it.teithe.gr

2. Index
  • Contribution
  • The SWF Adobe Flash Format
  • Social Networks and Illegal Communities
  • Proposed Data Hiding Techniques
  • Proposed Detection Methodology
  • Future Work & Conclusions
  • Questions

3. Contribution
  • Present a fresh data hiding technique by exploiting the popular SWF Flash format.
  • Spread hidden information through the two most popular Social Networks while unveiling the lack of detection.
  • Present a detection methodology that can be used in a forensics investigation.

4. The SWF Format (1/2)
  • The SWF file format (standing for "ShockWave Flash", later "Small Web Format") is Adobe's open repository for multimedia and vector graphics.
  • Small enough for publication on the Web, it functions as the dominant format for displaying "animated" vector graphics.
  • Scripting language: ActionScript.
  • SWF files can be generated from within Adobe products (Flash, Flex Builder) and from other tools: the open source Motion-Twin ActionScript 2 Compiler (MTASC), SWiSH Max2 and Flagstone software.
  • SWF files can be played by the Adobe Flash Player, or be encapsulated with the player, creating a self-running SWF movie called a "projector".
  • Based on an independent study (Millward Brown), over 99% of web users have an SWF plugin installed, with around 90% having the latest version.

5. The SWF Format (2/2)
  • An SWF is a container of files. File types included inside an SWF file can be: 1. Image files 2. Video files 3. Sound files 4. Fonts 5. ActionScript.
  (Figure: supported formats to import inside SWF.)

6. SWF and security issues
  • Redirection by malicious SWF files: 2% of spam sites visited (August 08); GetURL attack.
  • Hiding malicious payload inside SWF files and attacking Flash Player.
  • Data hiding: textual info inside ActionScript.
  • Tools: 1. SWFIntruder 2. SWFDump 3. Flare.
  (Figure: SWF = multimedia resources + ActionScript; security issues up to date.)

7. Why Hiding in SWF?
  • Easily spread. SWF is used for: multimedia web pages, banners (easy to exchange), games (innocent looking, easily spread in Social Networks), presentations/galleries, applications. Our approach: banners and games.
  • No previous detection methodology.
  • Easy to hide and retrieve information.
  • Huge relative hiding ratio.
  • SWF files are never altered when uploaded.
  • Game console and mobile phone friendly.
  (Figure: SWF file, 1kb; 1kb - 10mb of hidden information.)

8. Social Network Services
  • A social network service focuses on building online communities of people who share interests and/or activities, or who are interested in exploring the interests and activities of others.
  (Chart credit: Compete.com)

9. Social Network Services facts
  • Facebook: No. 1 photo sharing application on the Web; more than 14 million photos uploaded daily; more than 6 million active user groups on the site.
  • MySpace: 1.5 billion images; 8 million images being uploaded per day; 10 billion friend relationships.
  • Huge quantity of data and users to monitor.
  • 100 million unique users play thousands of flash games across their network each month.

10. Illegal Communities & Social Networks
  • Communities have been reported to perform illegal activities such as: spreading illegal ideas/ideologies (ex. pro-mafia groups); exchanging documents; recruiting new members; funding illegal groups.
  • Why exchange information through social networks? 1. Anonymity. 2. Large amount of legitimate traffic to use as a cover. 3. Lack of international information laws.

11. Who would hide information in a Social Network?
  • While terrorism (ex. eBay) is the worst scenario today, both good and bad parties could use social networks and data hiding to keep their communications secret, including: 1. Intelligence services. 2. Corporations with trade secrets to protect. 3. People concerned about government eavesdropping. 4. Organized crime. 5. Drug traffickers. 6. Money launderers. 7. Child pornographers. 8. Weapons traffickers. 9. Criminal gangs.

12. Proposed Data Hiding Techniques
  • Proof of concept SWF game developed (TalkmeInto v1.0) using Adobe Flash CS3.
  • Two data hiding techniques presented & tested.
  • The total size of the hidden files is 127,2 Kb while the total size of the game is 548 Kb.
  • Files can be found here: http://sites.google.com/site/greekforensicscommunity/Home/talkmeinto.rar

13. Data hiding Technique 1
  • Type: hiding inside unread SWF key frames.
  • File types hidden: ai, png, bmp, jpeg, emf, gif, wmf, pct, qtif, tga, tiff, wav, mp3, aif, mov, avi, mpeg, flv, wmv.
  • Description: basic knowledge of Flash development needed; performed in any version of Adobe Flash; any secret file can be placed in a frame or frames that are not going to be accessible by the gamer/user of the flash application; size of hidden data unlimited (theoretically); secret information hidden in plain sight.

14. Data hiding Technique 1
  • Simple ActionScript used to stop the movie on Frame 1.
  • Secret image (papergirl.jpg) is hidden inside: Scene 1 -> Movie Clip Instance back -> image Layer -> Frame 2.

15. Data Retrieval
  • Step 1: Decompile the SWF file, using a commercial or free SWF decompiler, in order to list all the resources.
  • Step 2: Browse the graphic resources, locate and save the previously invisible papergirl.jpg.
  • This steganalysis method can be described as a visual attack, difficult to automate!
  (Screenshot: Flash Decompiler Trillix demo version.)

16. Data hiding Technique 2
  • Type: Mp3 steganography imported in SWF files.
  • File types hidden: all file types.
  • Description:
    Step 1: Choose a file (all file types supported) in order to be hidden.
    Step 2: Choose an mp3 file as your stego-carrier file.
    Step 3: Use steganography tools to hide information inside the stego-carrier file.
    Step 4A: Manually import the stego-carrier mp3 file inside an SWF file using any version of Adobe Flash.
    Step 4B: Automatically import the stego-carrier mp3 file inside an SWF file using java code.*
  * mp32swfembedder program developed, utilizing the Flagstone open source library.

17. Why Mp3 steganography?
  • Files when imported inside Flash are compressed or re-encoded.
  • Importing steganography inside Flash fails for most of the supported formats.
  • Mp3 format is the only one not altered when imported.*
  * Few bytes added at the end of the mp3 file.
  (Figure: choosing carrier file types.)

18. Data hiding Technique 2: Auto-import
  (Figure: multi-hiding process: PC -> mp32swfembedder -> WEB.)

19. Data Retrieval
  • Step 1: Decompile the SWF file, using a commercial or free SWF decompiler, to list all the resources.
  • Step 2: Browse the audio resources, view and save the stego-carrier mp3 file.
  • Step 3: Tweak the saved mp3 file in a proper way (optional step): delete the extra bytes to retrieve a proper mp3 file!
  • Step 4: Apply inverse steganography (extraction) to obtain the secret file.

20. Spreading Technique
  In order to spread a stego-carrier SWF file:
  • Step 1*: Upload on an anonymous web-server or an SWF hosting service without unveiling his IP address.
  • Step 2*: Obtain the URL link directing to the uploaded file.
  • Step 3: Create an anonymous email account in order to use it to register on social network websites.
  • Step 4: Register with a fake identity to the social networks which are going to be used to spread hidden information.
  • Step 5: Use special applications or html code in order to embed it in a profile page, group pages or other user pages.
  • Step 6: Invite/inform secretly other users.
  * optional steps
  (Figure: illustration of both embedding techniques.)

21. Examples - Facebook
  • The native Facebook flash player approach: using the Flash Player application, a user can upload SWF files on a Facebook hosting server.
  • The SWF file is previewed inside the page created, along with other information added by the administrator/creator.
  • To make the transaction more secure and less suspicious, attract legitimate users not aware of the underlying hidden information.
  • The browser automatically downloads the swf file on preview.
  • The TalkmeInto public page can be accessed through the following URL: http://www.facebook.com/home.php#/pages/TalkmeInto/74719738815 or for direct SWF access here.

22. Examples - Facebook
  • Legitimate users as a cover.

23. Examples - MySpace
  • In order to post links to SWF files anywhere inside a MySpace profile, simple html embedding code is used.
  • The SWF file must first be uploaded on a third party server.
  • Links to SWF files can be posted as comments to users' profiles during a conversation, making hidden information easy to spread.
  • A fake MySpace profile containing the TalkmeInto SWF game can be accessed through the following URL: http://www.myspace.com/458277409

24. Examples - MySpace
  • Comment posts help spreading in different profiles.

25. Proposed Detection Methodology
  • Step 1: Locate/download the suspicious SWF file.
  • Step 2: Decompile the SWF file, using a commercial or free SWF decompiler, in order to list all the resources embedded (images, sounds, video, ActionScript).
  • Step 3: Manually inspect every file resource for suspicious files or evidence (visual attack).
  • Step 4: Check the ActionScript used by the SWF to locate suspicious text messages or textual evidence (ex. URL, passwords).
  • Step 5: Collect the mp3 files embedded.
  • Step 6: Analyze all mp3 files to identify steganography using steganalysis tools.
  • Step 7: Extract hidden data / evidence.
  * SWF must be treated as a container of files.

26. Conclusions & Future Work
  • As from now, the SWF format becomes a popular data hiding medium that must be thoroughly examined during any forensics investigation.
  • Steganography can be uploaded on Social Networks and spread easily.
  • Future work: a detection tool must be developed in order to automatically detect steganography contained inside SWF files; a tool for automatic hiding-posting-retrieving can be developed as a proof of concept; a specific policy must be described, as far as the content uploaded, embedded and shared by social networks is concerned.

27. Questions? Thank you.
   Alexandros Zaharis, Adamantini I
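Steps 2 and 5 of the detection methodology (list every embedded resource, collect the embedded mp3 files) treat the SWF as a container, and a decompiler is not needed for that part: the SWF tag stream can be walked directly. The following Python tag walker is an added example, not code from the paper or the TalkmeInto game; it parses the FWS/CWS header, iterates the tag RECORDHEADERs, inventories resource-bearing tags and carves the MP3 bytes out of any DefineSound tag whose SoundFormat is MP3 so they can be handed to a steganalysis tool. Tag codes and field layouts follow the published SWF specification; the sample SWF is constructed in-code and is not a real file.

```python
import struct, zlib
# Tag codes from the SWF specification that carry embedded resources or script.
RESOURCE_TAGS = {6: "DefineBits", 21: "DefineBitsJPEG2", 35: "DefineBitsJPEG3", 20: "DefineBitsLossless",
                 36: "DefineBitsLossless2", 14: "DefineSound", 60: "DefineVideoStream", 12: "DoAction", 82: "DoABC"}
MP3 = 2  # DefineSound SoundFormat value meaning MP3
def swf_body(data):
    """Strip the 8-byte header (signature, version, length); inflate a zlib-compressed CWS body."""
    if data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an FWS/CWS file (LZMA 'ZWS' not handled here)")
    return zlib.decompress(data[8:]) if data[:3] == b"CWS" else data[8:]
def iter_tags(body):
    """Yield (code, payload) for each tag, skipping the bit-packed frame RECT, FrameRate and FrameCount."""
    nbits = body[0] >> 3                                   # RECT: 5-bit Nbits then 4*Nbits bits
    pos = (5 + 4 * nbits + 7) // 8 + 4                     # byte-align, then two UI16 fields
    while pos + 2 <= len(body):
        code_len = struct.unpack_from("<H", body, pos)[0]  # RECORDHEADER: 10-bit code, 6-bit length
        code, length, pos = code_len >> 6, code_len & 0x3F, pos + 2
        if length == 0x3F:                                 # long form: real length follows as UI32
            length, pos = struct.unpack_from("<I", body, pos)[0], pos + 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                                      # End tag
            break
def inventory(data):
    """Treat the SWF as a container: list resource tags and carve MP3 sound data for steganalysis."""
    found = []
    for code, payload in iter_tags(swf_body(data)):
        if code in RESOURCE_TAGS:
            entry = {"tag": RESOURCE_TAGS[code], "size": len(payload)}
            if code == 14:  # DefineSound: SoundId UI16, flags UI8, SampleCount UI32; MP3 data starts with SeekSamples SI16
                entry["sound_id"] = struct.unpack_from("<H", payload)[0]
                entry["mp3"] = (payload[2] >> 4) == MP3
                entry["mp3_bytes"] = payload[9:] if entry["mp3"] else None
            found.append(entry)
    return found

def build_sample_swf(compressed=False):
    """Constructed one-frame SWF (not a real file): a JPEG, an MP3 DefineSound and a stop() DoAction."""
    def tag(code, payload):  # short RECORDHEADER below 63 bytes, long form otherwise
        if len(payload) < 0x3F:
            return struct.pack("<H", (code << 6) | len(payload)) + payload
        return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload
    jpeg = struct.pack("<H", 2) + b"\xff\xd8\xff\xe0" + b"\x00" * 70        # CharacterID + fake JPEG data
    sound = struct.pack("<HBIh", 1, (MP3 << 4) | 0x0F, 1152, 0) + b"\xff\xfb\x90\x00" + b"\x00" * 20
    rect = bytes([15 << 3]) + b"\x00" * 8                                  # Nbits=15: 65 bits -> 9 bytes
    body = rect + struct.pack("<HH", 24 << 8, 1) + tag(21, jpeg) + tag(14, sound)
    body += tag(12, b"\x07\x00") + tag(1, b"") + tag(0, b"")               # ActionStop+end, ShowFrame, End
    raw = zlib.compress(body) if compressed else body
    return (b"CWS" if compressed else b"FWS") + bytes([9]) + struct.pack("<I", 8 + len(body)) + raw
```

The carved `mp3_bytes` are the frames Flash stored, so the trailing bytes the slides say Flash appends (slide 17) would still be present and are the part to trim before running an MP3 steganalysis tool (slide 19, Step 3).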