SWF Data hiding
1. WDFIA 2009
“Data Hiding in the SWF Format
and Spreading through Social
Network Services”
Alexandros Zaharis,
Adamantini I. Martini,
Christos Ilioudis
alzahari@inf.uth.gr,
admartin@inf.uth.gr,
iliou@it.teithe.gr
2. Index
Contribution
The SWF Adobe® Flash® Format
Social Networks and Illegal
Communities
Proposed Data Hiding Techniques
Proposed Detection Methodology
Future Work & Conclusions
Questions
3. Contribution
Present a fresh Data Hiding
Technique by exploiting the popular
SWF Flash format.
Spread hidden information through
the two most popular Social Networks
while unveiling lack of detection.
Present Detection Methodology
possibly used in a Forensics
Investigation.
4. The SWF Format (1/2)
The SWF file format (originally "ShockWave Flash", later "Small Web Format") is Adobe's
open container format for multimedia and vector graphics.
Small enough for publication on the Web, it functions as the dominant format for
displaying "animated" vector graphics.
Scripting language: ActionScript.
SWF files can be generated from within:
Adobe products: Flash, Flex Builder.
Other : open source Motion-Twin ActionScript 2 Compiler
(MTASC), SWiSH Max2 and Flagstone software.
SWF files can be played by the Adobe Flash Player, or
be encapsulated with the player, creating a self-running
SWF movie called "projector".
Based on an independent study ( Millward Brown ), over
99% of web users have an SWF plugin installed, with
around 90% having the latest version.
5. The SWF Format (2/2)
File types included inside an SWF file can be:
1. Image Files
2. Video Files
3. Sound Files
4. Fonts
5. ActionScript
"An SWF is a container of Files"
(Figure: supported formats to import inside SWF)
6. SWF and security issues
Redirection by malicious SWF files.
- 2% of spam sites visited (August 08)
- 'GetURL' attack.
Hiding malicious payload inside SWF files and attacking Flash Player.
Data hiding of textual information inside ActionScript.
Tools:
1. SWFIntruder
2. SWFDump
3. Flare
(Figure: SWF as a container of multimedia resources and ActionScript; security issues up to date)
7. Why Hiding in SWF ?
Easily spread. SWF is used for:
Web pages
Banners (easy to exchange)
Games (innocent looking, easily spread in Social Networks)
Presentations/Galleries
Applications
No previous detection methodology.
Easy to hide and retrieve information.
Huge relative hiding ratio.
SWF files never altered when uploaded.
Game consoles, mobile phones friendly.
(Figure: our approach targets the multimedia resources and ActionScript inside the SWF container; a 1 KB SWF file can carry 1 KB - 10 MB of hidden information)
8. Social Network Services
"A social network service focuses on building online communities of people
who share interests and/or activities, or who are interested in exploring
the interests and activities of others."
(Credit: Compete.com)
9. Social Network Services facts
Facebook
* No. 1 photo sharing application on the Web
* More than 14 million photos uploaded daily
* More than 6 million active user groups on the site
Myspace
* 1.5 Billion images
* 8 Million images being uploaded per day
* 10 Billion friend relationships
100 million unique users play thousands of flash games across their network each month.
"Huge quantity of data and users to monitor"
10. Illegal Communities
& Social Networks
Communities have been reported to perform illegal
activities such as:
Spreading illegal ideas/ideologies. (ex. pro-mafia groups)
Exchanging documents.
Recruiting new members.
Funding illegal groups.
Why exchange information through social networks?
1. Anonymity.
2. Large amount of legitimate traffic to use as a cover.
3. Lack of international laws on information exchange.
11. Who would hide information in a
Social Network?
While terrorism (ex. eBay) is the worst scenario today, both good and bad
parties could use social networks and data hiding to keep their
communications secret, including:
1. Intelligence services.
2. Corporations with trade secrets to protect.
3. People concerned about government eavesdropping.
4. Organized crime.
5. Drug traffickers.
6. Money launderers.
7. Child pornographers.
8. Weapons traffickers.
9. Criminal gangs.
12. Proposed Data Hiding Techniques
Proof of concept SWF game developed ("TalkmeInto v1.0") using Adobe Flash CS3.
Two Data Hiding Techniques presented & tested.
The total size of the hidden files is 127.2 KB while the total size of the game is 548 KB.
Files can be found here:
•http://sites.google.com/site/greekforensicscommunity/Home/talkmeinto.rar
13. Data hiding Technique 1
Type: "Hiding inside unread SWF key frames".
File types hidden: ai, png, bmp, jpeg, emf, gif, wmf, pct, qtif, tga, tiff,
wav, mp3, aif, mov, avi, mpeg, flv, wmv.
Description:
- Basic knowledge of Flash development needed.
- Can be performed in any version of Adobe Flash.
- Any secret file can be placed in a frame or frames that are never reached
by the gamer/user of the Flash application (the timeline is stopped before them).
- Size of hidden data unlimited (theoretically).
- Secret information hidden in plain sight.
14. Data hiding Technique 1
Simple ActionScript used to stop the movie on Frame 1.
Secret image ("papergirl.jpg") is hidden inside:
Scene 1 -> Movie Clip Instance "back" -> "image" Layer -> Frame 2
15. Data Retrieval
Step 1: Decompile the SWF file, using a commercial or free SWF decompiler in
order to list all the resources.
Step 2: Browse the graphic resources, locate and save the previously
invisible "papergirl.jpg".
This steganalysis method can be described as a "visual attack", difficult to
automate!
(Screenshot: Flash Decompiler Trillix demo version)
16. Data hiding Technique 2
Type: "Mp3 steganography imported in SWF files".
File types hidden: All file types.
Description:
Step 1: Choose a file (all file types supported) to be hidden.
Step 2: Choose an mp3 file as your stego-carrier file.
Step 3: Use steganography tools to hide the information inside the
stego-carrier file.
Step 4A: Manually import the stego-carrier mp3 file inside an SWF file using
any version of Adobe Flash.
Step 4B: Automatically import the stego-carrier mp3 file inside an SWF file
using Java code.*
* mp32swfembedder program developed, utilizing the Flagstone open source library.
17. Why Mp3 steganography?
Files, when imported inside Flash, are compressed or re-encoded.
Importing steganography inside Flash therefore fails for most of the
supported formats.
The mp3 format is the only one not altered when imported.*
* A few bytes are added at the end of the mp3 file.
(Figure: choosing carrier file types)
18. Data hiding Technique 2
(Figure: auto-import flow, stego-carrier mp3 -> mp32swfembedder -> SWF, and the
multi-hiding process from PC to WEB)
19. Data Retrieval
Step 1: Decompile the SWF file, using a commercial or free SWF decompiler to
list all the resources.
Step 2: Browse the audio resources, view and save the stego-carrier mp3 file.
Step 3: "Tweak" the saved mp3 file in a proper way (optional step): delete the
extra bytes Flash appended in order to retrieve a proper mp3 file, otherwise
the extraction tool may fail to recognise the carrier.
Step 4: Apply inverse steganography (extraction) to obtain the secret file.
20. Spreading Technique
In order to spread a stego-carrier SWF file <S>:
*Step 1: Upload <S> on an anonymous web server or an SWF hosting service
without unveiling the uploader's IP address.
*Step 2: Obtain the URL link directing to <S>.
Step 3: Create an anonymous email account <E> in order to use it to register
on social network websites.
Step 4: Register with a fake identity on the social networks which are going
to be used to spread the hidden information.
Step 5: Use special applications or HTML code in order to embed <S> in a
profile page, group pages or other user pages.
Step 6: Invite/inform other users secretly.
* optional steps
(Figure: illustration of both embedding techniques)
21. Examples - Facebook
The native Facebook flash player approach:
Using the Flash Player application a user can upload SWF files to a Facebook
hosting server.
The SWF file is previewed inside the page created, along with other
information added by the administrator/creator.
To make the exchange more secure and less suspicious, the page also attracts
legitimate users who are not aware of the underlying hidden information.
The browser automatically downloads the SWF file on preview, so no explicit
download link is needed.
The "TalkmeInto" public page can be accessed through the following URL:
http://www.facebook.com/home.php#/pages/TalkmeInto/74719738815 or for direct
SWF access here
23. Examples - MySpace
In order to post links to SWF files anywhere inside a MySpace profile, simple
HTML embedding code is used.
The SWF file must first be uploaded to a third-party server.
Links to SWF files can be posted as comments on user profiles during a
conversation, making hidden information easy to spread.
A fake MySpace profile containing the "TalkmeInto" SWF game can be accessed
through the following URL:
http://www.myspace.com/458277409
Embedding code used (the SWF itself is served from the Facebook CDN):
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" height="200" width="200">
  <param name="allowScriptAccess" value="never" />
  <param name="allowNetworking" value="internal" />
  <param name="movie" value="http://photos-b.ak.fbcdn.net/photos-ak-snc1/genericv2b/284/81/01AwcA9kYVM5kAfakKAAAAEWWku78:.swf" />
  <param name="wmode" value="transparent" />
  <param name="quality" value="high" />
  <embed type="application/x-shockwave-flash" allowScriptAccess="never"
    allowNetworking="internal"
    src="http://photos-b.ak.fbcdn.net/photos-ak-snc1/genericv2b/284/81/01AwcA9kYVM5kAfakKAAAAEWWku78:.swf"
    height="200" width="200" wmode="transparent" quality="high" />
</object>
25. Proposed Detection Methodology
Step 1: Locate/download the suspicious SWF file.
Step 2: Decompile the SWF file, using a commercial or free SWF decompiler, in
order to list all the resources embedded (images, sounds, video, ActionScript).
Step 3: Manually inspect every file resource for suspicious files or evidence
("visual attack").
Step 4: Check the ActionScript used by the SWF to locate suspicious text
messages or textual evidence (ex. URLs, passwords).
Step 5: Collect the mp3 files embedded.
Step 6: Analyze all mp3 files with steganalysis tools to identify steganography.
Step 7: Extract hidden data / evidence.
* The SWF must be treated as a container of files.
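The two operations the slides describe, importing an mp3 carrier into an SWF programmatically (Technique 2, Step 4B) and walking an SWF as a container to collect its images and mp3 sounds (Data Retrieval and Detection Steps 2 and 5), can both be done directly on the SWF tag structure without a decompiler. The following is an example added here by the editor; it is not the paper's mp32swfembedder, the Flagstone library, or any decompiler's code. Tag codes and field layouts follow the public SWF file format specification; the mp3 and JPEG payloads are constructed placeholders, not real media.

```python
# SWF container walker (editor's example, not from the paper or its tools).
# build_sample_swf() embeds an MP3 and a JPEG into a minimal SWF via the
# DefineSound / DefineBitsJPEG2 tags; extract_resources() walks the tag list of
# any FWS or zlib-compressed CWS file and pulls those resources back out.
import struct
import zlib

END, SHOW_FRAME = 0, 1
DEFINE_BITS, DEFINE_SOUND, DEFINE_BITS_JPEG2 = 6, 14, 21
DEFINE_BITS_JPEG3, DEFINE_SPRITE, DEFINE_BINARY_DATA = 35, 39, 87
MP3_FORMAT = 2          # SoundFormat nibble in DefineSound meaning MP3


def swf_body(data):
    """Return (version, uncompressed body following the 8-byte header)."""
    sig = data[:3]
    if sig == b"ZWS":
        raise ValueError("LZMA (ZWS) files are not handled by this example")
    if sig not in (b"FWS", b"CWS") or len(data) < 8:
        raise ValueError("not an SWF file")
    version = data[3]
    declared = struct.unpack_from("<I", data, 4)[0]   # FileLength, uncompressed
    body = zlib.decompress(data[8:]) if sig == b"CWS" else data[8:]
    if len(body) + 8 != declared:
        raise ValueError("header FileLength does not match the decoded body")
    return version, body


def first_tag_offset(body):
    """Skip the RECT (5-bit Nbits + 4 fields), FrameRate and FrameCount."""
    nbits = body[0] >> 3
    rect_bytes = (5 + 4 * nbits + 7) // 8
    return rect_bytes + 2 + 2


def iter_tags(buf, offset):
    """Yield (code, payload) for every tag, descending into DefineSprite."""
    while offset < len(buf):
        code_len = struct.unpack_from("<H", buf, offset)[0]
        offset += 2
        code, length = code_len >> 6, code_len & 0x3F
        if length == 0x3F:                       # long form: explicit UI32 length
            length = struct.unpack_from("<I", buf, offset)[0]
            offset += 4
        payload = buf[offset:offset + length]
        offset += length
        yield code, payload
        if code == DEFINE_SPRITE:                # SpriteId, FrameCount, nested tags
            yield from iter_tags(payload, 4)
        if code == END:
            return


def extract_resources(data):
    """Return {'jpeg': [(id, bytes)], 'mp3': [...], 'binary': [...]} for an SWF."""
    _, body = swf_body(data)
    found = {"jpeg": [], "mp3": [], "binary": []}
    for code, p in iter_tags(body, first_tag_offset(body)):
        if code in (DEFINE_BITS, DEFINE_BITS_JPEG2):
            found["jpeg"].append((struct.unpack_from("<H", p)[0], p[2:]))
        elif code == DEFINE_BITS_JPEG3:           # CharacterId, AlphaDataOffset, JPEG, alpha
            cid, alpha_off = struct.unpack_from("<HI", p)
            found["jpeg"].append((cid, p[6:6 + alpha_off]))
        elif code == DEFINE_SOUND:
            cid, flags = struct.unpack_from("<HB", p)
            if flags >> 4 == MP3_FORMAT:
                # SoundId(2) flags(1) SampleCount(4) SeekSamples(2), then raw MP3 frames
                found["mp3"].append((cid, p[9:]))
        elif code == DEFINE_BINARY_DATA:         # Tag(2) Reserved(4), then arbitrary bytes
            found["binary"].append((struct.unpack_from("<H", p)[0], p[6:]))
    return found


def build_sample_swf(mp3_frames, jpeg, compress=True):
    """Constructed test input: a one-frame SWF carrying one MP3 sound and one JPEG."""
    def tag(code, payload):
        if len(payload) < 0x3F:
            return struct.pack("<H", (code << 6) | len(payload)) + payload
        return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload
    rect = b"\x00"                                   # Nbits = 0: empty stage RECT
    head = rect + struct.pack("<HH", 12 << 8, 1)      # 12.0 fps, 1 frame
    sound = struct.pack("<HBIh", 1, MP3_FORMAT << 4, 0, 0) + mp3_frames
    image = struct.pack("<H", 2) + jpeg
    body = (head + tag(DEFINE_SOUND, sound) + tag(DEFINE_BITS_JPEG2, image)
            + tag(SHOW_FRAME, b"") + tag(END, b""))
    sig = b"CWS" if compress else b"FWS"
    payload = zlib.compress(body) if compress else body
    return sig + bytes([8]) + struct.pack("<I", 8 + len(body)) + payload


# Constructed placeholders (not real audio/image data): a fake MP3 frame header
# followed by padding, and a bare JPEG SOI/EOI marker pair.
SAMPLE_MP3 = b"\xff\xfb\x90\x00" + b"\x00" * 60
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"

if __name__ == "__main__":
    swf = build_sample_swf(SAMPLE_MP3, SAMPLE_JPEG)
    for kind, items in extract_resources(swf).items():
        for cid, blob in items:
            print(f"{kind}: character {cid}, {len(blob)} bytes, head {blob[:4].hex()}")
```

Reading the DefineSound payload directly yields the mp3 frames exactly as stored in the container, which sidesteps the "tweak the saved mp3" step that a decompiler export may require before steganalysis. Real files built with Flash will also carry JPEGTables, DefineShape, PlaceObject and DoAction tags that this walker simply passes over; a forensic tool would additionally record which frames each character is placed in, since Technique 1 hides resources in frames the stopped timeline never reaches.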
26. Conclusions & Future Work
From now on, the SWF format must be regarded as a popular data hiding medium
that has to be thoroughly examined during any forensic investigation.
Steganography can be uploaded to Social Networks and spread easily.
Future work:
A detection tool must be developed in order to automatically detect
steganography contained inside SWF files.
A tool for automatic hiding-posting-retrieving can be developed as a proof of
concept.
A specific policy must be described, as far as the content uploaded, embedded
and shared on social networks is concerned.