~WDFIA 2009~

“Data Hiding in the SWF Format and Spreading through Social Network Services”

Alexandros Zaharis, Adamantini I. Martini, Christos Ilioudis
alzahari@inf.uth.gr, admartin@inf.uth.gr, iliou@it.teithe.gr
Index
• Contribution
• The SWF Adobe® Flash® Format
• Social Networks and Illegal Communities
• Proposed Data Hiding Techniques
• Proposed Detection Methodology
• Future Work & Conclusions
• Questions
Contribution
• Present a fresh Data Hiding Technique by exploiting the popular SWF Flash format.
• Spread hidden information through the two most popular Social Networks while unveiling lack of detection.
• Present Detection Methodology possibly used in a Forensics Investigation.
The SWF Format (1/2)
• The SWF file format (standing for "ShockWave Flash", later "Small Web Format") is Adobe's open format for multimedia and vector graphics.
• Small enough for publication on the Web, it functions as the dominant format for displaying "animated" vector graphics.
• Scripting language: ActionScript.
• SWF files can be generated from within:
  - Adobe products: Flash, Flex Builder.
  - Other: the open source Motion-Twin ActionScript 2 Compiler (MTASC), SWiSH Max2 and the Flagstone software.
• SWF files can be played by the Adobe Flash Player, or be encapsulated with the player, creating a self-running SWF movie called a "projector".
• Based on an independent study (Millward Brown), over 99% of web users have an SWF plugin installed, with around 90% having the latest version.
The SWF Format (2/2)
File types included inside an SWF file can be:
1. Image Files
2. Video Files
3. Sound Files
4. Fonts
5. ActionScript

“An SWF is a container of Files”

(Figure: Supported formats to import inside SWF)
SWF and security issues
• Redirection by malicious SWF files.
  - 2% of spam sites visited (August 08).
  - 'GetURL' attack.
• Hiding a malicious payload inside SWF files and attacking the Flash Player.
• Data hiding of textual info inside ActionScript.
• Tools:
  1. SWFIntruder
  2. SWFDump
  3. Flare

(Figure: Security issues up to date, mapped onto the SWF container: Multimedia Resources and ActionScript)
Why Hiding in SWF?
• Easily spread. SWF is used for:
  - Web pages
  - Banners (easy to exchange)
  - Games (innocent looking, easily spread in Social Networks)
  - Presentations/Galleries
  - Applications
• No previous detection methodology.
• Easy to hide and retrieve information.
• Huge relative hiding ratio.
• SWF files never altered when uploaded.
• Game consoles, mobile phones friendly.

(Figure: Our approach targets the Multimedia Resources of the SWF container; a 1kb SWF file can carry 1kb - 10mb of hidden information)
Social Network Services

“A social network service focuses on building online communities of people who share interests and/or activities, or who are interested in exploring the interests and activities of others.”

(Credit: Compete.com)
Social Network Services facts
• Facebook
  * No. 1 photo sharing application on the Web
  * More than 14 million photos uploaded daily
  * More than 6 million active user groups on the site
• Myspace
  * 1.5 Billion images
  * 8 Million images being uploaded per day
  * 10 Billion friend relationships
  -> “Huge Quantity of data and users to Monitor”
• 100 million unique users play thousands of flash games across their network each month.
Illegal Communities & Social Networks
• Communities have been reported to perform illegal activities such as:
  - Spreading illegal ideas/ideologies (ex. pro-mafia groups).
  - Exchanging documents.
  - Recruiting new members.
  - Funding illegal groups.
• Why exchange information through social networks?
  1. Anonymity.
  2. Large amount of legitimate traffic to use as a cover.
  3. Lack of international information laws.
Who would hide information in a Social Network?
While terrorism (ex. eBay) is the worst scenario today, both good and bad parties could use social networks and data hiding to keep their communications secret, including:
1. Intelligence services.
2. Corporations with trade secrets to protect.
3. People concerned about government eavesdropping.
4. Organized crime.
5. Drug traffickers.
6. Money launderers.
7. Child pornographers.
8. Weapons traffickers.
9. Criminal gangs.
Proposed Data Hiding Techniques
• Proof of concept SWF game developed (“TalkmeInto v1.0”) using Adobe Flash CS3.
• Two Data Hiding Techniques presented & tested.
• The total size of the hidden files is 127,2 Kb while the total size of the game is 548 Kb.

Files can be found here:
• http://sites.google.com/site/greekforensicscommunity/Home/talkmeinto.rar
Data hiding Technique 1
• Type: “Hiding inside unread SWF key frames”.
• File types hidden: ai, png, bmp, jpeg, emf, gif, wmf, pct, qtif, tga, tiff, wav, mp3, aif, mov, avi, mpeg, flv, wmv.
• Description:
  - Basic knowledge of Flash development needed.
  - Performed in any version of Adobe Flash.
  - Any secret file can be placed in a frame or frames that are not going to be accessible by the gamer/user of the flash application.
  - Size of hidden data unlimited (theoretically).
  - Secret information hidden in plain sight.
Data hiding Technique 1

(Figure: Simple ActionScript used to stop the movie on Frame1)

Secret image (“papergirl.jpg”) is hidden inside:
Scene 1 -> Movie Clip Instance “back” -> “image” Layer -> Frame2
Data Retrieval
• Step1: Decompile the SWF file, using a commercial or free SWF decompiler in order to list all the resources.
• Step2: Browse the graphic resources, locate and save the previously invisible “papergirl.jpg”.
• This steganalysis method can be described as a “visual attack”, difficult to automate!

(Figure: Flash Decompiler Trillix demo version)
Data hiding Technique 2
• Type: “Mp3 steganography imported in SWF files”.
• File types hidden: All file types.
• Description:
  Step1: Choose a file (all file types supported) in order to be hidden.
  Step2: Choose an mp3 file as your stego-carrier file.
  Step3: Use steganography tools to hide information inside the stego-carrier file.
  Step4A: Manually import the stego-carrier mp3 file inside an SWF file using any version of Adobe Flash.
  Step4B: Automatically import the stego-carrier mp3 file inside an SWF file using java code.*

* mp32swfembedder program developed, utilizing the Flagstone open source library.
Why Mp3 steganography?
• Files, when imported inside Flash, are compressed or re-encoded.
• Importing steganography inside Flash fails for most of the supported formats.
• The Mp3 format is the only one not altered when imported.*

* A few bytes are added at the end of the mp3 file.

(Figure: Choosing carrier file types)
Data hiding Technique 2
Auto-import

(Figure: Multi-Hiding process, from the PC to the WEB: STEG -> mp3 -> mp32swfembedder)
Data Retrieval
• Step1: Decompile the SWF file, using a commercial or free SWF decompiler to list all the resources.
• Step2: Browse the audio resources, view and save the stego-carrier mp3 file.
• Step3: “Tweak” the saved mp3 file in a proper way (optional step).
• Step4: Apply inverse steganography (extraction) to obtain the secret file.

Delete extra bytes to retrieve proper mp3 files!
Spreading Technique
• In order to spread a stego-carrier SWF file <S>:
  *Step1: Upload <S> on an anonymous web-server or a SWF hosting service without unveiling the uploader's IP address.
  *Step2: Obtain the URL link directing to <S>.
  Step3: Create an anonymous email account <E> in order to use it to register on social network websites.
  Step4: Register with a fake identity to the social networks which are going to be used to spread hidden information.
  Step5: Use special applications or html code in order to embed <S> in a profile page, group pages or other user pages.
  Step6: Invite/inform secretly other users.
  * optional steps

(Figure: Illustration of both embedding techniques)
Examples - Facebook
The native Facebook flash player approach:
• Using the Flash Player application a user can upload SWF files on a Facebook hosting server.
• The SWF file is previewed inside the page created, along with other information added by the administrator/creator.
• To make the transaction more secure and less suspicious, attract legitimate users not aware of the underlying hidden information.
• The browser automatically downloads the swf file on preview.

The “TalkmeInto” public page can be accessed through the following URL:
http://www.facebook.com/home.php#/pages/TalkmeInto/74719738815 or for direct SWF access here
Examples - Facebook

(Figure: Legitimate users as a cover)
Examples - MySpace
• In order to post links to SWF files anywhere inside a MySpace profile, simple html embedding code is used.
• The SWF file must first be uploaded on a third party server.
• Links to SWF files can be posted as comments to a user's profile during a conversation, making hidden information easy to spread.
• A fake Myspace profile containing the “TalkmeInto” SWF game can be accessed through the following URL: http://www.myspace.com/458277409

<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" height="200" width="200">
  <param name="allowScriptAccess" value="never" />
  <param name="allowNetworking" value="internal" />
  <param name="movie" value="http://photos-b.ak.fbcdn.net/photos-ak-snc1/genericv2b/284/81/01AwcA9kYVM5kAfakKAAAAEWWku78:.swf" />
  <param name="wmode" value="transparent" />
  <param name="quality" value="high" />
  <embed type="application/x-shockwave-flash" allowScriptAccess="never" allowNetworking="internal"
    src="http://photos-b.ak.fbcdn.net/photos-ak-snc1/genericv2b/284/81/01AwcA9kYVM5kAfakKAAAAEWWku78:.swf"
    height="200" width="200" wmode="transparent" quality="high" />
</object>
Examples - MySpace

(Figure: Comment post helps spreading in different profiles)
Proposed Detection Methodology
• Step1: Locate/download the suspicious SWF file.
• Step2: Decompile the SWF file, using a commercial or free SWF decompiler in order to list all the resources embedded.
• Step3: Manually inspect every file resource for suspicious files or evidence (“visual attack”).
• Step4: Check the ActionScript used by the SWF, to locate suspicious text messages or textual evidence (ex. URL, passwords).
• Step5: Collect the mp3 files embedded.
• Step6: Analyze all mp3 files to identify steganography using steganalysis tools.
• Step7: Extract hidden data / evidence.

* The SWF must be treated as a container of files: Images, Sounds, Video, ActionScript.
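Steps 2 and 5 above (and Step2 of the Technique 2 Data Retrieval slide) can be automated once the SWF is treated as a container. The Python script below is an added example, not the authors' tool: it parses the SWF header and tag stream as laid out in the Adobe SWF specification, counts embedded Image/Sound/Video/Font/ActionScript tags, including those nested inside movie-clip sprites, and extracts the raw MP3 payload from DefineSound tags so it can be handed to a steganalysis tool. The SWF it runs on is constructed in memory for the example.

```python
"""Inventory the resources inside an SWF file, treating it as a container (added example)."""
import struct
import zlib
from collections import Counter

# Tag codes from the SWF specification, grouped the way the detection steps group them.
CATEGORY = {
    "Images": {6, 20, 21, 35, 36, 90},    # DefineBits, DefineBitsJPEG2/3/4, DefineBitsLossless/2
    "Sounds": {14, 18, 19},               # DefineSound, SoundStreamHead, SoundStreamBlock
    "Video": {60, 61},                    # DefineVideoStream, VideoFrame
    "Fonts": {10, 48, 75},                # DefineFont, DefineFont2, DefineFont3
    "ActionScript": {12, 59, 82},         # DoAction, DoInitAction, DoABC
    "BinaryData": {87},                   # DefineBinaryData (arbitrary embedded bytes)
}
TAG_END, TAG_SHOWFRAME, TAG_DEFINESOUND, TAG_DEFINESPRITE = 0, 1, 14, 39
MP3_FORMAT = 3  # SoundFormat nibble meaning MP3 in a DefineSound tag


def swf_body(data):
    """Return the bytes after the 8-byte header, inflating CWS (zlib) files."""
    sig = data[:3]
    if sig == b"FWS":
        return data[8:]
    if sig == b"CWS":
        return zlib.decompress(data[8:])
    if sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF not handled by this example")
    raise ValueError("not an SWF file")


def skip_rect(body, pos):
    """Skip the bit-packed RECT (frame size): 5-bit Nbits, then 4*Nbits bits, byte-aligned."""
    nbits = body[pos] >> 3
    return pos + (5 + 4 * nbits + 7) // 8


def iter_tags(body, pos=0):
    """Yield (code, payload) for each RECORDHEADER-delimited tag until End or end of data."""
    while pos + 2 <= len(body):
        header = struct.unpack_from("<H", body, pos)[0]
        code, length = header >> 6, header & 0x3F
        pos += 2
        if length == 0x3F:                 # long form: explicit UI32 length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == TAG_END:
            return


def inventory(data):
    """Count embedded resources per category, recurse into sprites, extract MP3 payloads."""
    body = swf_body(data)
    start = skip_rect(body, 0) + 4          # skip FrameRate UI16 + FrameCount UI16
    result = {"resources": Counter(), "frames": 0, "sprites": [], "mp3": []}
    _walk(iter_tags(body, start), result, depth=0)
    result["resources"] = dict(result["resources"])
    return result


def _walk(tags, result, depth):
    for code, payload in tags:
        if code == TAG_SHOWFRAME and depth == 0:
            result["frames"] += 1
        for category, codes in CATEGORY.items():
            if code in codes:
                result["resources"][category] += 1
        if code == TAG_DEFINESOUND and len(payload) >= 9 and (payload[2] >> 4) == MP3_FORMAT:
            # Layout: SoundId UI16, flags UI8, SampleCount UI32, SeekSamples SI16, MP3 frames.
            sound_id = struct.unpack_from("<H", payload, 0)[0]
            mp3 = payload[9:]
            sync_ok = len(mp3) >= 2 and mp3[0] == 0xFF and (mp3[1] & 0xE0) == 0xE0
            result["mp3"].append({"id": sound_id, "size": len(mp3), "sync_ok": sync_ok})
        if code == TAG_DEFINESPRITE and len(payload) >= 4:
            sprite_id, frame_count = struct.unpack_from("<HH", payload, 0)
            result["sprites"].append({"id": sprite_id, "frames": frame_count})
            _walk(iter_tags(payload, 4), result, depth + 1)  # content hidden inside a movie clip


# --- constructed sample SWF (not a real file): one JPEG, a 2-frame sprite, one MP3, a stop() ---
def _tag(code, body):
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<HI", (code << 6) | 0x3F, len(body)) + body


def sample_swf(compressed=False):
    mp3 = b"\xff\xfb\x90\x00" + b"\x00" * 60                # fake MPEG-1 Layer III frame start
    tags = (
        _tag(21, struct.pack("<H", 1) + b"\xff\xd8\xff\xe0" + b"\x00" * 16)        # JPEG, id 1
        + _tag(39, struct.pack("<HH", 2, 2) + _tag(1, b"") + _tag(1, b"") + _tag(0, b""))  # sprite 2
        + _tag(14, struct.pack("<H", 3) + bytes([(MP3_FORMAT << 4) | 0x0F])
               + struct.pack("<I", 1152) + struct.pack("<h", 0) + mp3)            # DefineSound 3
        + _tag(12, b"\x07\x00")                                                   # DoAction: stop
        + _tag(1, b"") + _tag(0, b"")
    )
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1) + tags  # RECT Nbits=0, 12 fps, 1 frame
    header = (b"CWS" if compressed else b"FWS") + bytes([8]) + struct.pack("<I", 8 + len(body))
    return header + (zlib.compress(body) if compressed else body)


if __name__ == "__main__":
    print(inventory(sample_swf(compressed=True)))
```

A sprite that declares more frames than the main timeline ever shows, or a DefineSound whose extracted payload is far larger than its sample count suggests, is the kind of container content that playing the file in the player alone never reveals.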
Conclusions & Future Work
• From now on, the SWF format becomes a popular data hiding medium that must be thoroughly examined during any Forensics Investigation.
• Steganography can be uploaded on Social Networks and spread easily.

Future work:
• A detection tool must be developed in order to automatically detect steganography contained inside SWF files.
• A tool for automatic hiding-posting-retrieving can be developed as a proof of concept.
• A specific policy must be described, as far as the content uploaded, embedded and shared by social networks is concerned.
Questions?

Thank you.

Alexandros Zaharis, Adamantini I. Martini, Christos Ilioudis
alzahari@inf.uth.gr, admartin@inf.uth.gr, iliou@it.teithe.gr
