Anonymous and Steganography - Blindly Distributing Terrorist Messages?

As Th3J35t3r and I have warned several times before, Anonymous may be unwitting pawns in a much larger chess game.

While their public support of terrorist organizations is being dismissed with "anyone can claim to be Anonymous", their blind distribution of encrypted files containing information from outside entities may not even be known to the inner-most circles of the organization.

What encrypted files? One of the most common means of distributing Anonymous-related information is through social media, especially through the distribution of image files. Little known to many outside the security field is that images can be used to hide information through a process called steganography. For those not familiar with the topic, here is an excellent whitepaper on how steganography works as well as how to detect it. I have started using the StegDetect program from Outguess.org and have found some interesting results.

I recently started analyzing several images being re-posted by the Twitter handle @YourAnonNews.  Out of 51 images analyzed I found two images which returned "positive" as having embedded data, as well as two additional images which generated errors during analysis (possibly obfuscated?).

The first picture with a positive hit was an internet meme of the TV show "Game of Thrones".



The picture was re-posted by @YourAnonNews here: https://twitter.com/i/#!/YourAnonNews/media/slideshow?url=http%3A%2F%2Ftwitpic.com%2Fbqiggl

However the image originated from @57UN here: http://twitpic.com/bqiggl

Below is the image re-posted by @YourAnonNews

[Image: picture re-posted by @YourAnonNews]

And here is a similar meme picture which is "almost" the exact same size, as found on http://whosin.com/pg/whois/24118207/Maine+Memes

[Image: similar meme picture]
Running StegDetect against the "Gym" picture above (the @YourAnonNews repost) produces a hit for embedded data using "jphide", while running it against the "Sandy" picture (the similar copy) does not.

Similarities between the two pictures:
Both are of the same content - with only a slight variation (text at the bottom)
Both are 72 dpi resolution
Both are 24-bit color depth

There are also some interesting differences between the two pictures.

The "Gym" picture is 600x461 pixels while the "Sandy" picture is 600x460 (Gym is one pixel taller)
The "Gym" picture is 69,919 bytes while the "Sandy" picture is 51,416 bytes (26% difference)

Error Level Analysis (ELA) using FotoForensics produces some interesting results.

[Image: ELA of the @YourAnonNews reposted image]
[Image: ELA of the "Sandy" image]
Areas in white indicate the image has possibly been altered from its original (see the FotoForensics tutorial). As you can see above, there has been significant altering of the first image while the second remains fairly uniform. You would expect that the images would display the same ELA pattern; the fact that they are drastically different indicates something has definitely been altered.

So the question remains - is there something embedded inside this image?  I believe so.  Unfortunately all of my attempts to crack the password failed.  Whatever secret this image holds we may never know.  But I believe it definitely holds a secret.

UPDATE 1:
It was suggested in the comments below that this is simply a result of resizing or cropping the image.  As such I cropped both images as suggested...and this provided some rather interesting results.

[Image: suspect steganography image "Gym", cropped]
[Image: ELA of the cropped "Gym" image]
As you can see above, the ELA for the cropped "Gym" image suspected of containing steganography doesn't change much.

More interesting is that StegDetect now throws an error instead of a negative/positive hit for steganography. "error: Quantization table 0x01 was not defined"

[Image: "Sandy" image, cropped]

[Image: ELA of the cropped "Sandy" image]
The baseline "Sandy" image ELA does change slightly, but still not as profoundly as the suspect ELA image above. This image also produces the same message when run through StegDetect: "error: Quantization table 0x01 was not defined"

Therefore I believe it is safe to conclude that the positive detection for steganography is not a result of resizing or cropping the image.
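The two comparisons made above (pixel dimensions and file size of the "Gym" and "Sandy" files, and the "Quantization table 0x01 was not defined" error after cropping) can both be checked at the JPEG header level without any steganalysis tool. The script below is an added example, not code from this post, from StegDetect or from FotoForensics: it walks the JPEG marker segments up to the first scan and reports dimensions, colour depth, JFIF dpi, and which quantization table ids are defined versus referenced by the colour components. The two input files are constructed in-line (minimal headers with a dummy scan, not the real meme images), and the reading that StegDetect's error corresponds to a component referencing table id 1 while no DQT segment for id 1 exists is an assumption made for the example, not something the post or the tool's author states.

```python
"""Header-level checks for the JPEG comparisons in the post (constructed samples, stdlib only)."""
from __future__ import annotations
import struct
from dataclasses import dataclass, field

SOI, EOI, SOS, DQT, APP0 = 0xD8, 0xD9, 0xDA, 0xDB, 0xE0
# Start-of-frame markers (baseline, progressive, lossless, ...) share the same layout prefix.
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7, 0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
STANDALONE = {0x01, *range(0xD0, 0xD8), SOI, EOI}  # markers that carry no length field


@dataclass
class JpegInfo:
    file_size: int = 0
    width: int = 0
    height: int = 0
    components: int = 0
    bits_per_sample: int = 0
    dpi: tuple | None = None                 # (x, y) when the JFIF APP0 segment uses inch units
    quant_tables_defined: set = field(default_factory=set)
    quant_tables_referenced: set = field(default_factory=set)

    @property
    def colour_depth(self) -> int:           # e.g. 3 components x 8 bits = 24-bit colour
        return self.components * self.bits_per_sample

    @property
    def missing_quant_tables(self) -> set:   # referenced by a component but never defined
        return self.quant_tables_referenced - self.quant_tables_defined


def parse_jpeg(data: bytes) -> JpegInfo:
    """Walk the marker segments up to the first scan; never decodes pixel data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    info = JpegInfo(file_size=len(data))
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker, pos = data[pos], pos + 1
        if marker in STANDALONE:
            if marker == EOI:
                break
            continue
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        payload = data[pos + 2:pos + length]
        if marker == DQT:                      # one or more tables per segment
            i = 0
            while i < len(payload):
                precision, table_id = payload[i] >> 4, payload[i] & 0x0F
                info.quant_tables_defined.add(table_id)
                i += 1 + 64 * (2 if precision else 1)
        elif marker in SOF_MARKERS:            # precision, height, width, component count
            (info.bits_per_sample, info.height,
             info.width, info.components) = struct.unpack(">BHHB", payload[:6])
            for c in range(info.components):   # each component names its quantization table
                info.quant_tables_referenced.add(payload[6 + 3 * c + 2])
        elif marker == APP0 and payload[:5] == b"JFIF\x00":
            units = payload[7]
            x_density, y_density = struct.unpack(">HH", payload[8:12])
            if units == 1:                     # 1 = dots per inch
                info.dpi = (x_density, y_density)
        elif marker == SOS:                    # entropy-coded data follows; headers are done
            break
        pos += length
    return info


def size_difference(a: bytes, b: bytes) -> float:
    """Fraction by which the smaller file is smaller than the larger one (the post's 26%)."""
    big, small = max(len(a), len(b)), min(len(a), len(b))
    return (big - small) / big


def build_jpeg(width: int, height: int, tables_defined, component_tables, dpi: int = 72) -> bytes:
    """Constructed sample: a minimal baseline JPEG header plus a dummy scan (not a real photo)."""
    out = bytearray(b"\xff\xd8")
    app0 = b"JFIF\x00\x01\x01\x01" + struct.pack(">HH", dpi, dpi) + b"\x00\x00"
    out += b"\xff\xe0" + struct.pack(">H", 2 + len(app0)) + app0
    for tid in tables_defined:                 # 8-bit table filled with a flat value
        out += b"\xff\xdb" + struct.pack(">H", 2 + 1 + 64) + bytes([tid]) + bytes([16] * 64)
    n = len(component_tables)
    sof = struct.pack(">BHHB", 8, height, width, n)
    for i, tid in enumerate(component_tables, start=1):
        sof += bytes([i, 0x22 if i == 1 else 0x11, tid])   # id, sampling factors, table id
    out += b"\xff\xc0" + struct.pack(">H", 2 + len(sof)) + sof
    sos = bytes([n]) + b"".join(bytes([i, 0x00 if i == 1 else 0x11]) for i in range(1, n + 1))
    sos += b"\x00\x3f\x00"
    out += b"\xff\xda" + struct.pack(">H", 2 + len(sos)) + sos + b"\x00" * 8 + b"\xff\xd9"
    return bytes(out)


if __name__ == "__main__":
    # "suspect" mimics the cropped file: chroma components point at table 1, which is never defined.
    suspect = build_jpeg(600, 461, tables_defined=[0], component_tables=[0, 1, 1])
    baseline = build_jpeg(600, 460, tables_defined=[0, 1], component_tables=[0, 1, 1])
    for name, blob in ("suspect", suspect), ("baseline", baseline):
        info = parse_jpeg(blob)
        print(f"{name}: {info.width}x{info.height}, {info.colour_depth}-bit, dpi={info.dpi}, "
              f"missing quantization tables={sorted(info.missing_quant_tables)}")
```

The useful property of this kind of check is that it separates two questions the post runs together: whether a file is structurally unusual (a referenced-but-undefined table, an odd dimension, an outsized file for its pixel count) and whether it carries a hidden payload. The first is cheap to establish from headers and is worth recording for every suspect file before any steganalysis tool is run; the second still needs the tool and, as the post says, a baseline copy to compare against.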

Related Reading:
Al-Qaeda uses steganography - documents hidden in porn videos found on memory stick - http://www.infosecurity-magazine.com/view/25524/alqaeda-uses-steganography-documents-hidden-in-porn-videos-found-on-memory-stick/
Hidden Pictures: Steganography, Al-Qaeda and Anonymous - http://sofrep.com/15858/hidden-pictures-steganography-al-qaeda-anonymous/

5 comments:

  1. Okay... but you have to know that tons of people have used and re-used this photo so the text gets erased every time.

  2. Kim - exactly why I found the closest match to the original image as I could - to confirm the detection wasn't a false positive.

    Also - when you modify without resizing an image which has Steganography inside it - you will corrupt the embedded file.

    If you resize the image - the image is completely re-sampled by the photo editor and the embedded file is completely erased.

  3. I don't mean to be "that guy", but I feel it's necessary to note that first you must prove there is a message. Then once that has been proven there still isn't enough to say that the message has anything to do with terrorists at all. The title of this article seems VERY premature.

  4. Brandon - I agree 100% that we need to prove there's a message. That's why I've published this...in hopes that someone out there can crack the steganography and reveal the contents.

    The only reason I brought up the possibility of terrorist messages being contained within the file is that the signs have been out there that Anonymous is being manipulated by outside entities including Hamas.

    I felt that the fact that this image has multiple "indicators" of embedded content was worth enough to post.

    You'll notice I said I had two positive hits - the second hit I did not post because I'm unable to find any indicators outside of StegDetect that the image has embedded content. This is because I have no "baseline" image for comparison...unlike the meme image above.

  5. Ben - Thanks for the suggestion.

    I just tried cropping the image - and upon doing so StegDetect now returns the following error instead of saying the file contains embedded data:
    "error: Quantization table 0x01 was not defined"

    That's actually pretty interesting. This would possibly explain the errors I'm receiving with two other suspect files.

    As for the ELA of the images...

    The ELA of the suspect "Gym" image doesn't change much when cropping:
    http://fotoforensics.com/analysis.php?id=d410702b1b58ab1847c1997beecba66873d5472c.68090

    The ELA of the "Sandy" image does change slightly...but not nearly as significantly as the "Gym" image:
    http://fotoforensics.com/analysis.php?id=6f335aa0b46e9796ff9d750cd3f23ee19ea71fbe.67962

    I believe this may reinforce my theory that ELA does detect steganography images.

    I've updated my post above to reflect this new data.
