I have finally successfully cracked open one of the Anonymous related images suspected of containing Steganography...and I'm quite intrigued by its contents. As far as I know, this is only the second Steganographic image found in the wild which has been successfully cracked. The first image was posted online by NBC back in 2001 as part of a news story, and had a very simple password of "abc".
First, a little background. In my previous post, I revealed that a suspected steganography image had been posted by the twitter user @57UN, who was very involved and influential with anonymous.
Ever since, I've been keeping tabs on @57UN, looking for unusual behavior. Well wouldn't you know it, they didn't disappoint me!
Recently @57UN switched their account name to @TechoPirate, then shortly after disappeared completely. Since then, a new @57UN account has appeared, but I suspect it is not the original @57UN.
Anonymous discussing @57UN aka @TechoPirate |
Shortly after I noticed @TechoPirate had disappeared, I immediately began archiving and analyzing his/her twitpic files before they disappeared from the web for good.
Running Stegdetect, I found several additional files with suspected embedded data which I had originally overlooked. Interestingly enough, two of the files were embedded using Outguess, instead of jphide as previous files were found using.
I was actually able to crack both files. The first file to be cracked is the image below, which used the password " sophia" (note the space at the beginning).
Original image as posted on Twitpic |
- C:\Users\Ken\Projects\stegdetect>stegbreak.exe -r rules.ini -f "C:\Users\Ken\Pro
- jects\dictionary\eNtr0pY_ALL_sort_uniq.dic" -t o "C:\Users\Ken\Projects\stegdete
- ct\target\687336425.jpg"
- Loaded 1 files...
- C:\Users\Ken\Projects\stegdetect\target\687336425.jpg : outguess[v0.13b]( sophia)
- [Encore unsupported executable not stripped][U.`$..$......H..]
- Processed 1 files, found 1 embeddings.
- Time: 0 seconds: Cracks: 2584, Inf c/s
Since this file had such a weak password, I was able to crack it in under one second.
...but that's where the real mystery begins!
You see, the embedded file itself is unintelligible, but detected by both Stegdetect and VirusTotal as an "Encore unsupported executable not stripped".
I'm not familiar with this type of file, so if anyone would care to enlighten me, please feel free to post in the comments section below. I really need some help figuring out just what this file is - and doing so may crack the case wide open of who's really pulling the strings behind Anonymous?
For those interested in trying to figure out what the file is/does, I have it uploaded here:
https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/steg/687336425.txt
CAUTION: This file is an unknown type, and of unknown origin. It could be malicious in nature, be wary. I have given the file a .txt extension in case it is malicious.
Note that a second file was also cracked. However, attempts to extract the data using Outguess have shown that the embedded data is corrupt, and irretrievable. Should future attempts to extract the data be successful, I will post on the blog. The second file has a password of "15March1009".
Now, here's a few questions which need to be answered, besides the obvious "what is this file?"
- Does Anonymous know they're distributing files with embedded data?
- Is Anonymous adding this data, or is it being added by a 3rd party, using Anonymous as mules?
- How long has this been going on? The file above is almost a year old.
- Are there other accounts distributing steganography images?
- Why did @57UN suddenly disappear? Rumors are that he/she was hacked, but was it something else?
- Finally, just who is pulling the strings behind Anonymous?
If you'd like to replicate my results, the original image file has been uploaded to http://i.imgur.com/JR26qcb.jpg in case the original (http://twitpic.com/bd806h) goes down.
Stegdetect is freely available from http://www.outguess.org/
The version of Outguess used to extract the embedded file is available for download at http://www.mirrorservice.org/sites/ftp.wiretapped.net/pub/security/steganography/outguess/
Many thanks to @heinbrian, @phra95w17ch, and @Impatient4truth for helping me locate the old version of Outguess needed to extract the file contents.
Alternatively to posting a comment, you can also contact me through email: CaffSecBlog <at> Gmail <dot> com.
UPDATE 1: I've received some comments stating that this might be a false positive.
As such, I've used FotoForensics to do some additional analysis.
First, I located the top photo in the original image file, and ran it through FotoForensics.
Next I performed a FotoForensics on the Steganography image.
No comments:
Post a Comment