Fighting steganography detection
(benign viri as defence against sniffing)
Reverser's Anonymity Academy
by Fabian Hansmann
(04 January 1997, slightly edited by reverser+)
Courtesy of reverser's page of reverse engineering
Well, for once I'm hosting an essay of a person that does not use handles
nor avatars nor nicknames: Fabian Hansmann, the Author of Steganos, one of
the most interesting steganographic applications on the scene. His idea of using
a benign virus in order to spread noise is interesting, yet not new (some
+masters have already prepared long ago a 'benign' cracking virus -antibil7.com-
that registers Micro$oft's time-limited targets WITHOUT NOTICING the owner
of the PCs where these targets are found :-)
So Fabian's idea can be implemented, moreover we will of course begin ourselves,
during 1998, to 'deepen' (in a reversing sense) our knowledge of the whole
steganographical existing bazaar... and I'm happy that we'll work hand in hand
with steganographical experts (and nette Leute) like Fabian (and maybe
other Authors as well as it seems)
Fighting steganography detection
by Fabian Hansmann
During the last years steganography was known only among academics and
hackers.
Meanwhile - especially in 1997 - the situation has changed: steganography
software has started to enter the mass market, e.g. via freeware and shareware,
and computer magazines have discovered this interesting topic.
People trust steganographic systems because they simply cannot see or hear
any difference between a file carrying hidden information and one that does not.
Computer-based steganography implementations are a very new technology
which has never been through a dialectic process comparable to the one
encryption has been through.
Nobody knows whether secret services have already developed steganography
scanners that are searching the net for images or sounds containing hidden
data at the very moment you are reading this article.
Cryptographic methods have become very good in the last decades because
algorithms that had been kept secret in earlier years were analyzed
by the academic community.
One of the newer achievements of cryptography, for instance, is the public key
system, which was - officially - invented in the seventies of this century.
However, the ideas used in 'modern' steganography programs
are partly ancient - some of them are described in books of the 17th
As mentioned above, the mass media have started to write about steganography,
but the articles written about it are on a level far below the cryptography
There doesn't even exist any speculation about the existence of
Comparisons of existing steganography products are in most cases
limited to the supported carrier files and the quality of the user
interface. In more serious articles the encryption used is discussed,
but I have not read any article with helpful information about the
most essential point: the algorithm's resistance against detection.
I searched for information about the detection of carrier files
and asked many people - programmers, hackers and academics - whether they
knew of any usable results, but it seems that scientific
research is concentrating on watermarking techniques at the
There are only a few books about the type of steganography we are
The people I asked said they would start by looking into noise theory
- but this is a complex topic.
A simple trick to find out whether a file is encrypted is to try to
compress it - of course compressed files are also 'detected' this way.
Programmers know this fact - when you implement a compression algorithm
in an encryption program you must compress the data before(!) you encrypt.
I think one could modify a known compression algorithm to check a
potential carrier file for simple steganographic algorithms. If the
steganography program hides data in a file without filling the rest of
the carrier file with random data, one could apply some fuzzy logic,
compare the results of the spectral analysis for different parts of the
potential carrier file, and guess whether the file carries hidden
information or not.
If you compress two bitmap files - the original and the same file used as
a carrier file - with standard compression software, for example
pkzip, the original picture compresses better.
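The compression test described above, carried through on a constructed sample. This is an added example, not part of Fabian's essay and not code from Steganos: a synthetic 8-bit grayscale image stands in for an uncompressed bitmap (no file is read), its LSBs are overwritten with pseudo-random bits, once completely and once only in the first half, the way a tool that writes sequentially without filling the rest would, and zlib stands in for pkzip. The detector compresses the LSB plane as a whole and per segment: a plane that will not compress is flagged, and an uneven profile across segments is what the 'different parts of the carrier file' comparison above looks for. The image generator, the segment count and the thresholds 0.9 and 0.3 are my assumptions.

```python
import random
import zlib

# Constructed sample dimensions (assumption, not from the essay).
WIDTH, HEIGHT = 128, 128


def make_carrier(seed: int = 1, noise_rate: float = 0.02) -> bytes:
    """Constructed sample carrier: an 8-bit grayscale image made of flat 4x4
    blocks along a gradient, with a little sensor-like +/-1 noise.  It stands
    in for the pixel array of an uncompressed bitmap; no real image is read."""
    rng = random.Random(seed)
    pixels = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            value = (x // 4 + (y // 4) * 4) % 256
            if rng.random() < noise_rate:
                value = max(0, min(255, value + rng.choice((-1, 1))))
            pixels.append(value)
    return bytes(pixels)


def replace_lsbs(pixels: bytes, fraction: float = 1.0, seed: int = 2) -> bytes:
    """Overwrite the least significant bit of the first `fraction` of the
    samples with pseudo-random bits: what an encrypted payload written
    sequentially by an LSB tool looks like, with the rest left untouched."""
    rng = random.Random(seed)
    limit = int(len(pixels) * fraction)
    out = bytearray(pixels)
    for i in range(limit):
        out[i] = (out[i] & 0xFE) | rng.getrandbits(1)
    return bytes(out)


def lsb_plane(pixels: bytes) -> bytes:
    """Pack the LSB of every sample into a bit string, 8 samples per byte."""
    out = bytearray()
    for i in range(0, len(pixels) - len(pixels) % 8, 8):
        byte = 0
        for sample in pixels[i:i + 8]:
            byte = (byte << 1) | (sample & 1)
        out.append(byte)
    return bytes(out)


def compressed_size(data: bytes) -> int:
    """Size after zlib at its strongest level; zlib stands in for pkzip."""
    return len(zlib.compress(data, 9))


def compression_ratio(data: bytes) -> float:
    """Compressed size / raw size.  Near or above 1.0 means the data is
    indistinguishable from random (encrypted or already compressed) bits."""
    return compressed_size(data) / len(data)


def segment_ratios(data: bytes, segments: int = 4) -> list:
    """Compression ratio of each consecutive segment, so that a carrier that
    was only partly overwritten shows up as an uneven profile."""
    n = len(data) // segments
    return [compression_ratio(data[i * n:(i + 1) * n]) for i in range(segments)]


def analyse(pixels: bytes, threshold: float = 0.9) -> dict:
    """Apply the compression test to one suspect file's sample data: any
    segment whose LSB plane will not compress is flagged, and a large spread
    between segments hints at hidden data that does not cover the whole
    carrier.  Thresholds are assumptions chosen for this sample."""
    plane = lsb_plane(pixels)
    ratios = segment_ratios(plane)
    return {
        "whole": compression_ratio(plane),
        "segments": ratios,
        "suspicious": max(ratios) > threshold,
        "uneven": max(ratios) - min(ratios) > 0.3,
    }


if __name__ == "__main__":
    original = make_carrier()
    full = replace_lsbs(original)
    partial = replace_lsbs(original, fraction=0.5)
    for name, img in (("original", original), ("full", full), ("partial", partial)):
        print(name, "whole file compresses to", compressed_size(img), "bytes;", analyse(img))
```

Run as a script, the original's LSB plane compresses to a fraction of its size while the two overwritten versions' planes do not, and the half-filled one shows two random-looking segments next to two compressible ones. On a real file the test has to be fed decoded sample data (a BMP's pixel array, a WAV's samples), not the bytes of an already-compressed format such as JPEG or MP3, which are incompressible as a whole regardless of any hidden payload.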
A good example is the pair of pictures on Reverser's Steganography Page.
He labelled the two files the wrong way on purpose, but the truth was
relatively obvious, since the compressed carrier file is in most cases
bigger than the compressed original. Of course in 'real life reversing'
nobody has the original version of a carrier file if this has been well
Since we just don't know how steganography scanners - if they exist -
work, a pretty unorthodox method came to my mind for confusing such
scanners without needing to know how they work: faked carrier files
which contain non-sensitive data.
A good way to create and spread such files would be a
computer virus which replaces the least significant bits ('LSBs')
of sound and image files everywhere with pseudo-random data (and reproduces
itself, of course). The LSBs would then look like encrypted data.
This is very interesting in countries which have cryptography
restrictions. Think about France, for instance! Nobody can tell whether
sensitive information has been hidden in a file or whether, after a lot
of work, you'll just find some crap there.
Nobody can prove whether you use steganography (and you are the criminal) or
whether you have been infected by a nasty virus (and you are the victim).
The consequence of a virus like that would be widespread
steganography noise (which I will call 'stego-noise' from now on) on
personal computers all over the world and on the Internet.
Imagine the scenario: even supporters of the anti-crypto campaigns and
members of law-enforcement agencies would increase the stego-noise
and confuse scanners with false alarms without even noticing that their
computer systems had been infected.
After some weeks or months, when a high level of stego-noise has been
established by the virus, it could uninstall itself - probably before
it has been detected and without having damaged the system.
We know that the heuristic virus scanners sold nowadays are far from
perfect. With some well-known tricks one could write a self-encrypting
virus (a 'benign' one of the sort discussed above, that is) of a kind
which would not be detected too fast.
This virus would confuse a steganography detection - even a perfect
But one must keep in mind that even non-destructive viruses can damage
a system, because of unforeseen bugs and unexpected environments -
and that is definitely not what we want to achieve!
Creating extra noise is not a very elegant way. The idea behind our
science, steganography, is hiding information inside noise which already
exists - for example in the chaotic background noise of a recorded
I think the best way to defend ourselves against steganography detectors is
attacking the existing steganography algorithms, which is a highly interesting
project, and at the same time improving the existing steganography
The possibility of detecting carrier files does not break the
cryptographic barrier, but that's a different topic and comparatively
The Contraband cracker 'anti-contraband', for example, extracts
a hidden file out of a carrier file when you use it. This only works for
steganography programs using a bad cryptographic algorithm or
implementation, badly chosen passwords, or if massive brute force
is available. And even if you are able to crack a single file, you can't use
this method if you do not know which file contains the hidden
information you are after.
If nobody has written a steganography detector yet, people will do it
as soon as cracking steganography algorithms becomes more interesting -
for financial/commercial reasons, for instance.
They will probably succeed... yet we will always be ahead of any
commercially oriented mind :-)
 Gaspari Schotti, "Schola steganographica", 1680,
 Bruce Schneier, "Applied Cryptography" (Chapter 10.7), 1996, Wiley
 Reverser, "Reverser's Steganography Page", 1997,
 Hens Zimmerman and Julius Thyssen, "Contraband", 1997, http://www.xs4all.nl/~jult/4u/contrabd.exe
 Massimiliano, "anti-contraband", 1997,
Written in 1997/1998 by Fabian Hansmann, author of the
steganography program Steganos for DOS
and coauthor of Steganos for Windows 95
reverser December 1997 ~ January 1998