Cisco Blogs

I’m Looking Thru You

- March 17, 2010

There are a bunch of reasons to hide info. Normally, if you REALLY want to hide data, you just encrypt it with folks in your key circle and it’s Newcastle time. However, sharing stuff with folks outside of the “circle of trust” meant hiding it in plain sight. We still do it for practice, to see if folks can find any clues and to keep our skills sharp. Kinda like a Paul McCartney is dead thing for us geek type folks. Back in the day, we used to hide URLs or code in plain sight by using Base64 encoding, then hide them in the common URL and slip thru just about everything. Things have sure changed big time.

A few months back I took a fantastic class called Urban Escape and Evasion. You can read about it here. One of the principles taught in that class was the art of hiding in the open. The trick is looking like the things folks naturally look away from, and have looked away from so often that it is a normal part of our routine to not process this information. Folks like construction workers, civil servants, bikers, Joe business douche bag, etc… slip in and out of our day with near invisibility.

Malware jockeys are hiding data in plain sight by encoding it in multiple places but then having JavaScript assemble it at runtime. This vector is harder to find than an empty seat at a Jek Porkins autograph signing. I started working with the Windows-based tool Malzilla to look for malware hiding in plain sight.

Malzilla’s small footprint is about the size of an average Python script for Linux: around 3 Meg. It is very easy to use; just copy the URL into the URL box at the bottom of the first tab and you’re off to the races baby! You do need to understand coding principles to get the hang of the info, but it’s not that bad. They have a nice collection of tutorials on the website to get you going. Although Malzilla does a good job of sandboxing your machine, as a best practice I never ever analyze malware without using a dedicated sandbox machine running VirtualBox. If you are looking for a good malware analyzer with a nice supply of decoders and access to the full source code that runs on Windows, it’s hard to beat Malzilla. I keep it in my tool box for sure.
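A static look at the split-and-reassemble pattern described above, as an added example that is not from the original post or from Malzilla: it resolves the variable concatenation without executing the script, and shows that scanning each string on its own finds nothing while the joined string decodes to a URL. The sample script, its variable names and the placeholder URL are constructed, and Base64 as the encoding is an assumption.

```python
import base64
import binascii
import re

# Constructed sample: a Base64-encoded placeholder URL cut at arbitrary
# offsets, stored in three variables and joined only at runtime.
SAMPLE_JS = '''
var a = "aHR0cDo";
var logo = "banner.png";
var b = "vL2V4YW1wbGUuY29";
var c = "tL2hpZGRlbg==";
var u = atob(a + b + c);
'''

ASSIGN = re.compile(r'var\s+(\w+)\s*=\s*"([^"]*)"\s*;')
CONCAT = re.compile(r'\w+(?:\s*\+\s*\w+)+')
URL = re.compile(r'^(?:https?|ftp)://\S+$')

def decode_url(text):
    """Return the Base64-decoded text if it is a URL, else None."""
    try:
        decoded = base64.b64decode(text, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return decoded if URL.match(decoded) else None

def fragment_hits(js):
    """What a per-string scanner sees: each literal decoded on its own."""
    literals = dict(ASSIGN.findall(js))
    return [u for u in map(decode_url, literals.values()) if u]

def reassembled_hits(js):
    """Resolve `a + b + c` joins from the literal table, then decode."""
    literals = dict(ASSIGN.findall(js))
    hits = []
    for expr in CONCAT.findall(js):
        names = [n.strip() for n in expr.split("+")]
        if all(n in literals for n in names):
            url = decode_url("".join(literals[n] for n in names))
            if url:
                hits.append((expr, url))
    return hits

if __name__ == "__main__":
    print("per-fragment:", fragment_hits(SAMPLE_JS))
    print("reassembled: ", reassembled_hits(SAMPLE_JS))
```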

Talking about hiding stuff without giving a nod to steganography is like going to Germany and not driving on the Autobahn. There are a ton of methods of hiding data inside of all types of files. Hey, talk about being ignored; spam emails are ignored more than a suggestion to have a tofu night at a karaoke bar. I have blogged before about a great tool to use here. But what about stuff for hiding files inside of files? I need proggies better than and not as noisy as STREAMS by Microsoft via their ADS subsystem. Stuff like Hydan, the ultra easy to use Data Stash, Xidie, etc… One of my favs is StegaNote. It’s a little older Windows tool but it is still hard to beat, ultra simple to use and nearly impossible to recover data from. With these tools I can hide the secret of life… the Konami Code (↑, ↑, ↓, ↓, ←, →, ←, →, B, A). The flip side of the coin here is that it is very difficult to detect and even recover the hidden info. I have had some luck with StegDetect but it is still a very tough job, so pack a lunch. Why should you care about this stuff? Understanding Steg (as it is called by the cool crowd) is like learning lock picking. Many locked doors are now open and you can see a whole new world of communication on the Internet. Things like malware results will almost never be posted in an Excel spreadsheet, notepad file or ftp server. They will be hidden in stuff that you ignore by design… like a web site logo… perhaps…

Finally, on this road to finding hidden stuff, let’s take a quick look at hard drives. Security is really getting better and better with each software roll. Hackers/Malwarriors are looking at other vectors to get into systems. One of the best ways to scrape info is purchasing used systems and harvesting the hard drive. It is very difficult to get rid of data once it has been magnetically written to a drive. Deleting data does not work, even if you run defrag afterwards, delete a partition or even reformat the drive. The data is not removed; it is just reflagged for use. I wrote a program a few years back that looks for Windows deleted files by simply looking for any data flagged E5h in the first bit position, then recovers and replaces it with the letter Z. It still works great!
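The deleted-file scan described above, sketched as an added example (not the author's program): it assumes a FAT file system, where a deleted directory entry keeps its metadata and only the first byte of the file name is overwritten with E5h. The directory table, the file names and the `make_entry` and `find_deleted` helpers are constructed for illustration.

```python
import struct

# FAT short directory entry: name[11], attr, 8 bytes skipped, cluster-high,
# 4 bytes skipped, cluster-low, file size = 32 bytes.
ENTRY = struct.Struct("<11sB8xH4xHI")
DELETED = 0xE5         # first name byte of a deleted entry
ATTR_VOLUME_ID = 0x08  # set on volume labels and long-name (0x0F) entries

def make_entry(name11, attr, cluster, size):
    """Build one constructed directory entry for the sample table."""
    return ENTRY.pack(name11, attr, cluster >> 16, cluster & 0xFFFF, size)

# Constructed directory table: one live file, one deleted long-name slot,
# two deleted files, then the all-zero entry that ends the directory.
SAMPLE_TABLE = b"".join([
    make_entry(b"README  TXT", 0x20, 5, 120),
    make_entry(b"\xe5s\x00e\x00c\x00r\x00e\x00", 0x0F, 0, 0),
    make_entry(b"\xe5ECRET  DOC", 0x20, 9, 20480),
    make_entry(b"\xe5UDGET  XLS", 0x20, 0x00011234, 4096),
    bytes(ENTRY.size),
])

def find_deleted(table):
    """Return recoverable metadata for every deleted short-name entry."""
    found = []
    for off in range(0, len(table) - ENTRY.size + 1, ENTRY.size):
        name, attr, hi, lo, size = ENTRY.unpack_from(table, off)
        if name[0] == 0x00:            # never used: nothing follows
            break
        if name[0] != DELETED or attr & ATTR_VOLUME_ID:
            continue                   # live file, label, or long-name slot
        # The original first character is gone; substitute "Z" as the post does.
        stem = ("Z" + name[1:8].decode("ascii", "replace")).rstrip()
        ext = name[8:].decode("ascii", "replace").rstrip()
        found.append({
            "offset": off,
            "name": f"{stem}.{ext}" if ext else stem,
            "first_cluster": (hi << 16) | lo,
            "size": size,
        })
    return found

if __name__ == "__main__":
    for hit in find_deleted(SAMPLE_TABLE):
        print(hit)
```

The starting cluster and size survive in the entry, which is why the file contents can still be read back until those clusters are reused.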

Many folks, when they get a system ready for resale, will not take the time to run disk wiping software because that normally also means reinstalling the OS and all of the driver packs. So they either manually delete data files and run disk defrag, or they delete a partition and believe that has covered their tails. If they are lucky, they will only make headlines. However, most of the time this mistake is a gold mine of info that is a closely guarded secret. There are many ways to mine for that gold, but here is the easiest. When it comes to scraping an old hard drive, I use the BlacX external disk reader from Thermaltake and the fantastic recovery software from DiskInternals, Partition Recovery, and the data reappears like it never left. That’s because it never did. If it is an older system, I run GRC’s SpinRite first, and then I use Partition Recovery. Be careful with older hard drives. Hey man, hard drives are cheap and I consider them a loss and not included with a used system. Then I smash my platters with a hammer. Not only is it secure but it’s therapeutic as well! Well, it’s time for my marathon conf calls to begin. If you know of a class that can help me disappear on these, please forward the info to me!

Jimmy Ray Purser

Trivia File Transfer Protocol

Surfing the Internet may help delay dementia because it creates stimulation that exercises portions of the brain. YES!


