Steganalysis of Hydan

  • Jorge Blasco
  • Julio C. Hernandez-Castro
  • Juan M. E. Tapiador
  • Arturo Ribagorda
  • Miguel A. Orellana-Quiros
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 297)

Abstract

Hydan is a steganographic tool that can be used to hide any kind of information inside executable files. In this work, we present an efficient distinguisher for it: we have developed a system that detects executable files in which information has been embedded with Hydan. Our system uses statistical analysis of the instruction set distribution to distinguish between files with no hidden information and files that have been modified with Hydan. We have tested our algorithm against a mix of clean and stego-executable files. The proposed distinguisher tells these files apart with a 0 ratio of false positives and negatives, thus detecting all files in which information has been hidden with Hydan.

Copyright information

© IFIP International Federation for Information Processing 2009

Authors and Affiliations

  • Jorge Blasco (1)
  • Julio C. Hernandez-Castro (1)
  • Juan M. E. Tapiador (1)
  • Arturo Ribagorda (1)
  • Miguel A. Orellana-Quiros (2)

  1. Carlos III University of Madrid, Leganés, Spain
  2. Ministry of Economy, Madrid, Spain
