A Picture is Worth a Thousand Viruses

November 22, 2017


In the video game Plague Inc., a player tries to destroy all of humanity by creating a super pathogen. The secret to winning (spoiler alert) is to make your plague hyper infectious but with no obvious symptoms. The minute people start exhibiting symptoms, the Centers for Disease Control (CDC) and the World Health Organization (WHO) rush to cure the disease. Certain countries will shut down, stopping all travel into the country and preventing the infection from spreading. If you can stay under the radar long enough, you can evolve your pathogen to infect the entire world.


Staying off the radar is the concept behind a relatively new form of cyberattack, called stegware. The name comes from steganography, which is an ancient form of conveying secret messages in plain sight. Steganography has been with us since the time of Herodotus. Classic examples of steganography include messages knitted into clothing worn by couriers and POWs blinking in Morse code to convey messages to the folks back home.


While cryptography can be used to protect the contents of a message, steganography conceals the fact that a message is even being sent.


This ancient form of secret communication has become a modern threat thanks to computers. Electronic communications and/or viruses can easily be hidden in documents and images. Images are especially effective for steganographic transmission because of their large size. You can replace the color of every hundredth pixel to correspond to a letter in the alphabet, and no one will notice the difference.
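
From the defender's side, the "every hundredth pixel" scheme above leaves a recognizable trace when a trusted copy of the image is available for comparison. The following is an added example, not code from McAfee or from the original post: it assumes grayscale images represented as flat lists of pixel values, and the function names and sample data are hypothetical.

```python
from functools import reduce
from math import gcd

def changed_pixels(original, suspect):
    """Return the indices where two equal-length pixel lists differ."""
    if len(original) != len(suspect):
        raise ValueError("images must have the same pixel count")
    return [i for i, (a, b) in enumerate(zip(original, suspect)) if a != b]

def analyze(original, suspect, min_hits=4):
    """Flag a suspect whose changed pixels sit on a fixed stride and read as text."""
    idx = changed_pixels(original, suspect)
    report = {"suspicious": False, "changed": len(idx), "stride": None, "text": ""}
    if len(idx) < min_hits:
        return report  # too few differences to infer any pattern
    # The gcd of the gaps between changed pixels recovers the spacing even if
    # some carrier pixels happened to already hold the written value.
    stride = reduce(gcd, (b - a for a, b in zip(idx, idx[1:])))
    report["stride"] = stride
    values = suspect[idx[0]:idx[-1] + 1:stride]
    # Ordinary noise or recompression touches pixels irregularly (stride 1);
    # a regular stride whose pixels are all printable ASCII is not accidental.
    if stride > 1 and all(32 <= v < 127 for v in values):
        report["suspicious"] = True
        report["text"] = bytes(values).decode("ascii")
    return report

# Constructed sample data (not from any real image).
ORIGINAL = [(i * 7) % 256 for i in range(2000)]
SUSPECT = list(ORIGINAL)
for n, ch in enumerate(b"MEET AT NOON"):
    SUSPECT[n * 100] = ch          # one letter in every hundredth pixel
NOISY = list(ORIGINAL)
for i in (3, 10, 24, 31, 57):
    NOISY[i] = (NOISY[i] + 1) % 256  # irregular, benign-looking differences

if __name__ == "__main__":
    print(analyze(ORIGINAL, SUSPECT))
    print(analyze(ORIGINAL, NOISY))
```

The comparison only works when a known-good original exists, for example the file as the advertiser or designer supplied it; without a reference copy, detection has to rely on statistical tests instead.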


According to the cybersecurity company McAfee, stegware provides “one big advantage to cybercriminals: it exponentially multiplies the success rate of the attack. For example: without steganography, security researchers may be able to tackle a malvertising campaign within the range of days or weeks. However, a campaign launched with the stealthy help of steganography could be running for months or years before it is detected.”


“Steganography has been successfully used for data exfiltration, espionage, concealed communications, C2/botnets orchestration, malvertising and ransomware propagation, among others,” says McAfee. Here are a few examples:


  • Employees have used stegware to steal information. The sensitive files are encoded into images and uploaded to social networks to avoid detection.
  • Groups of cybercriminals have used stegware to coordinate attacks from different countries by hiding secret messages in profile pictures and emulating chat services.
  • Successfully deployed botnets have been configured to periodically download steganographic images from a public social account, in order to carry out instructions.
  • Cybercriminals can conceal malicious code in advertising images, which allows them to quickly reach large audiences.


This is a relatively new area of cybercrime, and security companies are rushing to keep up. You can see how easily cybercriminals can exploit seemingly benign images and files. One way to try to keep your company safe is to let your employees know this kind of crime is on the rise, remind them never to download images (or anything else) from unknown sources, and try to keep them off social media while using work computers. Of course, that won’t work for every situation. McAfee is launching a new Steganography Defense Initiative that even features a way to test images for stegware. It’s still in beta, but it’s a good link to keep handy.


For more information on cybersecurity, contact Vanguard Resources.