Intensive Image Malware Analysis and Least Significant Bit Matching Steganalysis

10/02/2021
by Yogesh Kulkarni, et al.

Malware, as defined by Kaspersky Labs, is a type of computer program designed to infect a legitimate user’s computer and inflict harm on it in multiple ways. The exponential growth of the internet has led to a significant escalation in malware attacks, which affect large numbers of users and often lead to disastrous consequences. One of the most menacing methods of spreading malware is through images. In this paper we analyze the following methods of embedding malicious payloads in images: 1) Disguising PHP/ASM web shells inside the Exchangeable Image File Format (EXIF) data of an image. 2) An injection vulnerability that conceals Cross-Site Scripting (XSS) in the EXIF data so that a malicious payload executes when the image is uploaded to a browser. 3) Passing off a malicious executable packaged as a zipped .sfx archive as an image. 4) Splitting the attack payload into a benign-looking decoder and code encoded in pixel values. 5) The Least Significant Bit (LSB) Matching steganography technique used to embed a pernicious payload in image pixel data. After extensive analysis of these malware embedding techniques, we present ‘AnImAYoung’, an image malware analysis framework that thoroughly examines given images for the presence of any kind of anomalous content. Our framework utilizes ensemble methods to detect minute statistical changes in images using machine learning, where the LSB Matching steganography technique was used for payload embedding, which increases the accuracy of the framework. The framework achieves excellent performance by applying sophisticated computing algorithms and can be easily integrated with organizations working with Big Data, providing them with a robust malware security option. This study describes the need for, and a practical approach to, tackling this novel method of malware dissemination.
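The first three embedding methods listed above (script markers hidden in EXIF/comment metadata, and an archive or executable appended to what otherwise looks like an image) are structural rather than statistical, so a defender can screen for them by walking the JPEG marker segments instead of decoding pixels. The following is an added example written for this page; it is not the AnImAYoung framework or any code from the paper. It assumes JPEG input only, a hand-picked list of suspicious byte patterns (an assumption, not a complete signature set), and constructs its own minimal JPEG-like byte strings for testing.

```python
import re
import struct
from dataclasses import dataclass, field

# JPEG marker codes used below
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP1, COM = 0xE1, 0xFE

# Byte patterns that have no legitimate place in image metadata.
# Assumption: this short list is illustrative, not an exhaustive signature set.
SUSPICIOUS = re.compile(
    rb"<\?php|<script\b|eval\s*\(|base64_decode|system\s*\(|passthru\s*\(|/bin/sh",
    re.IGNORECASE,
)


@dataclass
class ScanResult:
    findings: list = field(default_factory=list)  # human-readable hits
    trailing_bytes: int = 0                       # bytes found after the EOI marker


def parse_segments(data: bytes):
    """Walk the marker segments that precede start-of-scan.

    Returns (segments, sos_offset): segments is a list of (marker, payload);
    sos_offset is the offset of the SOS marker, or None if none was found.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, segments = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"marker expected at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte, skip it
            pos += 1
            continue
        if marker == SOS:
            return segments, pos
        if marker in (SOI, EOI) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes its own 2 bytes
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments, None


def scan_jpeg(data: bytes) -> ScanResult:
    """Flag script markers in metadata segments and any data appended after EOI."""
    result = ScanResult()
    segments, sos = parse_segments(data)
    for marker, payload in segments:
        # APPn (EXIF lives in APP1) and COM segments carry free-form metadata
        if marker == COM or 0xE0 <= marker <= 0xEF:
            for m in SUSPICIOUS.finditer(payload):
                hit = m.group().decode("ascii", "replace")
                result.findings.append(f"marker 0x{marker:02X}: {hit}")
    if sos is not None:
        # Inside entropy-coded data 0xFF is always stuffed (FF 00) or an RSTn marker,
        # so the first FF D9 after SOS is the real end-of-image marker.
        eoi = data.find(b"\xff\xd9", sos)
        if eoi == -1:
            result.findings.append("no EOI marker (truncated or malformed)")
        else:
            result.trailing_bytes = len(data) - (eoi + 2)
            if result.trailing_bytes:
                result.findings.append(f"{result.trailing_bytes} bytes after EOI")
    return result


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample(exif_extra: bytes = b"", comment: bytes = b"", trailing: bytes = b"") -> bytes:
    """Constructed minimal JPEG-like byte string for testing; not a decodable picture."""
    exif = b"Exif\x00\x00" + b"II*\x00" + b"\x08\x00\x00\x00" + b"\x00\x00" + exif_extra
    body = b"\xff\xd8" + _segment(APP1, exif)
    if comment:
        body += _segment(COM, comment)
    body += b"\xff\xda" + struct.pack(">H", 2)   # SOS with an empty header
    body += b"\x12\x34\x56" + b"\xff\xd9"         # placeholder scan data, then EOI
    return body + trailing


if __name__ == "__main__":
    sample = build_sample(comment=b"<?php /* constructed marker */ ?>", trailing=b"PK\x03\x04constructed")
    for line in scan_jpeg(sample).findings:
        print(line)
```

The check stops at the first SOS marker on purpose: everything a scanner needs for these three cases lives in the marker headers and in whatever follows EOI, so no image decoder (and its own attack surface) is pulled in. The LSB matching case is different in kind, since a ±1 change to pixel values leaves the file structure untouched, which is why the paper turns to statistical features and an ensemble classifier for it.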
