Saint Louis Software Banner

Abyss Dropper

First and foremost, if there's anything I've learned in recent years, it's that security projects need cool names and logos (see: Heartbleed, Shellshock, Stagefright, etc), or else people will be bored to death with all the technical details. Everyone remembers Heartbleed, but nobody remembers CVE-2014-0160 (even though they're the same thing). You need to make it seem more interesting and easy to remember, or else it might not get much attention. Abyss Dropper is a multi-stage dropper which coincides with some semi-related security research I conducted on my own.

I made a file steganography tool called FileHider, which is a tool for hiding files within other files. I decided to test files I made using this tool on a number of websites. The result was very surprising. Many websites don't properly validate image uploads. This means you can upload arbitrary files to many public, well-known, fast, high-availability, highly-trusted websites.

Some sites use something like imagemagick in order to compress images, and they sometimes get rid of exif metadata as well. But some just leave an image as-is, and even leave any trailing data too. But recompression isn't enough. There are a few different methods of steganography, such as least significant bit, but that changes the image slightly, and can be thwarted by simple recompression.

This issue pertains specifically to JPGs, PNGs, and GIFs. I could go more into detail about why that's the case, but that might enable bad people to use this same basic concept. Each of these can have files embedded within them without corrupting the image. If you try to add arbitrary data to a word document, for example, it will become corrupt and MS Office will complain when you open it.

But when you hide files within image files, the image is still valid, and can even be completely unchanged if you use my particular method of steganography. However, it is possible to hide files within image files that are stored in other files, such as having a FileHider image inside of a word document, but LibreOffice seems to be better for steganography than Microsoft Word, for some reason.

There are many problems with the way a lot of sites handle image file uploads, but instead of leaving the potential for misuse up to someone's imagination, I decided to come up with a proof-of-concept malware dropper that can be used in conjunction with FileHider and the steganographic file upload vulnerability. A dropper is a piece of malware whose only purpose is to be compact and look relatively benign and then download and execute a payload when it's executed. Some potential attack vectors could be a maldoc, trojanized software on a torrent tracker, PDF reader code execution CVE, or something like that.

But in many cases, it's easy to see when a dropper is downloading its next stage from a malicious domain. Some malware uses domain-generating algorithms, which can have suspicious-looking second level and even top level domains. Some malware uses hacked sites, though they are often small businesses or relatively unknown sites. Definitely not Alexa/Moz top 500 sites. What separates Abyss Dropper from other forms of payload delivery is that Abyss Dropper uses domains and file types that are generally trusted and thought to be non-malicious. Another idea I had related to this concept is writing an image parser that can check for post-EOI/post-IEND/post-trailer data in image formats (which would be capable of detecting Abyss Dropper stages).

Malware with no dropper is considered single-stage, since everything happens at once. But droppers can be multi-stage. A typical dropper might only be two stages: running the dropper, then downloading everything else. Or it can be as many stages as you want. An abyss is really deep or even endless, and that's why I called my dropper Abyss Dropper.

How Abyss Dropper works is that you take your payload and break it up into smaller pieces (I might make a tool to automate this process, but for now, it's manual), and then you use FileHider to hide the encrypted pieces of the payload within image files that you will manually upload to various trusted websites that have this file upload issue.

From there, you use Abyss Dropper to generate a dropper that will download the pieces of the payload, put them back together, and execute it.

I plan on eventually adding pseudo-polymorphic features to it, at least basic stuff like string randomization. That will thwart basic IOC stuff.

The point of this project is to show that a certain kind of file upload vulnerablity I found needs to be taken seriously. Because it's not as obvious as other kinds of security issues, this steganographic upload problem might not be fixed unless I show how it can be used for bad things.

Abyss Dropper is only intended to be used for educational or demonstrative purposes, and for that reason I am not making it public. I am sharing it with people I know in person. For example, if I'm networking with someone or going to a job/internship interview, I don't mind letting someone see it. But I don't want to make it available to just any old person because of how it can be used maliciously.

I am a benevolent security researcher and I mean no harm, which is why I take responsible disclosure seriously, and why not all of my security projects are available online right now.

If you are interested in Abyss Dropper, please contact me here.

Abyss Dropper will be available on GitHub here in the near future.