Web Hosting Talk







View Full Version : Strange new compression for warez!!!


The Prohacker
04-13-2002, 11:55 AM
Recently a friend who is also a host asked me about any new compression types. They seem to have several users on their free service uploading what look like pictures, but are around 40-80k, and of such poor quality that they cannot be that large.

When you try to open the image in an image editor it will crash most of the time. The images have no tag line like you would see from a compression tool, or an image editor. So this leads me to believe this is a custom tool...

All traffic on these accounts is FTP, so no referral address, and they always use proxies...

This, as I understand, is slowly spreading across the internet, so this could make its way to paid hosts soon....

I won't post a link up to the image in public, because it does have porn on it... But if you want to have a look at it, feel free to PM me, and I'll provide you with a copy.....

agiledesigns
04-13-2002, 12:29 PM
I believe what you are referring to is steganography. If you say that the size is around 80kb, then no actual software is in there. It is either some serial numbers or at the most software cracks. I really don't think there is a way you can find out what is actually in them unless you have the password for decryption.

The Prohacker
04-13-2002, 01:14 PM
I don't really care about finding out what's inside, but I'd just like to find out how to find these files every few minutes and eliminate them from the servers....

ToTheMax
04-13-2002, 01:21 PM
Hi The Prohacker,

The person who owns the website might be hosting some porn movie; I've seen this kind of thing elsewhere. The person uses a program to split 1 big movie file into small parts, and those split files will act like ordinary image files.

Best Regards

bitserve
04-13-2002, 10:50 PM
You confused me.

They look like pictures, but you can't open them, yet they're low quality pictures?

The Prohacker
04-13-2002, 11:24 PM
Originally posted by bitserve
You confused me.

They look like pictures, but you can't open them, yet they're low quality pictures?


You can view the pictures via things like IE, and they will be fine, but if you open them in something like ACDsee, the program will lock up, same with Photoshop...

ToTheMax
04-14-2002, 02:55 AM
Hi,

Yes, these images are very low quality even though the extension is JPG or PNG (the extension can be anything); the pixel size is also very low, like 50x50.

MattF
04-14-2002, 10:37 AM
In summary, the binary for the picture might take up something like 5kb of the file (e.g. a low quality pornographic jpeg) and the remainder of the file is some sort of binary which could be encrypted warez. IE will read the 5kb of the file which is an image and disregard the other 75kb of what it thinks is nonsense; most people won't suspect a thing. Whereas it sounds as if ACDSEE and Photoshop are trying to use this extra information in the file (perhaps thinking it's metadata) and hence crash because it's non-standard. The special warez decrypt, downloader, dezip program will disregard the 5kb which is an image and retrieve/decrypt the other 75kb into some useful warez.

SoftWareRevue
04-14-2002, 10:44 AM
Wow. Thanks for such a detailed explanation, Matt.

That helps a lot. :)

thewitt
04-14-2002, 11:08 AM
This is not steganography by the way.

Steganography is the embedding of hidden data within the data that makes up the picture. This data can be anything - another image, text, a program - it doesn't differentiate.

Photoshop doesn't recognize this extra data is not part of the image, and will display the image just fine.

The extra information can be viewed if you know the key for the image.

Steganographic techniques are often used for digital watermarking - and are quite effective in most cases.

Here's a nice introduction to the technique.

http://www.jjtc.com/stegdoc/stegdoc.html

-t

bitserve
04-14-2002, 06:45 PM
That's interesting. You'd think, if they really wanted to hide the files, and make them appear to be images, that they would use cute pictures of fuzzy little kittens and puppies, and not porn.

Because porn is going to get deleted by the free space providers, too. Oh well, it's not like I ever assumed that the warez kiddies were smart.

aus
04-14-2002, 09:26 PM
bitserve, we are an ADULT freehost, I'd delete accounts with cute kitties in them for straying into bestiality.

Seems now, running locate /. for the hell of it, is turning up a lot of hidden directories and hidden files.

Can anyone point me to a coder/ready made solution for a script that would constantly crawl our servers and delete this stuff?

Tim Greer
04-14-2002, 09:48 PM
You can check the file to see if it's really an image, but it looks like it technically is, sort of. I wonder if you can check the end of the file to see if it still appears to be? Well, nonetheless, something to check to make sure there's nothing inside that file. I assume there's nothing like this out there? Is there any common pattern that the file can be checked for? If so, there's something to go on. Basically, assuming that can be done, you can check all the files initially, and just have a cron job check any newly uploaded files that are 24 hours old or newer, every 24 hours -- as there's no need to recheck the same files again, unless they have been modified or whatever. If there's anything common to these types of tricks, it can be defeated. I don't know enough about it to know if that's the case though.

The Prohacker
04-14-2002, 11:40 PM
Originally posted by aus
I'd delete accounts with cute kitties in them for straying into bestiality.



Hahhah.... Only you aussy, only you... :D

dot.K
04-17-2002, 07:35 AM
Hey guys,

This software you are talking about is called Camouflage ...

You can find it at :

http://www.camouflage.freeserve.co.uk/

Those kiddies are using it to put MP3s in a cloaked way
on their free webspace.

davidb
04-17-2002, 11:11 AM
When I did free hosting we got this all the time. I remember the small thumbnail pics. Hates em so much

aus
04-17-2002, 10:27 PM
davidb -
Yup agree with ya there, we put up a message on the join page, applet upload page (yes we do offer that as well as ftp) and in the welcome email warning that we sniff for, suspend and report accounts that have illegal content, cloaked, uncloaked, hidden, whatever. Account sign ups dropped, but we have found only 1 suspect account since. We still look for this **** 3 to 4 times a day to be sure.

dot.K -
You're a legend, thank you.

dot.K
04-18-2002, 08:27 AM
Originally posted by aus
dot.K -
You're a legend, thank you.

*blush* .. Glad I could help :)