Theory

Introduction to Steganography

Steganography is the practice of concealing messages or information within other non-secret, ordinary files or data, making the presence of the hidden content less noticeable. Unlike cryptography, which protects the content of a message from being understood, steganography hides the very existence of the message. This makes it especially useful in situations where secrecy is crucial, such as private communication, digital watermarking, or malware communication.

Common steganographic methods use media files such as images, videos, and audio as carriers to embed hidden data. These types of files are chosen due to their large size and complex structure, which allows for minor changes to go unnoticed. For example, an image file contains millions of pixels, each of which can carry a tiny amount of hidden data without visibly altering the image.

The LSB algorithm is one of the simplest and most widely used techniques in image steganography. It involves modifying the least significant bit (the rightmost bit) of each pixel's color value to store a piece of hidden data. Since the change in this bit causes very minimal difference in the pixel's appearance, the image looks almost the same to the human eye.

For example, in an 8-bit RGB color system, each color channel (Red, Green, Blue) has 256 levels. Changing a value from 100 (binary 01100100) to 101 (01100101) affects only the least significant bit and is visually imperceptible. By modifying these bits across a large number of pixels, entire messages or files can be embedded in the image.

Using the LSB method, a wide range of data types can be hidden:

• Plain text – secret messages or passwords
• Compressed files – ZIP, RAR, or any archived formats
• Executable files – potentially malicious code or scripts

While LSB steganography has legitimate applications such as digital watermarking and secure communication, it has also been adopted by cybercriminals. Advanced malware such as DNSChanger and Vawtrak have used steganographic methods to hide command-and-control (C2) URLs or payloads inside innocent-looking images. These malware families download images from the internet, extract the embedded information, and execute malicious instructions without triggering standard antivirus detection.

To help students understand how LSB can be used in cybersecurity attacks, this experiment includes a simulation where a document file (e.g., Word) with an embedded VBScript extracts a hidden C2 URL from an image. The VBScript then downloads a payload and executes it, mimicking the behavior of a real malware. This hands-on simulation provides insight into how attackers may bypass traditional security measures.