Parasitic Storage

[Symantec]

Parasitic Storage
<p>The Internet is home to billions of computers, all of which perform the jobs they have been programmed to do. Each of these computers has a hard drive and RAM. It’s a rare case that either is completely full. A billion computers, each with a couple spare megabytes, works out to a few terabytes in a very conservative estimate. </p>

<p>There are several ways that this space can be harnessed to varying degrees, depending on what the ultimate goal of an attacker is. A tiny bit of RAM on a large number of computers can be used to store secret data that an attacker wants to hide, while a lot of information can be stored on some servers at the risk of being found and removed. Harnessing this space is often referred to as "parasitic storage."</p>

<p>One parasitic storage technique, called "juggling," can be used for extremely sensitive or illegal information. The goal for the attacker is to ensure that the complete body of information is never on their computer all at once, but that part of it is always traversing the Internet. This can be accomplished in several ways, but one common way is to use the ping functionality. The attacker finds a large number of slow and stable servers, and sends an encrypted piece of the information to each of them. When the information comes back, it's immediately re-transmitted to another random server in the group. Another method is to use SMTP (email) servers. The initial command sent to an SMTP server is "HELO", followed by any number of bytes, then a newline. When the newline is sent, those bytes are echoed back to the user. By maintaining the connection and not sending the newline, an attacker can store a decent amount of data in the SMTP server's buffer. </p>

<p>What is the point of juggling? Because the information is encrypted and the complete body of information doesn't exist in any one place, it's nearly impossible for an attacker to retrieve the data, unless someone manages to take control of the juggling program. If the computer is powered off or unplugged, the data is lost forever. Although losing data this easily may be seen as a drawback to some, it's an advantage when the attacker wants plausible deniability. As far as anyone such as parents or law enforcement can tell, the data never even existed. </p>

<p>Another method of storing data in this way is to combine stenography (encoding text within images) with free image hosting. On the Internet there are many sites that allow users to upload full-size images, and even more that let users upload small avatars. An attacker can make use of thousands of these sites to hide a considerable amount of data. It may even be possible to encode the location of the next chunk of data in the current chunk, which means that only a small amount of data would have to be stored online. As long as this data is encrypted and spread out enough, it may not be possible to determine that the data even exists, let alone find it. <br />
</p>
http://www.symantec.com/enterprise/security_response/weblog/2007/05/parasitic_storage.html
http://www.symantec.com/enterprise/security_response/weblog/2007/05/parasitic_storage.html
Fri, 25 May 2007 05:00:00 -0800