- Training
- Training Live Events
- Training Without Travel
- SANS Courses
- Certified Instructors
- Career Roadmap
- Training Calendars
- SANS @Home
- SANS OnDemand
- Community SANS
- SANS Mentor Program
- SANS Onsite
- SANS SelfStudy
- SANS Partnership Series
- SANS Workshop Series
- Webcasts
- Work Study
- Events Archive
- DoD 8570
- Voucher Credit Program
- group discounts
- Certification
- Resources
- Vendor
- Portal
- Storm Center
- College
- Developer
- About
the most trusted source for computer security training, certification and research
Detecting Hydan: Statistical Methods For Classifying The Use Of Hydan Based Stegonagraphy In Executable Files
- Abstract
- It is known that HYDAN changes the statistical distribution of Sub and Add calls in the assembly code to embed the "hidden data". Before this paper, there were no publicly released tools or methods available to detect HYDAN. The methods previously used to detect HYDAN have been inefficient and involved extensive manual processes that could not be easily automated. This paper presents a method to take the assembly code (using a disassembler) and to feed this into a statistical language, in order to detect if the file has been altered steganographically.