Controlling Bots with Steganography

My friend John Ward posted a discussion of controlling bots with steganography:

So basically, all this does is open a Bitmap file, decode the steganography message, and pass the resulting message to the protocol class for handling. More sophisticated techniques can be employed, and steganography has grown as a field, so different graphics formats, MP3 files, or even specially encoded HTML headers can contain the message.

This deviates from the traditional botnet where the client connects to an IRC channel or some other central media to receive commands in real time. In this method, the attacker loses real-time response and gains stealth. With a reasonable interval of time set for the clients, the attacker can have their nefarious commands executed in a short amount of time.

By combining this code with some disguised distribution method, let's say an image thumbnail browser for an online graphics catalog, the program can be distributed widely, and its online image grabbing behavior would never be suspect until the mass traffic adding to a DDoS attack came from the client machine. And even if it were, your normal Net-Sec analyst would only see an image file and have no clue that the image file contained a steganography-encoded message.

Neat idea, John. Is anyone seeing this in the wild?
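The mechanism John describes (open a bitmap, pull the hidden message out of it, hand the result to a command handler) in working form, as an added example that is neither John Ward's code nor anything from this blog. It assumes a 24-bit uncompressed BMP, one message bit in the least significant bit of each colour byte, a 32-bit length prefix, and a gradient cover image and command string constructed here for illustration; the capacity check in `extract` is also my addition, since a bot polling images that carry no command needs some way to reject noise.

```python
"""LSB steganography in a 24-bit BMP: cover construction, embed, extract.

Added example; not John Ward's code. The cover image and the command string
are constructed here so the script runs offline.
"""
import struct

WIDTH, HEIGHT = 40, 20


def make_bmp(width, height, pixels):
    """Serialise a flat list of (r, g, b) tuples as an uncompressed 24-bit BMP."""
    row_bytes = width * 3
    pad = (-row_bytes) % 4                  # rows are padded to 4-byte boundaries
    body = bytearray()
    for y in range(height):
        for r, g, b in pixels[y * width:(y + 1) * width]:
            body += bytes((b, g, r))        # BMP stores channels in BGR order
        body += b"\x00" * pad
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(body), 2835, 2835, 0, 0)
    header = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(body), 0, 0, 54)
    return bytes(header + dib + body)


def _colour_offsets(bmp):
    """Yield the file offset of every colour byte, skipping headers and padding."""
    data_offset = struct.unpack_from("<I", bmp, 10)[0]
    width, height = struct.unpack_from("<ii", bmp, 18)
    if struct.unpack_from("<H", bmp, 28)[0] != 24:
        raise ValueError("only 24-bit BMPs are handled")
    row_bytes = width * 3
    stride = row_bytes + (-row_bytes) % 4
    for y in range(abs(height)):
        for i in range(row_bytes):
            yield data_offset + y * stride + i


def capacity(bmp):
    """Message bytes that fit: one bit per colour byte, minus the 4-byte length."""
    return sum(1 for _ in _colour_offsets(bmp)) // 8 - 4


def embed(cover, message):
    """Write a 32-bit length prefix plus message into the LSB of each colour byte."""
    if len(message) > capacity(cover):
        raise ValueError("cover image too small")
    payload = struct.pack("<I", len(message)) + message
    bits = ((byte >> (7 - i)) & 1 for byte in payload for i in range(8))
    stego = bytearray(cover)
    for off, bit in zip(_colour_offsets(cover), bits):
        stego[off] = (stego[off] & 0xFE) | bit
    return bytes(stego)


def extract(stego):
    """Read the length prefix from the LSB plane, sanity-check it, return the message.

    An image that carries no message still yields 32 bits of "length"; the
    capacity check rejects such garbage instead of reading off the end.
    """
    offsets = _colour_offsets(stego)

    def read(n):
        out = bytearray()
        for _ in range(n):
            v = 0
            for _ in range(8):
                v = (v << 1) | (stego[next(offsets)] & 1)
            out.append(v)
        return bytes(out)

    (length,) = struct.unpack("<I", read(4))
    if length > capacity(stego):
        raise ValueError("no plausible message in LSB plane")
    return read(length)


def max_colour_delta(cover, stego):
    """Largest per-byte change embedding made; LSB embedding can never exceed 1."""
    return max(abs(cover[o] - stego[o]) for o in _colour_offsets(cover))


# Constructed cover: a smooth gradient standing in for a catalogue thumbnail.
COVER = make_bmp(WIDTH, HEIGHT, [((x * 6) % 256, (y * 12) % 256, ((x + y) * 3) % 256)
                                 for y in range(HEIGHT) for x in range(WIDTH)])
# Constructed command; 203.0.113.5 is a documentation address, not a real target.
COMMAND = b"flood 203.0.113.5:80 60"

if __name__ == "__main__":
    stego = embed(COVER, COMMAND)
    print(extract(stego))                  # b'flood 203.0.113.5:80 60'
    print(max_colour_delta(COVER, stego))  # 1
```

The `max_colour_delta` check is the point John makes about the analyst: the stego image differs from the cover by at most one unit in some colour bytes, so it renders identically and nothing in the HTTP transaction looks unusual. The untouched cover decodes to an implausible length and is rejected, which is the minimum a real "protocol class" would need on top of this; a deployed bot would also want authentication of the command so that anyone who discovers the image feed cannot take over the botnet.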


Anonymous said…

It's a very interesting idea, and I'm going to avoid any discussion of "...but the bad guys are already doing this."

In response to your question, I think that we've seen enough infected systems (ie, botnets) to know that most folks are simply not seeing that systems are infected. How, then, would they recognize a bot using stego, if they don't even recognize that they *have* a bot in the first place?

H. Carvey
"Windows Forensics and Incident Recovery"
Anonymous said…

has a response to John's post. Basically the Xot bot used a similar technique a while ago...
