Steganography and Malware: Final Thoughts
Steganography will only become more popular, especially among the more industrious malware groups out there. For an attacker, the ability to hide stuff in plain sight is like peanut butter on chocolate: it makes their favorite thing even better.
In the first two entries of this series, we explored which steganographic techniques are used by attackers to keep malware from being detected, and how they are used to hide command-and-control (C&C) commands, as well as executable code. This time, we’ll discuss the impact of steganography use in the future.
But first, let me call out several things that came out in the last couple of weeks:
- Banking Trojan uses Pinterest as a C&C communication channel – Again, this is not purely steganography, but this is an interesting case since it shows how cybercriminals will try to use common yet unexpected traffic as communication channels. In this case, the banker client is just reading comments in certain pins and decoding them to get the botmaster’s commands.
- Janicab Trojan uses YouTube comments as C&C communication channel – This one is self-explanatory. It’s so similar to the previous one that they might even belong to the same criminals, except that this doesn’t have any clear ties with South Korea. Who knows, perhaps steganography is in fashion in the Far East?
- Operation Tropic Trooper downloads executable images embedded in image files – This is similar to what we talked about in the last two blog posts of this series, with the main difference being that steganography was used in a targeted attack against organizations sitting in very specific geographical areas. This goes to show that all sorts of attackers are using the very techniques we’ve been discussing here. And the more they do so, the more popular these techniques get. You can get more information on Operation Tropic Trooper in our white paper.
So when is steganography especially useful for attackers?
The full impact of steganography use is most felt in targeted attacks. By definition, these kind of attacks aren’t widespread; their specificity may take researchers some time to discover any new techniques used. In a sense, we can think of steganography use in a targeted attack as a zero-day vulnerability: the longer it stays undiscovered, the more useful it is to the attacker. In the case of an actual zero-day vulnerability, it’s also more damaging to the victim.
Until then, what can we researchers do to try and find new unknown steganographic attacks in the wild?
The main weakness of steganography in malware is that the “client” software—the part that looks for the data that’s being concealed in unexpected places—is public. And with cybercriminals trying to spread their malware far and wide, it will eventually fall into the hands of good guys like me and other researchers. At that point, it is only a matter of whether or not the researcher knows where and how to look, decode, and decrypt the data. In essence, steganography only helps the malware stay undetected until security researchers get a sample.
By their very design, these techniques hide stuff in unexpected places. Therefore, we researchers must look in data files and data streams for stuff that’s out of place. Double-checking for protocol messages that are longer than usual, trying to find extraneous encoded data, or even applying machine learning rules to network trace datasets can all be starting points.
None of this is easy, and we may even receive the malware sample before we spot the hidden data stream. However, if we never try, we will never know. This is my bottom line: searching regular data and trying to find irregularities or anomalies is the only way to beat the attackers. This may not seem doable (or even worth our time) but it’s certainly a good challenge to tackle. Improvements in available algorithms may help in reducing the burden down the road.
You can check the previous 2 parts of this blog series here: