Stories
Slash Boxes
Comments

SoylentNews is people

posted by Dopefish on Friday February 21 2014, @06:30PM   Printer-friendly
from the zeus-favored-the-greeks dept.

Keldrin writes:

"Zeus is a trojan designed to steal banking credentials, and has been declared one of the most successful pieces of malware currently seen in the wild. A new variant is making detection far more difficult for anti-virus companies by hiding configuration settings inside pictures. At the moment, the malware simply encodes the configuration with Base64, passes them through XOR and RC4, then attaches them to the end of an image file. This makes for an 'infected' file that is much larger than the original. There is speculation that future releases of the malware will be able to detect minuscule changes to the colors of individual pixels, making the affected files much harder to detect."

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by RobotMonster on Friday February 21 2014, @06:40PM

    by RobotMonster (130) on Friday February 21 2014, @06:40PM (#4451) Journal

    I don't think appending encoded data to the end of a picture file should count as stenography.

    Stenographic messages are supposed to be hidden in plain sight; if you load an image file and find you're not at the end of the file after decoding the whole image, the presence of extra data is obvious.

    Manipulating the bottom bits of some of the pixels, now that's stenography, as there's no way to tell that this has been done unless you know the exact scheme in use.

    • (Score: 1, Informative) by RobotMonster on Friday February 21 2014, @06:49PM

      by RobotMonster (130) on Friday February 21 2014, @06:49PM (#4454) Journal

      Sorry; not Steganography. It's late. That's my excuse and I'm sticking to it.
       

      • (Score: 4, Funny) by EvilSS on Friday February 21 2014, @07:11PM

        by EvilSS (1456) Subscriber Badge on Friday February 21 2014, @07:11PM (#4474)

        Well technically you were right on both counts...

      • (Score: 4, Funny) by WillR on Friday February 21 2014, @07:16PM

        by WillR (2012) on Friday February 21 2014, @07:16PM (#4478)
        You could have gotten away with it, everyone who replied so far has gone along with "stenography".
    • (Score: 3, Insightful) by NovelUserName on Friday February 21 2014, @06:55PM

      by NovelUserName (768) on Friday February 21 2014, @06:55PM (#4457)

      I always understood that Stenography was disguising data/communication as something else, while cryptography was mangling the information in a way that only the intended recipient could recover. From that perspective this seems like a pretty simple form of stenography as it's essentially just calling itself an image file and putting on a 'hat' of real image data to hide it from antivirus scanners.

      • (Score: 4, Funny) by dwywit on Friday February 21 2014, @09:57PM

        by dwywit (1166) on Friday February 21 2014, @09:57PM (#4566)

        What do court recorders and secretaries have to do with this?

        --
        They sentenced me to twenty years of boredom
        • (Score: 2) by mrbluze on Friday February 21 2014, @10:17PM

          by mrbluze (49) on Friday February 21 2014, @10:17PM (#4576) Journal

          A secretary under your desk is stenography. A secretary which has been turned into a desk is cryptography.

          --
          Do it yourself, 'cause no one else will do it yourself.
          • (Score: 3, Funny) by Gaaark on Saturday February 22 2014, @01:14AM

            by Gaaark (41) on Saturday February 22 2014, @01:14AM (#4645) Journal

            A secretary under your desk is pornography... and yes, pics or it didn't happen. :)

            --
            --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
    • (Score: 3, Interesting) by dave on Friday February 21 2014, @06:58PM

      by dave (1351) on Friday February 21 2014, @06:58PM (#4461)

      This seems like an improbable attack vector, as the malware would need to store the original image somewhere, or the original pixel values, in order to compare the changes that were made. Storing this information "in the open" would defeat the covert nature of the exploit, since you could simply look for that instead of the manipulated images, IMHO.

      --
      Nothing about you is permanent.
      • (Score: 3, Interesting) by tynin on Friday February 21 2014, @07:05PM

        by tynin (2013) on Friday February 21 2014, @07:05PM (#4469) Journal

        Indeed, also having some running process open up specific pictures and inspecting them would eventually get noticed as well. Still, an interesting concept.

      • (Score: 1) by DeathMonkey on Friday February 21 2014, @07:24PM

        by DeathMonkey (1380) on Friday February 21 2014, @07:24PM (#4486) Journal

        This seems like an improbable attack vector, as the malware would need to store the original image somewhere, or the original pixel values, in order to compare the changes that were made.
         
        I don't think this is true. It sounds like they are appending the malicous data to the end of the file. So they can retreive it either by knowing how large the original file is. Or, if the image format has some sort of end-of-image-data code then they can parse anyting after that.
         
        As other posters have noted this is a fairly weak version of steganography. The evolution of this technique should be interesting...

        • (Score: 1) by SMI on Friday February 21 2014, @07:45PM

          by SMI (333) on Friday February 21 2014, @07:45PM (#4497)

          Just wanted to point out that if the config file appended to the image was of a static size, i.e. with neutral values in place of unconfigured options, then that should also be all they needed to know (in terms of size).

      • (Score: 4, Insightful) by dmc on Friday February 21 2014, @08:39PM

        by dmc (188) on Friday February 21 2014, @08:39PM (#4528)

        This seems like an improbable attack vector, as the malware would need to store the original image somewhere, or the original pixel values, in order to compare the changes that were made.

        No, I think the simple obvious steganography is to just use the low order bits and ignore the high order bits. No need to have a copy of the original image for that. (but I agree with the improbable assertion, from a passing-non-RTFA attitude explained in another comment)

      • (Score: 2, Informative) by Fnord666 on Saturday February 22 2014, @02:54AM

        by Fnord666 (652) on Saturday February 22 2014, @02:54AM (#4661) Homepage

        This seems like an improbable attack vector, as the malware would need to store the original image somewhere, or the original pixel values, in order to compare the changes that were made. Storing this information "in the open" would defeat the covert nature of the exploit, since you could simply look for that instead of the manipulated images, IMHO.

        The key for the steganography can tell you where the next bit in the encoded message is located within the image. To encode you replace the lower order bit at that location with your next payload bit. To decode you just grab the low order bit at that location. No need to have the original image to compare against. In fact it's better if the original image is not available so that a cryptanalyst doesn't have it available as a crib.

      • (Score: 1) by Nikker on Saturday February 22 2014, @09:04AM

        by Nikker (227) on Saturday February 22 2014, @09:04AM (#4748)

        You could put a magic value in the exif data that would provide a multiplier and a colour channel. This would also allow optimization on a picture by picture basis, the most saturated channel can be used.

    • (Score: 3, Informative) by randmcnatt on Friday February 21 2014, @07:00PM

      by randmcnatt (671) on Friday February 21 2014, @07:00PM (#4463)
      Digital stenography can include "data in ignored sections of a file, such as after the logical end of the carrier file." [wikipedia.org]

      Photoshop always stuffs in a lot of extra bytes that I didn't put there, and some of them don't show up except in hexadecimal editors.
      --
      The Wright brothers were not the first to fly: they were the first to land.
      • (Score: 5, Insightful) by RobotMonster on Friday February 21 2014, @07:51PM

        by RobotMonster (130) on Friday February 21 2014, @07:51PM (#4500) Journal

        Some guy who edited Wikipedia might call that Steganography, but I disagree.

        Appending data to a file is akin to writing a message on the back of a painting, or adding an extra page to the end of a book.

        If it is trivial to detect the presence of the message, it shouldn't count as Steganography, IMO.

        • (Score: 1) by Rob The Bold on Friday February 21 2014, @09:27PM

          by Rob The Bold (1459) on Friday February 21 2014, @09:27PM (#4556)

          Like with the painting with the message on the back, it's trivial to detect if you have any reason to look.

          I just added "This is a secret message" to the end of a ,png file. Gwenview, KolourPaint and showFoto all display the original image just fine without any error or warning about the excess bytes. And Firefox displays it without complaint. Not being a malware author, I don't know what I'd do with that "trick" to infect a computer -- maybe I could hide new code for an existing virus, trojan, etc. I suppose such a scheme wouldn't make it past any email attachment virus scanner, but you might be able to get a browser to save it in a temp location at least for a while without detection.

  • (Score: 0, Offtopic) by linsane on Friday February 21 2014, @07:12PM

    by linsane (633) on Friday February 21 2014, @07:12PM (#4476)

    I promise this is not a troll effort, of course the thing that was bugging me was that I was certain that there was a 'Zeus Trojan' variant but evidently (as far as my Google fu dares take things) this is must my mind playing tricks:

    http://www.bluezeus.co.uk/ [bluezeus.co.uk] and http://www.trojancondoms.com/ [trojancondoms.com] were somehow merged in my head.

    Probably not SN material but hey, SN folk are allowed out of the basement on occasion.

    • (Score: 0, Offtopic) by linsane on Friday February 21 2014, @07:39PM

      by linsane (633) on Friday February 21 2014, @07:39PM (#4494)

      Off-topic??? Fair enough.

      Well I hope this http://memegenerator.net/instance/36244795 [memegenerator.net] Stenography Condom brings it back on-topic and covers off the bit of the title that I missed out first time around.

  • (Score: 5, Interesting) by dmc on Friday February 21 2014, @07:51PM

    by dmc (188) on Friday February 21 2014, @07:51PM (#4501)

    I'm not amazed yet (though can't say I bothered to RTFA). It doesn't sound different enough from just having an encrypted config file. Sure the image file may look innocuous, but the trojan has to *itself* 'hide' somewhere. Why not just store its configuration as an encrypted chunk of its own executable? What makes these or any steganographed config files more sneaky than that scenario?

  • (Score: 3, Informative) by bilborg on Friday February 21 2014, @08:54PM

    by bilborg (2526) on Friday February 21 2014, @08:54PM (#4533) Homepage

    The "fine article" itself, and the SN headline both imply that the Zeus Trojan is in the image file. The first paragraph, though, notes that it's the configuration file that's been hidden. Using stegnographic techniques to communicate config updates is one more way to get your stuff past the Goog's (and other vendors) "BAD SITE" filters for a bit longer.

    But most headlines are written to get eyeballs, eh? Config file? Boring. Sigh.

    --
    Time enough to sleep after I'm dead.
    • (Score: 2) by dmc on Friday February 21 2014, @11:33PM

      by dmc (188) on Friday February 21 2014, @11:33PM (#4605)

      communicate config updates

      I agree with your comment but you can just drop the word config there. And one would imagine any form of encryption would get past the Goog's "BAD SITE" filters. Though your comment combined with the NSA's invocation immediately post snowden of "big bad steganography" makes me imagine the real issue is using steg in images passed via Goog to communicate. Perhaps because Goog is on some locked down sites whitelist of remote hosts it is allowed to talk to. (just echoing Goog, not meaning to single them out. Replace with whatever other well known site that scrapes and retransmits other sites contents as desired)

  • (Score: 0) by Anonymous Coward on Saturday February 22 2014, @07:27AM

    by Anonymous Coward on Saturday February 22 2014, @07:27AM (#4724)

    Wikipedia: Zeus, ZeuS, or Zbot is Trojan horse computer malware that runs on computers running under versions of the Microsoft Windows operating system...

  • (Score: 1) by acid andy on Saturday February 22 2014, @10:07AM

    by acid andy (1683) on Saturday February 22 2014, @10:07AM (#4764) Homepage Journal

    OK so they're hiding configuration information in the image and theoretically they could hide code in there too, but the executable part of the trojan still has to kick off the process of extracting that data, probably decrypting it, and then executing that.

    Why isn't that initial part of the code detectable?

    --
    If a cat has kittens, does a rat have rittens, a bat bittens and a mat mittens?
  • (Score: 1) by thoughtlover on Tuesday February 25 2014, @09:39PM

    by thoughtlover (3247) on Tuesday February 25 2014, @09:39PM (#6960) Journal

    Why not hash pictures and compare them to known images currently in Google's massive database?

    Even if they are able to hide config changes via slight changes in pixel color, you could write a program to compare suspects with originals via difference blend mode --any changes will be just over #000; easily detectable by a program where the human eye can't see any change.

    Or am I missing something else?