posted by Dopefish on Friday February 21 2014, @06:30PM   Printer-friendly
from the zeus-favored-the-greeks dept.

Keldrin writes:

"Zeus is a trojan designed to steal banking credentials, and has been declared one of the most successful pieces of malware currently seen in the wild. A new variant is making detection far more difficult for anti-virus companies by hiding configuration settings inside pictures. At the moment, the malware simply encodes the configuration with Base64, passes it through XOR and RC4, then attaches it to the end of an image file. This makes for an 'infected' file that is much larger than the original. There is speculation that future releases of the malware will be able to detect minuscule changes to the colors of individual pixels, making the affected files much harder to detect."

 
  • (Score: 3, Interesting) by dave on Friday February 21 2014, @06:58PM

    by dave (1351) on Friday February 21 2014, @06:58PM (#4461)

    This seems like an improbable attack vector, as the malware would need to store the original image somewhere, or the original pixel values, in order to compare the changes that were made. Storing this information "in the open" would defeat the covert nature of the exploit, since you could simply look for that instead of the manipulated images, IMHO.

    --
    Nothing about you is permanent.
  • (Score: 3, Interesting) by tynin on Friday February 21 2014, @07:05PM

    by tynin (2013) on Friday February 21 2014, @07:05PM (#4469) Journal

    Indeed, also having some running process open up specific pictures and inspecting them would eventually get noticed as well. Still, an interesting concept.

  • (Score: 1) by DeathMonkey on Friday February 21 2014, @07:24PM

    by DeathMonkey (1380) on Friday February 21 2014, @07:24PM (#4486) Journal

    This seems like an improbable attack vector, as the malware would need to store the original image somewhere, or the original pixel values, in order to compare the changes that were made.
     
    I don't think this is true. It sounds like they are appending the malicious data to the end of the file. So they can retrieve it either by knowing how large the original file is, or, if the image format has some sort of end-of-image-data code, by parsing anything after that.
     
    As other posters have noted this is a fairly weak version of steganography. The evolution of this technique should be interesting...

    • (Score: 1) by SMI on Friday February 21 2014, @07:45PM

      by SMI (333) on Friday February 21 2014, @07:45PM (#4497)

      Just wanted to point out that if the config file appended to the image was of a static size, i.e. with neutral values in place of unconfigured options, then that should also be all they needed to know (in terms of size).
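Worked example of the appended-trailer technique from the summary and of the end-of-image-data point raised by DeathMonkey and SMI. This is added illustration code, not code from the original page or from any Zeus sample: it walks a PNG's chunk list to IEND, or a JPEG's marker segments to the EOI marker, and reports everything after that point as a trailer, which is exactly why the "infected" file is larger than the original. The config wrapping follows the layering the summary names (Base64, then XOR, then RC4), but the single-byte XOR key, the RC4 key, the sample configuration text and the two tiny images are all constructed here for the example.

```python
import base64
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def image_end_offset(data: bytes) -> int:
    """Offset just past the image's structural end marker.

    PNG: walk the length-prefixed chunks until IEND (and its CRC).
    JPEG: walk marker segments until SOS, then locate the EOI marker
    (FF D9) that terminates the entropy-coded scan data.
    """
    if data.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 8 + length + 4                     # header + payload + CRC
            if ctype == b"IEND":
                return pos
        raise ValueError("PNG without IEND chunk")
    if data.startswith(b"\xff\xd8"):
        pos = 2
        while pos + 4 <= len(data) and data[pos] == 0xFF:
            marker = data[pos + 1]
            seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
            pos += 2 + seglen
            if marker == 0xDA:                        # SOS: scan data follows its header
                # Inside a scan an FF byte is always stuffed (FF 00) or an RSTn
                # marker, so the first FF D9 after the SOS header is the real EOI.
                eoi = data.find(b"\xff\xd9", pos)
                if eoi < 0:
                    raise ValueError("JPEG without EOI marker")
                return eoi + 2
        raise ValueError("JPEG without SOS segment")
    raise ValueError("not a PNG or JPEG")


def trailing_data(data: bytes) -> bytes:
    """Bytes appended after the image ends; b'' for a clean file."""
    return data[image_end_offset(data):]


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wrap_config(config: bytes, xor_key: int, rc4_key: bytes) -> bytes:
    """Layering as the summary describes it: Base64, then XOR, then RC4.
    The single-byte XOR key and the RC4 key are hypothetical, not Zeus's."""
    xored = bytes(b ^ xor_key for b in base64.b64encode(config))
    return rc4(rc4_key, xored)


def unwrap_config(blob: bytes, xor_key: int, rc4_key: bytes) -> bytes:
    """Inverse of wrap_config: RC4, undo the XOR, then Base64-decode."""
    return base64.b64decode(bytes(b ^ xor_key for b in rc4(rc4_key, blob)))


def make_png() -> bytes:
    """Constructed 1x1 greyscale PNG so the example runs offline."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x80")                      # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def make_jpeg() -> bytes:
    """Constructed JPEG skeleton (SOI, APP0, SOS, stuffed scan bytes, EOI).
    Not a decodable picture, just enough structure for the marker walk."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"             # FF 00 stuffing and an RST0 marker
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


CONFIG = b"botnet=example\nurl=http://example.invalid/gate\n"   # constructed sample config
XOR_KEY, RC4_KEY = 0x5A, b"example-key"                            # hypothetical keys

if __name__ == "__main__":
    infected = make_png() + wrap_config(CONFIG, XOR_KEY, RC4_KEY)
    print(len(infected) - len(make_png()), "trailing bytes after IEND")
    print(unwrap_config(trailing_data(infected), XOR_KEY, RC4_KEY).decode())
```

Because the check is structural, it needs neither the original file size nor any knowledge of how the trailer is encrypted; the SMI-style fixed-size approach is only needed when the format cannot be parsed. Trailing bytes after IEND or EOI are a triage signal rather than proof, since some legitimate tools also leave data past the end marker, so confirm by checking whether the trailer is high-entropy and whether a process on the host reads it.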

  • (Score: 4, Insightful) by dmc on Friday February 21 2014, @08:39PM

    by dmc (188) on Friday February 21 2014, @08:39PM (#4528)

    This seems like an improbable attack vector, as the malware would need to store the original image somewhere, or the original pixel values, in order to compare the changes that were made.

    No, I think the simple obvious steganography is to just use the low order bits and ignore the high order bits. No need to have a copy of the original image for that. (but I agree with the improbable assertion, from a passing-non-RTFA attitude explained in another comment)

  • (Score: 2, Informative) by Fnord666 on Saturday February 22 2014, @02:54AM

    by Fnord666 (652) on Saturday February 22 2014, @02:54AM (#4661) Homepage

    This seems like an improbable attack vector, as the malware would need to store the original image somewhere, or the original pixel values, in order to compare the changes that were made. Storing this information "in the open" would defeat the covert nature of the exploit, since you could simply look for that instead of the manipulated images, IMHO.

    The key for the steganography can tell you where the next bit in the encoded message is located within the image. To encode you replace the lower order bit at that location with your next payload bit. To decode you just grab the low order bit at that location. No need to have the original image to compare against. In fact it's better if the original image is not available so that a cryptanalyst doesn't have it available as a crib.
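As an added example of what dmc and Fnord666 describe (illustration code written for this page, not from the original article and not Zeus code): the payload goes only into the low-order bit of pixel bytes, and a key seeds a PRNG that decides which pixel carries the next bit. Both the embedder and the extractor regenerate the same position sequence from the key, so neither side needs the original image. It operates on raw 8-bit RGB pixel bytes constructed inline; the key, the payload and the default choice of the blue channel are hypothetical.

```python
import hashlib
import random


def _positions(key: bytes, n_pixels: int, channel: int) -> list:
    """Key-derived order of byte offsets that carry the payload bits.

    The key seeds a PRNG that permutes the pixel indices. The decoder
    regenerates the identical permutation from the same key, so neither
    side needs the original cover image. channel picks R (0), G (1) or B (2).
    """
    seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
    order = list(range(n_pixels))
    random.Random(seed).shuffle(order)
    return [3 * p + channel for p in order]


def _to_bits(data: bytes) -> list:
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def _from_bits(bits: list) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def embed(cover: bytes, payload: bytes, key: bytes, channel: int = 2) -> bytes:
    """Overwrite the low-order bit of key-chosen channel bytes with the payload.

    cover is raw 8-bit RGB pixel data (3 bytes per pixel). A 2-byte length
    prefix tells the decoder where the payload stops. The seven high-order
    bits of every byte are untouched, so no byte changes by more than 1.
    """
    msg = len(payload).to_bytes(2, "big") + payload
    bits = _to_bits(msg)
    positions = _positions(key, len(cover) // 3, channel)
    if len(bits) > len(positions):
        raise ValueError("payload does not fit in cover image")
    img = bytearray(cover)
    for pos, bit in zip(positions, bits):
        img[pos] = (img[pos] & 0xFE) | bit
    return bytes(img)


def extract(stego: bytes, key: bytes, channel: int = 2) -> bytes:
    """Recover the payload from the stego image and the key alone."""
    positions = _positions(key, len(stego) // 3, channel)
    lsb = [stego[p] & 1 for p in positions]
    length = int.from_bytes(_from_bits(lsb[:16]), "big")
    if 16 + 8 * length > len(lsb):
        raise ValueError("wrong key or no payload present")
    return _from_bits(lsb[16:16 + 8 * length])


def max_pixel_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-byte change introduced by embedding (expect 0 or 1)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: a 20x20 RGB gradient, 400 pixels = 400 bits of capacity per channel.
COVER = bytes((i * 7) & 0xFF for i in range(20 * 20 * 3))
KEY = b"example-key"          # hypothetical shared secret between dropper and config
PAYLOAD = b"botnet=test;"     # constructed sample config fragment

if __name__ == "__main__":
    stego = embed(COVER, PAYLOAD, KEY)
    print(extract(stego, KEY), "max byte change:", max_pixel_delta(COVER, stego))
```

Two practical notes. The stego image is byte-for-byte the same length as the cover, so the size-based spotting that works against the appended trailer in the summary does not apply here; detection has to fall back on LSB statistics or on watching which process opens the pictures, as tynin suggests. And low-order-bit embedding only survives lossless storage: re-encoding the carrier as JPEG rewrites the pixel LSBs during quantization and destroys the payload, which is one reason the appended-trailer approach is simpler for the attacker.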

  • (Score: 1) by Nikker on Saturday February 22 2014, @09:04AM

    by Nikker (227) on Saturday February 22 2014, @09:04AM (#4748)

    You could put a magic value in the exif data that would provide a multiplier and a colour channel. This would also allow optimization on a picture by picture basis, the most saturated channel can be used.