SoylentNews is people

posted by Dopefish on Friday February 21 2014, @06:30PM
from the zeus-favored-the-greeks dept.

Keldrin writes:

"Zeus is a trojan designed to steal banking credentials, and has been declared one of the most successful pieces of malware currently seen in the wild. A new variant is making detection far more difficult for anti-virus companies by hiding configuration settings inside pictures. At the moment, the malware simply encodes the configuration with Base64, passes them through XOR and RC4, then attaches them to the end of an image file. This makes for an 'infected' file that is much larger than the original. There is speculation that future releases of the malware will be able to detect minuscule changes to the colors of individual pixels, making the affected files much harder to detect."

 
  • (Score: 3, Informative) by randmcnatt on Friday February 21 2014, @07:00PM

    by randmcnatt (671) on Friday February 21 2014, @07:00PM (#4463)
    Digital steganography can include "data in ignored sections of a file, such as after the logical end of the carrier file." [wikipedia.org]

    Photoshop always stuffs in a lot of extra bytes that I didn't put there, and some of them don't show up except in hexadecimal editors.
    --
    The Wright brothers were not the first to fly: they were the first to land.
  • (Score: 5, Insightful) by RobotMonster on Friday February 21 2014, @07:51PM

    by RobotMonster (130) on Friday February 21 2014, @07:51PM (#4500) Journal

    Some guy who edited Wikipedia might call that Steganography, but I disagree.

    Appending data to a file is akin to writing a message on the back of a painting, or adding an extra page to the end of a book.

    If it is trivial to detect the presence of the message, it shouldn't count as Steganography, IMO.

    • (Score: 1) by Rob The Bold on Friday February 21 2014, @09:27PM

      by Rob The Bold (1459) on Friday February 21 2014, @09:27PM (#4556)

      Like with the painting with the message on the back, it's trivial to detect if you have any reason to look.

      I just added "This is a secret message" to the end of a .png file. Gwenview, KolourPaint and showFoto all display the original image just fine without any error or warning about the excess bytes. And Firefox displays it without complaint. Not being a malware author, I don't know what I'd do with that "trick" to infect a computer -- maybe I could hide new code for an existing virus, trojan, etc. I suppose such a scheme wouldn't make it past any email attachment virus scanner, but you might be able to get a browser to save it in a temp location at least for a while without detection.