posted by Dopefish on Friday February 21 2014, @06:30PM
from the zeus-favored-the-greeks dept.

Keldrin writes:

"Zeus is a trojan designed to steal banking credentials, and has been declared one of the most successful pieces of malware currently seen in the wild. A new variant is making detection far more difficult for anti-virus companies by hiding configuration settings inside pictures. At the moment, the malware simply encodes the configuration with Base64, passes it through XOR and RC4, then attaches it to the end of an image file. This makes for an 'infected' file that is much larger than the original. There is speculation that future releases of the malware will be able to detect minuscule changes to the colors of individual pixels, making the affected files much harder to detect."
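The size symptom the submission describes (data appended after the end of an image) can be checked structurally rather than by eye: a PNG ends at its IEND chunk, so any bytes after it do not belong to the picture. The following is an added illustration, not code from the article or the submission; the one-pixel PNG and the appended blob are constructed here as sample input.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk.

    Each chunk is: 4-byte big-endian length, 4-byte type, payload, 4-byte CRC.
    Raises ValueError when the data is not a well-formed PNG.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + payload + CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def trailing_bytes(data: bytes) -> bytes:
    """Return whatever follows the image's logical end (empty for a clean file)."""
    return data[png_end_offset(data):]


def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk with a correct CRC (used only to construct the sample)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """Constructed 1x1 greyscale PNG: IHDR, one IDAT, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one 8-bit pixel
    return PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")


CLEAN = minimal_png()
# Constructed stand-in for an appended, obfuscated blob; any bytes past IEND are foreign.
APPENDED = b"\x7f\x02\x9a\x41\xe3\x10\x55\xc8" * 4
TAMPERED = CLEAN + APPENDED

if __name__ == "__main__":
    print(len(trailing_bytes(CLEAN)), "trailing bytes in clean sample")
    print(len(trailing_bytes(TAMPERED)), "trailing bytes in tampered sample")
```

Image viewers ignore everything after IEND, which is why the picture still renders; a check like this flags the discrepancy regardless of how the appended bytes are encoded.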

  • (Score: 3, Informative) by bilborg (2526) on Friday February 21 2014, @08:54PM (#4533)

    The "fine article" itself, and the SN headline both imply that the Zeus Trojan is in the image file. The first paragraph, though, notes that it's the configuration file that's been hidden. Using steganographic techniques to communicate config updates is one more way to get your stuff past the Goog's (and other vendors') "BAD SITE" filters for a bit longer.

    But most headlines are written to get eyeballs, eh? Config file? Boring. Sigh.

    --
    Time enough to sleep after I'm dead.
  • (Score: 2) by dmc (188) on Friday February 21 2014, @11:33PM (#4605)

    "communicate config updates"

    I agree with your comment, but you can just drop the word "config" there. And one would imagine any form of encryption would get past the Goog's "BAD SITE" filters. Though your comment, combined with the NSA's invocation immediately post-Snowden of "big bad steganography", makes me imagine the real issue is using steg in images passed via Goog to communicate. Perhaps because Goog is on some locked-down site's whitelist of remote hosts it is allowed to talk to. (Just echoing Goog, not meaning to single them out. Replace with whatever other well-known site that scrapes and retransmits other sites' contents as desired.)