Steganography in Botnet Command & Control
Sunday, April 2. 2006
In his blog entry "Security/C#: Demonstration of Steganography Messages to Evade IDS Detection", John Ware explains a technique how botnet C&C could use steganography to enable stealth communication. To quote him:
Nice idea, however this is nothing really new. Back in 2001, a bot called Xot introduced a technique called DRSS (Dynamic Remote Settings Stub). With DRSS, the botnet controller embedded (actually appended) the information about the central botnet C&C server to an image file. This file is then uploaded to a web site and the bots just retrieve it to obtain their configuration. Not as sophisticated as the method from the blog entry - but hey, it's 5 years ago. And really stealth communication can presumably be reached with a custom protocol and some other techniques, but more on that in a later blog entry...
You can read more about this feature at http://www.megasecurity.org/trojans/x/xot/Xot0.5b2.html or in an article I wrote a while ago entitled "A Short Visit to the Bot Zoo".
"This technique uses steganography to embed a simple command protocol into image files. When combined with methods for determining proxy configurations (Windows stores this internally, you can set them under Internet Explorer under Tool, Internet Options, Connections, and Lan Settings, or under the Control Panel), clients can use the existing egress rules to retrieve said embedded file remotely through approved outbound ports and proxy servers. To any passive observer, this is simple web traffic retrieving graphics that are embedded into everyday web pages. Clients than can be set to retrieve graphics from a location or locations at random or set intervals."
Nice idea, however this is nothing really new. Back in 2001, a bot called Xot introduced a technique called DRSS (Dynamic Remote Settings Stub). With DRSS, the botnet controller embedded (actually appended) the information about the central botnet C&C server to an image file. This file is then uploaded to a web site and the bots just retrieve it to obtain their configuration. Not as sophisticated as the method from the blog entry - but hey, it's 5 years ago. And really stealth communication can presumably be reached with a custom protocol and some other techniques, but more on that in a later blog entry...
You can read more about this feature at http://www.megasecurity.org/trojans/x/xot/Xot0.5b2.html or in an article I wrote a while ago entitled "A Short Visit to the Bot Zoo".
Continue reading "Steganography in Botnet Command & Control"
".
