< MISC #3: How Leurré.com Observes the Internet | Detecting Honeypots and other Suspicious Environments >

Steganography in Botnet Command & Control

In his blog entry "Security/C#: Demonstration of Steganography Messages to Evade IDS Detection", John Ware explains a technique how botnet C&C could use steganography to enable stealth communication. To quote him:

"This technique uses steganography to embed a simple command protocol into image files. When combined with methods for determining proxy configurations (Windows stores this internally, you can set them under Internet Explorer under Tool, Internet Options, Connections, and Lan Settings, or under the Control Panel), clients can use the existing egress rules to retrieve said embedded file remotely through approved outbound ports and proxy servers. To any passive observer, this is simple web traffic retrieving graphics that are embedded into everyday web pages. Clients than can be set to retrieve graphics from a location or locations at random or set intervals."


Nice idea, however this is nothing really new. Back in 2001, a bot called Xot introduced a technique called DRSS (Dynamic Remote Settings Stub). With DRSS, the botnet controller embedded (actually appended) the information about the central botnet C&C server to an image file. This file is then uploaded to a web site and the bots just retrieve it to obtain their configuration. Not as sophisticated as the method from the blog entry - but hey, it's 5 years ago. And really stealth communication can presumably be reached with a custom protocol and some other techniques, but more on that in a later blog entry...

You can read more about this feature at http://www.megasecurity.org/trojans/x/xot/Xot0.5b2.html or in an article I wrote a while ago entitled "A Short Visit to the Bot Zoo". 


@Article{Holz:2005:SVB,

  author     = {Thorsten Holz},

  title      = {A Short Visit to the Bot Zoo},

  year       = {2005},

  journal    = {IEEE Security \& Privacy},

  volume    = {3},

  number    = {3},

  pages      = {76--79},

}
This entry was posted by Thorsten Holz on Sunday, April 2. 2006 at 14:39. and is filed under honeynets. You can leave a response, or trackback from your own blog.

Trackbacks

Trackback specific URI for this entry

    No Trackbacks

Comments

Display comments as (Linear | Threaded)

    No comments


Add Comment


Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA