Malware Steganography

6 years ago (yikes!) I wrote about image steganography as a concept. At the moment there are a couple of pieces of malware that use steganography, such as Vawtrak (aka Neverquest) and ZeuS, to hide the command and control servers (C&C) or configuration files in images. This means that the malware does not need to contain a static list of C&Cs which will become old quickly, but can just download an innocent looking image from the internet; decode the hidden message and then connect out. The advantages are that the image can be refreshed with C&C data without having to recompile the malware; and the images can be hidden in plain sight; e.g. on legitimate message boards.

Vawtrak uses steganography to hide C&C lists inside favicons. Even though favicons are only 4KB in size, that’s enough to hide IP addresses in the least-significant bits. According to the AVG report, Vawtrak even encrypts the hidden data, and the server lists contained in the images are digitally signed (the signature of MD5 hash is stored in the first 128 bits) and verified by an RSA public key that is stored in Vawtrak’s binary. Only the correctly signed messages are accepted; probably to avoid hijacking of its botnet by someone sending a fake server list.

A version of ZeuS, dubbed ZeusVM, appends encrypted data at the bottom of a random image file. According to MalwareBytes, the data is encrypted with Base64, RC4 and XOR and reveals the malware’s set of banks and financial institution configuration details.

I have modified the script I supplied in my last steganography post to something that hides 1 or 2 lines of text within a favicon (PNG). It also encrypts the hidden text with AES encryption; so even if the very simple steganography is uncovered, the actual text should be very hard to decrypt. Here is the script and here is a favicon with hidden data, can you get the contents? All you need to do is run the script (first download a few libraries): python decode steg_malware.png

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s