Stegobot: A Covert Social Network Botnet

We propose Stegobot, a new-generation botnet that communicates over probabilistically unobservable channels. It is designed to spread via social-malware attacks and to steal information from its victims. Unlike conventional botnets, Stegobot introduces no new communication endpoints between bots: it is built on a model of covert communication over a social-network overlay, so bot-to-botmaster traffic travels only along the edges of an existing social network. Bots use image steganography to hide their messages inside the images that users already share with one another, so the covert traffic blends into normal image-sharing behaviour. We show that such a botnet can be built even with a less-than-optimal routing mechanism such as restricted flooding. Analysing a real-world dataset of image sharing between members of an online social network, we find that Stegobot, stealthy as it is, is also functionally powerful: its network throughput is sufficient to channel fair quantities of sensitive data, tens of megabytes every month, from its victims to the botmaster.
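The abstract's routing claim, as an added illustration that is not code from the paper: a bot has no direct channel to the botmaster, so it can only post stego-carrying images that its own friends will see, and under restricted flooding every recipient re-posts the hidden message to all its friends until a hop limit is exhausted. The simulation below counts how many carrier images such a flood consumes compared with the shortest route an ideal router would use, and bounds the botmaster's inbound capacity by what its own friends post. The friendship graph, posting rates, TTL and per-image payload are constructed assumptions, not figures from the paper.

```python
"""Restricted flooding over a social-network overlay (added illustration)."""
from collections import deque

# Constructed toy overlay: undirected friendship edges. The botmaster is an
# ordinary-looking account whose only friend is "frank".
FRIENDS = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave", "eve"},
    "carol": {"alice", "dave"},
    "dave": {"bob", "carol", "frank"},
    "eve": {"bob", "frank"},
    "frank": {"dave", "eve", "botmaster"},
    "botmaster": {"frank"},
}


def restricted_flood(graph, origin, target, ttl):
    """Simulate a hop-limited flood of one message id from origin.

    Returns (reached_target, hops_used, image_shares): whether the message
    reached target within ttl hops, how many rounds ran, and how many stego
    image posts the flood consumed. One post per (sender, friend) pair is
    counted, including posts whose recipient already saw the message id and
    silently drops it; the sender cannot know that in advance.
    """
    seen = {origin}
    frontier = [origin]
    hops = 0
    image_shares = 0
    reached = origin == target
    while frontier and hops < ttl:
        next_frontier = []
        for node in frontier:
            if node == target:
                continue  # the botmaster is a sink; it never re-posts
            for friend in sorted(graph[node]):
                image_shares += 1  # one carrier image posted node -> friend
                if friend not in seen:  # recipient de-duplicates by message id
                    seen.add(friend)
                    next_frontier.append(friend)
                    if friend == target:
                        reached = True
        frontier = next_frontier
        hops += 1
    return reached, hops, image_shares


def shortest_hops(graph, origin, target):
    """Plain BFS distance: the cost a route-aware (optimal) bot would pay."""
    dist = {origin: 0}
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        if node == target:
            return dist[node]
        for friend in graph[node]:
            if friend not in dist:
                dist[friend] = dist[node] + 1
                queue.append(friend)
    return None


def minimum_ttl(graph, origin, target, max_ttl=10):
    """Smallest hop limit for which the restricted flood still reaches target."""
    for ttl in range(1, max_ttl + 1):
        if restricted_flood(graph, origin, target, ttl)[0]:
            return ttl
    return None


def inbound_capacity_bytes(graph, target, images_per_month, payload_bytes):
    """Upper bound on covert bytes/month reaching the botmaster: it only ever
    sees images posted by its own friends, each carrying payload_bytes."""
    return sum(images_per_month.get(f, 0) * payload_bytes for f in graph[target])


if __name__ == "__main__":
    reached, hops, shares = restricted_flood(FRIENDS, "alice", "botmaster", ttl=4)
    print(f"reached={reached} after {hops} hops using {shares} image posts")
    print("optimal route length:", shortest_hops(FRIENDS, "alice", "botmaster"))
    # Constructed posting rates (images per month) and a 50 kB payload per image.
    rates = {"dave": 40, "eve": 25, "frank": 30}
    mb = inbound_capacity_bytes(FRIENDS, "botmaster", rates, 50_000) / 1e6
    print(f"botmaster inbound bound: {mb:.1f} MB/month")
```

On this toy graph the flood needs a TTL of at least 4 to reach the botmaster and spends 15 carrier images to do it, against the 4 an optimal route would use; that overhead is the price of not learning routes, and it is also what a defender can look for, since a flooding bot posts more (and more correlated) images than its neighbours. The inbound bound is the quantity the abstract measures on real sharing data: only the posting volume of the botmaster's direct friends, times the per-image payload, limits how much can be exfiltrated per month.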
