Stegobot: building unobservable communication networks using social network behavior

We propose the construction of an unobservable communications network using social networks. The communication endpoints are vertices on a social network. Probabilistically unobservable communication channels are built by leveraging image steganography and the social image sharing behavior of users. All communication takes place along the edges of a social network overlay connecting friends. We show that such a network can provide decent bandwidth even with a far-from-optimal routing mechanism such as restricted flooding. We show that such a network is indeed usable by constructing a botnet on top of it, called Stegobot. It is designed to spread via social malware attacks and steal information from its victims. Unlike conventional botnets, Stegobot traffic does not introduce new communication endpoints between bots. We analyzed a real-world dataset of image sharing between members of an online social network. Analysis of Stegobot's network throughput indicates that, stealthy as it is, it is also functionally powerful: it is capable of channeling fair quantities of sensitive data from its victims to the botmaster at tens of megabytes every month.
