DDoS agents, and malware in general, are in a constant arms race with anti-virus scanners, each trying to outwit the other. Massively networked botnets require not only the ability to store malicious executables but also to send and receive traffic covertly. Steganography can fulfil both these needs. While cryptographic and obfuscation methods (such as strong encryption or polymorphism) transform malicious data so that it is harder to recognise, steganography sidesteps detection entirely by making the malicious data appear completely benign.
Traditional steganography is used mostly in physical media such as newspaper articles, secret tattoos and invisible ink. In digital steganography, data is secretly encoded inside an existing carrier, such as a text document, song, picture, program or even a protocol itself. One benefit of this over encryption is that it is often impossible to know whether a file contains malicious data without precise details of the method used or a copy of the untampered file. Although it is less resilient to reverse engineering, it can evade suspicion for much longer and is useful for bypassing many network filters by piggybacking on existing information channels.
Perhaps the most common use of steganography in malware is a ‘binder’ or ‘crypter’, which essentially takes a program and covertly appends it to another one in a way that is mostly undetectable to anti-virus scanning methods. Not only does this method make malware stealthier, it also opens new avenues of spreading, such as P2P file sharing, where popular programs are bound to the DDoS agent and then spread passively. Many bot masters also use this technique to bind their bot to a worm or virus in an effort to spread it further, although technically this would not be considered steganography.
Network-based steganography is actually quite old, but it is one of the most versatile forms and does not require any temporary storage medium. For example, ‘port knocking’ is a method of opening a backdoor on a compromised machine by sending it a series of connection attempts to closed ports. Once the correct sequence of connections is made, the machine opens a pre-designated port and is ready to accept commands. Variations of this technique could also be used to transmit data by modulating the timing between packets or fields in the TCP headers. A more modern method would be HTTP-based steganography following the compromise of a web server, a high-value target for a DDoSer. Instead of sending data to the backdoor via GET, POST or cookies, the attacker would send the server a carefully crafted HTTP request which contains hidden data within optional or custom headers. Although virtually no HTTP daemon logs such headers by default, they are still passed to the backdoored script, which could use them to determine what target to attack or where to find a new update.
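Because custom request headers are not recorded by a default web-server log, a defender looking for the header-borne channel described above has to inspect requests directly. The following is an added example (not code from the original article): it parses raw HTTP requests and flags non-standard headers whose values are unusually long or look encoded. The header allowlist, the thresholds and the three sample requests are constructed for illustration.

```python
import math
# Added example, not from the original article: flag HTTP requests whose
# non-standard headers carry unusually long or high-entropy values. The
# allowlist, thresholds and sample requests are constructed for illustration.
COMMON_HEADERS = {"host", "user-agent", "accept", "accept-language", "accept-encoding",
                  "connection", "cookie", "referer", "content-type", "content-length"}

def shannon_entropy(text: str) -> float:
    """Bits per character: English prose is roughly 4, hex at most 4, base64 up to 6."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))

def parse_request(raw: str):
    """Split a raw request into (request line, {lowercase header name: value})."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:            # the blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def suspicious_headers(raw: str, max_len: int = 64, min_entropy: float = 4.5):
    """Return [(header, reason)] for headers outside the allowlist whose value is
    long or looks encoded; recording these is what a default access log omits."""
    _, headers = parse_request(raw)
    findings = []
    for name, value in headers.items():
        if name in COMMON_HEADERS:
            continue
        if len(value) > max_len:
            findings.append((name, "long value"))
        elif shannon_entropy(value) >= min_entropy:
            findings.append((name, "high entropy"))
    return findings

# Constructed sample requests: one ordinary, two carrying data in a custom header.
NORMAL = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n")
LONG = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
        "X-Request-Trace: " + "a1b2c3d4e5f60718293a4b5c6d7e8f90" * 3 + "\r\n\r\n")
ENCODED = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
           "X-Debug-Id: abcdefghijklmnopqrstuvwxyz0123456789\r\n\r\n")
```

In practice the allowlist would be learned from the site's own legitimate traffic, and a hit is a reason to log the full header, not proof of compromise.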
With the increasing restrictions and attention paid to historic command and control structures (such as IRC or custom TCP-based protocols), botmasters are looking more and more towards less conventional methods of passing networked data. Media files are usually an ideal candidate for steganography because they are seen as innocent, are easily shared and are large. An often-used steganographic technique is hiding data within the colour values of images. A simple script might process an image and replace the least significant bit of every 10th pixel’s RGB values with a bit of the hidden message. When a recipient script opened the image, it could then decode the hidden data and reconstruct an executable, or commence an attack. To the human eye the image would look innocuous and identical to the untampered version. It could be passed through any number of public upload or social networking services such as Flickr, Photobucket or Picasa.
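The least-significant-bit scheme just described, as an added example that is not code from the original article: it writes a payload (with a small length header) into the LSB of every 10th channel value, reads it back, and then performs the known-original comparison that the text says is needed to tell a tampered file apart. The carrier is a constructed gradient rather than a real image, so no image library is required.

```python
# Added example, not from the original article: the LSB embedding the text
# describes (payload bits in the least significant bit of every 10th channel
# value) plus the known-original comparison a defender can run when the
# untampered file is available. The carrier is a constructed gradient,
# not a real image, so no image library is needed.
def _to_bits(data: bytes):
    """16-bit big-endian length header followed by the payload, MSB first."""
    header = len(data).to_bytes(2, "big")
    return [(byte >> i) & 1 for byte in header + data for i in range(7, -1, -1)]

def embed_lsb(carrier, payload: bytes, stride: int = 10):
    """Return a copy of carrier (flat list of 0-255 channel values) with the
    payload written into the least significant bit of every stride-th value."""
    bits = _to_bits(payload)
    slots = range(0, len(carrier), stride)
    if len(bits) > len(slots):
        raise ValueError(f"payload needs {len(bits)} slots, carrier has {len(slots)}")
    stego = list(carrier)
    for bit, idx in zip(bits, slots):
        stego[idx] = (stego[idx] & 0xFE) | bit   # clear the LSB, then set it
    return stego

def extract_lsb(stego, stride: int = 10) -> bytes:
    """Read the LSB of every stride-th value back into bytes using the header."""
    lsbs = [stego[i] & 1 for i in range(0, len(stego), stride)]
    def byte_at(k):   # assemble the 8 bits starting at bit offset k
        return sum(bit << (7 - j) for j, bit in enumerate(lsbs[k:k + 8]))
    length = (byte_at(0) << 8) | byte_at(8)
    return bytes(byte_at(16 + 8 * n) for n in range(length))

def compare_to_original(carrier, stego):
    """Known-original check: (number of changed values, largest change).
    LSB embedding moves each value by at most 1, which is why the picture
    looks identical, yet the change is obvious once the original is at hand."""
    diffs = [abs(a - b) for a, b in zip(carrier, stego)]
    return sum(1 for d in diffs if d), max(diffs, default=0)

# Constructed carrier: a 64x64 RGB gradient flattened to 12288 channel values.
CARRIER = [(4 * x + 2 * y + 3 * c) & 0xFF
           for y in range(64) for x in range(64) for c in range(3)]
MESSAGE = b"hidden payload"

if __name__ == "__main__":
    stego = embed_lsb(CARRIER, MESSAGE)
    print(extract_lsb(stego), compare_to_original(CARRIER, stego))
```

Without the original, the same scheme has to be found statistically (the LSB plane of a natural image is not perfectly random), which is why the text calls detection without the untampered file so hard.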
As new data-rich Web 2.0 sites emerge, they will undoubtedly be plagued by covert channels used to spread and control malware, and it is already evident that many are having problems with this. In the four years since it opened, Twitter has already seen numerous botnet control structures and spamming systems (although so far they are primitive and only take advantage of text sharing). Free file uploading websites which previously were unrestricted now require several captchas. Gmail now requires a confirmation text message sent to a phone before allowing registration. Facebook too has undergone several upheavals of its bot filtering and captcha system in response to abuse. Social networking websites pose perhaps the best playground for botnets because they are publicly accessible, offer a massive number of ways to share data, and are naturally situated for dispersing information to other computers. Software suites already exist for many of them that make automated accounts appear to be real people. Although these are almost entirely made for internet marketing, they could easily be converted into running DDoS control structures. A botnet could be set up that uses several clusters of ‘friends’ that outwardly appear human, while secretly sharing information embedded within their pictures, status updates and personal information. The controller would then only need to be friends with a few accounts from each cluster in order to rapidly issue commands to an extremely large botnet. As long as the bots connect to the website in a way that is identical to normal browsers, this technique would be extremely difficult to stop without the code to the bot program or extensive monitoring of all traffic to the website.
Steganography and cryptography are most effective when used together, but if the steganography is effective enough, encryption is not needed at all. While encryption protects the contents of a message, steganography can be said to protect the message, the sender and the recipient. Faster processors and transfer rates have given rise to data-rich media streams such as streaming video, audio and file sharing. This creates a literal sea of data to hide in, through which it is simply not feasible or realistic to search manually for concealed content. Although only in its early stages, social networking botnets will become one of the biggest advances in botnet control since the use of IRC. With the proliferation of user-driven websites, the responsibility for stopping covert channels is shifting from researchers and administrators onto individual webmasters, who may be unwilling or unable to stop them.
DOSarrest Security Analyst