Download this gallery (ZIP, null KB)
Last week, New Scientist reported that researchers in India and the US had designed a proof-of-concept Facebook botnet capable of using photos to spread large-scale, covert attacks on data without relying on users to download anything.
The Stegobot uses JPEG steganography technology to hide data in image files, such as the photos Facebook users typically share with each other. This data is capable of performing a pre-programmed list of activities such as harvesting email addresses and passwords, credit card numbers or keystroke logging.
The fact that all of this could happen without the end user having to download anything – Facebook currently downloads images automatically – means the news generated a lot of interest , with the researchers suggesting that blocking social network access is, in theory, the best way to prevent such attacks.
Clearswift CEO Richard Turner says such drastic action is neither necessary nor advisable. With research indicating that the majority of business leaders believe that Web 2.0 and other collaborative technologies are critical to the future success of their company, Turner says that killing off employee access to social media not only prevents companies from innovating around the technology, it also sends out the wrong message to their workforce. “One fifth of employees say they would actually turn down a job that refused access to social networking sites. It’s not much of a leap to see how blocking such sites could damage employee relations while having an adverse effect on productivity and motivation,” says Turner.
Flexible policies allow organisations to deal with specific security issues while continuing to allow them to reap the benefits of Web 2.0 technologies. Rules can be tailored to allow specific departments and individuals the freedom to communicate in precisely the way they need while preventing distribution of confidential or damaging information.
When it comes to the specifics of Stegobot, Clearswift Chief Software Engineer Paul Singh says there are too many weaknesses and dependencies involved for it to be a commercial threat. “In order to infect the user, Stegobot has to do the same things that other, current botnets need to do. So the chances of infecting someone in an already-secured enterprise is radically reduced.”
Singh says that as the command and control communication of the Stegobot relies on downloading images from the peer online social network account of an infected friend, its effectiveness is reduced. “Modern distributed botnets use lists of known ‘near’ peers and pass these to each other, operating a distributed network of sharing commands,” says Singh. “Relying on infected online accounts where the image has to be updated for a command to be passed on to the network seriously affects the usefulness of a bot.”
In addition, the amount of data that can be used in steganography is limited; not a problem if the bot is only transmitting account details but if the primary aim of a botnet is to deploy other malware, this could limit its effectiveness. “There are much easier and more effective ways to do these things and the Stegobot is too dependent on whether someone uses Facebook and how often they actually upload images,” says Singh.
In terms of dealing with a threat of this nature, Singh suggests techniques like examining bit distribution to see whether it’s following abnormal patterns and using steganography detection tools to scan and weed-out infected images. “You could also blast all the redundant bits to wipe out any possible hidden data without damaging the image too much,” says Singh, “but this would require rebuilding if the image is in a document.”
It’s not all plain-sailing, however: as Singh points out, steganography can pose a credible threat to government IT systems, as the
US government discovered last year when alleged Russian spies were arrested in the country. They’d been using steganography to send and receive instructions without raising suspicion.
by Clearswift
