Steganography: See how hackers secretly hide malicious software

Source: Internet
Author: User


Several techniques are used to evade detection in today's most closely watched APT attacks and zero-day exploits. All of the ways attackers hide data inside covert channels are what we refer to here as "steganography".

ZeusVM: hiding the malware configuration file in JPG images

One Zeus variant hides its configuration file in an unusual way: it appends data to the end of an image file. Once decrypted, that data yields the configuration file. Security gateways and similar devices raise no alarm, and users notice nothing.

(Image downloaded by ZeusVM, with information hidden inside)
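The appended-data trick above leaves a simple forensic trace: a JPEG decoder stops at the End-Of-Image marker (FF D9), so any bytes after it belong to something other than the picture. The following is an added example, not code from the original article or from Trend Micro, of a check a gateway or incident responder could run; the sample "image" is constructed by hand to exercise the parser and is not a real photograph.

```python
# Added example (not from the original article): detect the ZeusVM-style trick of appending
# data after a JPEG's End-Of-Image marker FF D9. Marker segments are walked instead of
# searching for FF D9, because an EXIF thumbnail embeds a complete JPEG (with its own
# FF D9) inside an APP1 segment, so a naive find() stops at the wrong place.
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker that ends the image itself."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                                     # EOI: the image ends here
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # markers with no length field
            pos += 2
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")   # skip the whole segment
        if marker == 0xDA:                                     # SOS: skip entropy-coded data
            while True:
                nxt = data.find(b"\xff", pos)
                if nxt == -1 or nxt + 1 >= len(data):
                    raise ValueError("truncated scan data")
                if data[nxt + 1] == 0x00 or 0xD0 <= data[nxt + 1] <= 0xD7:
                    pos = nxt + 2                              # byte stuffing or RSTn, not a marker
                    continue
                pos = nxt                                      # a real marker follows the scan
                break
    raise ValueError("no EOI marker found")

def trailing_data_after_eoi(data: bytes) -> bytes:
    """Bytes after the image; a non-empty result is suspicious and worth inspecting."""
    return data[jpeg_end_offset(data):]

def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample (not a decodable picture): an APP1 segment holding a fake thumbnail
# with its own FF D9, a scan containing FF 00 stuffing and an FF D0 restart marker, then EOI.
THUMB = JPEG_SOI + _segment(0xDA, b"\x01") + b"\x11\x22" + JPEG_EOI
SAMPLE_IMAGE = (JPEG_SOI + _segment(0xE1, b"Exif\x00\x00" + THUMB) + _segment(0xDA, b"\x01\x01\x00")
                + b"\x12\xff\x00\x34\xff\xd0\x56" + JPEG_EOI)
HIDDEN_CONFIG = b"constructed-config-blob"   # stands in for the encrypted configuration
SAMPLE_FILE = SAMPLE_IMAGE + HIDDEN_CONFIG
```

Running `trailing_data_after_eoi(SAMPLE_FILE)` returns the appended blob, while the clean `SAMPLE_IMAGE` yields empty bytes; the thumbnail's FF D9 is correctly ignored.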

Vawtrak: using the favicon to hide the configuration file

A recently discovered, cunning online banking Trojan hides its own configuration in a website icon. favicon.ico is the small image a browser displays to the left of the URL; every site has its own favicon.ico, so security software almost never inspects it.

Vawtrak uses a technique called LSB (least significant bit) steganography: it changes the lowest bit of the image's pixel values, so the image carries information in alterations that are invisible to the naked eye.

FakeReg: hiding the configuration file in the application icon

The website icon is not the only option: we found more than one Android malware family (ANDROIDOS_SMSREG.A) hiding its configuration file in the program icon.

(The Android icon carrying the malware configuration has been edited because it contains pornographic content)

VBKlip: hiding data in the HTTP protocol

VBKlip, an online banking Trojan very popular in Poland, monitors the online banking accounts used by victims. Once it finds a usable account, it replaces the 26-digit destination account number of a transfer with a new account number, intercepting the victim's payment. The new account belongs to a money laundering organization and is issued by the C&C server in an unconventional manner: the malware sends a meaningless-looking HTTP request to the C&C server, for example:

GET /g4x6a9k2u.txt HTTP/1.1

Few people would notice this request, but the server's response contains the important content:

(HTTP response header from the C&C server)

The base64-encoded string above, once decoded, is a bank account number, and the victim will pay into that account. Although this is not steganography in the strict sense, it still meets the criterion stated earlier: hiding important data in unconventional channels makes it hard for outsiders to notice.

Please credit Trend Micro when reprinting this article!
