Stegomalware

Last updated

Stegomalware is a type of malware that uses steganography to hinder detection. Steganography is the practice of concealing a file, message, image, or video within another file, message, image, video or network traffic. This type of malware operates by building a steganographic system to hide malicious data within its resources and then extracts and executes them dynamically. It is considered one of the most sophisticated and stealthy ways of obfuscation.

The term of `stegomalware' was introduced by researchers in the context of mobile malware and presented at Inscrypt conference in 2014. [1] However, the fact that (mobile) malware could potentially utilize steganography was already presented in earlier works: the use of steganography in malware was first applied to botnets communicating over probabilistically unobservable channels, [2] mobile malware based on covert channels was proposed in the same year. [3] Steganography was later applied to other components of malware engineering such as return-oriented programming [4] and compile-time obfuscation, [5] among others. [6]

The Europol-supported CUING initiative monitors the use of steganography in malware. [7]

Related Research Articles

<span class="mw-page-title-main">Malware</span> Malicious software

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

<span class="mw-page-title-main">Peer-to-peer</span> Type of decentralized and distributed network architecture

Peer-to-peer (P2P) computing or networking is a distributed application architecture that partitions tasks or workloads between peers. Peers are equally privileged, equipotent participants in the network. They are said to form a peer-to-peer network of nodes.

Steganography is the practice of representing information within another message or physical object, in such a manner that the presence of the information is not evident to human inspection. In computing/electronic contexts, a computer file, message, image, or video is concealed within another file, message, image, or video. The word steganography comes from Greek steganographia, which combines the words steganós, meaning "covered or concealed", and -graphia meaning "writing".

In computer security, a covert channel is a type of attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy. The term, originated in 1973 by Butler Lampson, is defined as channels "not intended for information transfer at all, such as the service program's effect on system load," to distinguish it from legitimate channels that are subjected to access controls by COMPUSEC.

<span class="mw-page-title-main">ESET</span> Slovak internet security company

ESET, s.r.o., is a Slovak software company specializing in cybersecurity. ESET's security products are made in Europe and provide security software in over 200 countries and territories worldwide, and its software is localized into more than 30 languages.

<span class="mw-page-title-main">Botnet</span> Collection of compromised internet-connected devices controlled by a third party

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

<span class="mw-page-title-main">Drive-by download</span> Computer security exploitation

Drive-by download is of two types, each concerning the unintended download of computer software from the Internet:

  1. Authorized drive-by downloads are downloads which a person has authorized but without understanding the consequences.
  2. Unauthorized drive-by downloads are downloads which happen without a person's knowledge, often a computer virus, spyware, malware, or crimeware.

An air gap, air wall, air gapping or disconnected network is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network. It means a computer or network has no network interface controllers connected to other networks, with a physical or conceptual air gap, analogous to the air gap used in plumbing to maintain water quality.

Secure two-party computation (2PC) a.k.a. Secure function evaluation is sub-problem of secure multi-party computation (MPC) that has received special attention by researchers because of its close relation to many cryptographic tasks. The goal of 2PC is to create a generic protocol that allows two parties to jointly compute an arbitrary function on their inputs without sharing the value of their inputs with the opposing party. One of the most well known examples of 2PC is Yao's Millionaires' problem, in which two parties, Alice and Bob, are millionaires who wish to determine who is wealthier without revealing their wealth. Formally, Alice has wealth , Bob has wealth , and they wish to compute without revealing the values or .

<span class="mw-page-title-main">Fast flux</span> DNS evasion technique against origin server fingerprinting.

Fast flux is a domain name system (DNS) based evasion technique used by cyber criminals to hide phishing and malware delivery websites behind an ever-changing network of compromised hosts acting as reverse proxies to the backend botnet master—a bulletproof autonomous systems. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures.

Man-in-the-browser, a form of Internet threat related to man-in-the-middle (MITM), is a proxy Trojan horse that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a covert fashion invisible to both the user and host web application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or two- or three-factor authentication solutions are in place. A MitB attack may be countered by using out-of-band transaction verification, although SMS verification can be defeated by man-in-the-mobile (MitMo) malware infection on the mobile phone. Trojans may be detected and removed by antivirus software; this approach scored a 23% success rate against Zeus in 2009 and still low rates in a 2011 report. The 2011 report concluded that additional measures on top of antivirus software were needed.

<span class="mw-page-title-main">Hardware Trojan</span> Malware embedded in hardware; harder to detect and fix than software vulnerabilities

A Hardware Trojan (HT) is a malicious modification of the circuitry of an integrated circuit. A hardware Trojan is completely characterized by its physical representation and its behavior. The payload of an HT is the entire activity that the Trojan executes when it is triggered. In general, Trojans try to bypass or disable the security fence of a system: for example, leaking confidential information by radio emission. HTs also could disable, damage or destroy the entire chip or components of it.

<span class="mw-page-title-main">Steganography tools</span>

A steganography software tool allows a user to embed hidden data inside a carrier file, such as an image or video, and later extract that data.

<span class="mw-page-title-main">Mobile security</span> Security risk and prevention for mobile devices

Mobile security, or mobile device security, is the protection of smartphones, tablets, and laptops from threats associated with wireless computing. It has become increasingly important in mobile computing. The security of personal and business information now stored on smartphones is of particular concern.

<span class="mw-page-title-main">Niels Provos</span> German-American computer scientist and software engineer

Niels Provos is a German-American researcher in security engineering, malware, and cryptography. He received a PhD in computer science from the University of Michigan. From 2003 to 2018, he worked at Google as a Distinguished Engineer on security for Google Cloud Platform. In 2018, he left Google to join Stripe as its new head of security.

Anti-tamper software is software which makes it harder for an attacker to modify it. The measures involved can be passive such as obfuscation to make reverse engineering difficult or active tamper-detection techniques which aim to make a program malfunction or not operate at all if modified. It is essentially tamper resistance implemented in the software domain. It shares certain aspects but also differs from related technologies like copy protection and trusted hardware, though it is often used in combination with them. Anti-tampering technology typically makes the software somewhat larger and also has a performance impact. There are no provably secure software anti-tampering methods; thus, the field is an arms race between attackers and software anti-tampering technologies.

Air-gap malware is malware that is designed to defeat the air-gap isolation of secure computer systems using various air-gap covert channels.

<span class="mw-page-title-main">Yuval Elovici</span>

Yuval Elovici is a computer scientist. He is a professor in the Department of Software and Information Systems Engineering at Ben-Gurion University of the Negev (BGU), where he is the incumbent of the Davide and Irene Sala Chair in Homeland Security Research. He is the director of the Cyber Security Research Center at BGU and the founder and director of the Telekom Innovation Laboratories at Ben-Gurion University. In addition to his roles at BGU, he also serves as the lab director of Singapore University of Technology and Design’s (SUTD) ST Electronics-SUTD Cyber Security Laboratory, as well as the research director of iTrust. In 2014 he co-founded Morphisec, a start-up company, that develops cyber security mechanisms related to moving target defense.

A copy detection pattern (CDP) or graphical code is a small random or pseudo-random digital image which is printed on documents, labels or products for counterfeit detection. Authentication is made by scanning the printed CDP using an image scanner or mobile phone camera. It is possible to store additional product-specific data into the CDP that will be decoded during the scanning process. A CDP can also be inserted into a 2D barcode to facilitate smartphone authentication and to connect with traceability data.

The Lincoln Adaptable Real-time Information Assurance Testbed (LARIAT) is a physical computing platform developed by the MIT Lincoln Laboratory as a testbed for network security applications. Use of the platform is restricted to the United States military, though some academic organizations can also use the platform under certain conditions.

References

  1. Suarez-Tangil, Guillermo; Tapiador, Juan E; Peris-Lopez, Pedro (2014). "Stegomalware: Playing Hide and Seek with Malicious Components in Smartphone Apps". In Dongdai Lin; Moti Yung; Jianying Zhou (eds.). Information Security and Cryptology. 10th International Conference, Inscrypt. Vol. 8957. Beijing, China: Springer International Publishing. pp. 496–515. doi:10.1007/978-3-319-16745-9_27. ISBN   978-3-319-16745-9.
  2. Nagaraja, Shishir; Houmansadr, Amir; Piyawongwisal, Pratch; Singh, Vijit; Agarwal, Pragya; Nikita, Borisov (May 2011). "Stegobot: A Covert Social Network Botnet". Lecture Notes in Computer Science. 13th International Conference Information Hiding. Vol. 6958. Springer Berlin Heidelberg. pp. 299–313. doi:10.1007/978-3-642-24178-9_21.
  3. Wendzel, Steffen; Keller, Jörg (2011), "Low-Attention Forwarding for Mobile Network Covert Channels", Communications and Multimedia Security, Springer Berlin Heidelberg, pp. 122–133, doi: 10.1007/978-3-642-24712-5_10 , ISBN   9783642247118
  4. Lu, Kangjie, Siyang Xiong, and Debin Gao (2014). Ropsteg: Program steganography with return oriented programming. 4th ACM conference on Data and application security and privacy.{{cite conference}}: CS1 maint: multiple names: authors list (link)
  5. Schrittwieser, Sebastian; et al. (2014). "Covert Computation—Hiding code in code through compile-time obfuscation". Computers & Security. 42: 13–26. doi:10.1016/j.cose.2013.12.006.
  6. Andriesse, Dennis & Herbert Bos (2014). "Instruction-Level Steganography for Covert Trigger-Based Malware". Detection of Intrusions and Malware, and Vulnerability Assessment.
  7. Mazurczyk, Wojciech; Wendzel, Steffen (2017-12-27). "Information hiding: Challenges for forensic experts". Communications of the ACM. 61 (1): 86–94. doi:10.1145/3158416. ISSN   0001-0782. S2CID   21118544.