A new variant of the bank-account-raiding Zeus malware apparently uses the ancient technique of steganography to update its list of websites to subvert. Dubbed ZeusVM, the crafty strain is just like its cousins in that it intercepts activity in a victim's web browser, siphons off passwords and other sensitive personal …
If this is piggybacking data onto the end of the file, rather than hiding it within the image, then it ain't steganography!
Re: Not steganography
It's been so noted in the article and qualified appropriately (IOW these weren't El Reg's words).
I suspect, though, it won't be long before someone uses real stego to pull it off. I think the main concern is that many sites mangle images before posting to fit within dimension and/or size limits, and JPEG is a pretty forgiving format for that...except when you want to keep fine details which are necessary for stego, meaning mangling a JPEG will likely mangle the stego beyond the point of recognition.
So perhaps what we're seeing is a V1 attempt at hiding the list within an image file. V2 will see true robust stego.
Re: Not steganography
Paah, the article's qualification was an edit made after I posted, just to make me look daft!
As for "V2" I agree - I think the mangling will screw things up though - they'd have to stick to hosting the image file on some hacked server etc.
Re: Re: Not steganography
"Paah, the articles qualification was an edit made after I posted"
I disagree :-) It was in there right from the start, tucked in at the end of a paragraph. I've now moved it into its own line just so that no one misses it.
IMHO it's concatenation; more generous readers will let it slide as very primitive steganography (seeing as it's obfuscated).
Re: Not steganography
"I disagree :-) It was in there right from the start, tucked in at the end of a paragraph. I've now moved it into its own line just so that no one misses it."
Oh! Apologies then, I must have missed it.
It's not my fault, though, I'm Welsh and stupid!
Bank-account-raiding Zeus malware?
Ban this LEnix malware now!
"but when the user visits a website that's on the malware's list of targets"
Would be nicer if you mentioned the few known ones, unless they're the obvious phishing sites - but you don't say that. One can only infer that "particular online banking website" could be real, but compromised.
Re: John Tserkezis
Fair point, but I believe it changes from crook to crook - the source code is even on Github. Zeus is a highly configurable and modular piece of software :-( Appears it can also screenshot your desktop and open a VNC connection.
Anyway, Facebook, PayPal, Bank of America, YouTube and others are in the defaults. It doesn't have to be a complete URL. Just having 'login' in the URL could be a trigger, or anything connected via HTTPS. I would just assume that if you are infected by Zeus, you're gonna have a real bad time whatever you do online until you get rid of it.
1. embed the malware code in an image of a trojan horse
Steganography to hide the whole thing
I'm surprised if they were going for something like this, they wouldn't have also tried to embed more of the virus into images.
The main payload could be nothing but a tiny little script that embeds a decoding routine and exec function into some system library. You could even use a browser update bug and embed this into Chrome's or Firefox's SSL libraries (Done properly, you could even sign it with a fake code-signing cert and embed it into the underlying OS so the modified binary looks legit).
The rest of the virus would be embedded in a series of images labeled as 'Desktop Wallpaper' saved as full-color bitmaps at 1920x1080 or something of the like.
Something like this could go unnoticed for a long time
Re: Steganography to hide the whole thing
The big trick would be to conceal the payloads in ways that can withstand mangling, image conversion, and so on. Many hosting sites will routinely alter images to make them easier to store and transmit, and the extent of these alterations can break many stegos to date: including perhaps this method or a variant of concealing it in the EXIF data. I will admit that a 1080-sized wallpaper gives more real estate to work with, but that's again reduced by the robustness requirement.
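Both the "it's concatenation, not steganography" point above and the point about images being mangled by hosting sites come down to the same file-format fact: a JPEG ends at its EOI marker and a PNG at its IEND chunk, so bytes glued on after that marker are invisible to image viewers but trivially found by a parser, and are dropped by any re-encode. The following is an added example for this thread, not code from the article, the commenters, or the malware: it walks the JPEG and PNG structure to find the true end of the image, reports any trailing bytes, and strips them. The sample "images" are constructed minimal byte strings and the appended trailer is a made-up placeholder string.

```python
"""Check whether a JPEG or PNG carries bytes appended after its end-of-image
marker (file concatenation, as opposed to pixel-level steganography).
Added example for this discussion; not code from the article or the malware.
The sample images below are constructed minimal byte strings."""
import struct
import zlib
from typing import Optional, Tuple

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Walk the JPEG segment structure and return the offset just past the
    EOI marker, or None if the bytes are not a well-formed JPEG."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte in front of a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI: the image proper ends here
            return pos + 2
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                  # markers that carry no length field
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:            # SOS: entropy-coded scan data follows
            # Skip to the next real marker; 0xFF00 is a stuffed byte and
            # 0xFFD0..D7 are restart markers, both part of the scan data.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk PNG chunks and return the offset just past the IEND chunk's CRC,
    or None if the bytes are not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length       # length + type + payload + CRC
        if end > len(data):
            return None
        if ctype == b"IEND":
            return end
        pos = end
    return None


def trailing_data(data: bytes) -> Optional[Tuple[str, bytes]]:
    """Return (format, appended_bytes) for a JPEG or PNG; appended_bytes is
    empty when the file ends exactly at its end marker. None for other data."""
    for fmt, end_of in (("jpeg", jpeg_end_offset), ("png", png_end_offset)):
        end = end_of(data)
        if end is not None:
            return fmt, data[end:]
    return None


def strip_trailer(data: bytes) -> bytes:
    """Truncate at the end marker. A re-encode by a hosting site has the same
    effect, which is why appended data does not survive image 'mangling'."""
    found = trailing_data(data)
    if found is None:
        return data
    return data[:len(data) - len(found[1])]


# --- constructed samples (not real images, not real configuration data) ------
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


CLEAN_PNG = (PNG_SIG
             + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _png_chunk(b"IEND", b""))
# Minimal JPEG skeleton: SOI, one SOS header, three bytes of scan data, EOI.
CLEAN_JPEG = JPEG_SOI + b"\xff\xda\x00\x08\x01\x00\x00\x00\x00\x00" + b"\x12\x34\x56" + JPEG_EOI
APPENDED = b"placeholder-config: bank.example;pay.example"   # made-up trailer
TAINTED_PNG = CLEAN_PNG + APPENDED
TAINTED_JPEG = CLEAN_JPEG + APPENDED

if __name__ == "__main__":
    for name, blob in (("clean.png", CLEAN_PNG), ("tainted.png", TAINTED_PNG),
                       ("clean.jpg", CLEAN_JPEG), ("tainted.jpg", TAINTED_JPEG)):
        fmt, extra = trailing_data(blob)
        print(f"{name}: {fmt}, {len(extra)} trailing bytes")
```

Run against a directory of downloaded images, `trailing_data` flags any file whose bytes continue past the end marker; that is the check a scanner or proxy can apply cheaply, and it catches exactly the concatenation case, not payloads hidden in EXIF segments or in pixel data, which need a parser for those structures.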