Beware Greeks bearing lists: Bank-raiding nasty Zeus smuggles attack orders in JPEGs

A new variant of the bank-account-raiding Zeus malware apparently uses the ancient technique of steganography to update its list of websites to subvert. Dubbed ZeusVM, the crafty strain is just like its cousins in that it intercepts activity in a victim's web browser, siphons off passwords and other sensitive personal …

COMMENTS

This topic is closed for new posts.
  1. Jamie Jones Silver badge

    Not steganography

    If this is piggybacking data onto the end of the file, rather than hiding it within the image, then it ain't steganography!

    1. Charles 9

      Re: Not steganography

      It's been so noted in the article and qualified appropriately (IOW these weren't El Reg's words).

      I suspect, though, it won't be long before someone uses real stego to pull it off. I think the main concern is that many sites mangle images before posting to fit within dimension and/or size limits, and JPEG is a pretty forgiving format for that...except when you want to keep fine details which are necessary for stego, meaning mangling a JPEG will likely mangle the stego beyond the point of recognition.

      So perhaps what we're seeing is a V1 attempt at hiding the list within an image file. V2 will see true robust stego.

      1. Jamie Jones Silver badge

        Re: Not steganography

        Paah, the article's qualification was an edit made after I posted, just to make me look daft!

        As for "V2" I agree - I think the mangling will screw things up though - they'd have to stick to hosting the image file on some hacked server etc.

        1. diodesign (Written by Reg staff) Silver badge

          Re: Re: Not steganography

          "Paah, the articles qualification was an edit made after I posted"

          I disagree :-) It was in there right from the start, tucked in at the end of a paragraph. I've now moved it into its own line just so that no one misses it.

          IMHO it's concatenation; more generous readers will let it slide as very primitive steganography (seeing as it's obfuscated).

          C.

          1. Jamie Jones Silver badge

            Re: Not steganography

            "I disagree :-) It was in there right from the start, tucked in at the end of a paragraph. I've now moved it into its own line just so that no one misses it."

            Oh! Apologies then, I must have missed it.

            It's not my fault, though, I'm Welsh and stupid!

  2. Anonymous Coward

    Bank-account-raiding Zeus malware?

    Ban this LEnix malware now !

  3. John Tserkezis

    "but when the user visits a website that's on the malware's list of targets"

    Would be nicer if you mentioned the few known ones, unless they're the obvious phishing sites - but you don't say that. One can only infer that "particular online banking website" could be real, but compromised.

    1. diodesign (Written by Reg staff) Silver badge

      Re: John Tserkezis

      Fair point, but I believe it changes from crook to crook - the source code is even on Github. Zeus is a highly configurable and modular piece of software :-( Appears it can also screenshot your desktop and open a VNC connection.

      Anyway, Facebook, PayPal, Bank of America, YouTube and others are in the defaults. It doesn't have to be a complete URL. Just having 'login' in the URL could be a trigger, or anything connected via HTTPS. I would just assume that if you are infected by Zeus, you're gonna have a real bad time whatever you do online until you get rid of it.

      C.

  4. roselan

    trojanception recipe

    1. embed the malware code in an image of a trojan horse

    2. ...

    3. profit

  5. Crazy Operations Guy

    Steganography to hide the whole thing

    I'm surprised if they were going for something like this, they wouldn't have also tried to embed more of the virus into images.

    The main payload could be nothing but a tiny little script that embeds a decoding routine and exec function into some system library. You could even use a browser update bug and embed this into Chrome's or Firefox's SSL libraries (Done properly, you could even sign it with a fake code-signing cert and embed it into the underlying OS so the modified binary looks legit)

    The rest of the virus would be embedded in a series of images labeled as 'Desktop Wallpaper' saved as full-color bitmaps at 1920x1080 or something of the like.

    Something like this could go unnoticed for a long time

    1. Charles 9

      Re: Steganography to hide the whole thing

      The big trick would be to conceal the payloads in ways that can withstand mangling, image conversion, and so on. Many hosting sites will routinely alter images to make them easier to store and transmit, and the extent of these alterations can break many stegos to date: including perhaps this method or a variant of concealing it in the EXIF data. I will admit that a 1080-sized wallpaper gives more real estate to work with, but that's again reduced by the robustness requirement.
