Not steganography
If this is piggybacking data onto the end of the file, rather than hiding it within the image, then it ain't steganography!
A new variant of the bank-account-raiding Zeus malware apparently uses the ancient technique of steganography to update its list of websites to subvert. Dubbed ZeusVM, the crafty strain is just like its cousins in that it intercepts activity in a victim's web browser, siphons off passwords and other sensitive personal …
It's been so noted in the article and qualified appropriately (IOW these weren't El Reg's words).
I suspect, though, it won't be long before someone uses real stego to pull it off. I think the main concern is that many sites mangle images before posting to fit within dimension and/or size limits, and JPEG is a pretty forgiving format for that...except when you want to keep fine details which are necessary for stego, meaning mangling a JPEG will likely mangle the stego beyond the point of recognition.
So perhaps what we're seeing is a V1 attempt at hiding the list within an image file. V2 will see true robust stego.
"Paah, the articles qualification was an edit made after I posted"
I disagree :-) It was in there right from the start, tucked in at the end of a paragraph. I've now moved it into its own line just so that no one misses it.
IMHO it's concatenation; more generous readers will let it slide as very primitive steganography (seeing as it's obfuscated).
C.
Fair point, but I believe it changes from crook to crook - the source code is even on Github. Zeus is a highly configurable and modular piece of software :-( Appears it can also screenshot your desktop and open a VNC connection.
Anyway, Facebook, PayPal, Bank of America, YouTube and others are in the defaults. It doesn't have to be a complete URL. Just having 'login' in the URL could be a trigger, or anything connected via HTTPS. I would just assume that if you are infected by Zeus, you're gonna have a real bad time whatever you do online until you get rid of it.
C.
I'm surprised if they were going for something like this, they wouldn't have also tried to embed more of the virus into images.
The main payload could be nothing but a tiny little script that embeds a decoding routine and exec function into some system library. You could even use a browser update bug and embed this into Chome's or Firefox's SSL libraries (Done properly, you could even sign it with a fake code-signing cert and embed it into the underlying OS so the modified binary looks legit)
The rest of the virus would be embedded in a series of images labeled as 'Desktop Wallpaper' saved as full-color bitmaps at 1920x1080 or something of the like.
Something like this could go unnoticed for a long time
The big trick would be to conceal the payloads in ways that can withstand mangling, image conversion, and so on. Many hosting sites will routinely alter images to make them easier to store and transmit, and the extent of these alterations can break many stegos to date: including perhaps this method or a variant of concealing it in the EXIF data. I will admit that a 1080-sized wallpaper gives more real estate to work with, but that's again reduced by the robustness requirement.