Dev.SN

New Zeus Trojan Variant Using Steganography

posted by Dopefish on Friday February 21 2014, @02:30PM   
from the zeus-favored-the-greeks dept.

Keldrin writes:

"Zeus is a trojan designed to steal banking credentials, and has been declared one of the most successful pieces of malware currently seen in the wild. A new variant is making detection far more difficult for anti-virus companies by hiding configuration settings inside pictures. At the moment, the malware simply encodes the configuration with Base64, passes them through XOR and RC4, then attaches them to the end of an image file. This makes for an 'infected' file that is much larger than the original. There is speculation that future releases of the malware will be able to detect minuscule changes to the colors of individual pixels, making the affected files much harder to detect."

• Re:Not Stenography (Score: 2, Informative) by Fnord666 on Friday February 21 2014, @10:54PM

  by Fnord666 (652) on Friday February 21 2014, @10:54PM (#4661)

  This seems like an improbable attack vector, as the malware would need to store the original image somewhere, or the original pixel values, in order to compare the changes that were made. Storing this information "in the open" would defeat the covert nature of the exploit, since you could simply look for that instead of the manipulated images, IMHO.

  The key for the steganography can tell you where the next bit in the encoded message is located within the image. To encode you replace the lower order bit at that location with your next payload bit. To decode you just grab the low order bit at that location. No need to have the original image to compare against. In fact it's better if the original image is not available so that a cryptanalyst doesn't have it available as a crib.

  Parent

  Starting Score:	1		point
  Moderation		+1
  Informative=1, Total=1
  Extra 'Informative' Modifier		0
  Total Score:		2