Abstract

Once a botnet is constructed over the network, a bot master and bots start communicating by periodically exchanging messages, which is known as botnet C&C communication, in order to send botnet commands to bots, collect critical information stored in bots, upgrade software functions of malwares installed in bots, and so on. For this reason, most existing botnet detection techniques focus on monitoring and capturing suspicious communications between the bot master and bots. Meanwhile, botnets continue to evolve to hide their C&C communication. Recently, a novel type of botnet using image steganography techniques and SNS (Social Network Service) platforms, which is known as image steganography-based botnet or stegobotnet, has emerged to make its C&C communications undetectable by existing botnet detection systems. In stegobotnets, image files used in SNSs carry messages (between the bot master and bots) which are hidden in them by using image steganography techniques. In this paper, we first investigate whether major SNS platforms such as KakaoTalk, Facebook, and Twitter can be suitable for constructing image steganography-based botnets. Next, we construct a part of stegobotnet based on KakaoTalk, and conduct extensive experiments including digital forensic analysis (1) to validate stegobotnet C&C communication can be successful in KakaoTalk and (2) to examine its performance in terms of C&C communication reliability.

Highlights

  • A botnet consists of huge number of bots, which are computing devices with network functions infected by malwares, and bots are under the control of a cyber-attacker [1,2]

  • C&Ccommunications communicationsbybythe thefavor favorofofsophisticated sophisticatedsteganography steganography ininorder techniques and infect mobile smartphone devices whose owners actively use SNSs by downloading image files and video clips in which malicious messages may be hidden by a bot master

  • Messengers, we constructed a part of stegobotnets based on the KakaoTalk mobile messenger, conducted extensive experiments based on it, and analyzed experiment results in terms of stegobotnet command and control (C&C) communication reliability

Read more

Summary

Introduction

A botnet consists of huge number of bots, which are computing devices (such as PCs or smartphones) with network functions infected by malwares, and bots are under the control of a cyber-attacker (i.e., a bot master) [1,2]. The SNS-based stegobotnet has a couple of advantages over existing botnets It hides the existence of its C&C communications by the favor of sophisticated steganography techniques. It separates direct connections between a bot master and bots by locating a SNS server in the middle of the bot master and bots. According to our survey, we observed that no researchers have studied on stegobotnets based on mobile SNS messengers they are one of popular SNS platforms in these days By this motivation, in this paper, we construct a part of (innocuous) stegobotnet based on KakaoTalk [14], which is the most popular mobile SNS messenger in Republic of Korea, conduct extensive experiments on it, and report performance analysis results in terms of stegobotnet C&C communication reliability.

Brief Description of Basic Entities and Structure of Botnet
Methods
A Novel Stealthy Botnet
Existing
Investigation of the Suitability of Popular SNSs for Stegobotnet Platform
Suitability Investigation Procedures and Results
Brief Introduction to KakaoTalk Openchat
An Attack Scenario Using Stegobotnet in KakaoTalk Openchat
Experiments and Result Analysis
Experiment 1
MB JPEG file
Result and and Analysis
Conclusion andand

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.