Staying hidden is one of the primary goals of an attacker, making the arms race between cybercriminals and security professionals a never-ending battle.
At the recent Black Hat Europe 2015 conference in Amsterdam, Dell SecureWorks’ Pierre-Marc Bureau and fellow researcher Christian Dietrich from security vendor CrowdStrike brought attendees behind the frontlines of that fight and revealed how attackers are hiding their command and control communication in an effort to dodge detection.
One method being used by malware operators is steganography, an old tactic that has experienced a resurgence recently. Using steganography, an attacker can conceal secret information within a digital format such as an image or audio file. Though it is still uncommon, steganography use in malware is on the upswing. Last year, for example, our researchers spotted it being used by the Lurk malware, and earlier this year the Stegoloader and Gozi malware were observed using it as well.
In their presentation, Bureau and Dietrich described the ways each of the three malware families leveraged the tactic. Each did so differently: Stegoloader hides code in PNG images, while Lurk hides download URLs in BMP images and Gozi conceals control server domain names in ICO files. However, the technique used to hide information inside the least significant bit of each pixel is similar across all three pieces of malware.
The main advantage of steganography is that the communication between an infected computer and its command and control server is harder for tools and humans alike to detect. The downside for attackers, however, is that the hidden information needs to be significantly smaller than the file hosting it, and steganography is not trivial to implement without mistakes.
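To make the least-significant-bit technique concrete from the analyst's side, here is an added example (not code from the talk, SecureWorks or CrowdStrike) that lifts the LSB plane out of raw 8-bit pixel samples and reports whether it packs into a printable string such as a URL or domain name. The bit order within a byte, the placeholder domain `c2.example.test` and the grey-ramp carrier are all assumptions constructed for the demonstration.

```python
"""Lift the LSB plane from a flat list of 8-bit channel samples (one int per
channel per pixel, as an image decoder yields) and carve printable text from it.
Added example; not from the talk, SecureWorks or CrowdStrike."""

PRINTABLE = set(range(0x20, 0x7F))  # space through tilde

def lsb_to_bytes(samples, msb_first=True):
    """Pack the LSB of each sample, eight samples per byte (bit order is an assumption)."""
    bits = [s & 1 for s in samples]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        chunk = bits[i:i + 8] if msb_first else bits[i:i + 8][::-1]
        out.append(int("".join(map(str, chunk)), 2))
    return bytes(out)

def longest_printable_run(data):
    """(length, start) of the longest stretch of printable ASCII; noise rarely gives many."""
    best, best_start, cur = 0, 0, 0
    for i, b in enumerate(data):
        cur = cur + 1 if b in PRINTABLE else 0
        if cur > best:
            best, best_start = cur, i - cur + 1
    return best, best_start

def carve_lsb_text(samples, min_run=8):
    """Try both bit orders; return the longest printable run if >= min_run bytes, else None."""
    for msb_first in (True, False):
        data = lsb_to_bytes(samples, msb_first)
        n, start = longest_printable_run(data)
        if n >= min_run:
            return data[start:start + n].decode("ascii")
    return None

def make_fixture(payload=b"", n=4096):
    """Constructed carrier, not a real image: a grey ramp of odd samples, so the untouched
    LSB plane packs to 0xFF (never printable).  Payload bits go MSB-first into the first
    len(payload) * 8 samples, the per-pixel LSB placement the talk describes."""
    samples = [((i * 13) % 256) | 1 for i in range(n)]
    bits = [(b >> k) & 1 for b in payload for k in range(7, -1, -1)]
    for i, bit in enumerate(bits):
        samples[i] = (samples[i] & ~1) | bit
    return samples

if __name__ == "__main__":
    print("clean  :", carve_lsb_text(make_fixture()))                      # None
    print("hidden :", carve_lsb_text(make_fixture(b"c2.example.test")))    # c2.example.test
```

On a real file, feed `carve_lsb_text` the decoded channel values of a PNG, BMP or ICO; a payload that is compressed or encrypted will not show up as printable text, so pair this with an entropy or file-size comparison against the image's expected content.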
Steganography, of course, is not the only way advanced attackers are covertly communicating with infected computers. Bureau and Dietrich also discussed the use of inconspicuous carrier protocols to obscure command and control communications, including the concealment of information in DNS packets by malware such as PlugX and Feederbot, and examples of malware hiding commands in HTTP error messages (HTTP 404).
Just as with steganography, the goal for the attacker is to go undetected while continuing their operations. And it is not just cybercriminals doing it; nation-states are using these tactics as well. Hidden communication channels have made their way into all kinds of malware, from information stealers to remote access trojans to distributed denial of service tools. In many cases, malware hides only part of its communication using covert channels. For example, the reporting portion of Stegoloader is not hidden and can be detected, as can the standard communication protocol used by Gozi. From the perspective of security vendors, now as much as ever, it is necessary to have in-depth analysis of these threats to understand how they hide their communication and how to detect them at different levels.