Stegobot: A Covert Social Network Botnet

  • Shishir Nagaraja
  • Amir Houmansadr
  • Pratch Piyawongwisal
  • Vijit Singh
  • Pragya Agarwal
  • Nikita Borisov
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6958)


We propose Stegobot, a new generation botnet that communicates over probabilistically unobservable communication channels. It is designed to spread via social malware attacks and steal information from its victims. Unlike conventional botnets, Stegobot traffic does not introduce new communication endpoints between bots. Instead, it is based on a model of covert communication over a social-network overlay – bot to botmaster communication takes place along the edges of a social network. Further, bots use image steganography to hide the presence of communication within image sharing behavior of user interaction. We show that it is possible to design such a botnet even with a less than optimal routing mechanism such as restricted flooding. We analyzed a real-world dataset of image sharing between members of an online social network. Analysis of Stegobot’s network throughput indicates that stealthy as it is, it is also functionally powerful – capable of channeling fair quantities of sensitive data from its victims to the botmaster at tens of megabytes every month.


Social Network Online Social Network Image Steganography Stego Image Covert Channel 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
  3. 3.
  4. 4.
  5. 5.
    Albert, R., Jeong, H., Barabasi, A.-L.: Error and attack tolerance of complex networks. Nature 406(6794), 378–382 (2000)CrossRefGoogle Scholar
  6. 6.
    Binkley, J.R., Singh, S.: An algorithm for anomaly-based botnet detection. In: SRUTI 2006: Proceedings of the 2nd Conference on Steps to Reducing Unwanted Traffic on the Internet, p. 7. USENIX Association, Berkeley (2006)Google Scholar
  7. 7.
    Fridrich, J.J., Goljan, M., Soukal, D.: Perturbed quantization steganography. Multimedia Syst. 11(2), 98–107 (2005)CrossRefGoogle Scholar
  8. 8.
    Fridrich, J.J., Pevný, T., Kodovský, J.: Statistically undetectable jpeg steganography: dead ends challenges, and opportunities. In: Kundur, D., Prabhakaran, B., Dittmann, J., Fridrich, J.J. (eds.) Proceedings of the 9th workshop on Multimedia & Security, MM&Sec 2007, Dallas, Texas, USA, September 20-21, pp. 3–14. ACM, New York (2007)Google Scholar
  9. 9.
    Goebel, J., Holz, T.: Rishi: Identify bot contaminated hosts by IRC nickname evaluation. In: HotBots (2007)Google Scholar
  10. 10.
    Gu, G., Perdisci, R., Zhang, J., Lee, W.: BotMiner: Clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: Proceedings of the 17th USENIX Security Symposium, Security 2008 (2008)Google Scholar
  11. 11.
    Karasaridis, A., Rexroad, B., Hoeflin, D.: Wide-scale botnet detection and characterization. In: HotBots (2007)Google Scholar
  12. 12.
    Kim, Y., Duric, Z., Richards, D.: Modified Matrix Encoding Technique for Minimal Distortion Steganography. In: Camenisch, J.L., Collberg, C.S., Johnson, N.F., Sallee, P. (eds.) IH 2006. LNCS, vol. 4437, pp. 314–327. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  13. 13.
    Lee, K., Westfeld, A.: Generalised category attack—improving histogram-based attack on JPEG LSB embedding. In: Furon, T., Cayre, F., Doërr, G., Bas, P. (eds.) IH 2007. LNCS, vol. 4567, pp. 11–13. Springer, Heidelberg (2008)Google Scholar
  14. 14.
    Lee, K., Westfeld, A., Lee, S.: Category attack for lsb embedding of jpeg images. In: Shi, Y.Q., Jeon, B. (eds.) IWDW 2006. LNCS, vol. 4283, pp. 35–48. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  15. 15.
    Nagaraja, S., Anderson, R.: The snooping dragon: social-malware surveillance of the tibetan movement. Technical Report UCAM-CL-TR-746, University of Cambridge (March 2009)Google Scholar
  16. 16.
    Nagaraja, S., Mittal, P., Hong, C.-Y., Caesar, M., Borisov, N.: Botgrep: finding p2p bots with structured graph analysis. In: Proceedings of the 19th USENIX Conference on Security, USENIX Security 2010, p. 7. USENIX Association, Berkeley (2010)Google Scholar
  17. 17.
    Nappa, A., Fattori, A., Balduzzi, M., Dell’Amico, M., Cavallaro, L.: Take a Deep Breath: A Stealthy, Resilient and Cost-Effective Botnet Using Skype. In: Kreibich, C., Jahnke, M. (eds.) DIMVA 2010. LNCS, vol. 6201, pp. 81–100. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  18. 18.
    Newman, Moskowitz, Chang, Brahmadesam: A steganographic embedding undetectable by JPEG compatibility steganalysis. In: Petitcolas, F.A.P. (ed.) IH 2002. LNCS, vol. 2578, pp. 258–277. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  19. 19.
    Porras, P., Saidi, H., Yegneswaran, V.: A multi-perspective analysis of the Storm (Peacomm) worm. In: SRI Technical Report 10-01 (2007)Google Scholar
  20. 20.
    Porras, P., Saidi, H., Yegneswaran, V.: A foray into Conficker’s logic and rendezvous points. In: 2nd Usenix Workshop on Large-Scale Exploits and Emergent Threats, LEET 2009 (2009)Google Scholar
  21. 21.
    Provos, N., Honeyman, P.: Hide and seek: An introduction to steganography. IEEE Security and Privacy 1, 32–44 (2003)CrossRefGoogle Scholar
  22. 22.
    Sallee, P.: Model-based steganography. In: Kalker, T., Cox, I., Ro, Y.M. (eds.) IWDW 2003. LNCS, vol. 2939, pp. 154–167. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  23. 23.
    Solanki, K., Sarkar, A., Manjunath, B.S.: YASS: Yet Another Steganographic Scheme That Resists Blind Steganalysis. In: Furon, T., Cayre, F., Doërr, G.J., Bas, P. (eds.) IH 2007. LNCS, vol. 4567, pp. 16–31. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  24. 24.
    Solanki, K., Sullivan, K., Madhow, U., Manjunath, B., Chandrasekaran, S.: Provably secure steganography: Achieving zero k-l divergence using statistical restoration. In: ICIP (2006)Google Scholar
  25. 25.
    Stover, S., Dittrich, D., Hernandez, J., Dietrich, S.: Analysis of the Storm and Nugache trojans: P2P is here. Login 32(6) (December 2007)Google Scholar
  26. 26.
    Westfeld, A.: F5–A steganographic algorithm: High capacity despite better steganalysis. In: Moskowitz, I.S. (ed.) IH 2001. LNCS, vol. 2137, pp. 289–302. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  27. 27.
    Westfeld, A., Pfitzmann, A.: Attacks on steganographic systems. In: Pfitzmann, A. (ed.) IH 1999. LNCS, vol. 1768, pp. 61–75. Springer, Heidelberg (2000)Google Scholar
  28. 28.
    Yen, T.-F., Reiter, M.K.: Traffic aggregation for malware detection. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 207–227. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  29. 29.
    Yu, X., Wang, Y., Tan, T.: On estimation of secret message length in jsteg-like steganography. In: International Conference on Pattern Recognition, vol. 4, pp. 673–676 (2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Shishir Nagaraja
    • 1
  • Amir Houmansadr
    • 2
  • Pratch Piyawongwisal
    • 2
  • Vijit Singh
    • 1
  • Pragya Agarwal
    • 1
  • Nikita Borisov
    • 2
  1. 1.Indraprastha Institute of Information TechnologyNew DelhiIndia
  2. 2.University of Illinois at Urbana-ChampaignUrbanaUSA

Personalised recommendations