Stegobot: New Threat to Facebook | Ethical Hacking Chandigarh
THINK twice before uploading your holiday pictures to Facebook - you could be helping someone to steal information from your computer. A botnet called Stegobot was created to show how easy it would be for a crook to hijack Facebook photos to create a secret communication channel that is very difficult to detect.
Like most botnets, Stegobot gains control of computers by tricking users into opening infected email attachments or visiting suspect websites. But rather than contacting the botmasters directly, it piggybacks on the infected user's normal social network activity. "If one of your friends is a friend of a friend of the botmaster, the information transfers hop by hop within the social network, finally reaching the botmasters," says Amir Houmansadr, a computer scientist at the University of Illinois at Urbana-Champaign who worked on the botnet.
Stegobot takes advantage of a technique called steganography to hide information in picture files without changing their appearance. It is possible to store around 50 kilobytes of data in a 720 by 720 pixel image - enough to transmit any passwords or credit card numbers that Stegobot might find on your hard drive.
The botnet inserts this information into any photo you upload to Facebook, and then waits for one of your friends to look at your profile. They don't even have to click on the photo, as Facebook helpfully downloads files in the background. If your friend is also infected with the botnet - quite likely, since any email you send them will pass it on - any photo they upload will also pass on the stolen data.
From there, the data will eventually make its way to the account of someone who is also friends with the botmaster, allowing them to extract details on your identity. The botmasters can also send commands to the botnet through the reverse process - uploading a photo with hidden instructions that make their way to infected computers.
"It's scary because it's virtually undetectable," says Shishir Nagaraja of the Indraprastha Institute of Information Technology, New Delhi, India, who led the project.
Marco Cova, a computer scientist at the University of Birmingham, UK, says that criminals could employ a system like Stegobot, as it is hard to detect, but other methods allow them to steal much larger quantities of data. "It's not the most efficient or convenient way," he says.
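The following added example, which is not from the article or the Stegobot authors, shows the classic pairs-of-values chi-square test flagging a payload of the size quoted above (around 50 kilobytes in a 720 by 720 pixel image). It assumes sequential least-significant-bit replacement in raw grayscale pixel values, which the article does not say Stegobot uses; the cover image, the payload bits and all function names are constructed for the demonstration.

```python
import random

W = H = 720                    # image size quoted in the article
PAYLOAD_BITS = 50 * 1024 * 8   # "around 50 kilobytes", taken here as 50 KiB

def make_cover(rng):
    """Constructed 8-bit grayscale cover: contrast-stretched noise, giving the
    gapped histogram that such processing leaves behind."""
    return [rng.randrange(205) * 5 // 4 for _ in range(W * H)]

def simulate_lsb(cover, nbits, rng):
    """Test fixture: overwrite the LSB of the first nbits samples with random
    bits, which is what an encrypted or compressed payload looks like."""
    return [(s & ~1) | rng.getrandbits(1) for s in cover[:nbits]] + cover[nbits:]

def pov_score(samples):
    """Chi-square over value pairs (2k, 2k+1), divided by the pairs counted.
    LSB replacement equalises each pair, so the score sits near 1; data that
    was not embedded into usually scores far higher."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    chi2, pairs = 0.0, 0
    for k in range(0, 256, 2):
        total = hist[k] + hist[k + 1]
        if total >= 10:                       # ignore sparsely populated pairs
            chi2 += (hist[k] - hist[k + 1]) ** 2 / total
            pairs += 1
    return chi2 / pairs if pairs else float("inf")

def embedded_fraction(samples, steps=20, threshold=2.0):
    """Grow a prefix of the pixel stream and return the largest fraction whose
    pairs still look equalised (0.0 means nothing was flagged)."""
    flagged = 0.0
    for i in range(1, steps + 1):
        if pov_score(samples[: len(samples) * i // steps]) >= threshold:
            break
        flagged = i / steps
    return flagged

def demo(seed=1):
    rng = random.Random(seed)
    cover = make_cover(rng)
    stego = simulate_lsb(cover, PAYLOAD_BITS, rng)
    return embedded_fraction(cover), embedded_fraction(stego)

if __name__ == "__main__":
    clean, suspect = demo()
    print(f"cover flagged fraction: {clean:.2f}")
    print(f"stego flagged fraction: {suspect:.2f} (payload fills "
          f"{PAYLOAD_BITS / (W * H):.2f} of the pixels)")
```

This test covers only the naive case; payloads spread along a pseudo-random path or hidden in JPEG coefficients need other steganalysis methods.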