Alureon Trojan Uses Steganography Techniques

The malware hides a part of its 'soul' inside strategically placed image files

By on September 26th, 2011 07:38 GMT

A version of the Alureon Trojan was discovered hiding command and control backup locations in regular jpeg files. The images were posted on random domains so in case the virus couldn't contact the primary servers, it would make use of these encrypted addresses.

Microsoft researchers came across this form of the malware after a period of monitoring in which they've determined exactly the way the new Alureon does its job.

Win32/Alureon is part of the data-stealing family of trojans. Its multiple functionality allows its master to intercept private data, send distructive commands to the infected device, leaving behind a trail of damaged DNS settings. Keyboard and other drivers might malfunction after an attack from this specific malware.

A closer investigation revealed that that the new variant downloads an extra component file called com32 and after it was decrypted, its true purpose was discovered.

The new element actually tries to communicate with a number of image files hosted on a few blogs. The images contain a string of data that is interpreted by com32, allowing Alureon to obtain a list of C&C servers which he would seek to retrieve in the event that the primary hosts might become unavailable.

This technique of embedding a hidden code inside a message is called steganography and it seems as hackers are using it more often to strengthen their malicious programs.

According to the TechNet blog, the configuration files are masqueraded as pictures representing an old woman, a young man and a bowl of Chinese herbs and they're posted on Livejournal and Wordpress sites.

The threat is detected by most anti-virus applications so in order to protect your device and your data, make sure you have an up-to-date virus definition database and a properly configured firewall. Also beware of suspicious email messages as in many cases they're the ones responsible for spreading these infections.
A simple image might contain the configuration file of a trojan
   A simple image might contain the configuration file of a trojan
MORE ON THIS TOPIC
LATEST NEWS
HOT RIGHT NOW

Comments