Stegobot: construction of an unobservable communication network leveraging social behavior

TL;DR

This paper introduces Stegobot, a covert communication network built on social media behavior, using steganography to enable stealthy data exchange among bots without revealing new endpoints.

Contribution

It presents a novel social network-based botnet architecture that leverages image sharing and steganography for unobservable communication, demonstrating its feasibility and data throughput.

Findings

Stegobot can transmit tens of megabytes of data monthly.

The network remains stealthy by using existing social interactions.

It achieves decent bandwidth with simple routing mechanisms.

Abstract

We propose the construction of an unobservable communications network using social networks. The communication endpoints are vertices on a social network. Probabilistically unobservable communication channels are built by leveraging image steganography and the social image sharing behavior of users. All communication takes place along the edges of a social network overlay connecting friends. We show that such a network can provide decent bandwidth even with a far from optimal routing mechanism such as restricted flooding. We show that such a network is indeed usable by constructing a botnet on top of it, called Stegobot. It is designed to spread via social malware attacks and steal information from its victims. Unlike conventional botnets, Stegobot traffic does not introduce new communication endpoints between bots. We analyzed a real-world dataset of image sharing between members of an online social network. Analysis of Stegobot's network throughput indicates that stealthy as it is, it is also functionally powerful -- capable of channeling fair quantities of sensitive data from its victims to the botmaster at tens of megabytes every month.