Think twice before uploading your holiday pictures to Facebook – you could be helping someone steal information from your computer. A botnet called Stegobot was created by an Indian-origin scientist to show how easy it would be for a bad guy to hijack Facebook photos to create a secret communication channel that is very difficult to detect.
Like most botnets, Stegobot gains control of computers by tricking users into opening infected email attachments or visiting malicious websites.
But rather than contacting the botmasters directly, it piggybacks on the infected user’s normal social network activity. “If one of your friends is a friend of a friend of the botmaster, the information transfers hop by hop within the social network, finally reaching the botmasters.”
Stegobot takes advantage of a technique called steganography to hide information in picture files without changing their appearance. It is possible to store around 50 KB of data in a 720×720-pixel image – enough to transmit any passwords or credit card numbers that Stegobot might find on your hard drive.
The botnet inserts this information into any photo you upload to Facebook and then waits for one of your friends to look at your profile. They don’t even have to click on the photo as Facebook helpfully downloads files in the background. If your friend is also infected with the botnet – quite likely, since any email you send them will pass it on – any photo they upload will also pass on the stolen data.
From there, the data will eventually make its way to the account of someone who is also friends with the botmaster, allowing them to extract details on your identity. The botmasters can also send commands to the botnet through the reverse process – uploading a photo with hidden instructions that make their way to infected computers.
Thankfully, Stegobot only exists in a lab. For now.