Defeating Censorship or Undetectable Botnet C and C?

Monday, November 22, 2010

Dan Dieterle


Recently, during the protests in Iran, Iranians scrambled to get internet messages out to let the world know what was going on. And the Iranian government scrambled to intercept and block them.

Next, internet proxies started popping up, allowing Iranian protesters to bypass government filters, but these too were found out and shut down.

A way is needed to send messages that can bypass internet filters and government scrutiny: something that hides messages inside normal, everyday internet traffic.

Enter Collage, a project by Sam Burnett, Nick Feamster, and Santosh Vempala of the Georgia Institute of Technology. According to the Collage Project website:

Collage uses user-generated content (e.g., photo-sharing sites) as “drop sites” for hidden messages. To send a message, a user embeds it into cover traffic and posts the content on some site, where receivers retrieve this content using a sequence of tasks.


Sounds like normal steganography, but there is a twist. Collage breaks a message into small pieces and hides them in several kinds of user-generated content, be it videos, pictures or tweets, spread across many different hosting sites rather than one.

At the receiver, Collage fetches the cover content from the content hosts, extracts the pieces and reassembles the message. Because the data rides inside ordinary user-generated content as it traverses the network, and because no single site carries the whole message, Collage escapes detection by censors.
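The sender and receiver roles described above, as an added example that is not code from the Collage project. It is a deliberate simplification: the message is fragmented and each fragment is tagged with (index, total), every fragment is hidden in a different drop site's cover image with plain least-significant-bit steganography, and the receiver visits the sites in an arbitrary order and reassembles. The cover "images" (flat 8-bit pixel arrays), the site names and the sample message are all constructed for the demo; the real Collage uses existing image and text steganography tools and a task-based rendezvous that this example does not model.

```python
import random
import struct

MESSAGE = b"Protest moved to Azadi Square, 4pm"  # constructed sample message
# Hypothetical drop sites; in Collage these would be photo-sharing sites, microblogs, etc.
SITE_NAMES = ["photo_site", "video_site", "microblog", "forum", "wiki", "paste"]


def make_cover(seed, n_pixels=4096):
    """Constructed stand-in for an uploaded photo: a flat 8-bit grayscale pixel array."""
    rng = random.Random(seed)
    return bytearray(rng.randrange(256) for _ in range(n_pixels))


def lsb_embed(cover, payload):
    """Hide payload in the least-significant bit of successive pixels.
    A 2-byte big-endian length prefix tells the extractor where the payload ends."""
    data = struct.pack(">H", len(payload)) + payload
    if len(data) * 8 > len(cover):
        raise ValueError("cover image too small for payload")
    stego = bytearray(cover)
    for i, byte in enumerate(data):
        for bit in range(8):
            idx = i * 8 + bit
            stego[idx] = (stego[idx] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return stego


def lsb_extract(stego):
    """Inverse of lsb_embed. Raises ValueError when the length prefix is not plausible,
    which is the usual outcome on a cover that never carried a payload."""
    def read_byte(i):
        v = 0
        for bit in range(8):
            v = (v << 1) | (stego[i * 8 + bit] & 1)
        return v
    length = (read_byte(0) << 8) | read_byte(1)
    if (2 + length) * 8 > len(stego):
        raise ValueError("no plausible payload")
    return bytes(read_byte(2 + k) for k in range(length))


def fragment(message, chunk_size):
    """Collage-style fragmentation: tag each chunk with (index, total) so the receiver
    can reassemble no matter which drop site it reaches first."""
    chunks = [message[i:i + chunk_size] for i in range(0, len(message), chunk_size)]
    return [struct.pack(">BB", i, len(chunks)) + c for i, c in enumerate(chunks)]


def reassemble(pieces):
    """Return the message once every fragment index is present, else None."""
    fragments, total = {}, None
    for piece in pieces:
        idx, total = struct.unpack(">BB", piece[:2])
        fragments[idx] = piece[2:]
    if total is None or len(fragments) != total:
        return None
    return b"".join(fragments[i] for i in range(total))


def sender_publish(message, covers, chunk_size=8):
    """Spread the fragments over distinct drop sites; returns {site: uploaded stego image}."""
    pieces = fragment(message, chunk_size)
    if len(pieces) > len(covers):
        raise ValueError("need at least one drop site per fragment")
    return {site: lsb_embed(covers[site], piece) for site, piece in zip(covers, pieces)}


def receiver_fetch(published, visit_order):
    """Visit the drop sites in the given order (the receiver's 'sequence of tasks'),
    extract each fragment and rebuild the message."""
    return reassemble([lsb_extract(published[site]) for site in visit_order])


def max_pixel_change(cover, stego):
    """Largest per-pixel difference introduced by embedding (0 or 1 for LSB hiding),
    which is why a monitor inspecting the uploaded content sees nothing unusual."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def run_demo():
    covers = {name: make_cover(seed) for seed, name in enumerate(SITE_NAMES)}
    published = sender_publish(MESSAGE, covers)
    # Visit in reverse order to show that reassembly does not depend on fetch order.
    recovered = receiver_fetch(published, list(published)[::-1])
    delta = max(max_pixel_change(covers[s], published[s]) for s in published)
    return {"recovered": recovered, "sites_used": len(published), "max_pixel_change": delta}


if __name__ == "__main__":
    print(run_demo())
```

With an 8-byte chunk size the 34-byte sample message is split over five of the six drop sites, and no single site's upload changes any pixel by more than one level. That is the monitoring problem the rest of the post is about: each post looks like an ordinary photo, and the message only exists once a receiver has visited enough sites.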

This sounds great, but it could also be used for nefarious purposes. The same properties that let Collage bypass government censors would let malware or botnet command and control traffic become, in essence, invisible to network security monitoring.

Richard Bejtlich (GE’s CIRT team leader) explains this on his blog, TaoSecurity:

Collage makes it difficult for incident detection and response teams to monitor or block these messages by exploiting the sheer number of sites where users can exchange messages and the variety of ways that a message can be hidden. Our evaluation of Collage shows that the performance overhead is acceptable for sending small messages (e.g., Web articles, email), perfect for command and control instructions.

As always, a tool meant for good could be manipulated and used for evil. How would you stop or even detect botnet command and control messages, when they are hidden inside tweets or Flickr photos?

We may be fast approaching a time when all social media traffic and picture sharing is banned altogether from company networks.

Cross-posted from Cyber Arms

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
