Stegobot: building unobservable communication networks using social network behavior

Shishir Nagaraja, Vijit Singh, Pragya Agarwal
Indraprastha Institute of Information Technology, New Delhi, India
{nagaraja, vijit, pragya}@iiitd.ac.in

Amir Houmansadr, Pratch Piyawongwisal, Nikita Borisov
University of Illinois at Urbana-Champaign, Urbana, IL, USA
{ahouman2, piyawon1, nikita}@illinois.edu

Abstract

We propose the construction of an unobservable communications network using social networks. The communication endpoints are vertices on a social network. Probabilistically unobservable communication channels are built by leveraging image steganography and the social image-sharing behavior of users. All communication takes place along the edges of a social network overlay connecting friends. We show that such a network can provide decent bandwidth even with a far-from-optimal routing mechanism such as restricted flooding.

We show that such a network is indeed usable by constructing a botnet on top of it, called Stegobot. It is designed to spread via social malware attacks and steal information from its victims. Unlike conventional botnets, Stegobot traffic does not introduce new communication endpoints between bots. We analyzed a real-world dataset of image sharing between members of an online social network. Analysis of Stegobot's network throughput indicates that, stealthy as it is, it is also functionally powerful: it can channel substantial quantities of sensitive data from its victims to the botmaster, at tens of megabytes every month.

1 Introduction

Malware is an extremely serious threat to modern networks. In recent years, a new form of general-purpose malware known as bots has arisen. Bots are unique in that they collectively maintain communication structures across nodes to resiliently distribute commands and data through a command and control (C&C) channel.
The ability to coordinate bots and push new commands to them gives the botnet owner vast power when performing criminal activities, including the ability to orchestrate surveillance attacks, perform DDoS extortion, send spam for pay, and run phishing campaigns.

arXiv:1107.2031v1 [cs.CR] 11 Jul 2011