Stegobot steals passwords, reveals social network insecurities

2/21/2013 April Dahlquist, CSL Communications

As if you needed another reason to be careful with photos on Facebook.

Written by April Dahlquist, CSL Communications

As if you needed another reason to be careful with photos on Facebook.


Not only can unflattering photos paint an undesirable image of you to prospective employers, but they could also be stealing private passwords, credit card numbers and other confidential information.

Amir Houmansadr, a PhD candidate in electrical and computer engineering and researcher in the Coordinated Science Laboratory, was a part of a research team that created the malicious botnet Stegobot to demonstrate how easy it is to hack into private computers and steal information. Stegobot can spread through images on social networking sites such as Facebook, Flickr and Google+.

“We designed Stegobot to demonstrate the power of botnets as a tool of political and industrial surveillance,” said Shishir Nagaraja, project head and assistant professor at Indraprastha Institute of Information Technology (IIIT), New Delhi, India.

A person can be tricked into having their computer hacked from clicking on unknown links or opening attachments from unknown users. With a normal botnet, the information would be sent straight to the botmaster, the person who created the botnet. However, this type of activity is usually spotted by a firewall or other antivirus protection software, Houmansadr said. Stegobot is so powerful because it uses social networking connections to communicate, which is undetectable to a firewall.

“Since Stegobot's infection does not result in your computer’s communication with any computer that it wasn’t already in communication with before the attack, it is harder to detect its presence,” Nagaraja said.

Stegobot gives the illusion that nothing is going on since the stolen information is living within the code of the picture, without altering the content of picture.

Stegobot works by first infecting a computer and then communicating the stolen information, which could be passwords or credit card numbers. The information transfer happens within the realm of social networking when a user views pictures of an infected friend. This continues until the stolen information from each infected computer gets back to the botmaster. Stegobot can even steal information when a user is simply logged in to his or her Facebook account, without even clicking on photos, says Houmansadr.

It only takes one person to get infected, and then the rest of his or her social contacts will most likely be infected, since the botnet can be spread through e-mail as well.

“If I get an email from an unknown person, it is very unlikely that I will click on the attachment, but if I get an email from a friend, I’m more likely to open the attachment,” Houmansadr said. “If one of my friends is actually infected with the botnet, their social activity can use the botbinary more efficiently and help it infect more machines.”

The collaboration included other students from IIIT in India, as well as ECE student Pratch Piyawongwisal and Nikita Borisov, a member of Illinois’ electrical and computer engineering faculty.

“We are very interested in pursuing this research,” Houmansadr said. “The next step is to verify whether this Stegobot can run on other kinds of social networks, like YouTube.”

Coding for video can hold much more stolen information than a picture, and thus be more destructive.

The researchers also hope that social networking sites will start protecting against this kind of hacking, or that antivirus makers will start to offer protection against invisible botnet connections.

“As governments and the industry are slowly awakening to the risks of information theft, such as network attacks on political and industrial targets, it is important to understand attack technologies of this nature so we may design better defensive countermeasures,” Nagaraja said.

Share this story

This story was published February 21, 2013.