Malicons: detecting payload in favicons
Main Authors: | , , , |
---|---|
Format: | Conference item |
Published: | Ingentaconnect 2016 |
Summary: | A recent version of the “Vawtrak” malware used steganography to hide the addresses of the command and control channels in favicons: small images automatically downloaded by the web browser. Since almost all research in steganalysis focuses on natural images, we study how well these methods can detect secret messages in favicons. The study is performed on a large corpus of favicons downloaded from the internet and applies a number of state-of-art steganalysis techniques, as well as proposing very simple novel features that exploit flat areas in favicons. The ultimate question is whether we can detect Vawtrak’s steganographic favicons with a sufficiently low false positive rate. |