Back to articles
Steganalysis
Volume: 28 | Article ID: art00015
Image
Malicons: Detecting Payload in Favicons
Tomáš Pevný
Martin Kopp
Jakub Křoustek
Andrew D. Ker
  DOI :  10.2352/ISSN.2470-1173.2016.8.MWSF-079  Published OnlineFebruary 2016
Abstract

A recent version of the "Vawtrak" malware used steganography to hide the addresses of the command and control channels in favicons: small images automatically downloaded by the web browser. Since almost all research in steganalysis focuses on natural images, we study how well these methods can detect secret messages in favicons. The study is performed on a large corpus of favicons downloaded from the internet and applies a number of state-of-art steganalysis techniques, as well as proposing very simple novel features that exploit flat areas in favicons. The ultimate question is whether we can detect Vawtrak's steganographic favicons with a sufficiently low false positive rate.

Journal Title : Electronic Imaging
Publisher Name : Society for Imaging Science and Technology
Subject Areas :
Views 44
Downloads 2
 DOI 10.2352/ISSN.2470-1173.2016.8.MWSF-079
 articleview.views 44
 articleview.downloads 2
  Cite this article 

Tomáš Pevný, Martin Kopp, Jakub Křoustek, Andrew D. Ker, "Malicons: Detecting Payload in Faviconsin Proc. IS&T Int’l. Symp. on Electronic Imaging: Media Watermarking, Security, and Forensics,  2016,  https://doi.org/10.2352/ISSN.2470-1173.2016.8.MWSF-079

 Copy citation
  Copyright statement 
Copyright © Society for Imaging Science and Technology 2016
72010604
Electronic Imaging
2470-1173
Society for Imaging Science and Technology
10.2352/ISSN.2470-1173.2016.8.MWSF-079
2470-1173(20160214)2016:8L.1;1-
s15.phd
/ist/ei/2016/00002016/00000008/art00015
Steganalysis
Malicons: Detecting Payload in Favicons
PevnýTomáš
KoppMartin
KřoustekJakub
KerAndrew D.
14022016
2016
8
1
9
2016
A recent version of the "Vawtrak" malware used steganography to hide the addresses of the command and control channels in favicons: small images automatically downloaded by the web browser. Since almost all research in steganalysis focuses on natural images, we study how well these methods can detect secret messages in favicons. The study is performed on a large corpus of favicons downloaded from the internet and applies a number of state-of-art steganalysis techniques, as well as proposing very simple novel features that exploit flat areas in favicons. The ultimate question is whether we can detect Vawtrak's steganographic favicons with a sufficiently low false positive rate.