Collage: Defeating Censorship or Undetectable Botnet C&C?

Recently, during the protests in Iran, Iranians scrambled to get internet messages out to let the world know what was going on. And the Iranian government scrambled to intercept and block them.

Next, internet proxies started popping up; allowing Iranian protesters to bypass government filters, but these too were found out and shut down. A way is needed to send messages that could bypass internet filters and government scrutiny, something where you could place hidden messages inside normal everyday internet traffic.

Enter Collage, a project by Sam Burnett, Nick Feamster, and Santosh Vempala of the Georgia Institute of Technology. According to the Collage Project website:

Collage uses user-generated content (e.g., photo-sharing sites) as “drop sites” for hidden messages.  To send a message, a user embeds it into cover traffic and posts the content on some site, where receivers retrieve this content using a sequence of tasks.

Sounds like normal steganography, but there is a twist. Collage breaks the messages into small pieces and places them into several forms of electronic media, be it videos, pictures or tweets.

At the receiver, Collage fetches the cover content from content hosts and decodes the message. By hiding data inside user-generated content as they traverse the network, Collage escapes detection by censors.

This sounds great, but it could also be used for nefarious purposes. The same functions that allow Collage to bypass government censors could also be used by malware or botnets to, in essence, become invisible to network security monitoring.

Richard Bejtlich (GE’s CIRT team leader) explains this on his blog, TaoSecurity:

Collage makes it difficult for incident detection and response teams to monitor or block these messages by exploiting the sheer number of sites where users can exchange messages and the variety of ways that a message can be hidden. Our evaluation of Collage shows that the performance overhead is acceptable for sending small messages (e.g., Web articles, email), perfect for command and control instructions.

As always a tool meant for good could be manipulated and used for evil. How would you stop or even detect botnet command and control messages, when they are hidden inside tweets or Flickr photos?

We may be fast approaching a time when all social media traffic and picture sharing is banned altogether from company networks.


One thought on “Collage: Defeating Censorship or Undetectable Botnet C&C?”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.