New ‘Lurk’ Malware Avoids Detection Using Steganographic Techniques


A gang of cybercriminals has been found using steganography, a technique that embeds information inside an image, to create malware that lasts longer and is harder to detect. The group has compromised the devices of approximately 350,000 users and earned a quarter of a million dollars through their scheme, according to Dark Reading.

A Dell researcher discovered that the malware involved in a customer attack they were investigating had spread through a malicious image as part of a click-fraud campaign. The malware, known as Lurk, utilizes an algorithm that allows encrypted downloader URLs to be embedded within an image file by imperceptibly manipulating the pixels. The surreptitious URLs lead the phone-home command-and-control nodes that instruct the compromised devices connected to the gang’s main botnet.

The malware was found to be spreading through iFrames on websites via an Adobe Flash exploit. This type of attack requires a target to be using a version of Flash that carries the vulnerability, which will then trigger the exploit that downloads Lurk. A plain, white image secretly carrying the malware is downloaded, which contains an encrypted URL that, in turn, downloads a second payload.

Malware Capable of Slipping Past Security Undetected
Most common types of antivirus software can’t detect malware hidden with steganographic techniques, according to Dell researcher Brett Stone-Gross. Steganography enables malware to sneak past basic signature-based security systems, making it very difficult to notice when an infection has occurred.

“The Lurk downloader demonstrates the power and versatility of this technique and how it can be used to evade network detection and manual scrutiny by malware researchers,” explained Stone-Gross in an interview with The Register. “Steganography can make it exceedingly difficult to detect the presence of hidden information such as a configuration file, binary update, or bot command, especially in digital files. As a result, the use of steganography in malware may become more prevalent in the future.”

Stone-Gross added that defending against this type of malware is more about prevention than mitigation, because little can be done once a device has been infected. He suggested organizations ensure software is updated regularly and take other proactive steps to ensure enterprise security are taken. Safeguards like strong authentication and data encryption are the best ways to ensure sensitive information and enterprise networks are protected from this, and any, type of malware.


Entrust provides identity-based security solutions that empower enterprises, consumers, citizens and websites in more than 5,000 organizations spanning 85 countries. Entrust's identity-based approach offers the right balance between affordability, expertise and service. With more than 125 patents granted and pending, these world-class solutions include strong authentication, physical and logical access, credentialing, mobile security, fraud detection, digital certificates, SSL and PKI.


Add to the Conversation