Co-authors: Parag Malshe, Minaxi Gupta, and Chris Dunn

Abstract: Popular botnets earn millions of dollars for their operators by enabling many types of cyberfraud activities, including spam and phishing. Current and past botnet architectures revolve around the idea of bots communicating with their masters to carry out their functionality. Given that many take-down eorts leverage this feature, future botnet architectures may evolve to overcome this limitation. In order to enable pro-active defenses against such botnets, in this paper we design a botnet whose bots never explicitly communicate with their master. Our design leverages the popularity of social networks and the hidden nature of steganography. In our prototype implementation of an information stealing bot, the bot hides stolen information in the prole picture of Facebook user(s) on infected machines through the use of steganography. The stolen information is uploaded when a user visits Facebook thus hiding its tracks. Subsequently, it joins a carefully selected Facebook group to indicate the availability of information to the botmaster. The botmaster polls relevant groups like any other Facebook user to identify prole pictures of new group members that may contain stolen information. Neither Facebook nor the machine’s user(s) can easily identify bot tra c. Further, since bots never directly communicate with their master, capturing a bot will reveal nothing about the whereabouts of the master.