
Click Fraud Malware Found Lurking Inside Image Files


Reefa


Researchers have discovered click fraud malware designed to “hide in plain sight” and evade traditional security tools by embedding data into an image file.

Lurk is a downloader which uses digital steganography – the art of hiding information in images, audio or video files, according to a Dell SecureWorks Counter Threat Unit (CTU) Threat Intelligence paper by Brett Stone-Gross.

“Lurk specifically uses an algorithm that can embed encrypted URLs into an image file by inconspicuously manipulating individual pixels. The resulting image contains additional data that is virtually invisible to an observer,” he wrote.

“It is unlikely that existing IPS/IDS devices could detect data that is concealed with digital steganography. As a result, Lurk may be able to evade network defenses and hide in plain sight.”

Lurk is comprised of two parts – a dropper DLL and a payload DLL, with the former’s main job being to extract and load the latter, he added.

Once the main payload DLL executes, it checks the victim computer for 52 different security products and apparently won’t install if it discovers one of 21 specific products.

“Steganography can make it exceedingly difficult to detect the presence of hidden information such as a configuration file, binary update, or bot command, especially in digital files,” concluded Stone-Gross.

“As a result, the use of steganography in malware may become more prevalent in the future.”

Source
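As an added illustration (not part of the original post or the CTU paper): a pairs-of-values chi-square check, a standard steganalysis heuristic, run over constructed sample data to show how high-entropy data written into pixel values can leave a statistical trace. It assumes least-significant-bit replacement, which the article does not specify for Lurk; the palette, sample sizes, threshold and helper names are all constructed for the example.

```python
import hashlib

def keystream_bits(n, seed=b"constructed-demo"):
    """n pseudo-random bits standing in for an encrypted payload (constructed)."""
    out, counter = [], 0
    while len(out) < n:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        out.extend((byte >> i) & 1 for byte in block for i in range(8))
        counter += 1
    return out[:n]

def pair_score(samples):
    """Mean chi-square over value pairs (2k, 2k+1); near 1 when LSBs look random."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    total, pairs = 0.0, 0
    for k in range(0, 256, 2):
        a, b = hist[k], hist[k + 1]
        if a + b >= 20:  # skip sparsely populated pairs
            total += (a - b) ** 2 / (a + b)
            pairs += 1
    return total / pairs if pairs else float("inf")

def scan(samples, window=4096, threshold=4.0):
    """Start offsets of windows whose LSB plane is statistically random."""
    return [off for off in range(0, len(samples) - window + 1, window)
            if pair_score(samples[off:off + window]) < threshold]

# Constructed cover: a flat-colour graphic using 16 even-valued intensities.
PALETTE = [16 * i for i in range(16)]
cover = [PALETTE[(i // 7 + i // 64) % 16] for i in range(16384)]

# Constructed suspect: same graphic, but the first 8192 samples have their
# LSB replaced by payload bits (assumed scheme, not Lurk's actual algorithm).
bits = keystream_bits(8192)
suspect = [(p & 0xFE) | bits[i] if i < 8192 else p for i, p in enumerate(cover)]

if __name__ == "__main__":
    print("cover windows flagged:  ", scan(cover))
    print("suspect windows flagged:", scan(suspect))
```

Photographic images with noisy low-order bits can score low without any payload, so a flagged window is a lead for further analysis rather than a verdict.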
