A Novel Video Steganography-Based Botnet Communication Model in Telegram SNS Messenger

Symmetry, 2021, Vol 13 (1), pp. 84
Author(s): Minkyung Kwak, Youngho Cho

In botnets, a bot master regularly sends command and control messages (C & C messages) to bots for various purposes, such as issuing commands to bots and collecting critical data from bots. Although such C & C messages can be encrypted by cryptographic methods to hide them, existing botnet detection mechanisms could detect the existence of botnets by capturing suspicious network traffic between the bot master (or the C & C server) and numerous bots. Recently, steganography-based botnets (stego-botnets) have emerged to make C & C communication traffic look normal to botnet detection systems. In stego-botnets, every C & C message is embedded in a multimedia file, such as an image file, by using steganography techniques and shared on Social Network Service (SNS) websites (such as Facebook) or online messengers (such as WeChat or KakaoTalk). Consequently, traditional botnet detection systems without steganography detection methods cannot detect them. Meanwhile, according to our survey, we observed that existing studies on the steganography botnet are limited to using only image steganography techniques, although the video steganography method has some obvious advantages over the image steganography method. Motivated by this, in this paper, we study a video steganography-based botnet in Social Network Service (SNS) platforms. We first propose a video steganography botnet model based on SNS messengers. In addition, we design a new payload approach-based video steganography method (DECM: Divide-Embed-Component Method) that can embed much more secret data than existing tools by using two open tools, VirtualDub and Stegano. We show that our proposed model can be implemented in the Telegram SNS messenger and conduct extensive experiments by comparing our proposed model with DECM with an existing image steganography-based botnet in terms of C & C communication efficiency and undetectability.

Computers, 2019, Vol 8 (3), pp. 61
Author(s): Jeon, Cho

Once a botnet is constructed over the network, a bot master and bots start communicating by periodically exchanging messages, which is known as botnet C&C communication, in order to send botnet commands to bots, collect critical information stored in bots, upgrade software functions of malware installed in bots, and so on. For this reason, most existing botnet detection techniques focus on monitoring and capturing suspicious communications between the bot master and bots. Meanwhile, botnets continue to evolve to hide their C&C communication. Recently, a novel type of botnet using image steganography techniques and SNS (Social Network Service) platforms, which is known as an image steganography-based botnet or stegobotnet, has emerged to make its C&C communications undetectable by existing botnet detection systems. In stegobotnets, image files used in SNSs carry messages (between the bot master and bots) which are hidden in them by using image steganography techniques. In this paper, we first investigate whether major SNS platforms such as KakaoTalk, Facebook, and Twitter can be suitable for constructing image steganography-based botnets. Next, we construct a part of a stegobotnet based on KakaoTalk, and conduct extensive experiments including digital forensic analysis (1) to validate that stegobotnet C&C communication can be successful in KakaoTalk and (2) to examine its performance in terms of C&C communication reliability.

