{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,17]],"date-time":"2025-10-17T14:06:27Z","timestamp":1760709987643,"version":"build-2065373602"},"reference-count":26,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2019,8,21]],"date-time":"2019-08-21T00:00:00Z","timestamp":1566345600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Computers"],"abstract":"Once a botnet is constructed over the network, a bot master and bots start communicating by periodically exchanging messages, which is known as botnet C&C communication, in order to send botnet commands to bots, collect critical information stored in bots, upgrade software functions of malwares installed in bots, and so on. For this reason, most existing botnet detection techniques focus on monitoring and capturing suspicious communications between the bot master and bots. Meanwhile, botnets continue to evolve to hide their C&C communication. Recently, a novel type of botnet using image steganography techniques and SNS (Social Network Service) platforms, which is known as image steganography-based botnet or stegobotnet, has emerged to make its C&C communications undetectable by existing botnet detection systems. In stegobotnets, image files used in SNSs carry messages (between the bot master and bots) which are hidden in them by using image steganography techniques. In this paper, we first investigate whether major SNS platforms such as KakaoTalk, Facebook, and Twitter can be suitable for constructing image steganography-based botnets. Next, we construct a part of stegobotnet based on KakaoTalk, and conduct extensive experiments including digital forensic analysis (1) to validate stegobotnet C&C communication can be successful in KakaoTalk and (2) to examine its performance in terms of C&C communication reliability.<\/jats:p>","DOI":"10.3390\/computers8030061","type":"journal-article","created":{"date-parts":[[2019,8,21]],"date-time":"2019-08-21T11:19:06Z","timestamp":1566386346000},"page":"61","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":5,"title":["Construction and Performance Analysis of Image Steganography-Based Botnet in KakaoTalk Openchat"],"prefix":"10.3390","volume":"8","author":[{"given":"Jaewoo","family":"Jeon","sequence":"first","affiliation":[{"name":"Department of Computer Engineering, Graduate School of Defense Management, Korea National Defense University, Nonsan 33021, Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1274-6291","authenticated-orcid":false,"given":"Youngho","family":"Cho","sequence":"additional","affiliation":[{"name":"Department of Computer Engineering, Graduate School of Defense Management, Korea National Defense University, Nonsan 33021, Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2019,8,21]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"898","DOI":"10.1109\/SURV.2013.091213.00134","article-title":"A Taxonomy of Botnet Behavior, Detection, and Defense","volume":"16","author":"Khattak","year":"2014","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"2768","DOI":"10.1109\/COMST.2017.2749442","article-title":"Botnet communication patterns","volume":"19","author":"Vormayr","year":"2017","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Yang, Z., and Wang, B. (2019). A Feature Extraction Method for P2P Botnet Detection Using Graphic Symmetry Concept. Symmetry, 11.","DOI":"10.3390\/sym11030326"},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Dittrich, D., and Dietrich, S. (2008, January 7\u20138). P2P as botnet command and control: A deeper insight. Proceedings of the IEEE 3rd International Conference on Malicious and Unwanted Software (MALWARE), Fairfax, VI, USA.","DOI":"10.1109\/MALWARE.2008.4690856"},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.jnca.2016.10.007","article-title":"Survey of approaches and features for the identification of HTTP-based botnet traffic","volume":"76","author":"Acarali","year":"2016","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Eslahi, M., Rohmad, S., Nilsaz, H., Naseri, M., Tahir, N., and Hashim, H. (2015, January 12\u201314). Periodicity Classification of HTTP Traffic to Detect HTTP Botnets. Proceedings of the IEEE Symposium on Computer Applications & Industrial Electronics (ISCAIE), Langkawi, Malaysia.","DOI":"10.1109\/ISCAIE.2015.7298339"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Zeidanloo, H., Manaf, A., Vahdani, P., Tabatabaei, F., and Zamani, M. (2010, January 11\u201312). Botnet detection based on traffic monitoring. Proceedings of the IEEE International Conference on Networking and Information Technology, Manila, Philippines.","DOI":"10.1109\/ICNIT.2010.5508552"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Saad, S., Traore, I., Ghorbani, A., Sayed, B., Zhao, D., Lu, W., Felix, J., and Hakimian, P. (2011, January 19\u201321). Detecting P2P Botnets through Network Behavior Analysis and Machine Learning. Proceedings of the IEEE Ninth Annual International Conference on Privacy, Security and Trust, Montreal, QC, Canada.","DOI":"10.1109\/PST.2011.5971980"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Garg, S., Singh, A., Sarje, A., and Peddoju, S. (2013, January 21\u201322). Behaviour analysis of machine learning algorithms for detecting P2P botnets. Proceedings of the IEEE 15th International Conference on Advanced Computing Technologies (ICACT), Rajampet, India.","DOI":"10.1109\/ICACT.2013.6710523"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Nagaraja, S., Houmansdr, A., Piyawongwisai, P., Singh, V., Agarwal, P., and Borisov, N. (2011, January 18\u201320). Stegobot: A covert social network botnet. Proceedings of the Information Hiding Conference, Prague, Czech Republic.","DOI":"10.1007\/978-3-642-24178-9_21"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Compagno, A., Conti, M., Lain, D., Lovisotto, G., and Mancini, L. (2015, January 28\u201330). Boten ELISA: A new novel approach for Botnet C&C in Online Social Networks. Proceedings of the IEEE Conference on Communications and Network Security, Florence, Italy.","DOI":"10.1109\/CNS.2015.7346813"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Singh, K., Srivastava, A., Giffin, J., and Lee, W. (2008, January 24\u201327). Evaluating Email\u2019s Feasibility for Botnet Command and Control. Proceedings of the 38th Annual IEEE\/IFIP International Conference on Defendable Systems and Networks, Anchorage, AK, USA.","DOI":"10.1109\/DSN.2008.4630106"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Pantic, N., and Husain, M. (2015, January 7\u201311). Covert Botnet Command and Control Using Twitter. Proceedings of the 31st Annual Computer Security Applications Conference, Los Angeles, CA, USA.","DOI":"10.1145\/2818000.2818047"},{"key":"ref_14","unstructured":"(2019, June 25). KakaoTalk. Available online: https:\/\/www.kakaocorp.com\/service\/KakaoTalk?lang=en."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Bailey, M., Cooke, E., Jahanian, F., Xu, Y., and Karir, M. (2009, January 3\u20134). A Survey of Botnet Technology and Defenses. Proceedings of the IEEE Cybersecurity Applications & Technology Conference for Homeland Security, Washington, DC, USA.","DOI":"10.1109\/CATCH.2009.40"},{"key":"ref_16","unstructured":"Daswani, N., and Stoppelman, M. (2007, January 10). The anatomy of clickbot.A. Proceedings of the First Conference on the First Workshop on Hot Topics in Understanding Botnets, Berkeley, CA, USA."},{"key":"ref_17","unstructured":"Chiang, K., and Lloyd, L. (2007, January 10). A case study of the restock rootkit and spam bot. Proceedings of the First Conference on the First Workshop on Hot Topics in Understanding Botnets, Berkeley, CA, USA."},{"key":"ref_18","unstructured":"Nazario, J. (2007). Blackenergy DDoS Bot Analysis, Arbor Networks."},{"key":"ref_19","unstructured":"Desimone, J., Johnson, D., Yuan, B., and Lutz, P. (2012, January 16\u201319). Covert Channel in the BitTorrent Tracker Protocol. Proceedings of the 2012 International Conference on Security and Management, Las Vegas, NV, USA."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Davis, C.R., Neville, S., Fernandez, J.M., Robert, J.M., and McHugh, J. (2008, January 6\u20138). Structured Peer-to-Peer Overlay Networks: Ideal Botnets Command and Control Infrastructures?. Proceedings of the 13th European Symposium on Research in Computer Security, Malaga, Spain.","DOI":"10.1007\/978-3-540-88313-5_30"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"82","DOI":"10.1109\/MSECP.2003.1177002","article-title":"An Analysis of the slapper Worm","volume":"1","author":"Arce","year":"2003","journal-title":"IEEE Secur. Priv."},{"key":"ref_22","unstructured":"Falliere, N. (2011). Sality: Story of a Peer-to-Peer Viral Network, Symantec Security Response."},{"key":"ref_23","first-page":"18","article-title":"Analysis of the storm and nugache trojans: P2P is here","volume":"32","author":"Stover","year":"2007","journal-title":"USENIX Login"},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Zhou, Y., and JiangConti, X. (2012, January 21\u201323). Dissecting Android Malware: Characterization and Evolution. Proceedings of the IEEE Symposium on Security and Privacy, San Francisco, CA, USA.","DOI":"10.1109\/SP.2012.16"},{"key":"ref_25","unstructured":"(2019, June 28). OpenStego. Available online: http:\/\/www.openstego.com."},{"key":"ref_26","unstructured":"(2019, August 13). HxD. Available online: http:\/\/mh-nexus.de\/en\/hxd."}],"container-title":["Computers"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-431X\/8\/3\/61\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T13:12:52Z","timestamp":1760188372000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-431X\/8\/3\/61"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,8,21]]},"references-count":26,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2019,9]]}},"alternative-id":["computers8030061"],"URL":"https:\/\/doi.org\/10.3390\/computers8030061","relation":{},"ISSN":["2073-431X"],"issn-type":[{"type":"electronic","value":"2073-431X"}],"subject":[],"published":{"date-parts":[[2019,8,21]]}}}