New botnet hides commands as JPEG images
The SecureWorks Counter Threat UnitSM (CTU) has been carefully monitoring the activity of the Monkif/DlKhora botnet. This bot is an example of a Downloader trojan, in that its primary purpose is to receive instructions to download and execute other malware. The trojan also attempts to disable anti-virus and personal firewall software to maintain its foothold on the system.
One interesting technique the Monkif botnet utilizes to hide its intent on the network is to encode the instructions to appear as if the command and control server is returning a JPEG file. The server sets the HTTP Content-Type header to “image/jpeg” and prefaces the bot commands with a fake 32-byte JPEG header. The bot checks if the header matches and decodes the rest of the response to retrieve its commands. The commands are encoded using a single byte XOR with 0×4. The malware that CTU has observed being installed by Monkif is a BHO (Browser Helper Object) trojan commonly referred to as ExeDot, which performs Ad Hijacking and Ad Clicking.
The botnet makes no attempt to pad the commands to make the data size representative of a true JPEG. In addition, the data will not parse to a legitimate JPEG. These attributes may provide opportunities for generic countermeasures to detect the traffic by identifying malformed image data.
leave a comment