New botnet hides commands as JPEG images

Security researchers have stumbled on a new botnet that uses an interesting technique to mask its nefarious intentions.

The Monkif/DIKhora botnet, which is pushing out Trojan downloaders to infected machines, is encoding the instructions to appear as if the command-and-control server is returning a JPEG image file, according to SecureWorks researcher Jason Milletary.

Milletary explains:

The server sets the HTTP Content-Type header to "image/jpeg" and prefaces the bot commands with a fake 32-byte JPEG header. The bot checks if the header matches and decodes the rest of the response to retrieve its commands. The commands are encoded using a single byte XOR with 0x4. The malware that CTU has observed being installed by Monkif is a BHO (Browser Helper Object) trojan commonly referred to as ExeDot, which performs Ad Hijacking and Ad Clicking.
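The defensive takeaway from Milletary's description is that a Content-Type header is a claim, not evidence: a response labelled image/jpeg should be checked against the actual structure of the body. The following is an added example, not code from the article or from SecureWorks. It walks the JPEG marker chain (SOI, then length-prefixed segments up to SOS) so that a fake header padded in front of XOR-encoded text is flagged even when it begins with plausible magic bytes, and it shows the single-byte XOR 0x4 decode an analyst would apply to the trailer for triage. The 32-byte fake header, the command text and the HTTP headers in the sample are constructed assumptions, not captured Monkif traffic.

```python
"""Triage helper for HTTP responses that claim to be JPEG images.

Added example, not code from the article or from SecureWorks. The sample
response below is constructed: the fake header bytes and the command text
are assumptions, not observed Monkif C2 traffic.
"""

SOI = b"\xff\xd8"   # JPEG Start Of Image marker
SOS = 0xDA          # Start Of Scan: entropy-coded data follows this segment
# Markers that carry no length field: SOI, EOI, TEM and the RSTn restart markers
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))

FAKE_HEADER_LEN = 32  # size of the fake header described in the article
XOR_KEY = 0x04        # single-byte XOR key described in the article


def looks_like_jpeg(body: bytes) -> bool:
    """Return True if the body is structurally a JPEG up to the scan data.

    A genuine file yields an unbroken chain of FF xx markers with plausible
    segment lengths until SOS. A fake header followed by XOR-encoded text
    breaks the chain as soon as the walker steps past the fake segments.
    """
    if not body.startswith(SOI):
        return False
    pos = 2
    while pos + 4 <= len(body):
        if body[pos] != 0xFF:
            return False                # marker chain broken: not a JPEG
        marker = body[pos + 1]
        if marker == 0xFF:              # fill byte, skip it
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        seglen = int.from_bytes(body[pos + 2:pos + 4], "big")
        if seglen < 2 or pos + 2 + seglen > len(body):
            return False                # impossible or truncated segment
        if marker == SOS:
            return True                 # reached scan data: structurally a JPEG
        pos += 2 + seglen
    return False


def triage_response(headers: dict, body: bytes) -> dict:
    """Compare the claimed Content-Type with what the body actually is."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    claimed_jpeg = ctype == "image/jpeg"
    structural = looks_like_jpeg(body)
    return {
        "claimed_jpeg": claimed_jpeg,
        "structurally_jpeg": structural,
        "suspicious": claimed_jpeg and not structural,
    }


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)


def recover_commands(body: bytes, key: int = XOR_KEY) -> str:
    """Strip the fake header and decode the trailer for analyst review."""
    return xor_decode(body[FAKE_HEADER_LEN:], key).decode("ascii", errors="replace")


# --- constructed samples (assumptions, not captured traffic) ---------------
# Fake 32-byte header: SOI + a JFIF APP0 segment, then zero padding.
FAKE_HEADER = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\x00" * 12
)
assert len(FAKE_HEADER) == FAKE_HEADER_LEN

# Hypothetical command text; the URL is a placeholder, not a real indicator.
COMMAND = b"download http://example.invalid/update.exe"
SAMPLE_BODY = FAKE_HEADER + xor_decode(COMMAND)
SAMPLE_HEADERS = {"Content-Type": "image/jpeg"}

# Minimal structurally valid JPEG stub: SOI, APP0, SOS, two scan bytes, EOI.
REAL_JPEG_STUB = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\xd9"
)

if __name__ == "__main__":
    print(triage_response(SAMPLE_HEADERS, SAMPLE_BODY))
    print(recover_commands(SAMPLE_BODY))
    print(triage_response(SAMPLE_HEADERS, REAL_JPEG_STUB))
```

The marker walk deliberately does not stop at the first four magic bytes: the constructed fake header above begins with a valid-looking SOI and APP0 segment, so a magic-bytes check alone would pass it. Only stepping past the fake segment into the XOR-encoded trailer exposes the mismatch, which is the signal a proxy or IDS rule should key on; the XOR decode is then an analyst's follow-up, not something to run on every image.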

The Trojan associated with this botnet also attempts to disable anti-virus and personal firewall software to maintain its foothold on the system.
