New ‘Monkif/DlKhora’ Botnet Hides Trojan Downloader Behind JPEG Files

Jason Milletary, a researcher at SecureWorks, said - a newly built botnet known as 'Monkif or DIKhora' is spreading Trojan downloaders to already infected computers, as reported by Blogs.zdnet on September 30, 2009.

Giving details of botnet's working, security researchers said - Monkif botnet conceals its malicious intentions by using a technique of encoding its commands in such a way that it may seem that the command-and-control system (C&C) is sending back a JPEG file. Apparently, the C&C system crafts HTTP Content-Type caption (or header) as "image/jpeg" and attaches a bogus 32-byte JPEG header as a prefix to the bot instructions. Thereafter, the bot examines for the header match as well as restores the coding of remaining response so that its instructions may be retrieved.

Moreover, there occurs an encoding of the instructions with the help of one-byte XOR and 0x4. Researchers have found that the malicious program, which Monkif installs, is a 'Browser Helper Object' (BHO) Trojan. This Trojan commonly known as 'ExeDot' and is used for Ad clicking and Ad Hijacking.

Internet security analysts stated that unlike the earlier preference for IRC channels by command-and-control mediums, miscreants' current choices for control channels are varied like Twitter, Google Groups and most recently pictorial or "image" servers.

According to the analysts, they are minutely tracking all the activities of Monkif. The botnet represents an example of a 'Downloader Trojan' which means that it basically accepts commands for downloading and installing more malicious programs.

Nevertheless, the botnet doesn't attempt to make the instructions in such a manner that the related data appears as a real JPEG file. This characteristic of the botnet makes detection of Monkif's servers harder.

The researchers therefore suggest that a novel method should be used to end the growing risk from botnets and their treacherous, targeted malware that make conventional security systems useless.

Finally, the security specialists warn that the Downloader further tries to deactivate personal firewall and antivirus programs to remain on the host machine. This is truly alarming as Monkif currently accounts as a highly active botnet which has contaminated a massive 520,000 computers.

Related article: New Zealand Releases Code To Reduce Spam

» SPAMfighter News - 10/19/2009