Monkif Botnet Hides Commands in JPEGs

As we see new threats arrive daily employing unique and complex capabilities, it is surprising to find a Swedish bot using a control server that was active in 2009. Generally malware authors keep changing their control servers, especially after reports about them surface, but not in this case. The network belongs to prq.se, an Internet service provider, which hosts the control server at IP address 88.80.7.152.

Here is a quote from their English website:

Refugee hosting
Our boundless commitment to free speech has been tested and proven over and over again. If it is legal in Sweden, we will host it, and will keep it up regardless of any pressure to take it down. We have ZERO tolerance against SPAM and related services!

This botnet is Monkif, which uses stealth techniques to hide its commands. It receives download URLs encrypted in JPEG files to avoid detection by network intrusion prevention systems. We have also found some samples that use SSL communications to download other threats.

The site http://www.ableads.net is also hosted on the same network, at IP address 88.80.5.123.

Figure 1. GET request with control server.

Figure 2. SSL communication with control server.

Figure 3. SSL certificate.

The bot installs itself as a browser plug-in or browser helper object. To avoid detection while executing, it enumerates all running programs and compares their names, and their parent process names, against a list of antivirus and firewall programs. The names of these security programs are stored encrypted in the binary, with the encryption algorithm differing from sample to sample.

To further evade detection, Monkif generates a random file name and other encoded parameters for each request:

GET /photo/lfzt.php?rzj=51<75=26x644646x4x4x4x524x7x0x6x5x5772=716x5772=70<x

GET /babynot/pzj.php?dnr=722576<x644420x4x4x4x0x

GET /sodoma/xcgyscm.php?gquo=<<<6<4x644475x4x4

GET /karaq/mueoyisc.php?wgau=127=27x64446<x4x4x4x53

The response to these requests is an image file. Monkif checks the first 32 bytes of the response against a 32-byte header embedded in the sample. It then decodes the remaining bytes, which contain the URL of a malicious file to download.

Figure 4. The control server responds with an image file.

The decryption follows:

Figure 4b. Decrypting the JPEG to reveal the URL for a malicious download.

(Encoded) lppt>++<<*<4*3*516+`+`h*tlt;bh9`<5a2<6ge<a323b5gf5b4=610fb=gga4"bm`9560"591595907|200041|0|0|0|0

(Decoded) http://88.80.7.152/d/dl.php?fl=d81e682ca8e767f1cb1f09254bf9cce0&fid=124&1=51=1=43x644405x4x4x4x4

(Encoded) lppt>++<<*<4*3*516+`+`h*tlt;bh9faf<<``6g`eefb0`63=64143`g6=b<<5"bm`9560"591753617|200042|0|0|0|0

(Decoded) http://88.80.7.152/d/dl.php?fl=beb88dd2cdaabf4d27920507dc29f881&fid=124&1=5317253x644406x4x4x4x4

(Encoded) lppt>++<<*<4*3*516+`+`h*tlt;bh9b3`5a<0423ag11`=a14b4`=5f<520e25"bm`9561"591925694|200044|0|0|0|0

(Decoded) http://88.80.7.152/d/dl.php?fl=f7d1e84067ec55d9e50f0d91b8164a61&fid=125&1=5=612=0x644400x4x4x4x4
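As an added example (not code from the post, nor McAfee's own tooling), a small Python emulation of the bot's response parsing, useful for pulling the download URL out of a captured control-server reply during analysis. The single-byte XOR key is not stated in the post; it is recovered here from the known "http://" prefix, which on the pairs above ("lppt>++" against "http://") yields 0x04, and the 32-byte header is a constructed placeholder because the real header bytes are not published.

```python
import re
from typing import Optional

# The post says the bot compares the first 32 bytes of the response against a
# header embedded in the sample. Those bytes are not published, so a
# constructed placeholder stands in for them here (assumption).
HEADER_LEN = 32
EXPECTED_HEADER = b"\xff\xd8\xff\xe0" + b"\x00" * (HEADER_LEN - 4)

# Constructed sample: the first encoded payload quoted in the post, with the
# smart-quote mangled characters restored to '"' (which decodes to '&').
SAMPLE_ENCODED = (
    b'lppt>++<<*<4*3*516+`+`h*tlt;bh9`<5a2<6ge<a323b5gf5b4=610fb=gga4'
    b'"bm`9560"591595907|200041|0|0|0|0'
)

def recover_xor_key(payload: bytes, known_prefix: bytes = b"http://") -> Optional[int]:
    """Known-plaintext recovery of a single-byte XOR key: every byte of the
    expected prefix must agree on one key, otherwise this is not our encoding.
    On the post's samples this gives 0x04 (an inference, not a value from the binary)."""
    if len(payload) < len(known_prefix):
        return None
    keys = {c ^ p for c, p in zip(payload, known_prefix)}
    return keys.pop() if len(keys) == 1 else None

def xor_decode(payload: bytes, key: int) -> str:
    """XOR every byte with the key and return the result as text."""
    return bytes(b ^ key for b in payload).decode("latin-1")

def extract_url(response: bytes) -> Optional[str]:
    """Emulate the bot's parsing: check the 32-byte header, then decode the
    rest and return the embedded download URL (None if it does not fit)."""
    if len(response) <= HEADER_LEN or response[:HEADER_LEN] != EXPECTED_HEADER:
        return None
    body = response[HEADER_LEN:]
    key = recover_xor_key(body)
    if key is None:
        return None
    m = re.match(r"https?://\S+", xor_decode(body, key))
    return m.group(0) if m else None

def build_sample_response() -> bytes:
    """Constructed control-server reply: placeholder header + encoded URL."""
    return EXPECTED_HEADER + SAMPLE_ENCODED

if __name__ == "__main__":
    print(extract_url(build_sample_response()))
```

Feeding the second encoded sample through xor_decode with the recovered key reproduces its decoded URL as well, which is the check that the key, not just the first sample, is right.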


In response to the preceding request, Monkif downloads another executable. We currently see the botnet downloading adware files, but it may download other complex threats as well.

Figure 5. Downloading another malicious file.

McAfee customers are protected by signature 0x48807500.