As we see new threats arrive daily employing unique and complex capabilities, it is surprising to find a Swedish bot using a control server that was active in 2009. Generally malware authors keep changing their control servers–especially after reports about them surface–but not in this case. This network belongs to prq.se, which hosts at IP address 126.96.36.199 and is an Internet service provider.
Here is a quote from their English website:
Our boundless commitment to free speech has been tested and proven over and over again. If it is legal in Sweden, we will host it, and will keep it up regardless of any pressure to take it down. We have ZERO tolerance against SPAM and related services!
This botnet is Monkif, which uses stealth techniques to hide its commands. It receives download URLs encrypted in JPEG files to avoid detection by network intrusion prevention systems. We have also found some samples that use SSL communications to download other threats.
The site http://www.ableads.net is also hosted on same network, at IP 188.8.131.52
Figure 1. GET request with control server.
Figure 2. SSL communication with control server.
Figure 3. SSL certificate.
The botnet is installed as plug-in or browser helper object. As a check, it enumerates all running programs to compare them with their parent process names and antivirus or firewall programs to avoid detection while executing. The names of these security programs are encrypted in the binary with different algorithms from sample to sample.
Further to evade detection, the Monkif generates random filename and other encoded parameters:
The response to these requests is an image file. Monkif parses the first 32 bytes of the JPEG header by comparing embedded 32 bytes as header in the sample. It then decodes the remaining bytes, which is a URL for downloading a malicious file.
Figure 4 The control server responds with an image file.
The decryption follows:
Figure 4b Decrypting the JPEG to reveal the URL for a malicious download.
In response to the preceding request, Monkif downloads another executable. We currently see the botnet downloading adware files, but it may download other complex threats as well.
Figure 5 Downloading another malicious file.
McAfee customers are protected by signature 0×48807500.