While a recent Koobface blog post showed a sudden rise and fall in Koobface network activity, the Trojan Monkif’s C&C requests are still being seen consistently. According to the data, the Trojan Monkif is still highly active today and makes new HTTP requests every day to pull down additional C&C commands from specific servers. Even though this threat is a year old, it is still present in the wild and impacting users. The Trojan Monkif makes a number of different requests to the predefined servers to collect commands, and the server responds with JPEG images that encapsulate the malicious commands. This is done to keep the C&C commands from being detected on the network.
Monkif’s function is to pull command instructions from the remote server and download additional malware. It generates many unique HTTP requests to the same server to download malicious JPEG files containing encoded commands. It also installs a BHO (Browser Helper Object) on the infected machine. Interestingly, Trojan Monkif’s unique network traffic per month drops less than Koobface’s. Here are the March 2010 unique web requests per day:
Only 4-5 C&C servers are seen in the requests, but every request is unique, containing different root directories, random “.php” files and different parameters passed to the file. The only highly active and live C&C server is hosted in Sweden with IP 22.214.171.124. Here are the servers associated with the Monkif activity:
Here is what the random requests look like:
As the above requests show, every request is unique and contains random data. This is done to keep IDS/IPS engines from detecting the malicious requests. The C&C server replies with Content-Type “image/jpeg” and a JPEG image with malicious commands hidden inside. The malicious image file contains the JPEG header followed by commands in an encoded format. By downloading some of the image files, we observed that the first part of the command remains the same and the later part changes. Here are some examples:
The bold text remains the same in the JPEG image file and the later part differs for every request, which makes detection difficult. The values within the JPEG are the malicious commands that instruct Monkif to infect victim systems. If you compare other Botnet traffic such as Koobface versus Monkif in Q1 2010, you will find that Monkif is very consistent and ongoing.
The unique network traffic for Trojan Monkif remains approximately the same for each month in this quarter (March data is up to the 17th). The detection for these JPEG files is zero (here is the Virustotal result for one of the C&C image files). This means you are at greater risk from this Botnet if you are relying on only a single security protection like Antivirus.
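The response structure described above (Content-Type “image/jpeg”, a JPEG header, then encoded text instead of image data) can be checked on the network side without a signature for the commands themselves. The following Python check is an added example, not code from the original post or from Zscaler; the function names and both sample bodies are constructed, and the exact byte layout of a Monkif response is an assumption because the post does not give it.

```python
import struct
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}               # TEM and RST0-7 carry no length field
FRAME = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}  # SOFn frame headers

def jpeg_structure_issue(body: bytes):
    """Return None if body walks as marker segments up to a scan ending in EOI, else a reason."""
    if body[:2] != bytes([0xFF, SOI]):
        return "no SOI marker"
    pos, seen_frame = 2, False
    while pos < len(body):
        if body[pos] != 0xFF:                        # every header segment starts with 0xFF
            return f"non-marker data at offset {pos}"
        while pos < len(body) and body[pos] == 0xFF: # skip fill bytes
            pos += 1
        if pos >= len(body):
            return "truncated marker"
        marker, pos = body[pos], pos + 1
        if marker in NO_LENGTH:
            continue
        if marker == EOI:
            return "EOI before any scan"
        if pos + 2 > len(body):
            return "truncated segment length"
        (length,) = struct.unpack(">H", body[pos:pos + 2])
        if length < 2 or pos + length > len(body):
            return f"bad segment length at offset {pos}"
        seen_frame |= marker in FRAME
        if marker == SOS:                            # entropy-coded image data follows
            if not seen_frame:
                return "scan without frame header"
            has_eoi = body.find(b"\xff\xd9", pos + length) != -1
            return None if has_eoi else "no EOI after scan"
        pos += length
    return "no scan segment"

def flag_response(content_type: str, body: bytes):
    """Flag an HTTP response that claims image/jpeg but fails the structural walk."""
    is_jpeg = content_type.split(";")[0].strip().lower() == "image/jpeg"
    return jpeg_structure_issue(body) if is_jpeg else None

def seg(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples (assumed layout: header, then text); not captured Monkif traffic.
APP0 = seg(0xE0, b"JFIF\x00" + bytes(9))
WELL_FORMED = (b"\xff\xd8" + APP0 + seg(0xDB, bytes(65)) + seg(0xC0, bytes(11))
               + seg(0xC4, bytes(20)) + seg(0xDA, bytes(6)) + b"\x12\x34\xff\xd9")
HEADER_THEN_TEXT = b"\xff\xd8" + APP0 + b"CONSTRUCTED-ENCODED-COMMAND-PLACEHOLDER"
```

This is a heuristic: it only checks segment framing, so a payload placed inside a well-formed comment or application segment would pass, and truncated legitimate images would be flagged.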
We are near the end of Q1 2010 and Botnet attacks remain a large threat on the web. Previously, we saw Koobface activity rise and fall, but this Monkif threat remains consistently active. The attackers behind Trojan Monkif are evading detection by hiding their malicious Botnet commands inside JPEG files. The commands inside the JPEG files are encoded and vary, making detection more difficult for Antivirus vendors. The Virustotal result shows that none of the 42 Antivirus vendors detect these malicious samples. The web is growing and so are Botnets. Currently, we are seeing only a few C&C servers being used for this Trojan, but this may increase in the future. Koobface and Monkif have been active threats in Q1 2010, but Monkif has remained consistent. Zscaler’s solution is detecting these kinds of attacks every day. Be sure to block the above-mentioned malicious domains, and check that your security solutions are protecting you from these dangerous threats.