Malformed JPEGs used to deliver commands

Oct 1, 2009 12:01 GMT

Security researchers have discovered that the authors of a botnet send commands to the infected computers under their control through JPEG files. The purpose of this technique is to hide the malicious traffic from network scanners.

The method was discovered by Jason Milletary, a security researcher with Atlanta-based SecureWorks, while analyzing a botnet known as Monkif or DlKhora. The botnet serves as a delivery channel for further malware.

Malware delivery services are common on the black market, and the providers charge a small fee for each computer infected with someone else's malware. The creators of this trojan downloader have a strong interest in keeping its operation under the radar and therefore employ several detection-evasion techniques.

Mr. Milletary notes that in addition to its ability to disable various antivirus and firewall solutions, this botnet client also hides its Internet traffic as a JPEG file transfer. The command and control server "sets the HTTP Content-Type header to 'image/jpeg' and prefaces the bot commands with a fake 32-byte JPEG header," the researcher explains.

Once the malformed JPEG is downloaded to the computer, the bot strips off the header and decodes the rest of the response, which is XOR-encoded with the single byte 0x4. The commands SecureWorks observed instructed the bot to install a click-fraud trojan that comes in the form of a BHO (Browser Helper Object).

"The botnet makes no attempt to pad the commands to make the data size representative of a true JPEG. In addition, the data will not parse to a legitimate JPEG. These attributes may provide opportunities for generic countermeasures to detect the traffic by identifying malformed image data," Milletary concludes.
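A detector along the lines Milletary suggests, added here as an example and not taken from the SecureWorks analysis: it walks the JPEG marker structure of any HTTP body served as image/jpeg and flags bodies that do not parse. The 32-byte fake header and the 0x4 XOR key follow the article; the header bytes, the command text and the sample JPEG are constructed assumptions.

```python
# Added example: flag image/jpeg responses whose body is not structurally a JPEG.
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}        # TEM and RSTn carry no length field
ESCAPED = {0x00, 0xFF, *range(0xD0, 0xD8)}     # FF xx pairs legal inside scan data
FAKE_HEADER_LEN = 32                           # fake header size per the article
XOR_KEY = 0x04                                 # single-byte XOR key per the article

def looks_like_jpeg(data: bytes) -> bool:
    """Walk marker segments; True only if the SOI ... SOS ... EOI chain is sound."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return False
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:                  # expected a marker, found raw bytes
            return False
        marker = data[pos + 1]
        if marker == 0xFF:                     # fill byte before a marker, keep going
            pos += 1
            continue
        if marker == EOI:
            return True
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            return False
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            return False                       # segment length runs past the body
        pos += 2 + seg_len
        if marker == SOS:                      # skip entropy-coded data to the next real marker
            while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] not in ESCAPED):
                pos += 1
    return False                               # ran off the end without EOI

def flag_response(content_type: str, body: bytes) -> str:
    """Classify one HTTP response by its Content-Type and body structure."""
    if content_type.split(";")[0].strip().lower() != "image/jpeg":
        return "not-image"
    return "ok" if looks_like_jpeg(body) else "suspicious"

def decode_payload(body: bytes) -> bytes:
    """Analyst helper: drop the fake header and undo the single-byte XOR."""
    return bytes(b ^ XOR_KEY for b in body[FAKE_HEADER_LEN:])

# Constructed samples: a minimal valid JPEG (SOI, APP0, SOS, scan data, EOI)
# and a fake "JPEG" of the kind described (32 junk bytes, then XOR-encoded text).
GOOD = (b"\xff\xd8\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
        + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
        + b"\x12\xff\x00\x34\xff\xd9")
BAD = b"\xff\xd8" + b"\x00" * 30 + bytes(b ^ XOR_KEY for b in b"constructed-sample-command")
```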

According to recent research into the underground economy from Kaspersky Lab, adware developers pay botnet owners between $0.30 and $1.50 per install. The cost of installing someone else's malware on an already compromised computer varies with its location. For systems in China, the price is around $3, while for computers in the US, it can reach $120.