Hello all,
quote:
One interesting technique the Monkif botnet utilizes to hide its intent on the network is to encode the instructions to appear as if the command and control server is returning a JPEG file.
more:
Hi nmb,
This is a general posting as how to keep your machine free of malware:
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
"This bot is an example of a Downloader trojan, in that its primary purpose is to receive instructions to download and execute other malware. The trojan also attempts to disable anti-virus and personal firewall software to maintain its foothold on the system. One interesting technique the Monkif botnet utilizes to hide its intent on the network is to encode the instructions to appear as if the command and control server is returning a JPEG file. The server sets the HTTP Content-Type header to "image/jpeg" and prefaces the bot commands with a fake 32-byte JPEG header. The bot checks if the header matches and decodes the rest of the response to retrieve its commands. The commands are encoded using a single byte XOR with 0x4. The malware that CTU has observed being installed by Monkif is a BHO (Browser Helper Object) trojan commonly referred to as ExeDot, which performs Ad Hijacking and Ad Clicking. The botnet makes no attempt to pad the commands to make the data size representative of a true JPEG. In addition, the data will not parse to a legitimate JPEG. These attributes may provide opportunities for generic countermeasures to detect the traffic by identifying malformed image data…"
So the best way of preventing infection is to use the Firefox browser with the NoScript and RequestPolicy extensions enabled to prevent malicious requests from being made. Another important thing for normal users to protect against these types of malware is going online with critical applications under normal user rights, so use DropMyRights etc. If malware does not get full admin rights it cannot ride into the OS or run its payload (shellcode) or launch a system32 dll, so you are secure in 97% of all cases of Windows-based malware.
polonus
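The detection opportunity named in the quoted write-up (a response labelled image/jpeg whose body does not parse as a JPEG) worked through as an added example from the defender's side; this is not code from the thread or from the CTU analysis, and the sample bytes are constructed, not a Monkif capture:

```python
import struct

# Constructed sample: a body that claims to be a JPEG but, like the traffic
# described above, carries only a short fake header followed by bytes that
# never form valid JPEG segments. Hypothetical bytes, not a real capture.
FAKE_HEADER = b"\xff\xd8" + b"\x00" * 30            # 32 bytes, starts like a JPEG
FAKE_BODY = FAKE_HEADER + b"\x03\x07\x0bXYZ"          # whatever follows is not image data

# Constructed minimal well-formed JPEG: SOI, APP0/JFIF, SOS, two scan bytes, EOI.
REAL_JPEG = (b"\xff\xd8"
             + b"\xff\xe0\x00\x10" + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\xff\xda\x00\x08" + b"\x01\x01\x00\x00\x3f\x00"
             + b"\x12\x34"
             + b"\xff\xd9")


def is_well_formed_jpeg(data: bytes) -> bool:
    """Walk the JPEG marker structure: SOI, length-prefixed segments, SOS,
    entropy-coded scan data, EOI. Any structural violation returns False,
    so a body that merely starts with the right magic bytes does not pass."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return False
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False                      # every segment begins with 0xFF
        marker = data[pos + 1]
        if marker == 0xFF:                    # fill bytes before a marker are legal
            pos += 1
            continue
        if marker == 0xD9:                    # EOI reached: structure is intact
            return True
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                          # stand-alone markers carry no length
            continue
        if pos + 4 > len(data):
            return False
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            return False                      # segment length runs past the body
        pos += 2 + length
        if marker == 0xDA:                    # SOS: scan data runs until EOI
            return data.find(b"\xff\xd9", pos) != -1
    return False


def flag_response(content_type: str, body: bytes) -> bool:
    """True when the server claims image/jpeg but the body is not a parsable JPEG,
    the malformed image data the write-up suggests as a generic detection hook."""
    media_type = content_type.split(";")[0].strip().lower()
    return media_type == "image/jpeg" and not is_well_formed_jpeg(body)
```

A plain magic-byte check would accept the fake body (its first two bytes are FF D8); walking the segment structure is what separates it from a real image.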