Botnet control server camouflages commands as JPEG images
The command and control server for the Monkif botnet is reportedly using a rudimentary technique to mask network communication by camouflaging commands to its drones as JPEG images. According to monitoring by Websense, the Monkif C&C server, operating as a web server, responds to queries from bots with an HTTP response in which the Content-Type header is set to "image/jpeg". The response body also begins with a fake, but structurally valid, JPEG header. Rather than image data, the rest of the body contains an encoded command (each byte XOR'd with 0x04).
The botnet controller's intention appears to be to fool network monitoring systems, or specific bot detection software, on company networks. Depending on the type of detection used, monitoring systems may classify this as a normal web session between browser and server, in which a user is viewing various images. To detect this kind of deception, monitoring systems would need to look past the Content-Type header and the leading JPEG bytes and check whether the body actually is a well-formed image. This, however, would impose an additional workload, which could itself pose problems, particularly on very large networks.
The WALEDAC botnet also uses a similar trick to disguise files. When the bot receives a valid image from the server, the WALEDAC binary (XOR'd with 0xED) is appended to the end of the image data, after the image's end marker.
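The following is an added example that is not code from the article, from Websense or from any botnet analysis; it shows the kind of deeper inspection the two tricks above call for. It walks the JPEG marker structure of an HTTP "image/jpeg" response and reports a body that stops being a JPEG right after its header (the Monkif pattern) or a well-formed image followed by extra bytes after the EOI marker (the WALEDAC pattern), then XOR-decodes the suspicious bytes with the keys the text gives (0x04 and 0xED). The HTTP messages, the stripped-down JPEG and the command string are constructed for the example; checking for an "MZ" prefix on the appended data is a generic PE-file heuristic, not something the article describes.

```python
"""Inspect HTTP responses that claim to be JPEG images (added example)."""

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, RST0-7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def walk_jpeg(body: bytes):
    """Walk the marker segments of a JPEG body.

    Returns (status, offset) where status is one of 'ok', 'bad_soi',
    'truncated', 'not_jpeg_after_header' or 'trailing_data' and offset is
    where parsing stopped (the first suspicious byte, if any)."""
    if len(body) < 2 or body[0] != 0xFF or body[1] != SOI:
        return "bad_soi", 0
    pos = 2
    while pos + 2 <= len(body):
        if body[pos] != 0xFF:
            # A real JPEG only ever has markers between segments.
            return "not_jpeg_after_header", pos
        marker = body[pos + 1]
        if marker == 0xFF:           # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            pos += 2
            return ("trailing_data", pos) if pos < len(body) else ("ok", pos)
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(body):
            return "truncated", pos
        seglen = int.from_bytes(body[pos + 2:pos + 4], "big")
        if seglen < 2 or pos + 2 + seglen > len(body):
            return "truncated", pos
        pos += 2 + seglen
        if marker == SOS:
            # Entropy-coded data: skip to the next marker, treating FF00
            # (stuffed byte) and FFD0-FFD7 (restart markers) as data.
            while pos + 1 < len(body):
                nxt = body[pos + 1]
                if body[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return "truncated", pos


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def split_http_response(raw: bytes):
    """Split a raw HTTP response into a lower-cased header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:      # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def inspect_response(raw: bytes) -> dict:
    """Classify an HTTP response that claims Content-Type image/jpeg."""
    headers, body = split_http_response(raw)
    if not headers.get("content-type", "").startswith("image/jpeg"):
        return {"verdict": "not_jpeg_content_type"}
    status, offset = walk_jpeg(body)
    result = {"verdict": status, "offset": offset}
    if status == "not_jpeg_after_header":
        # Monkif pattern: fake header, then a command XOR'd with 0x04.
        result["monkif_decoded"] = xor_bytes(body[offset:], 0x04)
    elif status == "trailing_data":
        # WALEDAC pattern: real image, then a binary XOR'd with 0xED.
        tail = xor_bytes(body[offset:], 0xED)
        result["appended_is_pe"] = tail[:2] == b"MZ"   # generic PE heuristic
        result["appended_head"] = tail[:8]
    return result


def http_jpeg_response(body: bytes) -> bytes:
    """Build a constructed HTTP response carrying `body` as image/jpeg."""
    head = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: %d\r\n\r\n" % len(body)
    return head + body


# Constructed sample data: SOI + a valid JFIF APP0 segment (20 bytes).
JPEG_HEADER = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
# A stripped-down "image": header, an SOS segment, a few entropy bytes, EOI.
TINY_JPEG = JPEG_HEADER + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"
COMMAND = b"update http://c2.invalid/bot.bin"          # hypothetical command text
FAKE_PE = b"MZ\x90\x00\x03\x00\x00\x00PE-stub-bytes"  # constructed stand-in binary

MONKIF_RESPONSE = http_jpeg_response(JPEG_HEADER + xor_bytes(COMMAND, 0x04))
WALEDAC_RESPONSE = http_jpeg_response(TINY_JPEG + xor_bytes(FAKE_PE, 0xED))
BENIGN_RESPONSE = http_jpeg_response(TINY_JPEG)

if __name__ == "__main__":
    for name, raw in [("monkif", MONKIF_RESPONSE), ("waledac", WALEDAC_RESPONSE), ("benign", BENIGN_RESPONSE)]:
        print(name, inspect_response(raw))
```

A detector built this way pays the cost the article mentions: it must buffer and parse every image body rather than trust the header, which is why it is usually applied only to responses from hosts that are otherwise suspicious, or sampled, on large networks.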