alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Monkif CnC response in fake JPEG"; flow:established,from_server; content:"|0d 0a 0d 0a ff d8 ff e0|"; content:"JFIF|00 01 01|"; distance:2; content:"lppt>++"; fast_pattern; within:50; content:"bm|60|95"; distance:0; content:"|7c|0"; distance:0; reference:url,2009.brucon.org/material/Julia_Wolf_Brucon_final.pdf; reference:url,research.zscaler.com/2010/03/trojan-monkif-is-still-active-and.html; reference:url,blogs.mcafee.com/mcafee-labs/monkif-botnet-hides-commands-in-jpegs; classtype:command-and-control; sid:2012507; rev:5; metadata:created_at 2011_03_15, signature_severity Major, updated_at 2019_07_26;)