IRCBot

IRCBot malware communicates with its author through IRC channels rather than fetching commands from, and sending information directly to, dedicated or compromised C&C servers; this helps it evade detection based on network communications.

When a large number of systems are infected, the attacker forms a bot network (botnet) that is controlled through IRC channels.

IRC (Internet Relay Chat) is an application-layer protocol based on a client-server model.

The infected system registers itself with an IRC channel; the attacker then issues commands to the client through that channel.

The sample analysed here consists of two parts:

1) Downloader

2) IRC Payload

Downloader

SHA-256: 2c9d5b20b584ef578af97f99357810e7c53a1667b5c46f63b6b81c5d738371c4

File Type : PE32 EXE (.NET compiled)

ICON:

icon1

The downloader sample uses the icon of a PDF document to fool the victim into taking it for a legitimate PDF attachment.

Analysis of Downloader

When the packets of the process were traced in Wireshark, we found that the malware communicates with IP “31.170.160.95” over TCP, using FTP.

We can see the sample trying to establish an FTP connection:

Destination IP : 31.170.160.95

Destination port :

with the following FTP connection details:

Username : a4549035

Password : bigbobby

The process establishes an FTP connection with the given username, and when the FTP server prompts for a password, it sends the password given above.

In this case, we can see the authentication failing, probably because the FTP credentials have since been changed.

As the FTP authentication failed, the established FTP connection is logged out.

wireshark

Note: To see all the network communications made by a specific process, use Microsoft Network Monitor.

Now we can analyse the same thing statically.

The file is .NET compiled, so we can use a good .NET decompiler to view the MSIL code.

downloader_config

The class “config” contains the code that retrieves the FTP configuration.

download_function

Here we can see the function that downloads the payload, the function that sets a registry key to maintain persistence, and the function that fetches the configuration settings file from a URL.

IRC Payload:

SHA-256 : d612e4643721d7d5a18e8f99cb751655440810ea451f7b6f78bc493abcf08e5b

File Type : PE32 EXE (.NET compiled)

Version Info :

“Comments”, “Intel Extreme Graphics Interceptor”

“CompanyName”, “Microsoft”

“FileDescription”, “Intel Graphics Services”

“FileVersion”, “1.0.0.0”

“InternalName”, “hosting_556.exe”

“LegalCopyright”, “Copyright © 2013”

“LegalTrademarks”, “Microsoft”

“OriginalFilename”, “hosting_556.exe”

“ProductName”, “Microsoft”

“ProductVersion”, “1.0.0.0”

“Assembly Version”, “1.0.0.0”

Analysis of Payload:

The payload is basically a keylogger that logs all the user's keystrokes and sends them to the attacker.

For this purpose it installs a Windows hook using the Windows API “SetWindowsHookExW”.

The IRCBot connects to the IRC server “irc.fdfnet.net” on port 6667 and sends a PING request, but the IRC server refuses the client's connection with an error message.

payload_network
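As an added example (not code from the original post), a small Python triage script that parses exported FTP and IRC control-stream text like the two captures described above, the downloader's FTP login attempt against 31.170.160.95 and the payload's PING to irc.fdfnet.net on port 6667, and reduces them to the indicators a defender would alert on. Only the IP, port, IRC host and FTP credentials come from the post; the server reply lines in the constructed sample streams are assumptions.

```python
import re

# Constructed sample streams (Wireshark "Follow TCP stream" style): IP, port, FTP
# user/password and IRC host are from the post; server replies are assumed.
FTP_STREAM = "220 FTP server ready\nUSER a4549035\n331 Password required\n" \
             "PASS bigbobby\n530 Login incorrect\nQUIT\n221 Goodbye"
IRC_STREAM = "PING :irc.fdfnet.net\nERROR :Closing Link: (constructed refusal)"
FTP_REPLY = re.compile(r"^(\d{3})[ -]")  # three-digit FTP server reply code

def triage_ftp(stream):
    # Who logged in, was a password sent, did auth succeed (230) or fail (530), did the client QUIT
    info = {"user": None, "pass_sent": False, "auth_ok": False,
            "auth_failed": False, "quit": False}
    for raw in stream.splitlines():
        line = raw.strip()
        if line.upper().startswith("USER "):
            info["user"] = line[5:].strip()
        elif line.upper().startswith("PASS "):
            info["pass_sent"] = True  # the value itself is deliberately not recorded
        elif line.upper() == "QUIT":
            info["quit"] = True
        elif (m := FTP_REPLY.match(line)):
            info["auth_ok"] = info["auth_ok"] or m.group(1) == "230"
            info["auth_failed"] = info["auth_failed"] or m.group(1) == "530"
    return info

def triage_irc(stream):
    # Did the client PING (and which server did it name), did the server answer ERROR
    info = {"client_ping": False, "server": None, "server_error": False}
    for line in stream.splitlines():
        if line.startswith("PING"):
            info["client_ping"] = True
            info["server"] = line.partition(":")[2].strip() or None
        elif line.startswith("ERROR"):
            info["server_error"] = True
    return info

def indicators(dest_ip, irc_port, ftp, irc):
    # Reduce both summaries to the one-line notes a detection engineer would log
    notes = []
    if ftp["user"] and ftp["pass_sent"]:
        state = ("succeeded" if ftp["auth_ok"] else
                 "failed" if ftp["auth_failed"] else "unknown")
        notes.append(f"FTP login as {ftp['user']} to {dest_ip}: {state}"
                     + (", client quit" if ftp["quit"] else ""))
    if irc["client_ping"]:
        notes.append(f"IRC PING to {irc['server']}:{irc_port}"
                     + (", server refused" if irc["server_error"] else ""))
    return notes
```

Running `indicators("31.170.160.95", 6667, triage_ftp(FTP_STREAM), triage_irc(IRC_STREAM))` on the sample streams yields one note for the failed FTP login followed by the QUIT and one for the refused IRC PING.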

All of this information can also be analysed statically using .NET decompilers.

The payload is coded across three namespaces:

  1. activeWindow

  2. Activity

  3. CrimeScene

The “activeWindow” namespace contains the code that gets the active foreground window on the infected machine using the APIs “GetForegroundWindow()” and “GetActiveWindow()”.

The “Activity” namespace contains the code that logs keystrokes using “SetWindowsHookEx”.

The third, “CrimeScene”, contains the classes that perform the actual functions of an IRCBot.

payload_config

All the configuration information needed by the IRCBot is given here.
