IRCBot malware communicates with its author through IRC channels, instead of receiving commands and sending information directly to dedicated or infected C&C servers, in order to evade detection based on network communications.
Once a large number of systems are infected, the attacker forms a bot network that is controlled through IRC channels.
IRC (Internet Relay Chat) is an application-level protocol based on the client-server model.
The infected system registers itself with an IRC channel; the attacker then issues commands to the client through that channel.
The sample here is divided into two parts:
1) Downloader
2) IRC Payload
File Type : PE32 EXE (.NET compiled)
The downloader sample uses the icon of a PDF document to fool the victim into treating it as a legitimate PDF attachment.
Analysis of Downloader
When the packets of the process were traced in Wireshark, the malware was found to be communicating with IP “220.127.116.11” over TCP, using FTP.
We can see the sample trying to establish an FTP connection:
Destination IP : 18.104.22.168
Destination port :
with the following FTP connection details:
Username : a4549035
Password : bigbobby
The process establishes an FTP connection with the given username and, when the FTP server prompts for a password, supplies the password shown above.
In this case, we can see the authentication failing, probably because the FTP credentials have since been changed.
As the FTP authentication failed, the established FTP connection is logged out.
Note: To check all the network communications made by a specific process, use Microsoft Network Monitor.
Now we can analyse the same behaviour statically.
The file is .NET compiled, so we can use a good .NET decompiler to view the MSIL code.
The class “config” contains the code that grabs the FTP configuration.
Here we can see the function that downloads the payload, the function that sets a registry key to maintain persistence, and the function that grabs the configuration settings file from a URL.
SHA-256 : d612e4643721d7d5a18e8f99cb751655440810ea451f7b6f78bc493abcf08e5b
File Type : PE32 EXE (.net compiled)
Version Info :
“Comments”, “Intel Extreme Graphics Interceptor”
“FileDescription”, “Intel Graphics Services”
“LegalCopyright”, “Copyright © 2013”
“Assembly Version”, “22.214.171.124”
Analysis of Payload:
The payload is basically a keylogger, which logs all user keystrokes and sends them to the attacker.
For this purpose it sets a Windows hook using the Windows API “SetWindowsHookExW”.
The IRCBot connects to the IRC server “irc.fdfnet.net” on port 6667 and sends a PING request, but the IRC server refuses the client’s connection with an error message.
All of this information can be analysed statically using .NET decompilers.
The payload is coded under three different namespaces.
The “activeWindow” namespace contains the code to get the active foreground window on the infected machine, using the APIs “GetForegroundWindow()” and “GetActiveWindow()”.
The “Activity” namespace contains the code that logs keystrokes using “SetWindowsHookEx”.
The third, “CrimeScene”, contains the classes that perform the actual IRCBot function.
All the configuration information needed by the IRCBot is given here.
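As an added example that is not part of the original analysis, the following Python script shows how a defender could flag, in a session log, the two network behaviours described above: the cleartext FTP login attempt with hardcoded credentials (and whether it failed) and the IRC registration on port 6667. The log line format and the IRC server address 203.0.113.9 are constructed for the example; the FTP credentials and the IRC hostname are the ones reported in this analysis.

```python
import re
from collections import defaultdict

# Constructed session log (not captured from the sample): one application-layer
# message per line, "<proto> <src ip:port> -> <dst ip:port> <message>".
SAMPLE_LOG = """\
tcp 10.0.0.5:49201 -> 220.127.116.11:21 USER a4549035
tcp 10.0.0.5:49201 -> 220.127.116.11:21 PASS bigbobby
tcp 220.127.116.11:21 -> 10.0.0.5:49201 530 Login incorrect.
tcp 10.0.0.5:49201 -> 220.127.116.11:21 QUIT
tcp 10.0.0.5:49310 -> 203.0.113.9:6667 NICK CrimeScene-7f3a
tcp 10.0.0.5:49310 -> 203.0.113.9:6667 USER bot 0 * :bot
tcp 10.0.0.5:49310 -> 203.0.113.9:6667 PING :irc.fdfnet.net
tcp 203.0.113.9:6667 -> 10.0.0.5:49310 ERROR :Closing Link: (Refused)
tcp 10.0.0.5:49400 -> 198.51.100.7:443 TLS ClientHello
"""

LINE_RE = re.compile(r"^(\w+) ([\d.]+:\d+) -> ([\d.]+:\d+) (.*)$")

def port(endpoint):
    """Return the numeric port of an 'ip:port' endpoint string."""
    return int(endpoint.rsplit(":", 1)[1])

def flows(log):
    """Group messages per (client, server) pair; the lower port is taken as the
    server. Each entry is (from_client, message)."""
    out = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        _, src, dst, msg = m.groups()
        server, client = sorted((src, dst), key=port)
        out[(client, server)].append((src == client, msg))
    return out

def detect(log):
    """Flag cleartext FTP logins (noting 530 failures) and IRC registrations."""
    findings = []
    for (client, server), msgs in flows(log).items():
        sent = [m for from_client, m in msgs if from_client]
        recv = [m for from_client, m in msgs if not from_client]
        if port(server) == 21 and any(m.startswith("PASS ") for m in sent):
            user = next((m.split(" ", 1)[1] for m in sent if m.startswith("USER ")), "?")
            status = "failed" if any(r.startswith("530") for r in recv) else "succeeded"
            findings.append(f"{client} cleartext FTP login as {user!r} to {server} {status}")
        if port(server) == 6667 and any(m.startswith(("NICK ", "USER ", "PING ")) for m in sent):
            findings.append(f"{client} IRC registration to {server}")
    return findings
```

Running `detect(SAMPLE_LOG)` reports the failed FTP login as a4549035 and the IRC registration, while the unrelated TLS flow produces no finding.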