Windows IRC Bot in the Wild
Last weekend, I caught on VirusTotal a trojan disguised as a Windows IRC bot. It was detected thanks to my 'psexec' hunting rule, which is definitely an interesting keyword (see my previous diary[1]). I detected the first occurrence on 2018-03-24 15:48:00 UTC. The file was submitted for the first time from the US. The strange fact is that the initial file already has a good score on VT (55/67) and is detected by most of the classic antivirus tools.
I had a quick look at the sample. First interesting point: the PE header has been changed. The standard 'This program cannot be run in DOS mode' stub message has been replaced by a funny string that mimics a GIF file: 'GIF89a Adobe Photoshop Elements®'. This is probably meant to defeat simple regular expressions used to filter which files get analyzed:
00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ..............
00000010: b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 0000 0000 0000 e800 0000  ................
00000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 4749  ........!..L.!GI
00000050: 4638 3961 2041 646f 6265 2050 686f 746f  F89a Adobe Photo
00000060: 7368 6f70 2045 6c65 6d65 6e74 73ae 2031  shop Elements. 1
00000070: 313a 3532 2e0d 0d0a 2400 0000 0000 0000  1:52....$.......
00000080: 667f 0021 221e 6e72 221e 6e72 221e 6e72  f..!".nr".nr".nr
00000090: 5902 6272 211e 6e72 4d01 6572 231e 6e72  Y.br!.nrM.er#.nr
000000a0: 4d01 6472 7d1e 6e72 a102 6072 361e 6e72  M.dr}.nr..`r6.nr
000000b0: a116 3372 2f1e 6e72 221e 6f72 be1e 6e72  ..3r/.nr".or..nr
000000c0: 763d 5f72 231e 6e72 5269 6368 221e 6e72  v=_r#.nrRich".nr
000000d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000e0: 0000 0000 0000 0000 5045 0000 4c01 0400  ........PE..L...
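As an added example (not part of the original diary), the following Python check shows why a substring-based type sniffer classifies such a file as a GIF while a structural check still sees a PE with a non-standard DOS stub; the MZ/PE skeletons it builds are constructed for the demonstration and only mirror the header layout of the hexdump above.

```python
import struct

# Standard DOS stub message that every linker-produced PE carries after the stub code.
STANDARD_STUB = b"This program cannot be run in DOS mode"

def sniff_by_substring(data: bytes) -> str:
    """Naive type sniffing: the first well-known magic found anywhere wins.
    This is the kind of filter a fake 'GIF89a' stub is meant to fool."""
    for name, magic in (("gif", b"GIF89a"), ("png", b"\x89PNG"), ("pe", b"MZ")):
        if magic in data:
            return name
    return "unknown"

def inspect_pe(data: bytes) -> dict:
    """Structural check: 'MZ' at offset 0, e_lfanew (offset 0x3C) pointing at the
    'PE' signature, and whether the DOS stub text between them is the standard one."""
    not_pe = {"is_pe": False, "standard_stub": False, "stub_text": ""}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return not_pe
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return not_pe
    stub = data[0x40:e_lfanew]          # DOS stub code + message, up to the PE header
    printable = bytes(b for b in stub if 0x20 <= b < 0x7F)
    return {"is_pe": True, "standard_stub": STANDARD_STUB in stub,
            "stub_text": printable.decode("ascii")}

def build_sample(stub_message: bytes) -> bytes:
    """Construct a minimal MZ/PE skeleton (headers only, not a runnable program)
    whose DOS stub carries the given message, mirroring the hexdump layout above."""
    e_lfanew = 0xE8
    hdr = bytearray(b"MZ" + b"\0" * (0x40 - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    dos_code = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    body = (dos_code + stub_message + b"$").ljust(e_lfanew - 0x40, b"\0")
    return bytes(hdr) + body + b"PE\0\0"

# Constructed inputs: the fake-GIF stub seen in the sample, and a normal stub.
FAKE_GIF = build_sample(b"GIF89a Adobe Photoshop Elements\xae 11:52.")
NORMAL = build_sample(STANDARD_STUB + b".\r\r\n")

if __name__ == "__main__":
    for label, blob in (("fake-gif", FAKE_GIF), ("normal", NORMAL)):
        print(label, sniff_by_substring(blob), inspect_pe(blob))
```

Filtering on the magic at offset 0 (and on e_lfanew actually landing on a PE signature) is what defeats this trick; a non-standard stub message is a cheap triage signal on top of that.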
I took 3 samples and they look quite similar based on ssdeep:
default viper 59dcab059d5935f3fd21c4c976e89e7c470b1e565191590792baad33393de5fd.exe > fuzzy
[*] 2 relevant matches found
+-------+----------------------------------------------------------------------+------------------------------------------------------------------+
| Score | Name                                                                 | SHA256                                                           |
+-------+----------------------------------------------------------------------+------------------------------------------------------------------+
| 88%   | 84636926f88d11ae4ba43be7052a7def4bf1f6005f92315171fde31e54ff7378.exe | 84636926f88d11ae4ba43be7052a7def4bf1f6005f92315171fde31e54ff7378 |
| 93%   | 62881d728709d31d628d165d993adc605e4b84d0d9a795f2748939f406185eaa.exe | 62881d728709d31d628d165d993adc605e4b84d0d9a795f2748939f406185eaa |
+-------+----------------------------------------------------------------------+------------------------------------------------------------------+
The PE file is neither packed nor obfuscated, so it's easy to find other interesting behaviours just by searching for interesting strings. Here is a list of potential commands supported by the bot:
portscan download execute update updat3 ifnexist ifexist ifnmask ifmask ifnothost ifnhost ifhost ifnrup ifnotup ifnotbu ifnotos ifnotid ifnidb random repeat dccsend regread removefilematch msgbox action privmsg addalias existcheckdir excheckdir existcheck excheck prefix wchance welcomechance killthreads killthread ownership rmstart processname unignore ignorehost ignore delete remove rem0ve sysinfo netinfo addsniff sniffer aliases thread threads cshell cmdshell shutdown restart logoff discon disconnect reconnect logout keylog killservice killprocess processes drives sysdir windir netstat dcclisten rndnick announce notice global
The list looks classic and gives a good overview of the bot's capabilities to fully control the infected machine.
Another interesting finding: it prevents updates and antivirus tools from contacting their servers by modifying the hosts file, mapping their domains to addresses in the 127.0.0.0/8 loopback range:
127.158.241.18 www.symantec.com
127.192.143.103 securityresponse.symantec.com
127.63.79.161 symantec.com
127.183.6.177 www.mcafee.com
127.201.182.131 mcafee.com
127.116.210.59 us.mcafee.com
127.164.207.200 www.sophos.com
127.176.202.154 sophos.com
127.191.114.142 www.viruslist.com
127.182.174.155 viruslist.com
127.73.60.74 f-secure.com
127.233.124.164 www.f-secure.com
127.227.84.179 kaspersky.com
127.74.111.144 www.avp.com
127.152.238.195 www.kaspersky.com
127.2.163.72 avp.com
127.11.101.127 www.networkassociates.com
127.99.150.194 networkassociates.com
127.141.12.141 www.ca.com
127.223.2.62 ca.com
127.22.1.186 my-etrust.com
127.221.190.203 www.my-etrust.com
127.102.166.7 secure.nai.com
127.129.169.124 nai.com
127.174.147.207 www.nai.com
127.183.206.218 trendmicro.com
127.142.20.36 www.trendmicro.com
127.36.63.113 housecall.trendmicro.com
127.89.148.123 www.pandasoftware.com
127.206.95.140 www.bitdefender.com
127.203.141.55 www.ravantivirus.com
127.152.142.126 www3.ca.com
127.197.197.185 v4.windowsupdate.microsoft.com
127.224.111.7 windowsupdate.microsoft.com
127.167.10.253 www.windowsupdate.com
127.228.79.181 windowsupdate.com
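An added example, not from the diary: a Python check that parses hosts-file text and flags watched vendor or update domains mapped anywhere into the loopback range (not only 127.0.0.1). The watch-list and the sample hosts file are constructed here from a few of the entries above.

```python
import ipaddress
import re

# Vendor and update domains this kind of bot sinkholes (a subset of the hosts
# entries listed above); in practice, load your own watch-list.
WATCHED_DOMAINS = {
    "symantec.com", "mcafee.com", "sophos.com", "kaspersky.com",
    "trendmicro.com", "windowsupdate.microsoft.com", "windowsupdate.com",
}

# Constructed hosts file: legitimate localhost lines, three entries copied from
# the sample's modifications above, and one unrelated internal host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.158.241.18 www.symantec.com
127.192.143.103 securityresponse.symantec.com
127.197.197.185 v4.windowsupdate.microsoft.com
10.0.0.5 intranet.example.test
"""

def watched_parent(hostname):
    """Return the watch-list domain that hostname equals or is a subdomain of."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in WATCHED_DOMAINS:
            return candidate
    return None

def find_hijacks(hosts_text):
    """Return (ip, hostname, watched_domain) for every watched host mapped to a
    loopback address (anywhere in 127.0.0.0/8, or ::1), skipping comments."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments, as the resolver does
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address; the resolver ignores such lines too
        for host in fields[1:]:
            parent = watched_parent(host)
            if parent and ip.is_loopback:
                hits.append((str(ip), host.lower(), parent))
    return hits
```

Running find_hijacks(SAMPLE_HOSTS) returns the three sinkholed vendor entries and ignores the localhost lines and the internal host; the same function can be pointed at a live hosts file read from disk.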
Later, I saw a bunch of submissions of the same malware, each time as a new sample. It spread from the US mainly to Canada and Russia.
I'll continue to analyze the sample. Do you have more information about this bot? Please share!
[1] https://isc.sans.edu/forums/diary/Administrators+Password+Bad+Practice/23465/
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant