Last Updated: 2008-02-28 18:36:17 UTC
by Bojan Zdrnja (Version: 2)
Yesterday I received samples of an IRC bot. This in itself would be nothing interesting except the fact that the archive contained binaries for FreeBSD and Mac (Darwin, ppc).
After initial analysis I found out that it's nothing special – just a port of a well known IRC bot called EnergyMech. The most interesting thing was that the attacker compiled it for FreeBSD and Mac. This probably didn't require any extra effort though since it compiles out of the box on FreeBSD and Linux anyway.
The bot did all the standard stuff: had couple of "owners" defined; comments in Portuguese and connected to Undernet, the IRC network that a lot of attackers like.
I decided, for the fun of it, to run the sample through VirusTotal, just to see what results AV programs will have. It was .. erm.. interesting, as you will see below.
There were in total 3 files:
$ md5sum linux freebsd darwin
The FreeBSD version of the bot was detected by 23 out of 32 AV programs (decent) and the Linux one by 24 out of 32 AV programs (even better). This was clearly signature detection since almost all AV programs detected the FreeBSD version as something for Linux (Linux/RST.B) – my guess is that they trigger on some text in the binary.
Finally, the Darwin version was a bit of a shock – 0 detections in total (!). Since it was a Mach-O executable for PPC, my guess is that AV programs didn't know how to parse the file format and just thought of it as data.
Just couple of things we received from our readers. The EnergyMech package is not malicious - it's just an IRC bot, similar to eggdrop so the fact that the bad guys use it doesn't make the package itself malicious.
Regarding the AV detection, it appears that those binaries could be infected with the RST virus (that would explain all detection and why the darwin file was clean since the RST virus infects only ELF files). I briefly analyzed the Linux version and it didn't appear to be infected (at least didn't show any infection activities). It's indeed possible and it wouldn't be the first time when attacker's own machine was actually infected (oh the irony).