
SANS ISC: Windows IRC Bot in the Wild - SANS Internet Storm Center SANS ISC InfoSec Forums


Windows IRC Bot in the Wild

Last weekend, I caught on VirusTotal a trojan disguised as a Windows IRC bot. It was detected thanks to my 'psexec' hunting rule, which definitely looks like an interesting keyword (see my previous diary[1]). I detected the first occurrence on 2018-03-24 15:48:00 UTC. The file was submitted for the first time from the US. The strange fact is that the initial file already has a good score on VT (55/67) and is detected by most of the classic antivirus tools.

I had a quick look at the sample. First interesting point: the PE header has been changed. The standard 'This program cannot be run in DOS mode' string has been replaced by a funny string that mimics a GIF file: 'GIF89a Adobe Photoshop Elements®'. This is probably to defeat simple regular expressions used to filter files to be analyzed:

00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ..............
00000010: b800 0000 0000 0000 4000 0000 0000 0000  ........@.......
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 0000 0000 0000 e800 0000  ................
00000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 4749  ........!..L.!GI
00000050: 4638 3961 2041 646f 6265 2050 686f 746f  F89a Adobe Photo
00000060: 7368 6f70 2045 6c65 6d65 6e74 73ae 2031  shop Elements. 1
00000070: 313a 3532 2e0d 0d0a 2400 0000 0000 0000  1:52....$.......
00000080: 667f 0021 221e 6e72 221e 6e72 221e 6e72  f..!".nr".nr".nr
00000090: 5902 6272 211e 6e72 4d01 6572 231e 6e72  Y.br!.nrM.er#.nr
000000a0: 4d01 6472 7d1e 6e72 a102 6072 361e 6e72  M.dr}.nr..`r6.nr
000000b0: a116 3372 2f1e 6e72 221e 6f72 be1e 6e72  ..3r/.nr".or..nr
000000c0: 763d 5f72 231e 6e72 5269 6368 221e 6e72  v=_r#.nrRich".nr
000000d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000e0: 0000 0000 0000 0000 5045 0000 4c01 0400  ........PE..L...
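
A filter that identifies PE files by structure (MZ magic, e_lfanew, PE signature) instead of by the stub text is not fooled by this change, and can report the altered message as a hunting signal. The following is an added example, not code from the original diary; the function name is hypothetical and the sample bytes are transcribed from the dump above, with the Rich header region zero-filled.

```python
import struct

STANDARD_MSG = b"This program cannot be run in DOS mode"

# DOS header and stub (offsets 0x00-0x7f) transcribed from the hex dump above.
# The Rich header region (0x80-0xe7) is zero-filled here for brevity.
SAMPLE = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"
    "b8000000000000004000000000000000"
    "00000000000000000000000000000000"
    "000000000000000000000000e8000000"
    "0e1fba0e00b409cd21b8014ccd214749"
    "463839612041646f62652050686f746f"
    "73686f7020456c656d656e7473ae2031"
    "313a35322e0d0d0a2400000000000000"
) + bytes(0x68) + b"PE\0\0\x4c\x01\x04\x00"


def inspect_dos_stub(data):
    """Identify a PE by structure and report its DOS stub message.

    Returns None if data is not a PE file, else (message, is_standard).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    # e_lfanew (offset 0x3c) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    stub = data[0x40:e_lfanew]
    message = b""
    # Usual stub code: push cs; pop ds; mov dx, imm16; mov ah, 9; int 21h.
    # imm16 is the message offset inside the stub; DOS prints up to '$'.
    if len(stub) >= 5 and stub[:3] == b"\x0e\x1f\xba":
        (offset,) = struct.unpack_from("<H", stub, 3)
        end = stub.find(b"$", offset)
        if end != -1:
            message = stub[offset:end].rstrip(b"\r\n")
    return message, STANDARD_MSG in message


if __name__ == "__main__":
    # A substring filter misses the sample; the structural check does not.
    print(STANDARD_MSG in SAMPLE, inspect_dos_stub(SAMPLE))
```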

I took 3 samples and they look quite similar based on ssdeep:

default viper 59dcab059d5935f3fd21c4c976e89e7c470b1e565191590792baad33393de5fd.exe > fuzzy
[*] 2 relevant matches found
+-------+----------------------------------------------------------------------+------------------------------------------------------------------+
| Score | Name                                                                 | SHA256                                                           |
+-------+----------------------------------------------------------------------+------------------------------------------------------------------+
| 88%   | 84636926f88d11ae4ba43be7052a7def4bf1f6005f92315171fde31e54ff7378.exe | 84636926f88d11ae4ba43be7052a7def4bf1f6005f92315171fde31e54ff7378 |
| 93%   | 62881d728709d31d628d165d993adc605e4b84d0d9a795f2748939f406185eaa.exe | 62881d728709d31d628d165d993adc605e4b84d0d9a795f2748939f406185eaa |
+-------+----------------------------------------------------------------------+------------------------------------------------------------------+

The PE file is neither packed nor obfuscated, so it's easy to find other interesting behaviours just by searching for interesting strings. Here is a list of potential commands supported by the bot:

portscan
download
execute
update
updat3
ifnexist
ifexist
ifnmask
ifmask
ifnothost
ifnhost
ifhost
ifnrup
ifnotup
ifnotbu
ifnotos
ifnotid
ifnidb
random
repeat
dccsend
regread
removefilematch
msgbox
action
privmsg
addalias
existcheckdir
excheckdir
existcheck
excheck
prefix
wchance
welcomechance
killthreads
killthread
ownership
rmstart
processname
unignore
ignorehost
ignore
delete
remove
rem0ve
sysinfo
netinfo
addsniff
sniffer
aliases
thread
threads
cshell
cmdshell
shutdown
restart
logoff
discon
disconnect
reconnect
logout
keylog
killservice
killprocess
processes
drives
sysdir
windir
netstat
dcclisten
rndnick
announce
notice
global

The list looks classic and gives a good overview of all the capabilities of the bot to fully control the infected machine.

Another interesting finding: it prevents update and antivirus tools from contacting their servers by modifying the hosts file with loopback addresses:

127.158.241.18 www.symantec.com
127.192.143.103 securityresponse.symantec.com
127.63.79.161 symantec.com
127.183.6.177 www.mcafee.com
127.201.182.131 mcafee.com
127.116.210.59 us.mcafee.com
127.164.207.200 www.sophos.com
127.176.202.154 sophos.com
127.191.114.142 www.viruslist.com
127.182.174.155 viruslist.com
127.73.60.74 f-secure.com
127.233.124.164 www.f-secure.com
127.227.84.179 kaspersky.com
127.74.111.144 www.avp.com
127.152.238.195 www.kaspersky.com
127.2.163.72 avp.com
127.11.101.127 www.networkassociates.com
127.99.150.194 networkassociates.com
127.141.12.141 www.ca.com
127.223.2.62 ca.com
127.22.1.186 my-etrust.com
127.221.190.203 www.my-etrust.com
127.102.166.7 secure.nai.com
127.129.169.124 nai.com
127.174.147.207 www.nai.com
127.183.206.218 trendmicro.com
127.142.20.36 www.trendmicro.com
127.36.63.113 housecall.trendmicro.com
127.89.148.123 www.pandasoftware.com
127.206.95.140 www.bitdefender.com
127.203.141.55 www.ravantivirus.com
127.152.142.126 www3.ca.com
127.197.197.185 v4.windowsupdate.microsoft.com
127.224.111.7 windowsupdate.microsoft.com
127.167.10.253 www.windowsupdate.com
127.228.79.181 windowsupdate.com
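
The entries use addresses spread across the whole 127.0.0.0/8 range, so a check that only looks for the literal 127.0.0.1 misses them. The following is an added example, not code from the original diary: a hosts-file audit that flags any non-local name pinned to a loopback address. The function name and the sample file are constructed; two of its lines reuse entries listed above.

```python
import ipaddress

# Names that legitimately resolve to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample hosts file (lines 4 and 5 reuse entries from the list above).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.158.241.18 www.symantec.com
127.228.79.181 windowsupdate.com   # trailing comment
127.0.0.2       av.example update.example
10.0.0.5        intranet.example
"""


def loopback_redirects(hosts_text):
    """Return (line number, address, hostname) for names pinned to loopback."""
    findings = []
    for lineno, line in enumerate(hosts_text.splitlines(), 1):
        # Drop comments, then split into address + one or more names.
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: not a usable hosts entry
        # is_loopback covers all of 127.0.0.0/8 and ::1.
        if not addr.is_loopback:
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES:
                findings.append((lineno, str(addr), name))
    return findings


if __name__ == "__main__":
    for lineno, addr, name in loopback_redirects(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}")
```

On a Windows host the file to feed in is the hosts file under the system directory's drivers\etc folder.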


Later, I saw a bunch of submissions for the same malware but every time as a new sample. It spread from the US mainly to Canada and Russia.


I'll continue to analyze the sample. Do you have more information about this bot? Please share!

[1] https://isc.sans.edu/forums/diary/Administrators+Password+Bad+Practice/23465/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant