AryaN IRC Botnet discovered in the wild (April 5, 2012)
The SonicWALL Threat Research team discovered a new IRC bot Trojan in the wild with DDoS (Distributed Denial of Service) functionality. The Trojan can also spread through USB removable drives and update itself over the Internet.
Once run, the Trojan injects code into explorer.exe and exits. The injected code contains an IRC bot [Detected as GAV: Agent.ADC (Trojan)]. The injected code deletes the original malware file.
The Trojan makes the following DNS requests:
The Trojan determines its public IP address by querying wipmania.com, a public IP geolocation service. It then proceeds to join channel #!y! on a private IRC server.
The bots idle on IRC awaiting further instructions from their author. Each bot is given a nickname that encodes its bot type, geographical location, operating system version and CPU architecture, as seen in the screenshot below:
The Trojan contains the ability to spread through USB removable drives. It also contains UDP flooding functionality for DDoS (distributed denial of service) attacks:
Upon further analysis we found that the Trojan can also update itself by downloading a new version from a remote web server.
The Trojan adds the following file to the file system:
- C:\Documents and Settings\{USER}\Application Data\svhost.exe [Detected as GAV: Agent.ADC (Trojan)]
The Trojan adds the following values to the Windows registry so that it is started again after a system reboot (note the filename svhost.exe, chosen to resemble the legitimate Windows service host svchost.exe, which lives in %SystemRoot%\System32):
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svhost.exe "C:\Documents and Settings\{USER}\Application Data\svhost.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run svhost.exe "C:\Documents and Settings\{USER}\Application Data\svhost.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run egregregerfwde "C:\Documents and Settings\{USER}\Application Data\svhost.exe"
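The following PowerShell host sweep is an added example written for this write-up; it is not SonicWALL's code and was not part of the original post. It assumes only the indicators listed above (the two Run-key value names and the svhost.exe drop path under the user's Application Data folder, resolved here through %APPDATA%) and flags any Run entry that launches a file named svhost.exe, since the legitimate service host is svchost.exe. It checks on-disk and registry persistence only; the bot code injected into explorer.exe lives in memory and is not covered here.

```powershell
# Added example (not SonicWALL's code): sweep a host for the AryaN persistence
# indicators published in the write-up above. Run from an elevated prompt so the
# HKLM Run key can be read on every Windows version.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Value names taken verbatim from the indicators above.
$suspectValueNames = @('svhost.exe', 'egregregerfwde')

# %APPDATA% resolves to "...\Application Data" on XP-era hosts and
# "...\AppData\Roaming" on later versions, so the same check works on both.
$dropPath = Join-Path $env:APPDATA 'svhost.exe'

$hits = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        if ($p.Name -like 'PS*') { continue }
        $command = [string]$p.Value
        # Flag the published value names, and any Run entry whose command line
        # launches a file literally named svhost.exe (lookalike of svchost.exe).
        # -match is case-insensitive by default; the doubled backslash is a regex
        # escape for one literal path separator.
        if (($suspectValueNames -contains $p.Name) -or ($command -match '\\svhost\.exe')) {
            $hits += [pscustomobject]@{ Location = $key; Name = $p.Name; Detail = $command }
        }
    }
}

if (Test-Path -Path $dropPath -PathType Leaf) {
    # Get-FileHash needs PowerShell 4 or later; record the hash so the sample can be
    # matched against the GAV detections or submitted for analysis.
    $sha256 = (Get-FileHash -Path $dropPath -Algorithm SHA256).Hash
    $hits += [pscustomobject]@{ Location = 'FileSystem'; Name = $dropPath; Detail = "SHA256=$sha256" }
}

if ($hits.Count -eq 0) {
    Write-Output 'No AryaN persistence indicators found.'
} else {
    Write-Output "Found $($hits.Count) indicator(s):"
    $hits | Format-Table -AutoSize
}
```

A clean host should report no indicators; any hit in the Run keys should be removed only after the explorer.exe process has been terminated or the machine rebooted, otherwise the injected code may simply rewrite the value.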
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: IRCbot.AYN (Trojan)
- GAV: Agent.ADC (Trojan)