IRC Bot masquerading as popular applications (October 11, 2013)

The Dell SonicWall Threats Research team has observed a recent wave of IRC bots posing as legitimate applications. The bot installer may arrive on the victim machine under file names such as chrome.exe or facebook-images.exe. It attempts to masquerade as Google Chrome by using the following icon and file properties:

Infection Cycle:

Upon execution, the bot copies itself to the following locations:

  • %WINDIR%\temp\facebook-images.exe [Detected as GAV: Zusy.G (Trojan)]
  • %TEMP%\adbreader.exe [Detected as GAV: Zusy.G (Trojan)]

In order to start after reboot, the bot adds the following keys to the registry:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run [adobe driver update] "%TEMP%\adbreader.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run [adobe driver update] "%TEMP%\adbreader.exe"

It also executes the following command to allow itself through the Windows Firewall:

  • %SYSTEM%\netsh.exe [netsh firewall add allowedprogram "%TEMP%\adbreader.exe" "Adobe Driver Update" ENABLE]

It connects to a remote IRC-based Command and Control (C&C) server and waits for further instructions:

It then joins an IRC channel named #biz:

During our analysis, we noticed the Command and Control server sending instructions to download an additional malware component:

The downloaded malware is copied into the following directory:

  • %WINDIR%\mdm.exe [Detected as GAV: Injector.AOED (Trojan)]

The following registry keys were added by the bot to persist infection upon system reboot:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run [microsoft firevall engine] "%WINDIR%\mdm.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run [microsoft firevall engine] "%WINDIR%\mdm.exe"

The C&C server also sent an instruction to create another component, which uses the Pidgin icon and is copied into the following directory:

  • %TEMP%\eraseme_*random digits*.exe [Detected as GAV: MalAgent.G_3527 (Trojan)]
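As an added host-hunting example that is not part of the original advisory, the following PowerShell checks a machine for the Run-key values, dropped files and firewall exception described above. The legacy firewall policy registry path is an assumption about where `netsh firewall add allowedprogram` records its entries; the value names are used exactly as observed, including the misspelled "firevall".

```powershell
# Hunt for the persistence and file artefacts described in this advisory.
# Added example, not SonicWall's own tooling. Run as an administrator so the
# HKLM hive is readable; %TEMP% and %WINDIR% expand for the current user.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. Run-key value names the bot uses (names as observed in the advisory)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$badNames = 'adobe driver update', 'microsoft firevall engine'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key
    if (-not $props) { continue }
    foreach ($name in $badNames) {
        $value = $props.PSObject.Properties[$name]
        if ($value) { $findings += "Run key: $key\$name -> $($value.Value)" }
    }
}

# 2. Dropped files; eraseme_<digits>.exe has a random suffix, so match by pattern.
$dropPaths = "$env:WINDIR\temp\facebook-images.exe",
             "$env:TEMP\adbreader.exe",
             "$env:WINDIR\mdm.exe"
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) { $findings += "File: $p" }
}
Get-ChildItem -Path $env:TEMP -Filter 'eraseme_*.exe' | ForEach-Object {
    if ($_.BaseName -match '^eraseme_\d+$') { $findings += "File: $($_.FullName)" }
}

# 3. Legacy "netsh firewall add allowedprogram" entries. Assumption: this is the
#    legacy firewall policy list; each value is "<path>:*:Enabled:<display name>".
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwList
if ($fw) {
    foreach ($prop in $fw.PSObject.Properties) {
        if ($prop.Value -match 'Adobe Driver Update' -or $prop.Name -match 'adbreader\.exe') {
            $findings += "Firewall exception: $($prop.Name) -> $($prop.Value)"
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators from this advisory found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on any item warrants pulling the referenced file for the GAV signatures listed below and reviewing outbound IRC connections from the host.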

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Injector.AOED (Trojan)
  • GAV: Zusy.G (Trojan)
  • GAV: MalAgent.G_3527 (Trojan)