In this blog post I’ll examine a botnet attack utilizing Instant Messaging services such as AIM and Live Messenger to recruit infected computers. This botnet spreads a malicious Sdbot variant with a low detection rate; the following is a detailed technical analysis of this bot.
The Attack Vector
The Trojan arrives via MSN Messenger as a message containing a link, sent by contacts whose systems are already infected. Here is an example of such a message:
Once the user clicks the link, an executable is downloaded to the user's system. It does not run on its own; the user has to launch it manually.
The downloaded executable is a Win32 Cabinet Self-Extractor with a name chosen to make it look like an image file: IMG000985215488524-JPEG.EXE.
This Trojan has a very low detection rate according to VirusTotal. At the time of writing, only 7 out of 40 AV products detect it:
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| a-squared | 4.0.0.101 | 2009.05.13 | Win32.SuspectCrc!IK |
| AntiVir | 7.9.0.166 | 2009.05.13 | SPR/Tool.Injector.101376B |
| eSafe | 7.0.17.0 | 2009.05.13 | Win32.Trojan |
| Ikarus | T3.1.1.49.0 | 2009.05.13 | Win32.SuspectCrc |
| McAfee-GW-Edition | 6.7.6 | 2009.05.13 | Riskware.Tool.Injector.101376B |
| Microsoft | 1.4602 | 2009.05.13 | VirTool:Win32/Injector.gen!B |
| Prevx | 3.0 | 2009.05.13 | Medium Risk Malware |
The Cabinet Self-Extractor drops a file named d.exe, which carries another PE file, packed with a private (custom) packer, in its resource section.
The decoding routine

The decoding routine of the bot (part 1).

The decoding routine of the bot (part 2).

The decoding routine of the bot (part 3).
Now, to obtain the unpacked executable, we dump the process memory to a file and, using a hex editor, cut the junk data from the beginning of the dump file:
Then, using a tool such as Stud_PE, we cut off the extra data at the end of the dump file:
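The two manual steps above (trim the junk before the image, then trim whatever follows the last section) can be automated once you know where the PE headers put the section boundaries. The following is an added example written for this post, not code from the original analysis or from Stud_PE: it locates the first MZ/PE header in a dump and keeps the image up to the end of the section whose raw data ends last. The dump it runs on is a constructed toy PE surrounded by constructed junk, not the real sample; note that any overlay data a packer appends after the last section would be cut off by this boundary, which is the same boundary Stud_PE trims to.

```python
import struct


def find_pe_offset(data: bytes) -> int:
    """Offset of the first 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature, or -1."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # e_lfanew sanity bound keeps random 'MZ' bytes in junk from being taken as a header
            if e_lfanew < 0x1000 and pe + 4 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1


def pe_file_size(data: bytes, base: int) -> int:
    """On-disk size of the PE image at `base`: the end of the section whose raw data ends last."""
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    pe = base + e_lfanew
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]        # COFF NumberOfSections
    size_opt = struct.unpack_from("<H", data, pe + 20)[0]           # COFF SizeOfOptionalHeader
    sec_table = pe + 24 + size_opt                                  # first IMAGE_SECTION_HEADER
    end = sec_table + num_sections * 40 - base                      # headers only, if no raw data
    for i in range(num_sections):
        hdr = sec_table + i * 40
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return end


def carve_pe(dump: bytes) -> bytes:
    """Cut the leading junk and the trailing data, returning just the PE image."""
    base = find_pe_offset(dump)
    if base == -1:
        raise ValueError("no PE image found in dump")
    return dump[base: base + pe_file_size(dump, base)]


def build_toy_pe() -> bytes:
    """Constructed minimal PE32 image (not the sample): DOS header, COFF header, optional header, one section."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew -> right after DOS header
    opt_size = 0xE0                                                 # PE32 optional header size
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    # one .text section: 0x10 bytes of raw data at file offset 0x200
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x10, 0x1000, 0x10, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + b"\xCC" * 0x10


# Constructed memory dump: NOP-like junk before the image, zero padding and garbage after it.
DUMP = b"\x90" * 0x37 + b"JUNK" + build_toy_pe() + b"\0" * 0x300 + b"tail-garbage"

if __name__ == "__main__":
    base = find_pe_offset(DUMP)
    carved = carve_pe(DUMP)
    print(f"PE image found at dump offset {base:#x}, carved {len(carved):#x} bytes")
    with open("carved.exe", "wb") as f:
        f.write(carved)
```

The carved file is only as trustworthy as the section table: a packer that corrupts PointerToRawData, or a dump taken before the unpacking stub has finished writing, still needs the hex-editor pass the post describes.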
Now we have the real Trojan. At a quick glance we can see it is an IRC bot, more precisely an SdBot, which connects to an IRC server, joins a channel and waits there for commands from its operators.
The VirusTotal detection rate improves for the unpacked file: 21 out of 40 products detect this bot:
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| a-squared | 4.0.0.101 | 2009.05.13 | Virus.Win32.IRCBot.BSX!IK |
| AntiVir | 7.9.0.166 | 2009.05.13 | TR/Spy.Gen |
| Authentium | 5.1.2.4 | 2009.05.13 | W32/Bloop.A.gen!Eldorado |
| Avast | 4.8.1335.0 | 2009.05.12 | Win32:IRCBot-BSX |
| BitDefender | 7.2 | 2009.05.13 | Backdoor.Agent.AAAT |
| DrWeb | 5.0.0.12182 | 2009.05.13 | DLOADER.IRC.Trojan |
| eSafe | 7.0.17.0 | 2009.05.13 | Win32.Trojan |
| F-Prot | 4.4.4.56 | 2009.05.13 | W32/Bloop.A.gen!Eldorado |
| F-Secure | 8.0.14470.0 | 2009.05.13 | Backdoor.Win32.SdBot.eit |
| GData | 19 | 2009.05.13 | Backdoor.Agent.AAAT |
| Ikarus | T3.1.1.49.0 | 2009.05.13 | Virus.Win32.IRCBot.BSX |
| Kaspersky | 7.0.0.125 | 2009.05.13 | Backdoor.Win32.SdBot.eit |
| McAfee | 5613 | 2009.05.12 | W32/Sdbot.worm.gen.a |
| McAfee+Artemis | 5613 | 2009.05.12 | W32/Sdbot.worm.gen.a |
| McAfee-GW-Edition | 6.7.6 | 2009.05.13 | Trojan.Spy.Gen |
| Microsoft | 1.4602 | 2009.05.13 | Worm:Win32/Pushbot.gen |
| NOD32 | 4070 | 2009.05.13 | probably a variant of IRC/SdBot |
| Norman | 6.01.05 | 2009.05.13 | W32/Malware |
| Rising | 21.29.24.00 | 2009.05.13 | Worm.Win32.Pushbot.ad |
| Symantec | 1.4.4.12 | 2009.05.13 | W32.Spybot.Worm |
| VBA32 | 3.12.10.5 | 2009.05.13 | suspected of Backdoor.xBot.1 (paranoid heuristics) |
The following are the commands accepted by this bot (where a command has a short alias, it is shown after `||`):
login || l
logout || lo
rm
download
update
gone || rmzerm3b1tch
threads || t
r.getfile
r.new
r.update || r.upd4te
msn.msg
msn.stop
aim.msg
aim.stop
trion.msg
trion.stop
Inspecting the strings of the unpacked executable shows that the bot's functionality includes:
- Download and execute remote files
- Registry manipulation
- Services manipulation
- Opening sockets, including sending and receiving data through sockets
- Sending/Downloading data through HTTP
- Uploading/Downloading files through FTP
- DNS manipulation
- Opening ports on the infected system and hiding those ports
- Retrieve TCP, UDP listener tables
- Retrieve MIB-II interface table
- Retrieve IP-to-physical address mapping table
- Add/Remove Network Connections
- Keylogging
- ARP table manipulation
- ODBC functionalities