AryaN Botnet analysis - Part 2

May 11, 2012

SonicWALL Threats Research team reported about an active IRC based AryaN botnet in the wild last week. We continued to monitor the botnet activity and looked further at its origin.

We found that the AryaN Botnet builder kit was first released on September 11, 2011 on one of the underground forums. This was followed by a leak of source code and builder later that month. The builder was written in Borland Delphi and the interface looks like this:

Botnet commands as advertised by the author:

Features of Bot:

  • Geo/OS aware and named using following convention:
    • AryaN{%s-%s-x%d}%s -> AryaN{CountryCode-OperatingSystem-Architecture}BotID
  • Connects to a remote C&C server and waits for command
  • Capable of DoS attacks
  • Spreads by infected Removable devices
  • Injects itself into explorer.exe

The botnet we were monitoring over past week is hosted in U.K. It grew close to 1000+ bots over a period of one week and we observed following activity:

  • New AryaN bot update and subsequent redirection to a new IRC server/channel.

  • Instruction to download Bitcoin miner Trojan. Below are the domains that were contacted by the downloaded Trojan:
    • eu.triplemining.com:8344
    • eu1.triplemining.com:8344
    • litecoinpool.org:9332

  • Instruction to perform DoS flooding attacks.

  • Instructions to download multiple other pay per install malware binaries and infect the victim machine.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Scar.GAJG (Trojan) [Bitcoin miner]
  • GAV: IRCBot.AYN_2 (Trojan) [New AryaN bot]
  • GAV: Agent.ADC (Trojan) [AryaN bot builder & base]