Gone with the wings ngrBot dropper

October 4, 2013

The Dell SonicWall Threats Research team has observed incidents of a new ngrBot Dropper Trojan active in the wild. The Dropper may arrive as an attachment in spam e-mail or via drive-by downloads from cybercrime exploit kit hosting sites. The Dropper appears to remove other malware family binaries from the victim machine before infecting it with the embedded copy of the new ngrBot variant.

ngrBot, also known as Dorkbot is a family of IRC-based worms that is known to spread through instant messengers, social networking websites, and removable drives. The bot steals user credentials for various applications & websites, and is also capable of launching Denial of Service attacks. More details can be found in our previous writeup - New Dorkbot variant targeting skype users (Oct 19, 2012).

Infection Cycle:

Upon execution, the Dropper Trojan checks for the command line argument "-shell" and attempts to create a specific mutex. If the Dropper was executed with the argument "-shell" and the mutex already exists on the system, it will terminate as seen below:

If the above conditions are not true, then it drops multiple copies of itself as:

  • %APPDATA%temp.bin [Copy of itself detected as GAV: Dropper.NGR (Trojan) ]
  • %APPDATA%ScreenSaverPro.scr [Copy of itself detected as GAV: Dropper.NGR (Trojan) ]
  • %APPDATA%Microsoftrcanurcanu.exe [Copy of itself detected as GAV: Dropper.NGR (Trojan) ]

It creates the following registry key to ensure that the infection persists upon system reboot:

  • HKCUSoftwareMicrosoftWindowsCurrentVersionRun Screen Saver Pro 3.1 "%APPDATA%ScreenSaverPro.scr"
  • HKCUSoftwareMicrosoftWindowsCurrentVersionRun Windows Update "%APPDATA%Microsoftrcanurcanu.exe"

It keeps track of the number of times the malware has been executed on the victim machine by creating a Registry key shown in the image below and by setting the value for iterXXXz. It essentially forces the target system to reboot twice after initial infection. This looks like a ploy to hinder malware analysis by automated systems and malware researchers.

It further creates a system process svchost.exe and injects malicious code into it which is responsible for following:

    Infect Removable Drives

  • It checks and monitors any removable drives connected to the infected system. If found, it will drop a copy of itself as %VolumeSerialNumber%.exe on it.
  • It then looks for HIDDEN or READONLY executable files on the removable drive and deletes them.
  • It infects the removable drive by copying %APPDATA%temp.bin to it using the same filename and attributes as the files that it deleted.
  • It finally launches Microsoft Windows paint program mspaint.exe process in the background which will eventually be accessed by the ngrBot process.

The Dropper then looks for files with .exe extension in %APPDATA%, %TEMP%, and %User Profile% directories and appends string .gonewiththewings to the filename before deleting them as seen below:

It launches the ngrBot binary which is embedded in the resource section. More details on the ngrBot infection cycle can be found in our previous alert.

The ngrBot variant in our case connected to a remote IRC server and was immediately instructed to download an updated version of the bot as seen below:

We have been actively tracking ngrBot Botnets over the past one year, and here is the geographical distribution of the active Botnet Command and Control (C&C) servers from the past two weeks:

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Dorkbot.B_222 (Worm)
  • GAV: Dropper.NGR (Trojan)
  • IPS: ngrBot Infection Activity