IRC Bot masquerading as popular applications

October 11, 2013

The Dell SonicWall Threats Research team has observed a recent wave of IRC bots posing as legitimate applications. The bot installer may arrive on the victim machine under file names such as chrome.exe or facebook-images.exe. It attempts to masquerade as Google Chrome by using the following icon and file properties:

Infection Cycle:

Upon execution the bot creates a copy of itself into the following directories:

  • %WINDIR%\temp\facebook-images.exe [Detected as GAV: Zusy.G (Trojan)]
  • %TEMP%\adbreader.exe [Detected as GAV: Zusy.G (Trojan)]

In order to start after reboot the bot adds the following keys to the registry:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run [adobe driver update] "%TEMP%\adbreader.exe"
  • HKLM\software\Microsoft\Windows\CurrentVersion\Run [adobe driver update] "%TEMP%\adbreader.exe"

It also executes the following command to allow itself through the Windows Firewall:

  • %SYSTEM%\netsh.exe [netsh firewall add allowedprogram "%TEMP%\adbreader.exe" "Adobe Driver Update" ENABLE]

It connects to a remote IRC-based Command and Control server and waits for further instructions:

It then joins an IRC channel named #biz:

During our analysis, we noticed the Command and Control server sending instructions to download an additional malware component:

The downloaded malware is copied into the following directory:

  • %WINDIR%\mdm.exe [Detected as GAV: Injector.AOED (Trojan)]

The following registry keys were added by the bot to persist infection upon system reboot:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run [microsoft firevall engine] "%WINDIR%\mdm.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run [microsoft firevall engine] "%WINDIR%\mdm.exe"

The Command and Control server also sent an instruction to create another component, which uses the Pidgin icon and is copied into the following directory:

  • %TEMP%\eraseme_*random digits*.exe [Detected as GAV: MalAgent.G_3527 (Trojan)]
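The host-side artifacts described above, both the initial bot's persistence (dropped copies, Run keys, the netsh firewall exception) and the later mdm.exe and eraseme_*.exe components, can be checked for with the following PowerShell script. This is an added example, not SonicWall's code or a detection from the product; it assumes an elevated PowerShell 5.1 or later session on a Windows version that ships the NetSecurity module (Windows 8/Server 2012 onward), and the function name Find-IrcBotArtifacts is mine. Because the bot expands %TEMP% for the account it ran under, run the check in that user's context as well as from an administrator session.

```powershell
# Added example (not SonicWall's code): hunt a Windows host for the persistence
# artifacts listed in this advisory. Assumes an elevated PowerShell 5.1+ session on
# Windows 8/2012 or later (NetSecurity module provides Get-NetFirewall*).

function Find-IrcBotArtifacts {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Type, $Location, $Detail) {
        $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
    }

    # 1. Dropped copies of the bot and the second-stage component (paths from the advisory).
    $dropped = @(
        (Join-Path $env:WINDIR 'Temp\facebook-images.exe'),
        (Join-Path $env:TEMP   'adbreader.exe'),
        (Join-Path $env:WINDIR 'mdm.exe')
    )
    # The Pidgin-iconed component is %TEMP%\eraseme_<random digits>.exe; match digits only.
    $dropped += @(Get-ChildItem -LiteralPath $env:TEMP -Filter 'eraseme_*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^eraseme_\d+\.exe$' } |
        ForEach-Object { $_.FullName })

    foreach ($path in $dropped) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Add-Finding 'File' $path "SHA256=$hash"
        }
    }

    # 2. Run-key persistence. The value names are the ones the bot writes; "firevall" is
    #    the malware's own misspelling and is a cheap string to alert on.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $badValueNames = 'adobe driver update', 'microsoft firevall engine'
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $badValueNames) {
            if ($props.PSObject.Properties.Name -contains $name) {
                Add-Finding 'RunKey' "$key\$name" $props.$name
            }
        }
        # Also catch entries under a different value name that still point at the binaries.
        foreach ($p in $props.PSObject.Properties) {
            if ($badValueNames -contains $p.Name) { continue }
            if ($p.Value -is [string] -and $p.Value -match 'adbreader\.exe|mdm\.exe|facebook-images\.exe') {
                Add-Finding 'RunKey' "$key\$($p.Name)" $p.Value
            }
        }
    }

    # 3. Firewall exception. "netsh firewall add allowedprogram" yields an allow rule named
    #    "Adobe Driver Update" for the program path; check both the name and the program.
    $fwRules = @(Get-NetFirewallRule -DisplayName 'Adobe Driver Update' -ErrorAction SilentlyContinue)
    $fwRules += @(Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Program -match 'adbreader\.exe$' } |
        Get-NetFirewallRule)
    foreach ($rule in ($fwRules | Sort-Object -Property Name -Unique)) {
        $prog = ($rule | Get-NetFirewallApplicationFilter).Program
        Add-Finding 'FirewallRule' $rule.DisplayName "Action=$($rule.Action) Program=$prog"
    }

    return $findings
}

# Usage: wrap in @() because PowerShell unrolls the list when it leaves the function.
$hits = @(Find-IrcBotArtifacts)
if ($hits.Count -eq 0) {
    'No artifacts from this advisory were found on this host.'
} else {
    $hits | Format-Table -AutoSize
}
```

The script only reports; removing the Run-key values, deleting the files and dropping the firewall rule are deliberately left to the responder, since a hit on a file hash or the firewall rule is worth preserving for forensics before cleanup.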

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Injector.AOED (Trojan)
  • GAV: Zusy.G (Trojan)
  • GAV: MalAgent.G_3527 (Trojan)