Parasitic IRCBot in the wild

Statistics show that the contemporary malware landscape is, in the main, somehow connected with Trojans: Backdoors, Trojan-Downloaders, Trojan-Droppers, etc.

Although we are still seeing the same kind of viruses as we were seeing 10 years ago, written by cyber hooligans, every now and then we find old style methods being incorporated into more serious malware.

Almost a year ago we wrote about Tenga, a classic file infector with worm and trojan-downloader functionality.

Recently we added detection for something similar: Virus.Win32.Virut.4960. While its name doesn’t sound very interesting, or pretty for that matter, this is quite an interesting sample.

Like Tenga, Virut.4960 is a classic appending virus. This file infector infects .exe and .scr files by attaching its (encrypted) code.

The interesting part is that the encrypted code contains IRCBot functionality. When an infected sample is executed it tries to connect to a certain IRC server.

The IRCBot functionality is very limited, and simply downloads a file of the attacker’s choice. However, even such restricted functionality is enough to introduce more malware onto the victim system.

Using this kind of attack has some clear advantages; most significantly, that only virus scanners will be capable of detecting it. So malware which uses such strategies will be able to bypass, for example, anti-spyware solutions, which don’t have an antivirus engine, and therefore can’t detect and disinfect virus infected files.

Although the use of file infecting techniques still isn’t particularly common, it’s an interesting trend, which will continue evolving – because dedicated antispyware solutions will be unable to combat such threats.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *