Parasitic IRCBot in the wild

Statistics show that the contemporary malware landscape is dominated by Trojans in one form or another: Backdoors, Trojan-Downloaders, Trojan-Droppers, and so on.

Although we still see the same kind of viruses as we did 10 years ago, written by cyber hooligans, every now and then we find these old-style methods being incorporated into more serious malware.

Almost a year ago we wrote about Tenga, a classic file infector with worm and trojan-downloader functionality.

Recently we added detection for something similar: Virus.Win32.Virut.4960. While its name doesn’t sound very interesting, or pretty for that matter, this is quite an interesting sample.

Like Tenga, Virut.4960 is a classic appending virus: it infects .exe and .scr files by attaching its encrypted body to the end of the host file.
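The following script is an added example, not code from the original post and not Virut's own code. It shows the generic triage check an analyst runs on a suspected appending infector: parse the PE section table, look for a high-entropy (encrypted) body either inside the last section or in the overlay past the last section's raw data, and check whether the entry point has been moved into that last section. The clean host PE and the "infection" are constructed stand-ins (the appended body is random bytes, not code), and the entropy threshold of 7.0 bits per byte is an assumed tuning value, not something taken from the post.

```python
import math
import random
import struct

ENTROPY_THRESHOLD = 7.0   # assumed cut-off; encrypted or compressed data sits close to 8.0 bits/byte


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze_pe(data: bytes):
    """Parse PE headers and report the marks an appending infector tends to leave:
    entry point moved into the last section, a high-entropy last section, or a
    high-entropy overlay past the last section's raw data. None if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                                      # IMAGE_FILE_HEADER
    nsec, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    entry, = struct.unpack_from("<I", data, coff + 20 + 16)  # AddressOfEntryPoint (RVA)
    table = coff + 20 + opt_size                             # IMAGE_SECTION_HEADER array
    sections = []
    for i in range(nsec):
        off = table + i * 40
        if off + 40 > len(data):
            return None
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rsize, rptr))
    if not sections:
        return None
    name, vsize, va, rsize, rptr = max(sections, key=lambda s: s[2])  # highest RVA = last section
    entry_in_last = va <= entry < va + max(vsize, rsize)
    last_entropy = shannon_entropy(data[rptr:rptr + rsize])
    overlay = data[min(max(s[3] + s[4] for s in sections), len(data)):]
    overlay_entropy = shannon_entropy(overlay)
    suspicious = (entry_in_last and last_entropy >= ENTROPY_THRESHOLD) or (
        len(overlay) >= 1024 and overlay_entropy >= ENTROPY_THRESHOLD)
    return {"entry_rva": entry, "last_section": name, "entry_in_last_section": entry_in_last,
            "last_section_entropy": round(last_entropy, 2), "overlay_size": len(overlay),
            "overlay_entropy": round(overlay_entropy, 2), "suspicious": suspicious}


def _section_header(name, vsize, va, rsize, rptr, flags):
    return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, rptr, 0, 0, 0, 0, flags)


def build_sample_pe() -> bytes:
    """Constructed minimal two-section PE32 used as the clean host (not a real program)."""
    code = b"\x31\xc0\xc3".ljust(0x200, b"\x00")              # xor eax,eax ; ret
    data = b"hello\x00".ljust(0x200, b"\x00")
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, 0x200, 0x200, 0,
                      0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200).ljust(0xE0, b"\x00")
    hdr = (dos + b"PE\0\0" + coff + opt
           + _section_header(b".text", 3, 0x1000, 0x200, 0x200, 0x60000020)
           + _section_header(b".data", 6, 0x2000, 0x200, 0x400, 0xC0000040))
    return hdr.ljust(0x200, b"\x00") + code + data


def simulate_appending_infection(pe: bytes, body_len: int = 4096, seed: int = 1) -> bytes:
    """Constructed stand-in for an appending infector: append a pseudo-random 'encrypted'
    body, grow the last section to cover it, and move the entry point onto it.
    The body is random bytes, not code; only the file-layout changes are reproduced."""
    rng = random.Random(seed)
    buf = bytearray(pe + bytes(rng.getrandbits(8) for _ in range(body_len)))
    e_lfanew, = struct.unpack_from("<I", buf, 0x3C)
    coff = e_lfanew + 4
    nsec, = struct.unpack_from("<H", buf, coff + 2)
    opt_size, = struct.unpack_from("<H", buf, coff + 16)
    last = coff + 20 + opt_size + (nsec - 1) * 40             # assumes last header = last in file
    va, rsize, rptr = struct.unpack_from("<III", buf, last + 12)
    new_size = len(buf) - rptr
    struct.pack_into("<I", buf, last + 8, new_size)           # VirtualSize
    struct.pack_into("<I", buf, last + 16, new_size)          # SizeOfRawData
    struct.pack_into("<I", buf, last + 36, 0xE0000020)        # section now code + RWX
    struct.pack_into("<I", buf, coff + 20 + 16, va + rsize)   # entry -> start of appended body
    return bytes(buf)


if __name__ == "__main__":
    clean = build_sample_pe()
    print("clean   :", analyze_pe(clean))
    print("infected:", analyze_pe(simulate_appending_infection(clean)))
```

Treat the result as a triage signal, not a verdict: legitimate packers, installers and Authenticode-signed binaries also carry high-entropy overlays or writable, executable last sections. The check only tells you where to look; restoring the host file still requires an engine that can locate the original entry point and strip the appended body, which is exactly the disinfection capability the post says non-antivirus products lack.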

The interesting part is that the encrypted code contains IRCBot functionality: when an infected file is executed, it tries to connect to a specific IRC server.

The IRCBot functionality is very limited, and simply downloads a file of the attacker’s choice. However, even such restricted functionality is enough to introduce more malware onto the victim system.

This kind of attack has a clear advantage for the attacker: only a genuine antivirus engine will be capable of detecting it. Malware that uses this strategy will therefore bypass, for example, anti-spyware solutions that have no antivirus engine and so can neither detect nor disinfect virus-infected files.

Although file-infecting techniques are still not particularly common, this is an interesting trend, and one that will continue to evolve, because dedicated anti-spyware solutions are unable to combat such threats.
