By: Nirmal Singh

IRC Botnets Alive, Effective & Evolving


An IRC Botnet is a collection of machines infected with malware that can be controlled remotely via an IRC channel. It usually involves a Botnet operator controlling the IRC bots through a previously configured IRC server & channel. The Botnet operator, after appropriate checks, periodically moves the IRC bot to a new IRC channel to thwart researchers & automated sandboxes from monitoring the commands.
In this blog, we will look at one of the most prevalent IRC based malware families - DorkBot, followed by three additional IRC Botnet families - RageBot, Phorpiex, and IRCBot.HI.
DorkBot Installer
In our telemetry data from last 3 months we have seen following URL serving the DorkBot installer:
api1[.]wipmania[.]com[.]wipmsc[.]ru/api1[.]gif  (Check APPENDIX section for additional info.)
The malware executable checks for two command line arguments
  • "-aav_start"  - It terminates
  • "–shell"  - It starts the infection cycle, creates a registry key "Windows Update" to ensure persistence, and creates a mutex named “Windows_Shared_Mutex_231_c000900” to ensure only one copy of Dorkbot is running
If no command line argument is provided, it starts injecting threads into other processes without performing the above mentioned actions. 
It first injects a thread into svchost.exe and performs the following actions:
  1. Copy itself as "%APPDATA% \Update\Explorer.exe" on the infected system.
  2. Creates a Run registry key with the name of "Windows Explorer Manager" for the dropped executable copy.
  3. It creates a thread that monitors the Run key created in step 2 & recreates it if missing, every 10,000 seconds.
  4. It also creates a thread that copies the file created in step 1 to file name “\c731200” in the "%APPDATA%” folder.
  5. It then creates a remote thread in mspaint.exe that tries to resolve a predetermined list of domains as shown in image below:
DorkBot - Hardcoded Domains
The main Dorkbot binary (MD5-E7E48AD1A2A57CC94B56965AA8B476DA) was found embedded in the resource section which is extracted and executed at runtime.
DorkBot - memory strings
It also creates a remote thread in the “calc.exe” process that performs the following actions:
  1. Creates a mutex with the name “c731200
  2. Checks for Internet connectivity using API InternetCheckConnection with as the URL.
  3. It then tries to download files from 20 different URLs and saves the downloaded file with random file names in the %Temp% folder. File names are shown in the screenshot below:
DorkBot- Random file names
All the URLs are hardcoded in the DorkBot and are encrypted via a custom encryption method.
DorkBot - Encrypted URLs
DorkBot - Pseudocode of decryption function
Below is the full list of URLs from from where it tries to download additional malware:
Dorkbot represents a family of information stealing worms that uses IRC based Command & Control (C&C) server communication. Dorkbot is also known as ngrBot due to it's similar feature set. It is one of the most powerful IRC based botnets that generates revenue for the botnet operator via the following features:
  • Capable of spreading via chat messengers, USB drives, & social networking sites
  • Supports multiple Distributed Denial of Service (DDoS) attack types
  • Capable of stealing login credentials for multiple HTTP and FTP sites
  • Blocks security update related websites to evade detection
  • Capable of downloading, installing and uninstalling other malware payloads
RageBot, Phorpiex, and IRCBot.HI Analysis –
From our 3 months telemetry data, we have seen the following URLs serving these IRC bots–
Malware Name
In addition to IRC based C&C communication, all these bots have following similarity in their operation:
1. Checks execution environment - Virtual Environment, Honeypot or Sandbox
RageBot - Check via Username
As seen in the screenshot above, Ragebot is checking for common usernames found in certain public sandboxing environments before executing further.
Phorpiex - Check via DLL name
Phorpiex bot looks for strings like 'qemu', 'virtual', and 'vmware' in system registry to check for execution in Virtual Environment. In addition, it also checks for the presence of Sandboxie sandbox environment by looking for specific DLLs as seen in the screenshot above.
IRCBot.HI - Check via DLL & Product IDs
It is important to note that IRCBot.HI checks the ProductID value from the registry against multiple hardcoded ProductID values. It terminates execution if any of them matches. We believe that these hardcoded ProductIDs were harvested from various online public sandboxes.
2. Creates Mutex
RageBot – It creates a mutex with name “ie”
RageBot - Mutex
           Phorpiex – It creates a mutex with name “t2”, We have also seen some Phorpiex samples which were creating mutexes with name “t3” and “t4”. 
Phorpiex - Mutex
          IRCBot.HI – During installation it creates a mutex with the name MAIN_<RandomNumber>. When it runs from the installation path, it creates a mutex with the name BACKUP_<RandomNumber> 
IRCBot.HI - Mutex
3. Installation
RageBot- It installs itself in “%ProgramFiles%\Common Files\System” or “C:\DOCUME~1\” directory. The malware uses ragebot.exe as file name for the dropped file.
RageBot – Building installation path
If it is not able to create the file at the above mentioned locations then it tries to install itself in “C:\RECYCLER” directory.
Phorpiex – It installs itself into %WINDIR% , %USERPROFILE% , %APPDATA% and %TEMP% locations by creating a folder “M-50504578520758924620” containing a file named winmgr.exe.
Phorpiex – Pseudocode of Installations function 
It then deletes itself after installation by running a batch file dropped in the %TEMP% folder.
IRCBot.HI – During our analysis it installed itself into %WINDIR% and %USERPROFILE%. In %WINDIR%, it creates a folder named 1756410959 and drops copy of itself as lsass.exe. In %USERPROFILE%, it drops copy of itself as ctfmon.exe. 
IRCBot.HI – Installing in different locations
4. Adding autostart feature using Run registry key.
RageBot – Creates Run Key -         HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and key name as – “Windows Update”
Phorpiex – Creates Run Key - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and key name as – “Microsoft Windows Manager”
IRCBot.HI – Creates Run Once Key - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce and key name as – “*<RandomNumber>”
IRCBot.Hi – RunOnce Entry
5. Adding itself to Windows Firewall trusted application list 
All these bots add themselves to the Windows Firewall’s exception list by modifying the key
6. Propagation method 
RageBot – 
  1. It copies itself to the following P2P & Instant messenger application folders for spreading  
    • \Program Files\LimeWire\Shared
    • \Program Files\eDonkey2000\incoming
    • \Program Files\KAZAA
    • \Program Files\Morpheus\My Shared Folder\
    • \Program Files\BearShare\Shared\
    • \Program Files\ICQ\Shared Files\
    • \Program Files\Grokster\My Grokster\
    • \My Downloads\
  2. It also searches for RAR files and copies itself inside them.
Phorpiex –

    A. Creates a shortcut in a removable device
  • It checks for all removable devices
  • Copies itself with a different name
  • Creates a shortcut to an already present folder and sets the path of a shortcut to run the malicious file
  • Hides the malicious file and folder by setting a hidden attribute for both
Phorpiex - Creating Shortcuts

    B. Creates an autorun.inf file in removable devices to autorun the malicious file
  • Checks for all removable devices.
  • Copies itself with a name of windrv.exe
  • Creates an autorun.inf file to autorun the malicious file
Phorpiex - Creating autorun.inf file
IRCBot.HI - 
We identified strings related to Skype in memory during our analysis that would suggest this bot is capable of spreading via Skype. 
IRCBot.HI - Skype inject related string
7. IRC based Command & Control communication
All these bots use the IRC protocol for C&C communication. Bots perform different actions based on the commands received from the remote C&C server.
RageBot – During our analysis, this RageBot sample was trying to connect to vnc.e-qacs[.]com on port 6668. Upon successful connection, the following initial communication was observed:
RageBot - C&C Communication
You can find full list of C&C commands in the appendix section.
Phorpiex – It tries to connect to trksrv[.]su on port 5050. Some other IRC servers it tries to connect to are - trik[.]su , srv50[.]ru and trkbox[.]ru. Upon successful connection, it sends the following IRC commands:
                                      NICK `|USA|hihdlxu
                                      USER x "" "x" :x
Some other commands:
                              001 -> Sends JOIN #b message to server
                              PING -> Checks status
                              .j <channel name> - > Join given channel
                              bye -> Uninstall bot
Phorpiex - C&C Communication
IRCBot.HI - It tries to connect to irc[.]ernsthaft[.]su or irc[.]ded-rrwqwzjzjris[.]com on port 6667. 
Upon successful connection, it sends the following IRC commands:
                                     PASS ddos
                                     USER <8 char string> <1 digit number> * :<8 char string>
                                     NICK n[USA|A|D|<OS_NAME><OS_TYPE>|1c]<8 char string>
                                     JOIN #PlanB

Below is a sample of the C&C communication for this bot:
IRCBot.HI - C&C Communication
In this era of sophisticated Botnets with multiple C&C communication channels, custom protocols, and encrypted communication; we continue to see a steady number of new IRC based Botnet payloads being pushed out in the wild on a regular basis. As we saw in our analysis, IRC based Botnet families continue to evolve in terms of sophisticated features incorporated in the bots.

ThreatLabZ is actively monitoring this threat and ensuring signature coverage for Zscaler customers.


DorkBot installer URLs and MD5

Jan-15 E49B3EF80FF4DB4DB1D5220930EC7DAD api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 CC9D72663D2495779B0C81AEE34592E7 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 A98472BCAA010433A80410C3483C90E1 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 EEFC72EFFD96FFD11EC2D69CD6248AC5 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 4E7149C1401F5A0BC34E3AAD6070F4BE api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 5B14C029570F40BDDC73669FE4EFEFB0 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 4C54D366B04F9980F038CB6FC62603D0 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 6E4282023D6A19B27C30DB5D54CEE32C api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 E7B61B2BE23167965079468DF36497EF api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 DC8CBA3F91A34F0D1EFA79BE4495B305 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 8AAD291926335F28B4402830252556F7 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 8036A36C372602CFA049996B9F5BD6AE api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 8036A36C372602CFA049996B9F5BD6AE api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 7257FD6F90B5AA9BB249EA74B764A401 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 B186525826856E881E879C6C44BB2452 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 220188F1BD2E10BA0751383EA0946DBA api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 2DB9BD0ABD99F3285721D358A6816737 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 EBEB072B8336F5FD35328227A60B271C api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 01303BEFE5938C3C748C4E058A8A6AE9 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 82E2CA09BDEB3ABF8B70D848F66793E7 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 0B2E7AE8DF2ADA1E86A3A25FC248C6FE api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 430560EBD3BE6A680BFA6409F332585B api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 F79AF05D9B43F99EB6FC64DA2C129F67 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 384252746FAFF8D264E6A8CA450B6301 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 C9636239ED698834CABA78E1F9F8DB0F api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 9C42746376CC7D265D6BF554B960EDE2 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 67B08BF0F2C89DE4E0D1C36BAF7193B9 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 735B6602B4BD1D71246F43642D6873AA api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 7D9AF61AE962443D586BFC8A86100B5F api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 05ABC48A4BEE624D7952954CF14F699D api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 FF638ACA7D8D10ED8AD2DE1BC333123D api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 AA4085182E8F10FEC8EBC3F6D3612321 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 1A54593E7C82DD1B16B7626FCB211DA1 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Jan-15 235E67A88907DA68BFBB9264A00A31E3 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 2CBD9428DEE885C30258BF0C38299138 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 CCDC5EC2085536160813658BE549F0B6 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 CBD732F87901EE03820DBA41D0D2895A api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 BE5E43F2786D628B7AA8689C2108247D api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 5AEC4A3B3E0AEB3B13B98086FC81D797 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 6034814DB1C25A092C39F251F29B2216 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 6CAE0B51E5EAD86EEA47C4068287650A api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 451E324D3CB601E00FA041D6FDE1C4EC api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 9AEB3A097F11887D89EC08D337814B6B api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 8F9F97232DBE283BC5E7B6AB4DD580B8 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 F57A08679380F3FDFD369528FE5CE854 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 F24BC22CFD12E3FDE40D06BF54F35CF1 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 4BB4C19B5FC2401D45845789CC761577 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 583432D95424EC051AFE9E621DC41ACA api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 C5756AC3FE61266D326B43E904BC1A6C api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 44012367D7FFA7845B59462952AB9014 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 FC506F023FF71E3ACDEE4449C43E5F1B api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 322E11B552B897ADBC9ABCE51774988E api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 EC0832E5818E4CD753C4B2675C6179A1 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 63C37B2FEB0C0F71568B9771AC4DACE4 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Feb-15 7BE4749D1D1F8950F7288C67A393B7F0 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 ADDF9E2B207AD9E89DB46E81A8121882 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 3E70DB4E5F5F60F2FDE7AEC38F4B30CD api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 268301147BC53722A898E1F38E6F026D api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 309FB15C08861BC063C19C326A29AC98 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 422C1A2BC53F72CAE5435F7F5598BDFD api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 30A6C9DC574075C5EA47F17EA9392C47 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 37A9570400CB0C0CD4E5273AE3232EB5 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 E59BCA5EE865FE5789C96B20A43F9207 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 919C861E6A6ABF88045476D5D92A5DE1 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 5FD98DE177F158C31960BF80272F2535 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 9439AA18598643131B3F8DD9E69AB294 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 F66A06166B73391C4C7A7A58CC6CE66C api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 79589FC33375A63BB44A8DE0B2B5DAF8 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 2C328EF3F2074D68729F329D4B2F8013 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 90E8FF73C7E78B99ABCD1FC22394F22E api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 A3AEC401831AF6EF1C75AFB1C50D96DA api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 42C7C8719D33AFCF36DC7D5D2594EB5B api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 375E51758336183B07CA7DBF771D2EF8 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 FA20E413002E17B938B2451552721027 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 09840FA1887528B20C98C408C8EB6E07 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 6AB2975E77EA4724FADF4CCB7250F0E9 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 51E7E34FFB5EF17FDE5FAFC5DF8F7212 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 F61E3F5ACFE1F861CECEA0A793D4F333 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 229236B39E92E629178419CB8A529E1A api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 D299AD2A61F325F5DA56AE7674D2F77D api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 53CA20232F358A9C256748403451EF14 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 41BE96D1B3BDF9E48D97AE153D6EFD45 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif
Mar-15 213E0B42AF7CF1D0DCB75E378CA93512 api1[.]wipmania[.]com[.]wipmsc[.]ru/api1.gif

RageBot Commands

Command Description
PING Check status
422 Check status
433 Redefine nick name
-s Silent mode
h 0f6969d7052da9261e31ddb6e88c136e Uninstall bot.
h fd456406745d816a45cae554c788e754 Download and run file
Botinfo Sends botinfo
p2p Starts p2p spread, Copy itself into following location-
\Program Files\LimeWire\Shared
\Program Files\eDonkey2000\incoming
\Program Files\KAZAA
\Program Files\Morpheus\My Shared Folder\
\Program Files\BearShare\Shared\
\Program Files\ICQ\Shared Files\
\Program Files\Grokster\My Grokster\
\My Downloads\
commands Sends following list of commands
commands: botinfo/rarworm/xpl/p2p/vncstop/disconnect/reconnect/nick/restart/part/join/
rarworm Scan for .rar files and copy itself into .rar archives with name as ?self-installer.exe?
disconnect Disconnect itself
b0tk1ller (off) Starts a thread that scans for the running processes and terminate the process if process name matched with hardcoded process names.
If parameter off is provided it stops the bot killer thread.
reconnect Reconnects to the same server Same as reconnect since there is only one ip hardcoded in the bot.
nick (nickname) Sets nick name if nickname not provided that generates random nickname
restart Restarts itself
vncstop Stop VNC scanning threads.
join (channel_name) Join mentioned channel
xpl Starts vnc and ftp scanning threads.

Analysis by: Amandeep Kumar, Avinash Kumar, Nirmal Singh & Deepen Desai

Learn more about Zscaler.