IRC botnets have evolved to steal passwords and avoid detection

A recent analysis of some of the most common and widespread IRC based botnets performed by researchers at Zscaler revealed that such threats continue to thrive as they keep improving by adding new features. An IRC bot is a set of scripts or an independent program that connects to Internet Relay Chat as a client, and so appears to other IRC users as another user.

Dorkbot and other common IRC botnets

32323423_sBotnet malware has evolved to become a multipurpose tool that compromises the security of the infected system in several different ways, while building up an army of bots for large scale attacks. The worm Dorkbot is one of the most prevalent IRC based malware families. This threat, also known as Nrgbot is capable of stealing passwords, stopping security updates, downloading more malware, and even launching DDoS attacks using infected systems. Dorkbot is mostly spread via instant messaging services and social networking websites. The malware can also sneak into thumb drives thus creating another source of infection.

Once on the system, Dorkbot creates a registry entry to preserve itself while actively injecting malicious code into Microsoft Windows executables such as svchost.exe, mspaint.exe and calc.exe. The different code injected in the various Windows processes perform specific malicious tasks. For example, the malicious code in calc.exe downloads additional malware from 20 custom encrypted urls. The malware Dorkbot is also armed with a rootkit component.

Some other ambitious IRC botnet malware like RageBot, Phorpiex, and IRCBot.HI can even check for sandboxed environments and honeypots, and enter systems selectively, thus avoiding analysis and detection. To make the analysis process even more difficult, all of these threats have different propagation mechanisms.

According to Security Week:

“RageBot spreads by copying itself into RAR archive files, and folders associated with instant messaging and peer-to-peer (P2P) applications. Phorpiex spreads through removable drives, while the IRCBot.HI sample analyzed by Zscalers was designed to leverage Skype in order to spread.”

IRC botnets are alive, effective and evolving

Research shows that in the current cyber security environment, IRC botnets continue to evolve and thrive. Hackers have been using the combined power of thousands of infected computers as a weapon to launch massive DDoS attacks against various organizations for quite a while, but now they are looking to do even more.

As stated by Zscaler in their blog post:

“In this era of sophisticated botnets with multiple C&C communication channels, custom protocols, and encrypted communication; we continue to see a steady number of new IRC based botnet payloads being pushed out in the wild on a regular basis. As we saw in our analysis, IRC based botnet families continue to evolve in terms of sophisticated features incorporated in the bots.”

The good news is, several botnets have been targeted and taken down by joint International Police Operations this year, like this one. Although such combined efforts of government and private organizations have been pretty successful, it is important to remember that any massive botnet is still made of individual bots (infected computers). The cyber criminals can only use the power they salvage from their victims. Thus, by protecting your own computer and keeping it clean, you can prevent the growth of botnets too! Make sure you have an up to date anti-malware application.

Have a nice (malware-free) day!