
Up close with a Bot

May 27th, 2008

During our malware investigations we come across some interesting things. Today, we will discuss the case of an IRC bot.

First of all, let’s start by defining what we are talking about. A Bot is an infected machine (carrying a malicious backdoor program) which can be controlled by a hacker through a command and control infrastructure. A botnet is a network made up of such infected machines.

Bots can be used for multiple purposes: one can use them to host malware, send spam, or combine them to launch DDoS attacks (distributed denial of service), typically to bring down a server.

What usually happens is that a computer gets infected by a drive-by download. In most of the cases we have seen, it is a Trojan Downloader whose purpose is to contact a server and install a malicious backdoor. This program gives the hacker (also known as the bot herder) full control over the PC, which is now a Bot.
The bot connects to an IRC (Internet Relay Chat) server where it identifies itself. For example, it will send a message to the hacker, saying: “I’m a Windows XP machine, with a broadband connection, my IP address is …… etc.”. The hacker can then control the bot by sending it instructions via the IRC channel.
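As an added defender-side example (not code from the original post), here is a small Python detector that parses IRC lines the way a network sensor might log them and flags channels where several distinct nicks announce their OS, connection type and IP address, the kind of check-in described above. The sample traffic, the bracketed message format and the keyword lists are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed IRC traffic as a sensor might log it; the check-in format is assumed.
SAMPLE_LINES = [
    ":irc.example.net 001 abcd1234 :Welcome to the network",
    ":abcd1234!bot@10.0.0.5 JOIN :#control",
    ":abcd1234!bot@10.0.0.5 PRIVMSG #control :[Windows XP][DSL] online, IP 10.0.0.5",
    ":herder!h@172.16.0.9 PRIVMSG #control :.status",
    ":alice!a@10.0.0.7 PRIVMSG #chat :my Windows XP box has cable, anyone up for lunch?",
    ":zz9f8e7d!bot@10.0.0.6 JOIN :#control",
    ":zz9f8e7d!bot@10.0.0.6 PRIVMSG #control :[Windows 2000][Cable] online, IP 10.0.0.6",
]

OS_RE = re.compile(r"\bWindows\s+(?:XP|2000|Vista|NT|9\d|ME)\b", re.I)
CONN_RE = re.compile(r"\b(?:broadband|dsl|cable|dial-?up|lan|t1)\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_irc(line):
    """Split one RFC 1459 style line into (nick, command, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    nick = prefix.split("!", 1)[0] if prefix else None
    return nick, parts[0], parts[1:], trailing


def find_checkins(lines):
    """Messages that announce OS, connection type and an IP address to a channel."""
    hits = []
    for line in lines:
        nick, command, params, text = parse_irc(line)
        if command != "PRIVMSG" or not text or not params:
            continue
        if OS_RE.search(text) and CONN_RE.search(text) and IP_RE.search(text):
            hits.append((nick, params[0], text))
    return hits


def suspect_channels(lines, min_bots=2):
    """Channels where several distinct nicks checked in: likely command channels."""
    nicks_by_channel = defaultdict(set)
    for nick, channel, _ in find_checkins(lines):
        nicks_by_channel[channel].add(nick)
    return {ch: sorted(n) for ch, n in nicks_by_channel.items() if len(n) >= min_bots}
```

The ordinary chat line mentioning Windows XP and cable is not flagged because it carries no IP address, which keeps the heuristic from firing on normal conversation.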

At this point the PC is owned by the hacker and may be participating in illegal activities. Hackers gather hundreds of thousands of bots to launch massive spam campaigns or DDoS attacks.

After the theory, let’s see a real-life example. We found this PHP IRC Bot configuration file that describes the main commands used by a hacker to control a Bot. Here are some screenshots:

[Screenshot: Configuration of the Bot server.]

[Screenshot: Commands available to the Bot Master.]

As you can see, it is frightening how much a hacker can do with a compromised PC. Malware authors are well aware of the power of combining computers to generate money or launch a cyber attack. The other scary thing is that most people are not aware that their PC is part of a Botnet. Our recommendations to our readers are to scan their PC regularly and to shut it down when they are not using it. Once the power is turned off, the hacker loses the machine, that is until the next time it restarts ;-)

JSegura

This entry was posted on Tuesday, May 27th, 2008 at 2:13 pm and is filed under Botnets.

Jerome Segura is a Security Analyst working at ParetoLogic.
© 2009 ParetoLogic Inc.