FOR CUSTOMERS

Close

Library
My library

+ Add to library

Search
Search

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

A query form

Call us

+7 (495) 789-45-86

Forum

Your tickets

New ticket

Call us

+7 (495) 789-45-86

Profile

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY
Close
News

News by topic

Virus alerts
The Anti-virus Times
News boxes
Press center

Back to the news list

BackDoor.IRC.NgrBot botnet steps out of the shadow

September 9, 2011

Doctor Web—the leading Russian anti-virus developer—reports new cases of infection by BackDoor.IRC.NgrBot used by criminals to create a large botnet.

One of the ways to spread theTrojan horse is via flash drives. When you plug a flash drive into the USB-port, BackDoor.IRC.NgrBot copies itself with a random name into the % RECYCLER% folder and creates a startup file autorun.inf. Once in a system, the Trojan horse hides system folders in the root directory and instead creates shortcuts. Opening the shortcuts launches malicious programs. Then BackDoor.IRC.NgrBot saves itself as a file with a random name into the system folder %APPDATA%, adds itself to the registry branch listing autorun applications and launches itself. After that BackDoor.IRC.NgrBot injects its code into the explorer.exe process and all other running processes except for skype.exe and lsass.exe and removes its copy that has been used to launch it. When launched, the Trojan horse checks its integrity: if it is lost, the harmful program erases the system boot sector and also several following sectors and displays the following message on the screen:

"This binary is invalid.
Main reasons:
- you stupid cracker
- you stupid cracker...
- you stupid cracker?!"
Then the Trojan horse attempts to acquire privileges to restart the system.

If the system has been infected successfully, BackDoor.IRC.NgrBot authorizes on a controlling IRC-server, sends a corresponding report and awaits for instruction, which can be commands to update the bot, switch to another IRC channel, remove the bot, transfer statistics, begin a DDoS-attack, enable redirecting — in all the set of instructions includes several dozen commands. A distinguishing feature of this network is encryption of bots downloaded onto infected machines during updating. Thus, virus writers try to complicate detection of the malware by anti-viruses.

In addition, BackDoor.IRC.NgrBot allows attackers to perform the following tasks:

  • Control such programs as ipconfig.exe, verclsid.exe, regedit.exe, rundll32.exe, cmd.exe, regsvr32.exe;
  • Block access to information security and anti-virus vendors' web-sites;
  • Intercept and forward to criminals the stolen account information used to authorize on various sites (including PayPal, YouTube, Facebook, AOL, Gmail, Twitter);
  • Intercept and send to criminals messages sent via Facebook or Twitter;
  • Redirect the user to various phishing sites.

Each bot in the network generates its name according to the version of the operating system installed on the infected computer, its locale, and permissions available to the Trojan horse. According to Doctor Web's virus analysts, on September 2 alone bots comprising the BackDoor.IRC.NgrBot network redirected users to phishing web-sites that mimic the design of www.davivienda.com and colpatria.com 60806 times.

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments