Nirbot – Even Botters Need Attention
A new bot has been making the rounds this winter and has been dubbed “Nirbot”, “Rinbot”, “Vanbot”, or “IrnBot” depending on the AV vendor. This is one of the first new IRC bot codebases to emerge in the past few years, and like many other Windows bots it’s written in C++. Unlike Spybot, Agobot, or other popular Windows bots, this malware does not have a rich set of capabilities. Once installed on a system, it can start HTTP servers, SOCKS4 and SOCKS5 proxies, launch an FTP server, steal CD keys for popular programs, download arbitrary files, and disable various analysis programs such as Filemon. Once launched, the malware also downloads at least one additional binary used to hide itself. Finally, the malware joins an IRC server to communicate with the authors and receive commands. Exploits used by this family of malware include spreading through Windows file shares protected by weak passwords, the Symantec Client Security and Symantec AntiVirus elevation of privilege vulnerability (SYMC06-010), the Microsoft Windows Server Service remote buffer overflow vulnerability (MS06-040), and weak passwords used to protect Microsoft SQL Server. In the few months they have been using and developing this malware, the authors have been known to add new exploits. During propagation the victim system retrieves the bot executable from the attacking system via TFTP file transfer. All of this is pretty standard for the bot world, although the number of exploits is significantly lower than most bots include. The name is a play on the name found in the malware itself.
We’ve seen a steady rise in Symantec AV overflow attacks in the past month or so (TCP ports 2967 and 2968), as evidenced by the ATLAS graphs below. We think this is due to the aggressiveness of the Nirbot authors in getting their malware out and its reliance on this exploit. It’s tempting to think that this is not going to affect many people, after all the vulnerability is over six months old; however, it clearly does affect people. This malware even reportedly disrupted operations at CNN, so it can cause havoc on a network with weak passwords or these lingering vulnerabilities. Get patched!
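As an added example (not from the original post or from Arbor's own tooling), the propagation pattern described above, a host hammering the Symantec AV ports 2967/2968 (or 445 for MS06-040 and weak share passwords) across many peers and then serving the bot over TFTP, can be surfaced from flow records like this. The log line format, the hosts, and the threshold are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

SCAN_PORTS = {2967, 2968, 445}   # exploit/propagation ports named in the post
TFTP_PORT = 69                   # victims pull the bot binary from the attacker via TFTP
MIN_TARGETS = 5                  # assumed threshold: distinct peers hit before we call it scanning

# Assumed flow-log shape: "<timestamp> <src> -> <dst> <proto>/<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)\s+(?P<proto>tcp|udp)/(?P<dport>\d+)$"
)

def parse_flow(line):
    """Return (ts, src, dst, proto, dport) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["ts"], m["src"], m["dst"], m["proto"], int(m["dport"]))

def find_spreaders(lines, min_targets=MIN_TARGETS):
    """Map each scanning host to its target count and the targets that fetched a file back via TFTP."""
    scan_targets = defaultdict(set)   # scanner -> peers it probed on SCAN_PORTS
    tftp_pulls = defaultdict(set)     # TFTP server -> clients that pulled from it
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue                  # skip malformed lines instead of crashing the sweep
        _, src, dst, proto, dport = rec
        if proto == "tcp" and dport in SCAN_PORTS:
            scan_targets[src].add(dst)
        elif proto == "udp" and dport == TFTP_PORT:
            tftp_pulls[dst].add(src)  # dst is the TFTP server, i.e. the attacking host
    report = {}
    for host, targets in scan_targets.items():
        if len(targets) >= min_targets:
            # a probed peer that then pulls via TFTP from the scanner is the infection handshake
            report[host] = {"targets": len(targets),
                            "tftp_pullers": sorted(tftp_pulls[host] & targets)}
    return report

# Constructed sample: 10.1.2.3 sweeps six peers on 2967, one of them pulls via TFTP;
# 10.1.2.50 makes a single legitimate SMB connection; one line is garbage.
SAMPLE_FLOWS = [f"2007-03-02T10:00:0{i} 10.1.2.3 -> 10.9.0.{i} tcp/2967" for i in range(1, 7)] + [
    "2007-03-02T10:00:09 10.9.0.4 -> 10.1.2.3 udp/69",
    "2007-03-02T10:00:10 10.1.2.50 -> 10.9.0.1 tcp/445",
    "not a flow line",
]

if __name__ == "__main__":
    for host, info in find_spreaders(SAMPLE_FLOWS).items():
        print(f"{host}: probed {info['targets']} peers, TFTP pulls from {info['tftp_pullers']}")
```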
We’ve also seen some DDoS attacks which were sourced from Nirbot machines, telling us that stopping these guys will be important.
Static analysis of the binaries is usually an interesting exercise, and we’ve seen the Nirbot author start to share messages with people. Some of them are hostile (more below), but some of them are quite intriguing. This one led me to do some more investigation and talk to a bunch of folks to try and explain it.
The Nirbot author sure does like to chat (see some more messages below). This one got my interest, however, as it’s not something you see all the time. After talking to some folks about it, people think it’s related to the “Quebec Health Care Virus”. It may be that the health care system was affected by Nirbot spreading and disrupting services. So why the message? Remorse? My guess is that the author(s) are trying to avoid the same fate that befell Christopher Maxwell, who got 3 years for a botnet affecting hospitals. It would have been better if they just hadn’t released the bots in the first place … This may also explain some of the skipped networks. If you look at the list, some are obvious RFC1918 space, but some are allocated networks.
Like I said, the Nirbot author sure is a chatty type. Some of these messages are relatively benign or boastful, the kinds of things you expect to see from a malware author who knows that someone is peering into their creations:
Other messages, however, are clear threats and attempts at intimidation. I’ve edited some of these to obscure offensive language or personal information about the targets.
What’s next for the Nirbot person (or people)? We’ll see, but we don’t expect them to be slowing down for a while. They’re obviously adding features, becoming more destructive, and becoming an increasing threat. Many folks in the analysis community are working on tracking these guys down and putting a stop to them.
Links around the blogosphere include …