Dissecting the NGR bot framework: IRC botnets die hard

2012-01-01

Aditya K. Sood

Michigan State University, USA

Richard J. Enbody

Michigan State University, USA

Rohit Bansal

SecNiche Security, USA
Editor: Helen Martin

Abstract

The latest variants of IRC-based botnets, such as the NGR botnet, are designed to steal sensitive information by exploiting browser processes and acting as backdoors. Aditya Sood and colleagues discuss the framework of the NGR bot version 1.1.0.0, which is growing in prominence in the malware world.


IRC-based botnets [1], [2] have become the preferred choice of bot herders for remotely managing bots. IRC networks provide anonymity during communication, which makes tracking their activity more difficult. The IRC network is used for sharing files, controlling network activity and sending distributed commands to networks of infected machines. The IRC network consists of dedicated servers that use specific communication channels. As a result, it is possible to control a large number of infected machines through a centralized space (an IRC channel) to create a complete botnet. Basically, the bot is compiled with a configuration which has a predefined IRC channel name. Once the bot is installed, it connects back to the IRC channel and the bot herder is able to send commands through that channel to operate the bot remotely. IRC-based botnets are popular for conducting Distributed Denial of Service (DDoS) attacks [3], [4]. However, the latest variants of IRC-based botnets, such as NGR, are designed to steal sensitive information by exploiting browser processes and acting as a backdoor. In this paper, we discuss the framework of the NGR bot version 1.1.0.0, which is growing in prominence in the malware world. The workings of the IRC bot are presented in Figure 1.

Figure 1. Working of IRC bot.

Understanding the framework

In this section, we present the design and analysis of the NGR bot framework. The framework consists of the bot executable with built-in modules. The design of the framework is discussed next.

Ring 3 bot

The NGR bot is a ring 3 bot that works in user space. The bot is written using the standard Visual Studio development kit. It has the characteristics of user-land rootkits [5], [6] and follows a similar process of DLL injection and hooking to infect the running processes in the system. The DLL injection is a system-wide operation and is not restricted to the browser process. That is, the NGR bot is capable of injecting content into any process in the system. The NGR bot exhibits some properties that are found in third generation botnets such as Zeus and SpyEye. The bot is designed to infect 32-bit processes and does not support 64-bit injections at this point. However, the bot can successfully be installed in versions of Windows including XP, Vista, Windows 7 and Windows Server. From the design of the NGR bot we expect that upcoming versions will include full support for injecting into 64-bit processes. Figure 2 shows the layer model of the Windows operating system and where the bot infects it.

Figure 2. Ring 3 layer of OS and bot infection.

Like all bots, the NGR bot is designed to operate in a covert manner. It can be installed in Windows using any user account without administrative privileges. The bot is capable of sending back information about the access rights of the victim’s account on the system through the IRC channel. The NGR bot’s primary installation location is the user’s application directory. The bot installs itself there under a randomly generated name so it varies from machine to machine. The bot is activated in the machine after a reboot. It ensures execution by creating a registry key with a path directly to the bot’s binary (under its random name). As the system is restarted, the NGR bot connects back to the IRC channel through a relay server and then becomes ready to receive commands, as shown in Figure 3.

Figure 3. NGR bot connecting back to IRC channel.

The bot sends information back to the server in the following format:

n{RU|XPa}kdskfksd

The bot herder can decipher the information from the string shown above. The ‘n’ parameter indicates that the bot is installed on a new machine. ‘RU’ indicates that the victim machine is located in Russia. The ‘XP’ string indicates that the infected operating system is Windows XP. The ‘a’ parameter shows that the bot is installed using an account that has administrative rights. The string ‘kdskfksd’ is the identity of the bot, generated in a pseudo-random manner. The general format of the string the bot sends back to the IRC channel is:

<new>{<COUNTRY>|<OPERATING SYSTEM><user type>}<random letters>
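The check-in format above is simple enough to parse mechanically, which is useful when triaging IRC traffic from a sinkhole or a monitored channel. The following is an added example written for this article, not code from the NGR bot or its authors. It assumes that the operating-system token is made of upper-case letters and digits and that the user-type marker is a single lower-case letter, with ‘a’ meaning an administrative account and any other letter treated as non-admin; the IRC log lines it scans are constructed for the demonstration.

```python
import re

# Parser for the NGR check-in string described in the article:
#   <new>{<COUNTRY>|<OPERATING SYSTEM><user type>}<random letters>
# Assumptions (not stated on the page): the OS token is upper-case letters
# and digits, and the user-type is one lower-case letter where 'a' means an
# administrative account; any other letter is treated as non-admin.
CHECKIN_RE = re.compile(
    r'^(?P<flag>n)\{(?P<country>[A-Z]{2})\|(?P<os>[A-Z0-9]+)(?P<utype>[a-z])\}'
    r'(?P<bot_id>[A-Za-z0-9]+)$'
)

# Minimal IRC PRIVMSG line: ":nick!user@host PRIVMSG #chan :message"
PRIVMSG_RE = re.compile(
    r'^:(?P<nick>[^!\s]+)\S*\s+PRIVMSG\s+(?P<chan>\S+)\s+:(?P<msg>.*)$'
)


def parse_checkin(text):
    """Return a dict describing one check-in string, or None if it does not match."""
    m = CHECKIN_RE.match(text.strip())
    if not m:
        return None
    return {
        "new_install": m.group("flag") == "n",
        "country": m.group("country"),
        "os": m.group("os"),
        "is_admin": m.group("utype") == "a",
        "bot_id": m.group("bot_id"),
    }


def extract_checkins(irc_log):
    """Scan raw IRC lines and return parsed check-ins found in message bodies."""
    found = []
    for line in irc_log.splitlines():
        m = PRIVMSG_RE.match(line)
        if not m:
            continue
        info = parse_checkin(m.group("msg"))
        if info:
            info["channel"] = m.group("chan")
            found.append(info)
    return found


# Constructed IRC lines for the demonstration; not captured traffic.
SAMPLE_IRC_LOG = """\
:n{RU|XPa}kdskfksd!ngr@10.0.0.5 PRIVMSG #ngr :n{RU|XPa}kdskfksd
:herder!h@10.0.0.1 PRIVMSG #ngr :~version
:n{US|XPu}qwpeoriu!ngr@10.0.0.7 PRIVMSG #ngr :n{US|XPu}qwpeoriu
:someone!x@10.0.0.9 PRIVMSG #chat :hello there
"""

if __name__ == "__main__":
    for entry in extract_checkins(SAMPLE_IRC_LOG):
        print(entry)
```

The bot identity is the field worth keying on: it is stable per infected host, so counting distinct bot IDs per channel gives a rough botnet size, while the country and admin flags give the herder (and the analyst) a quick view of what each infection is worth.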

Figure 4 shows the NGR bot in action. The ‘~version’ command can be used to show the identity information from the NGR bot.

Figure 4. NGR bot sending identity information after successful installation

The bot is designed to communicate over SSL using an IRC channel. In order to set up the SSL communication, the IRC server must be configured to initiate an encrypted channel with the NGR bot. The bot binary is optimized and has a built-in module for testing the connection speed. The ‘+speed’ command on the IRC channel can be used to measure the speed for exchanging data. All the Inter Process Communication (IPC) among processes is encrypted. The NGR dropper deletes itself once the bot is successfully unpacked and installed on the victim’s machine. The bot also changes the extension of files to ‘.exe’ so that other files such as *.vbs can be executed successfully to trigger infections.

We have described the NGR bot functionality above. In the next sections, we will present the rest of the NGR bot framework.

Grabbers – browsers, FTP & POP3

The NGR bot uses a form-grabbing module to extract sensitive information from the victim’s machine. The latest version of the NGR bot is robust enough to execute hooking in both Internet Explorer and Mozilla Firefox. IE uses wininet.dll, whereas Firefox uses nspr4.dll for HTTP communication. The NGR bot hooks various functions in these libraries and captures the GET/POST requests to extract credentials from the submitted forms. Since it uses form grabbing, the NGR bot does not have a keylogging module. We presented details of the form-grabbing technique in [7]. Additionally, the NGR bot has a built-in FTP grabber module that hooks ws2_32.dll functions to extract the credentials sent to various FTP servers. Finally, a POP3 grabber module works in a similar way to the FTP grabber module.

Figure 5 shows how the NGR bot sends credentials back to the IRC server.

Figure 5. NGR bot sending form-grabbing credentials.

On the IRC channel, the ‘~logins’ and ‘~stats’ commands show the number of fetched credentials and related stats.

Spreaders

Spreader modules are used to spread the botnet across a variety of interfaces of the victim machine. These interfaces include USB devices and Instant Messengers (IMs) such as MSN. The NGR bot has the following built-in spreaders.

USB spreader: The NGR bot infects USB devices and replicates itself on them. Once the victim machine is infected with the bot, the built-in USB spreader module waits for USB devices to be inserted and tries to infect them. The USB spreader module uses a linking technique in which .lnk files are inserted into the USB drive with a path to the NGR bot. A desktop.ini file is also created to hide the folder in which the bot resides. In addition, the NGR bot is able to infect USB drives using an obfuscated autorun.inf method. This method can be activated using the ‘~mod usbi’ command on the IRC channel. This module works on all versions of Windows.

MSN spreader: The NGR bot also has a built-in MSN spreader module that hooks the ws2_32!send function to detect MSN messages being sent. The spreader module monitors the MSN communication channel and waits for a certain set of messages so that it can start injecting illegitimate messages. The spreader can successfully inject processes such as msmmgr.exe, wlcomm.exe, pidgin.exe and msmsgs.exe using protocols msnp10 and msnp21. The ‘~msn.int’ and ‘~msn.set’ commands are defined in the NGR bot for this purpose.
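The USB spreader leaves a recognisable footprint on a removable drive: .lnk files at the drive root, a desktop.ini in the folder that holds the dropped binary, and (when the ‘~mod usbi’ method is used) an autorun.inf. The script below is an added triage example written for this article, not NGR code; the directory layout it builds is constructed, the folder name and the desktop.ini CLSID are illustrative, and the .lnk targets are not parsed (only their presence at the root is reported). Hidden and system attributes are not checked either, since they are not visible from a non-Windows host.

```python
import os
import tempfile

# Added example: triage scan for the USB-spreader indicators described in the
# article. Not NGR code; the sample tree is constructed for the demonstration.
LNK_EXT = ".lnk"
EXEC_EXTS = (".exe", ".scr", ".vbs", ".bat", ".cmd")


def _autorun_targets(path):
    """Pull open=/shellexecute= targets out of an autorun.inf, tolerating the
    junk lines an obfuscated variant pads the file with."""
    out = []
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            if sep and key.strip().lower() in ("open", "shellexecute"):
                out.append(("autorun_target", value.strip()))
    return out


def scan_removable_root(root):
    """Return (indicator, path) tuples found directly under a removable drive root."""
    findings = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        lower = name.lower()
        if os.path.isfile(path):
            if lower.endswith(LNK_EXT):
                findings.append(("lnk_at_root", path))
            elif lower == "autorun.inf":
                findings.append(("autorun_inf", path))
                findings.extend(_autorun_targets(path))
        elif os.path.isdir(path):
            ini = os.path.join(path, "desktop.ini")
            if os.path.isfile(ini):
                findings.append(("desktop_ini_in_subdir", ini))
            for sub in os.listdir(path):
                if sub.lower().endswith(EXEC_EXTS):
                    findings.append(("executable_in_subdir", os.path.join(path, sub)))
    return findings


def build_sample_drive():
    """Constructed throw-away tree mimicking an infected USB stick (assumed layout)."""
    root = tempfile.mkdtemp(prefix="usb_")
    hidden = os.path.join(root, "RECYCLER")
    os.mkdir(hidden)
    with open(os.path.join(hidden, "desktop.ini"), "w") as fh:
        # Recycle Bin CLSID makes Explorer render the folder as the bin.
        fh.write("[.ShellClassInfo]\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\n")
    with open(os.path.join(hidden, "xk2f9s.exe"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes, not a real binary
    with open(os.path.join(root, "Photos.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00")  # truncated shell-link header, placeholder only
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\n;junk\nopen=RECYCLER\\xk2f9s.exe\naction=Open folder\n")
    return root


if __name__ == "__main__":
    for kind, where in scan_removable_root(build_sample_drive()):
        print(kind, where)
```

On a live machine the same scan should be run against the mounted drive root; a .lnk at the root whose target sits in a subfolder containing both a desktop.ini and an executable is the combination worth escalating.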

DNS modifier

DNS entry modifications are an important part of the NGR bot. Generally, DNS modification can be achieved in two ways:

  • Updating the hosts file – The bot can update the entries in the hosts file in order to manipulate the DNS resolution.

  • Hooking dnsapi.dll – The bot can hook the resolver DLL so that name lookups made by applications are answered from the bot’s own rule list instead of from the real DNS response.

The NGR bot hooks the dnsapi.dll file to modify the DNS entries on the victim’s machine. This module is incorporated in the NGR bot so that virus detection websites such as VirusTotal, Kaspersky, and so on can be blocked on the host. The DNS modifier is also capable of setting a DNS redirection so that a legitimate website’s address is mapped to an illegitimate one. This feature is used to serve malware. The ‘~chdns’ command is used to perform those actions. Figure 6 shows the DNS modifier in action.
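Of the two techniques above, only the hosts-file variant leaves a trace on disk, so a hosts-file check is the first thing to run on a suspected infection. The following is an added example written for this article, not code from the bot or its authors. The watchlist of security-vendor domains, the loopback/blackhole address set and the sample hosts content are all constructed for the demonstration.

```python
import ipaddress

# Added example (not part of the article): hosts-file checker for the DNS
# modification technique. Watchlist, blackhole set and sample are constructed.
BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
WATCHLIST = ("virustotal.com", "kaspersky.com", "microsoft.com", "symantec.com")
LOCAL_NAMES = ("localhost", "localhost.localdomain")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts entry; skip rather than guess
        for host in parts[1:]:
            yield parts[0], host.lower()


def suspicious_hosts_entries(text, watchlist=WATCHLIST):
    """Flag watchlisted domains that are blocked (mapped to a blackhole address)
    or redirected (mapped anywhere else), plus any other non-local name that
    has been silently blackholed."""
    flagged = []
    for ip, host in parse_hosts(text):
        if host in LOCAL_NAMES:
            continue
        watched = any(host == d or host.endswith("." + d) for d in watchlist)
        if watched and ip in BLACKHOLE_IPS:
            flagged.append(("blocked", host, ip))
        elif watched:
            flagged.append(("redirected", host, ip))
        elif ip in BLACKHOLE_IPS:
            flagged.append(("blackholed", host, ip))
    return flagged


# Constructed sample, not taken from an infected host.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1     localhost
::1           localhost
127.0.0.1     www.virustotal.com virustotal.com
127.0.0.1     www.kaspersky.com
10.13.37.5    update.microsoft.com   # redirect to an attacker-controlled host
127.0.0.1     example-update.net
203.0.113.10  example.com
"""

if __name__ == "__main__":
    for verdict in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(verdict)
```

A clean hosts file does not clear the host: a dnsapi.dll hook answers lookups in memory, so the second check is to resolve the same watchlisted names from the suspect machine and from a known-clean host (or with a direct query to a trusted resolver that bypasses the system API) and compare the answers.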

Figure 6. DNS modifier in action.

Proactive defence (PDEF+) and RUSKILL

Bot wars are on the rise as large botnets compete to infect the same computers. The NGR bot has a built-in module that kills other installed IRC bots in the system. PDEF+ is an active threat detection module that monitors and scrutinizes the various APIs and the file system to detect and remove infections. This module can detect and block malware that has been distributed using USB drives, IRC bots and browser exploits. The NGR bot has modified this module to detect and kill the butterfly bot, butterfly flooder, GBOT and all other IRC-based bots.

The built-in Ruskill module is designed to stealthily execute files. The NGR bot has the built-in command ‘~baja’ which is used to download malicious executables from a remote website. The downloaded binary executes automatically and triggers infection. The Ruskill module monitors the downloaded binary and flags it, then deletes the binary on system reboot. This functionality is widely used by IRC bots to remove downloaded files after execution.

Denial of Service (DoS)

Denial of Service is a primary functionality of IRC bots so the NGR bot is well equipped with DoS modules:

  • SYN flooder: The bot sends a continuous stream of TCP packets with the SYN flag set, filling the target’s half-open connection table. The SYN flood can take down web servers that the other flooders cannot.

  • UDP flooder: The bot sends a continuous flow of UDP packets to take down the target. This module is designed to target small networks.

  • Slowloris: The bot has a built-in Slowloris module [8]. This conducts DoS attacks against Apache web servers: the module opens many connections to the web server and keeps each of them open for a long period by sending only partial HTTP requests. As a result, the target’s connection pool becomes exhausted, because every slot is held by a connection that never completes, and no new connections can be served by the web server.
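Because a Slowloris client sends almost nothing, bandwidth graphs stay flat and the only reliable signal on the server is a single source holding an unusual share of the connection slots. The script below is an added example for this article, not code from the bot; it reads a netstat -ant style connection table (proto, recv-q, send-q, local, remote, state). The snapshot it builds is constructed, and the threshold of 20 held connections is an assumption to be tuned per server.

```python
from collections import Counter

# Added example (not from the article or from the bot): spotting a
# Slowloris-style connection hold in a connection-table snapshot.
# Sample lines are constructed; the threshold is an assumption.


def build_sample_netstat(attacker="198.51.100.7", held=30, local="203.0.113.10:80"):
    """Constructed snapshot: one client holding many connections plus normal traffic."""
    lines = []
    for i in range(held):
        lines.append(f"tcp 0 0 {local} {attacker}:{40000 + i} ESTABLISHED")
    for i, ip in enumerate(("192.0.2.11", "192.0.2.12", "192.0.2.13")):
        lines.append(f"tcp 0 0 {local} {ip}:{51000 + i} ESTABLISHED")
        lines.append(f"tcp 0 0 {local} {ip}:{52000 + i} TIME_WAIT")
    lines.append("tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN")
    lines.append("udp 0 0 0.0.0.0:53 0.0.0.0:*")
    return "\n".join(lines)


def parse_connections(text, local_port=80):
    """Return (remote_ip, state) for every TCP connection on the given local port."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue
        local, remote, state = parts[3], parts[4], parts[5]
        if local.rsplit(":", 1)[-1] != str(local_port):
            continue
        rows.append((remote.rsplit(":", 1)[0], state))
    return rows


def connection_holders(text, local_port=80, threshold=20):
    """Remote addresses holding at least `threshold` ESTABLISHED connections to
    the web port, most connections first. A Slowloris client keeps every
    connection open while sending almost nothing, so it shows up as one source
    with an outsized share of the server's connection slots."""
    counts = Counter(ip for ip, state in parse_connections(text, local_port)
                     if state == "ESTABLISHED")
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    for ip, n in connection_holders(build_sample_netstat()):
        print(f"{ip} holds {n} connections")
```

Per-source counting is a first pass only: a real attacker can spread the hold across many addresses, so the complementary check is the server side (for example, the number of Apache workers stuck reading request headers relative to the configured maximum).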

Figure 7 shows the working of a Slowloris module.

Figure 7. Slowloris in action through IRC channel.

Conclusion

In this paper, we have presented a detailed framework of the NGR bot and the different types of modules it supports. The NGR bot has been widely used to trigger infections and compromise machines. Our analysis has revealed that the bot is very effective and capable of running in a concealed manner. Looking at the development of the NGR bot, we can expect further advancement such as support for hooking 64-bit processes, Facebook IM spreaders and so on in the near future. The sophisticated framework of the NGR bot indicates that IRC-based botnets will continue to be a hard nut to crack.

Bibliography

[1] Characterizing the IRC-based Botnet Phenomenon. http://honeyblog.org/junkyard/reports/botnet-china-TR.pdf.

[3] Distributed Denial of Service: Taxonomies of Attacks, Tools and Countermeasures. http://palms.ee.princeton.edu/PALMSopen/DDoS%20Final%20PDCS%20Paper.pdf.

[4] Distributed Denial of Service Attacks. http://www.ensc.sfu.ca/~ljilja/papers/smc00_edited.pdf.

[7] Sood, A. K.; Enbody, R. J.; Bansal, R. The art of stealing banking information – form grabbing on fire. Virus Bulletin November 2011, p.19. http://www.virusbtn.com/pdf/magazine/2011/201111.pdf.

[8] Slowloris HTTP DoS. http://ha.ckers.org/slowloris/.

Appendix – NGR bot commands

Command    Options                                  Details
~baja      <url>,<md5>,<-r>,<-n>                    Bot downloads and executes a file from the specified URL
~updt      <url>,<md5>,<-r>                         Bot updates its file, but the update does not take effect until the system is restarted
~mata      (none)                                   Bot disconnects from the IRC server
~l1mpia    (none)                                   Bot removes itself from the system
~mudo      [state]                                  Enables/disables all output to IRC relating to commands and features
~version   (none)                                   Bot displays its version, customer name, the MD5 hash of its file, and its installed file path
~v1sit     [url],[state]                            Bot creates a browser instance and visits the specified link
~rc        <-n>,<-g>                                Bot disconnects from the IRC server and waits 15 seconds before reconnecting
~move      <rule>,<options>,<channel>,<key>         Bot joins the specified channel
~p4rt      <rule>,<options>,<channel>               Bot leaves the specified channel
~pais      <rule>                                   Bot joins the channel for its country
~mix       <rule>                                   Bot leaves the channel for its country
~speed     (none)                                   Bot determines the average upload speed
~mod       [module],[state]                         Enables/disables modules that use hooks
~stats     <-l>,<-s>                                Retrieves statistics for spreading and/or login grabbing
~logins    <site>,<-c>                              Retrieves all grabbed and cached logins
~stop      (none)                                   Bot ends all running flood tasks
~ssyn      [host],[port],[seconds]                  SYN flooder
~udp       [host],[port],[seconds]                  UDP flooder
~msn.int   [interval]                               Sets the number of MSN messages in a conversation before one is replaced with the spreading message
~msn.set   [message]                                Sets the message that will be used for MSN spreading
~chdns     [url] | [domain1 <domain2|ip2>]          Bot blocks access to, or redirects, the specified domain/IP address

Table 1. NGR bot commands
