funsec mailing list archives

Kaspersky: Parasitic IRCBot in the Wild


From: "Fergie" <fergdawg () netzero net>
Date: Wed, 10 May 2006 17:23:01 GMT

This is pretty interesting.

The last quoted paragraph is significant.

[snip]

Statistics show that the contemporary malware landscape is, in the main, somehow connected with Trojans: Backdoors, 
Trojan-Downloaders, Trojan-Droppers, etc.

Although we are still seeing the same kind of viruses as we were seeing 10 years ago, written by cyber hooligans, every 
now and then we find old style methods being incorporated into more serious malware.

Almost a year ago we wrote about Tenga, a classic file infector with worm and trojan-downloader functionality.

Recently we added detection for something similar: Virus.Win32.Virut.4960. While its name doesn't sound very 
interesting, or pretty for that matter, this is quite an interesting sample.

Like Tenga, Virut.4960 is a classic appending virus. This file infector infects .exe and .scr files by attaching its 
(encrypted) code.

The interesting part is that the encrypted code contains IRCBot functionality. When an infected sample is executed it 
tries to connect to a certain IRC server.

The IRCBot functionality is very limited, and simply downloads a file of the attacker's choice. However, even such 
restricted functionality is enough to introduce more malware onto the victim system.

[snip]

More here:
http://www.viruslist.com/en/weblog?weblogid=186375095

Has anyone else actually seen this, and if so, is it really "in the wild"?

Thanks,

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
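The quoted Kaspersky note describes Virut.4960 as a classic appending infector: encrypted code attached to .exe/.scr files, with execution redirected into it. The script below is an added example (not code from Kaspersky, the viruslist post, or the funsec list) showing the static signals a defender can check for that pattern on any PE file: bytes past the last declared section (the overlay), the entropy of those bytes, and whether the entry point lands in the final section. The two PE32 images it analyses are constructed in memory as test fixtures; the section name `.xyz`, the 7.0 bits-per-byte entropy threshold and the `is_suspicious()` rule are assumptions chosen for illustration, not Virut's actual layout or Kaspersky's detection logic.

```python
"""Triage heuristics for appending file infectors in PE executables.

Added example, not code from Kaspersky or the funsec list. It constructs
two small PE32 images in memory (test fixtures, not real binaries): one
laid out like an ordinary program and one showing the traits described
in the post, high-entropy ("encrypted") code attached at the end of the
file with execution starting there. analyze_pe() reports the signals a
defender can check on any PE: data past the last declared section (the
overlay), its entropy, and which section holds the entry point.
"""
import math
import random
import struct

FILE_ALIGN = 0x200
SECTION_HDR = 40         # size of one IMAGE_SECTION_HEADER
OPT_HDR_SIZE = 224       # PE32 optional header; only magic and entry point are filled in
ENTROPY_THRESHOLD = 7.0  # bits per byte (assumed cut-off); plain code rarely exceeds this


def align(n):
    """Round n up to the file alignment."""
    return -(-n // FILE_ALIGN) * FILE_ALIGN


def shannon_entropy(buf):
    """Bits per byte of buf; 8.0 is the maximum (uniformly random data)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    total = len(buf)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def build_sample_pe(sections, entry_section, overlay=b""):
    """Build a minimal PE32 image from [(name, raw_bytes), ...] (constructed fixture).
    Virtual addresses are set equal to file offsets to keep the fixture simple;
    the entry point is the first byte of sections[entry_section]."""
    n = len(sections)
    ptr = align(64 + 4 + 20 + OPT_HDR_SIZE + SECTION_HDR * n)   # end of headers
    layout = []
    for name, raw in sections:
        layout.append((name, raw, ptr, align(len(raw))))
        ptr += align(len(raw))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, OPT_HDR_SIZE, 0x102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, layout[entry_section][2])    # AddressOfEntryPoint
    table = b"".join(struct.pack("<8sIIII", name, len(raw), off, size, off) + b"\0" * 16
                     for name, raw, off, size in layout)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(layout[0][2], b"\0")
    body = b"".join(raw.ljust(size, b"\0") for _, raw, _, size in layout)
    return headers + body + overlay


def analyze_pe(data):
    """Parse the PE headers and return the triage signals as a dict."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 60)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0] # AddressOfEntryPoint
    table = pe + 24 + opt_size
    sections = [struct.unpack_from("<8sIIII", data, table + SECTION_HDR * i) for i in range(nsec)]
    end_of_sections = max(rptr + rsize for _, _, _, rsize, rptr in sections)
    overlay = data[end_of_sections:]                        # anything past the declared sections
    decode = lambda raw_name: raw_name.rstrip(b"\0").decode("ascii", "replace")
    entry_name = None
    for name, vsize, va, rsize, rptr in sections:
        if va <= entry < va + max(vsize, rsize):
            entry_name = decode(name)
    last_name, _, _, last_size, last_ptr = sections[-1]
    return {
        "entry_section": entry_name,
        "entry_in_last_section": entry_name == decode(last_name),
        "last_section_entropy": shannon_entropy(data[last_ptr:last_ptr + last_size]),
        "overlay_size": len(overlay),
        "overlay_entropy": shannon_entropy(overlay),
    }


def is_suspicious(signals):
    """Appending-infector pattern (assumed rule): execution starts in a high-entropy
    final section, or high-entropy bytes hang off the end of the file."""
    return ((signals["entry_in_last_section"] and signals["last_section_entropy"] > ENTROPY_THRESHOLD)
            or (signals["overlay_size"] > 0 and signals["overlay_entropy"] > ENTROPY_THRESHOLD))


def make_fixtures():
    """Constructed sample images: a plain layout and one with the described traits."""
    rng = random.Random(2006)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for encrypted code
    trailer = bytes(rng.getrandbits(8) for _ in range(1024))  # stands in for appended data
    text = b"\xc3" * 64 + b"\0" * 960                          # mostly padding, low entropy
    data = b"hello\0" * 50
    clean = build_sample_pe([(b".text", text), (b".data", data)], entry_section=0)
    suspect = build_sample_pe([(b".text", text), (b".data", data), (b".xyz", noise)],
                              entry_section=2, overlay=trailer)
    return clean, suspect


if __name__ == "__main__":
    for label, image in zip(("clean", "suspect"), make_fixtures()):
        signals = analyze_pe(image)
        print(label, "suspicious" if is_suspicious(signals) else "ok", signals)
```

Run it as-is to see both fixtures scored; to triage a real file, read it into `data` and call `analyze_pe(data)`. Entropy alone is a weak signal (packed or compressed legitimate binaries are also high-entropy), which is why the rule pairs it with where execution starts; the IRC connection the post mentions is a runtime behaviour and needs network or host monitoring rather than a static check.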