Virut is a Windows file infector that propagates by infecting executable and Web-related files (such as .html, .php or .asp files). Its payload runs as a remote thread inside winlogon.exe, a well-known, critical Windows process.
The payload does two things:
- It infects other files.
- It connects to a command and control (C&C) server.
The C&C server is established over IRC. The IRC host names and ports are hardcoded inside the virus body, and may be updated during propagation. Based on variants, the protocol details vary. For instance, Virut may connect to a high TCP port and use encryption (custom symmetric algorithm). Beneath the encrypted layer are standard IRC commands. It’s worth noting that the key is never directly exchanged between the client and its server. This means the server has to bruteforce it, using a known-plaintext/known-ciphertext attack on the initial IRC nickname (NICK) request.
Other versions do not encrypt the communication channel and may use the HTTP port to evade firewalls that do not check packets at the application level. Either way, at the IRC level the protocol details are as follows. First, the client initiates a connection by sending NICK/USER commands:
NICK [EIGHT RANDOM CHARACTERS]
USER [RANDOM CHARACTERS][OS VERSION] . . :[%|#][VOLUME ID][CRC] [OS SERVICE PACK]
USER d020501 . . :%111111118 Service Pack 2
It then decrypts a hard-coded channel name embedded in the virus body, and joins it:
JOIN #.[HARD-CODED ID]
The bot then waits for IRC requests sent by the server. It does not send commands on its own. The bot replies to standard ping commands by a “pong” to show the server its well-being.
Commands are sent via standard private message commands (PRIVMSG), used to send messages to a specific nickname or to all users of a channel. Reverse engineering has shown that the bot understands two types of commands:
- Download and execute content pointed to by a URL.
- Update the host name of the C&C server for upcoming connections.
The server, if not properly configured and hardened, may give more information than the malware gang may be willing to share. In the case of Virut, the server is quite verbose:
:k. 351 hvhmdwhu hybrid-7.3beta(SVN). k. :egIKMZ6 TS6ow
The authors are using Hybrid 7.3, a well-known, open-source IRC server. The STATS command can then show us what commands are implemented on the server (either IRC compliant or Hybrid specific).
We may also get a list of IRC servers in their networks and how many bots (users) are currently connected:
:k. 015 hgjfyuis :k. ---------------------------------- | Users: 12202 (100.0%)
:k. 015 hgjfyuis : `- u. ------------------------------ | Users: 0 (0.0%)
:k. 015 hgjfyuis : |- i. -------------------------- | Users: 0 (0.0%)
:k. 015 hgjfyuis : `- j. -------------------------- | Users: 0 (0.0%)
We can also have the list of channels and the number of bots connected to them:
:k. 322 hgjfyuis #.3159 73 :
:k. 322 hgjfyuis #.3146 6 :
:k. 322 hgjfyuis #.3302 1 :
:k. 322 hgjfyuis #.2535 2 :
:k. 322 hgjfyuis #.3627 2 :
:k. 322 hgjfyuis #.3224 38 :
:k. 322 hgjfyuis #.7800 3 :
:k. 322 hgjfyuis #.1625 52 :
Multiple channels are used by different versions of Virut and likely segregated as they are sold off to different attackers.
The bots of a specific channel may also be retrieved. Here, the nicknames clearly show that the channel is populated by Virut’s clients:
:k. 353 hgjfyuis = #.3497 :wnepgxqd zfzguzcn ntvwgkpe drywxfuj hccrgway rkrapoxt jlbbemzr fhospudx itxtqdpi sylxrxwb mxujknoj mrbnarsy wwwotczf dgnjojew clzjzakc hgjfyuis cnethhfx …
Some channels are also poorly configured, meaning any connected user (a bot or a rogue client), can send private messages to all the bots on such channels. Once the download and execute command format is understood, you may easily imagine how malicious users could install their own malware or perform partial botnet takeover. It seems big channels, hosting thousands of bots, are properly configured and do not allow standard users to post to the channel. In these poorly configured channels, one can prevent bots from rejoining such that the attacker no longer has control on the infected system.
Below are the initial steps of a client connecting to a Virut IRC server:
Note that after the JOIN command, the server sent PRIVMSG commands instructing the bot to download more threats. Also note the LIST command output: the channel #.1794 has 27 users.
After shutting down the channel in such a way that bots cannot rejoin, we see only two users remain on the channel, which are likely to be the attackers themselves.
While we are able to shut down some of the channels, most of the larger channels are configured properly and cannot be controlled by outside parties. Unfortunately repeated requests to ISP administrators to shutdown the entire server have been ignored. Thus, while we can put a dent into some of Virut’s activities, it continues to survive.