W32.IRCBot.NG and W32.Phopifas
In a previous blog post, my colleague Kevin Savage detailed a social engineering attack that used instant messaging applications. Although the infection rates of W32.IRCBot.NG and W32.Phopifas have passed their peaks, the modules continue to be updated daily.
The infection routine of these threats has not changed since they were discovered, but the threat authors have added new file-hosting sites from which the threats are downloaded. W32.IRCBot.NG attempts to steal the passwords used on compromised computers to log into these file-hosting sites. In addition, some modules are hosted on the servers of virtual server services, and unfortunately one of the malicious URLs is listed in the Top 100 downloads at one ranking site. The threat has also added new languages and now uses 32 of them; the language it uses depends on the location of the compromised computer.
Minor & specific packer
Usually, successful malware adopts randomly chosen, heavily obfuscated packers, and the type of packer is changed periodically. In this attack, however, the modules used one specific packer for over a week. It contains the following operation code at the second layer of the packer:
This code allows the malicious routine to continue only if WakeUpRage.dll fails to load through the LoadLibrary API, which means the malware runs only on a computer that does not contain that DLL file. The purpose of this check appears to be to stop the malware from running on the malware author’s own computer.
Changing behaviour according to the operating environment is nothing new. This packer was first seen in September and has been used by several variants, including W32.Yimfoca.B, W32.IRCBot, and Downloader. However, it is not widespread and appears to be a minor packer; the malware author may have been testing threats before this attack.
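A defender-side triage check for the kill-switch described above, written here as an added example rather than code from the original post: it scans a dump of the unpacked layer for the WakeUpRage.dll name in both the ASCII (LoadLibraryA) and UTF-16LE (LoadLibraryW) forms and pairs it with the presence of a LoadLibrary import string. The sample bytes are constructed for illustration, and the assumption that the DLL name survives as a plain string in the dump is a heuristic, not something the post states.

```python
import re

# DLL named on the page as the one whose presence stops the malware.
KILL_SWITCH_DLL = "WakeUpRage.dll"


def encodings_of(name: str) -> dict:
    """ASCII and UTF-16LE byte forms, matching LoadLibraryA / LoadLibraryW."""
    return {"ascii": name.encode("ascii"), "utf-16le": name.encode("utf-16-le")}


def find_kill_switch_markers(data: bytes, dll_name: str = KILL_SWITCH_DLL) -> list:
    """Return sorted (offset, encoding) pairs where the DLL name appears.

    Matching is case-insensitive because Windows DLL names are, so a sample
    that writes WAKEUPRAGE.DLL still hits. IGNORECASE on a bytes pattern folds
    only ASCII letters, which is exactly what both encodings contain.
    """
    hits = []
    for enc, needle in encodings_of(dll_name).items():
        pattern = re.compile(re.escape(needle), re.IGNORECASE)
        hits.extend((m.start(), enc) for m in pattern.finditer(data))
    return sorted(hits)


def triage(data: bytes) -> dict:
    """Combine the DLL-name hit with a LoadLibrary import string for a verdict."""
    markers = find_kill_switch_markers(data)
    uses_loadlibrary = re.search(rb"LoadLibrary(?:Ex)?[AW]?\x00", data) is not None
    if markers and uses_loadlibrary:
        verdict = "suspect-kill-switch"
    elif markers:
        verdict = "dll-name-only"
    else:
        verdict = "clean"
    return {"markers": markers, "loadlibrary": uses_loadlibrary, "verdict": verdict}


# Constructed dumps (not real malware): padding, an import name, the DLL name.
SAMPLE_ASCII = b"\x90" * 8 + b"LoadLibraryA\x00" + b"\x00" * 4 + b"WAKEUPRAGE.DLL\x00" + b"\xcc" * 6
SAMPLE_WIDE = b"LoadLibraryW\x00" + "WakeUpRage.dll".encode("utf-16-le") + b"\x00\x00"

if __name__ == "__main__":
    for name, dump in (("ascii", SAMPLE_ASCII), ("wide", SAMPLE_WIDE)):
        print(name, triage(dump))
```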
In any case, messaging with malicious links remains an effective way for malware to propagate, even though it is neither new nor unique. Internet users should always use caution when clicking on links and keep antivirus applications up to date.