IRC Control Bots And The Terror Exploit Kit Used in Malware Campaigns

Hackers are using IRC bots to control malware and infected hosts, as well as the Terror Exploit Kit to deliver viruses globally.

IRC Control Bots Used In Malicious Malware Campaigns

Security analysts have spotted a dangerous new wave of IRC bots which are used to control and manage malware campaigns. The operators have named them “Ziggy StarTux”, a reference to David Bowie and Tux the penguin. Such bots come in various types; however, the most common one is associated with replicating malicious files that contain IRC client code and respond to commands issued from a remote channel. As IRC is one of the most common protocols used for chat, it is very easy for hackers to set up their own servers and automated bots that respond to the queries. The current wave of such bots comprises several different components, which may consist of a base and modules that can be dynamically configured depending on the predefined targets. Some of the common ways in which bot operators generate income are the following:

  • DDOS Network For Hire – They are hired by computer hackers who want to coordinate large-scale DDOS attacks against specific web servers.

  • Extortion – Some bot networks are used to send out threatening emails that use various social engineering tricks to make the victims pay large amounts of money.

  • Spam – This is the most common case: the IRC bots are used to send messages and launch application windows or reconfigure the installed web browsers (Internet Explorer, Mozilla Firefox, Google Chrome) in a manner similar to browser hijackers, changing the default homepage, new tab page and search engine to point to a hacker-controlled site or a malicious ad network which generates direct revenue for the operators.

  • Identity Theft – Sophisticated versions can take screen captures, steal stored account credentials and run keyloggers, which makes it very easy for the hackers to gain sensitive information about the compromised machines.

  • Software Installation Revenue – Malicious IRC bots can persuade users to install various types of software which generate an affiliate payment for the hackers.

The identified bot (Ziggy StarTux) has been found to use an encrypted SSH connection and open-source technology. Its capabilities can be summarised in three separate categories.

DDOS Attacks & Functions

  • An advanced SYN packet flooder which can compromise most network drivers – Configurable parameters are the target host, port and the rate of packet generation.

  • A UDP Flooder – Configurable parameters are the target host, port and the rate of packet generation.

  • Non-Spoof UDP Flooder – Configurable parameters are the target and the rate of packet generation.

  • New Generation ACK Flooder – Configurable parameters are the target host, port and the rate of packet generation.

  • New Generation SYN Flooder – Configurable parameters are the target host, port and the rate of packet generation.

  • Classic SYN Flooder – Configurable parameters are the target host, port and the rate of packet generation.

  • Classic ACK Flooder – Configurable parameters are the target host, port and the rate of packet generation.

  • Retrieval Of The Current Spoof Parameters

  • Parameter Change For The Spoofed Subnet

  • Kill Switch For Current Packet Spoofing

Main IRC Bot Functions

  • Nick Change

  • Server Change

  • Arbitrary Command Execution

  • Disable All Packets From Remote Client

  • Enable All Packets From Remote Client

  • Kills The Client

  • Displays The Help Text

  • Downloads A File From A Remote Server And Saves It To The Local Machine

  • Bot Update

  • Installs A Binary File From A Remote Server Via The HTTP Protocol

Shell & Command Functions

  • Command Execution

  • Interactive Shell Execution

  • Daemon Service Execution

  • Executes Commands Via Bash

  • System Information Harvest

  • Remote Shell Configuration

  • PID Kill
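
For defenders, the functions listed above (nick change, server change, channel-issued commands) all ride on an ordinary IRC client session, which is easy to spot when it comes from a machine that has no reason to chat. The following is an added detection sketch, not code from the analysed bot or from the researchers; it assumes a sensor that can see client-to-server payload lines in cleartext, and the addresses, nicknames and channel name in the sample are constructed.

```python
import re
from collections import defaultdict

# Client-side IRC commands (RFC 1459 / RFC 2812) seen during registration and channel use.
IRC_CMD = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PONG)\s+(\S+)", re.IGNORECASE)
# Ports where IRC is commonly expected; an assumption to tune per network.
USUAL_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

def find_irc_sessions(records):
    """records: (src, dst, dport, line) tuples of client-to-server payload lines.
    Returns one finding per session in which the client registered as an IRC client."""
    sessions = defaultdict(lambda: {"cmds": [], "channels": set()})
    for src, dst, dport, line in records:
        m = IRC_CMD.match(line.strip())
        if not m:
            continue
        cmd, arg = m.group(1).upper(), m.group(2)
        state = sessions[(src, dst, dport)]
        state["cmds"].append(cmd)
        if cmd == "JOIN":
            state["channels"].update(arg.split(","))
    findings = []
    for (src, dst, dport), state in sessions.items():
        cmds = state["cmds"]
        # Require NICK and USER together: FTP also sends "USER <name>" but never NICK.
        if "NICK" not in cmds or "USER" not in cmds:
            continue
        findings.append({
            "src": src, "dst": dst, "dport": dport,
            "unusual_port": dport not in USUAL_IRC_PORTS,
            "channels": sorted(state["channels"]),
            "nick_changes": cmds.count("NICK") - 1,  # renames after registration
        })
    return findings

# Constructed sample (documentation addresses), not captured traffic.
SAMPLE = [
    ("10.0.5.23", "203.0.113.10", 8080, "NICK host1234"),
    ("10.0.5.23", "203.0.113.10", 8080, "USER host1234 0 * :host1234"),
    ("10.0.5.23", "203.0.113.10", 8080, "JOIN #ctl"),
    ("10.0.5.23", "203.0.113.10", 8080, "PONG :203.0.113.10"),
    ("10.0.5.23", "203.0.113.10", 8080, "NICK host5678"),
    ("10.0.5.40", "198.51.100.7", 21, "USER anonymous"),
    ("10.0.5.40", "198.51.100.7", 21, "PASS guest@example.com"),
    ("10.0.5.41", "198.51.100.9", 80, "GET /index.html HTTP/1.1"),
]

if __name__ == "__main__":
    for finding in find_irc_sessions(SAMPLE):
        print(finding)
```

A finding with `unusual_port` set, coming from a server or unattended workstation, is the case worth triaging first.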

The Terror Exploit Kit Distributes Malware In Target Campaigns

This exploit kit is used to launch large-scale malware infection attacks. Unlike other similar tools, this one contains two advanced features:

  1. Computer hackers host the exploits on a main domain instead of hosting numerous subdomains that redirect to a hacker-controlled array of servers.

  2. A direct request to the landing page results in a delivery of various exploits.

During the security analysis the researchers were able to spot eight different exploits which are used to deliver various malware to the victims' machines:

  1. CVE-2014-6332 – OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by an array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka “Windows OLE Automation Array Remote Code Execution Vulnerability.”

  2. CVE-2016-0189 – The Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Scripting Engine Memory Corruption Vulnerability,” a different vulnerability than CVE-2016-0187.

  3. CVE-2015-5119 – Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

  4. CVE-2015-5122 – Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of the opaqueBackground property, as exploited in the wild in July 2015.

  5. CVE-2013-1670/CVE-2013-1710 – The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 does not prevent acquisition of chrome privileges during calls to content level constructors, which allows remote attackers to bypass certain read-only restrictions and conduct cross-site scripting (XSS) attacks via a crafted web site.

  6. CVE-2014-1510/CVE-2014-1511 – The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allows remote attackers to execute arbitrary JavaScript code with chrome privileges by using an IDL fragment to trigger a window.open call.

  7. CVE-2014-8636 – The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with a DOM object that has a named getter, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via unspecified vectors.

  8. CVE-2015-4495 – The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015.
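
Every exploit in the list targets a bug with a stated version boundary, so a software inventory can be checked against the list directly. The following is an added example, not part of the original analysis; it uses only the Firefox "before X" and Flash Player (Windows/OS X) "through X" boundaries quoted above, does not model ESR builds, Linux Flash or the Windows/IE entries, and the host names and inventory are constructed.

```python
# CVE labels and version boundaries as quoted in the list above.
FIREFOX_FIXED = {  # release channel: affected when installed version < fixed version
    "CVE-2013-1670/CVE-2013-1710": "21.0",
    "CVE-2014-1510/CVE-2014-1511": "28.0",
    "CVE-2014-8636": "35.0",
    "CVE-2015-4495": "39.0.3",
}
FLASH_AFFECTED = {  # Windows/OS X: inclusive (first, last) affected ranges
    "CVE-2015-5119": [("13.0", "13.0.0.296"), ("14.0", "18.0.0.194")],
    "CVE-2015-5122": [("13.0", "13.0.0.302"), ("14.0", "18.0.0.203")],
}

def parse(version):
    """'39.0' -> (39, 0, 0, 0); padding makes 39.0 and 39.0.0 compare equal."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def exposed_cves(product, version):
    """Return the listed CVEs whose affected range contains this version."""
    v = parse(version)
    if product == "firefox":
        return [cve for cve, fixed in FIREFOX_FIXED.items() if v < parse(fixed)]
    if product == "flash":
        return [cve for cve, ranges in FLASH_AFFECTED.items()
                if any(parse(lo) <= v <= parse(hi) for lo, hi in ranges)]
    return []

def audit(inventory):
    """inventory: (host, product, version) tuples -> {host: [CVE labels]}."""
    report = {}
    for host, product, version in inventory:
        cves = exposed_cves(product.lower(), version)
        if cves:
            report.setdefault(host, []).extend(cves)
    return report

# Constructed inventory for illustration.
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "27.0.1"),
    ("ws-02", "Firefox", "39.0"),
    ("ws-03", "Firefox", "39.0.3"),
    ("ws-04", "Flash", "18.0.0.194"),
    ("ws-05", "Flash", "18.0.0.203"),
    ("ws-06", "Flash", "18.0.0.209"),
]

if __name__ == "__main__":
    for host, cves in audit(SAMPLE_INVENTORY).items():
        print(host, ", ".join(cves))
```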

Some of the researchers note that the Terror Exploit Kit is still a work in progress and future iterations of it might include additional target exploits. As it is a customizable utility, it can be used to deliver different types of malware – computer viruses, ransomware, etc.

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
