Threat Research

IRC bot lures social network users through IM

By Derek Manky | September 11, 2009

Malicious links through instant messaging protocols are nothing new (think IM worms), however, recent attacks have been launched that leverage the popularity of social networking sites. I investigated a new link reported to be spreading through MSN, which is simple, yet potentially quite effective given the popularity of social networking sites and the ongoing use of instant messaging clients nowadays. The message (see Figure 1 below) read: "Hey, is this you?? haha :P http://facebook-photo/viewimage.php?". The last part of the link, a parameter supposedly passed to and used by the viewimage php script contains the recipient's contact name. No doubt this enhances the effect of this lure.

Incoming malicious link Figure 1: Watch where you go, and what you download

Upon clicking on the link, the facebook-photo domain redirects the user to another domain (via HTTP 302) where the php script resides. The script simply executes a download for an executable, with "JPG.EXE" in the suffix (see Figure 1 above). This is a simple method: the facebook-photo domain from the original link was freshly registered (yesterday as of writing), and used as a redirect to a compromised server ( where the php and executables are loaded. The 302 redirect currently points to one directory on the compromised server, but I found at least five other directories containing more (and different) executables along with the same viewimage php script, one entitled "new". It looks as though the malware creators have been experimenting with variations of their work, and can simply change the 302 redirect from the original domain to point to whichever one they wish. Figure 2 below shows the added directories (highlighted in red) to the compromised server, each directory hosting a different executable and an instance of the viewimage.php script. The server is located in Instanbul, whereas the redirector is located in Washington state, USA.

Compromised index_ _

Figure 2: Injected malware directories for seeding

So exactly what is this malware, and where are these links coming from? Well, upon download and execution of one of the executables residing in the "new" directory, I discovered several things. First of all, it is not uncommon for instant messaging accounts to be hijacked / phished and used for spam or attacks (see a recent case here). This case seemed to be different in nature though. On execution, the original downloaded "image" file drops and executes a UPX packed file that ran as "msmsgrs.exe" in the Windows home directory. To create a diversion, a browser session is opened to the user index page of MySpace (Figure 3 below). This completes the social engineering tactic, while malicious code runs in the background. In fact, this should raise a red flag: the link suggests a Facebook photo site, whereas the opened browser window links to MySpace.

MySpace Diversion Figure 3: MySpace diversion to complete a social engineering attack

I observed the malware connecting to TCP port 1863 -- which happens to be MSN's. It first does a DNS lookup for the domain "", which returned a set of five IP addresses - not quite fast flux, since the TTL values were high. Most of these were down, but a couple remained active. On further inspection, I realized the malware is not using the MSN protocol but rather IRC through this port. Using the 1863 port merely disguises the process as to its true intentions. Figure 4 below shows a debug session with the IRC commands clearly present.

IRC commands upon connection to 1863

Figure 4: IRC commands issued after a successful connection to TCP 1863

On a successful connection, the bot will login with a nickname using the following format: "[xx|yyy|zz]", where yyy is the user's region, and zz is a pseudo-random number. The username is in the format: "aa * 0 :bb", where aa is the system information (version/build) and bb is the machine name. Following this, the bot will login to the channel "#!out!" where it will sit and await commands from its master. Like typical IRC bots, it accepts commands to update its own code, and download/execute further components. While monitoring commands, several executables were downloaded from a single domain, including the Buzus trojan and FraudPack - another rogue security software suite. This domain (as of writing) is hosting seven different executable components for offer.

The command set goes a bit further though, accepting commands to operate on three instant messaging protocols: AIM, MSN, and TIM (Triton). While monitoring commands, I only observed MSN to be used. And, not surprisingly, the MSN command observed was to send the message ".msn.msg Hey, is this you?? haha :P http://facebook-photo/viewimage.php?=". The last part of the link is supplied by the bot, on a per-message basis as the recipients contact name is appended. Look familiar? Yes, this is how the original message (Figure 1) spread - through an infected zombie. Figure 5 below shows commands being pushed from the botherder, along with visible replies from zombies and commands to download the malicious components.

C&C Commands via IRC

Figure 5: Commands from a bot herder, responses from zombies

In a nutshell, this malware is distributed through the three supported IM protocols and social engineering hook, leveraging the popularity of social networking sites. Social networking has become widely adopted: it becomes easy for users to become "trigger" happy out of interest, clicking on links that would seemingly lead them to familiar areas on the web. Remember to always observe where you are about to go, and to verify the indentity of whomever sent you the link. Koobface uses a similar strategy, as an example, by sending links to harvested social network accounts to fake videos which are in fact a copy of its malicious binary.

The appropriate registrars and compromised servers have been informed of malicious activity. FortiGuard Antivirus detects the droppers and bot agent as HackerTool/Injector.D and IRC/Pushbot!worm, while the malicious URLs are blocked via Web Content Filtering.

Thanks to Robin Liao from Fortinet for the original link and IM image (Figure 1).

Join the Discussion