NGRBot Spreads Via Chat

NGRBot is a worm that propagates through chat messengers, the Internet Relay Chat channel, social networking sites etc. It steals FTP and browser passwords and can cause a denial of service by flooding.

NGRBots use the IRC network for file transfer, sending and receiving commands between zombie network machines and the attacker’s IRC server, and monitoring and controlling network connectivity and intercept. It employs a user-mode rootkit technique to hide and steal its victim’s information. This family of bot is also designed to infect HTML pages with iframes, causing redirections, blocking victims from getting updates from security/antimalware products, and killing those services. The bot is designed to connect via a predefined IRC channel and communicate with a remote botnet.

Figure 1: We see “ngrbot” string in memory.

Once connected to the IRC channel, the bot can function as backdoor and receive commands from a remote attacker.

The following message box is displayed if someone tries to reverse engineer the malware:

Figure 2: NGRBot’s paths of operation and related activity.


A Look at NGRBot: Self-update and DNS-setting modification modules

         RushKill Module                                    Grabber Module

With the help of the Grabber module, the bot can intercept communications between the victim and browser chat and steals the username and password.

Flooder Module Strings

IRC Communicator Module Strings

Spreader Module

String Related to Bot Joining IRC Channel

Behavioral characteristics:

  • Injects into many running processes
  • Hooks several APIs of various loaded modules
  • Injects into explorer.exe and connects to  through post 7171
  • Can spread through removable devices with the autorun.inf
  • Name of sample copy dropped inside %appdata% folder by calling GetVolumeInformation() API for Hard Disk serial number

NGRBot uses mutual exclusion to ensure one of its instances is always running:

A message from the NGRBot author and the script file for deleting downloaded files

NGRBot downloads other malicious files onto a victim’s machine. We noticed the fake AV Live Platinum Security (8.exe in the next screen) and the trojan KillAV (7.exe) in the %appdata% folder and then executing.

The dropped malwares survive after rebooting by making “Run” entries on the machine.

The dropped KillAV Trojan has many antidebugging tricks to make it difficult to reverse-engineer. This Trojan also checks for more than 100 running security/antimalware processes and kills them.

scfmanager Fsaw livesrv mscif vir.exe
savser Fspex bdmcon mpft webproxy
savadmins fsm32 bdagent mpfser pavfnsvr
alsvc Tsanti xcommsvr mpfag avengine
almon Kavpf PXConsole mcvss avciman
npfmsg2 Kav PXAgent mcvs apvxdwin
zlh dpasnt kpf4ss mcupd avp
zanda Msfw kpf4gui mcupdm cavtray
cclaw msmps sunthreate mctsk cavrid
npfsvice mpeng sunserv mcshi
njeeves Msco sunprotect mcdet
nipsvc winssno counter mcage
nip symlcsvc clamwin zlcli
nvcsched spbbcsvc clamtray vsmon
nvcoas sndsrvc avgnt webroot
spidernt nscsrvce avguard spysw
spiderui navapsvc avesvc firewalln
drweb ccsetmgr avcenter vrmo
pxcons ccproxy ashwebsv vrfw
pxagent ccetvm ashdisp hsock
guardxkickoff Ccapp ashmaisv wmiprv
vba32ldr alusched ashserv mxtask
nod32kui Oascl isafe caissdt


The Trojan connects to two sites:


The Fake AV Live Security Platinum blocks victims from several files:

  • regsvr32.exe
  • cmd.exe
  • rundll32.exe
  • regedit.exe
  • verclsid.exe
  • ipconfig.exe

The malware stops the victim from downloading files with the following file extensions:

  • exe
  • com
  • pif
  • scr


Advice to Customers

McAfee successfully unhooks and completely cleans the malware. Update your scanners with the latest DATs. Avoid clicking on suspicious links in chat windows or on social networking sites without first searching online. Beware of social engineering tricks used by malware authors to lure victims into clicking malicious links. Make sure you have a reputable firewall installed in your machine.


Blackhole 2.0 Exploited to Push Advertisements

The popular Blackhole Exploit Kit has gained a lot of media attention recently when its author announced the imminent release of version 2.0, boasting a list of  new interesting features. Recently we were very surprised when we found a website hosting what is supposed to be version 2.0 of the Blackhole Exploit Kit. Naturally, we started investigating and soon discovered that something about the website was not right.

Figure 1. The (suspicious) statistics page of the exploit kit

Looking at Figure 1, you can see a label at the bottom of the page clearly saying Blackhole v.2.0, but apart from this difference, the rest of the page looks very similar to the old version:

Figure 2. The statistics page of the old version of the exploit kit

The main content section of both pages is the same. However, at the top of the “new” version (Figure 1) there is a light blue table containing some Russian text in the area where the Blackhole menu should be. The text roughly translates to:

Advertising: [REMOVED] - service encryption iframe / javascript code.
Advertising: Dedicated servers in its own data center in Syria under any projects. Experience 6 + years in the market. Quality sounds! ;-)
Advertising: Unique service domain registration packs. Under any topic. Fast, comfortable, safe. [REMOVED]

It is now clear that this page is merely using the Blackhole 2.0 name as bait in an attempt to lure users into visiting the page and reading the advertisements. This method is not new; spammers often use names of famous people and products or the latest news events to try to lure users into reading their spam emails. However, it is quite unusual to see a popular exploit kit name used in this manner.

So what is being advertised? A service for registering domain names, one for server hosting, and another for encrypting JavaScript and iframes. Altogether these services could offer cybercriminals a complete infrastructure to be used for hosting cybercrime operations. In fact, the website advertising encryption and the one advertising domain registering are both well known for providing infrastructures aimed at "dirty ops."

Further indications of this Blackhole Exploit Kit 2.0 page being forged include:

  • The name of this page is bhstat.php, which is a known file name of the old version and is accessible without authentication.
  • No other known Blackhole PHP page seems to be present on that website.
  • The Exploits section (ЭКСПЛОИТЫ in the image) conveniently reports a Java pack, which was also mentioned in the description of version 2.0, published by the exploit pack author.

In conclusion, the page is not the new Blackhole Exploit Kit 2.0; it is a rehashed version of the current Blackhole Exploit Kit page, pretending to be the new one. The people behind this page do not have version 2.0, they more than likely have nothing to do with Blackhole and are only trying to advertise their services by exploiting a well-known name to gain attention. Their targets are clearly cybercriminals who would be interested in using an exploit kit and who would need an infrastructure for hosting it.

I wonder if the Blackhole author will file a copyright complaint!

Open Season On Patents Starts Thursday, Thanks to Crowdsourced Platform

This drawing is from a patent granted in 1995 for a laser used to entertain a cat.

Hunting season is now open on software patents , and the U.S. Patent and Trademark Office, Stack Exchange and Google are teaming up to make it easy for geeks to shoot down overbroad and ridiculous patents.

Thanks to a change in patent law that went into effect this month, third parties who think a patent application is flimsy or invalid due to previous art or obviousness can now file evidence and comments to the USPTO, starting Thursday morning. Previously, it was illegal for the USPTO to take outside parties comments into account when evaluating a patent application.

Making the process even easier, Stack Exchange, the popular Q&A site for coders, has teamed up with the Patent Office and Google to crowdsource analysis of patents before they are issued.

The way it works is simple.

Visit, and you can find a list of patents that others have submitted for debunking or you can submit your own candidate. Users can then find prior art, discuss the patent’s validity, and ultimately submit their evidence directly to the USPTO with the click of a button. Rounding out the partnership, Google’s handy patent search site will show links to Stack Exchange discussions about patents surfaced in search results.

Given the scope of the ludricrous patent battles that are engulfing the world’s largest tech companies and sinking small startups, the partnership comes none-too-soon. Just this week a little known company based in a patent-friendly Texas town filed suit against some of the net’s giants including Apple, Rackspace and Github, citing, among other things, what seems to be a patent on using hashes to identify multiple copies of the same file. That’s just the most recent example in a long litany of frivolous patent lawsuits, many of them brought by so-called patent trolls, who have no business other than extracting rents from companies who often find it cheaper to settle with trolls than to battle in court.

Stack Exchange has been beta-testing the patent-busting forum and users have been questioning patents ranging from Microsoft’s recent application for a patent on hitting a phone to silence it  (discussion here) to a patent on bed management system in a healthcare facility.

Alex Miller, Stack Exchange’s chief of staff, says the patent forum a natural fit for its site, given its community of software engineers feels very strongly that out-of-control software patents are stifling innovation. (For a fantastic primer on software patents, listen to this American Life episode created in conjunction with NPR.)

“We think this is a powerful way to empower people,” Miller said. “Plus there’s a side benefit. At its heart Stack Exchange is a Q&A community of experts and this should bring more experts to contribute to the site.”

Though there’s no set rewards yet for busting a patent, Miller says Stack Exchange is thinking about giving a badge to those who bring down a patent application.

Miller said the PTO ended up working with Stack Exchange thanks to a 2007 collaborative experiment spearheaded by New York Law School professor Beth Noveck called Peer to Patent, which tested the idea of crowdsourced patent testing of patents submitted by applicants who agreed to be vetted. Though the experiment was limited, the site proved that “crowdsourcing can work,” according to Miller.

Noveck recently suggested that the PTO talk with Stack Exchange, which then approached Google about integrating its patent search engine. Google quickly agreed, according to Miller. Now, the trio has created a tri-part process Miller calls Discover, Discuss and Document.

That’s some clever marketing. We can only add “Let the hunting begin.”