NGRBot is a worm that propagates through chat messengers, the Internet Relay Chat channel, social networking sites etc. It steals FTP and browser passwords and can cause a denial of service by flooding.
NGRBots use the IRC network for file transfer, sending and receiving commands between zombie network machines and the attacker’s IRC server, and monitoring and controlling network connectivity and intercept. It employs a user-mode rootkit technique to hide and steal its victim’s information. This family of bot is also designed to infect HTML pages with iframes, causing redirections, blocking victims from getting updates from security/antimalware products, and killing those services. The bot is designed to connect via a predefined IRC channel and communicate with a remote botnet.
Figure 1: We see “ngrbot” string in memory.
Once connected to the IRC channel, the bot can function as backdoor and receive commands from a remote attacker.
The following message box is displayed if someone tries to reverse engineer the malware:
Figure 2: NGRBot’s paths of operation and related activity.
A Look at NGRBot: Self-update and DNS-setting modification modules
RushKill Module Grabber Module
With the help of the Grabber module, the bot can intercept communications between the victim and browser chat and steals the username and password.
Flooder Module Strings
IRC Communicator Module Strings
String Related to Bot Joining IRC Channel
- Injects into many running processes
- Hooks several APIs of various loaded modules
- Injects into explorer.exe and connects to 18.104.22.168 through post 7171
- Can spread through removable devices with the autorun.inf
- Name of sample copy dropped inside %appdata% folder by calling GetVolumeInformation() API for Hard Disk serial number
NGRBot uses mutual exclusion to ensure one of its instances is always running:
A message from the NGRBot author and the script file for deleting downloaded files
NGRBot downloads other malicious files onto a victim’s machine. We noticed the fake AV Live Platinum Security (8.exe in the next screen) and the trojan KillAV (7.exe) in the %appdata% folder and then executing.
The dropped malwares survive after rebooting by making “Run” entries on the machine.
The dropped KillAV Trojan has many antidebugging tricks to make it difficult to reverse-engineer. This Trojan also checks for more than 100 running security/antimalware processes and kills them.
The Trojan connects to two sites:
The Fake AV Live Security Platinum blocks victims from several files:
The malware stops the victim from downloading files with the following file extensions:
Advice to Customers
McAfee successfully unhooks and completely cleans the malware. Update your scanners with the latest DATs. Avoid clicking on suspicious links in chat windows or on social networking sites without first searching online. Beware of social engineering tricks used by malware authors to lure victims into clicking malicious links. Make sure you have a reputable firewall installed in your machine.