Sophos

12 May 2007 12:11 GMT

All in a bot's work

We all know that IRC bots are feature-packed beasts whose payloads can vary quite widely. The hacker(s) responsible have been able to make money from them in a whole host of ways over the past few years. The three most common methods are:

Yesterday evening, a new IRC bot (added as W32/Sdbot-DEE) took this latter option. Upon execution, the bot installed itself on the victim machine and connected back to the IRC server, but it additionally attempted to download and execute a binary from another remote server. This was a startpage Trojan (added as Troj/StartP-BEM): malware whose sole purpose is to modify the default homepage of the web browser (usually Internet Explorer). In this case, the homepage was set to http://(blocked).hotinfolink.com, a site which appears to be some kind of web portal:

[Image: hotinfolinks dot com homepage]

At the time of checking, there was no malicious content on the page; the purpose of this appears to be purely one of revenue generation through increased traffic. Of course, it is not unlikely that the site may at some point serve up a malicious script in order to deliver more malware. Fear not, we have already classified this site appropriately in order to block access.
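As an added example (not Sophos' code, and not taken from the Trojan described above), the following PowerShell check lists the Internet Explorer start page values that a startpage Trojan typically rewrites and flags any whose host is not on an expected list. The allowlist hosts are constructed placeholders for this example; replace them with your own.

```powershell
# Added example: report Internet Explorer start pages that a startpage Trojan
# such as Troj/StartP-BEM may have rewritten. Not part of the original post.
# Assumption: the hosts below are the homepages expected in this environment.
$ExpectedHosts = @('intranet.example.com', 'www.example.com')   # constructed allowlist

# Registry locations holding the IE start page (per user and machine-wide).
$StartPageKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main'
)
$ValueNames = @('Start Page', 'Default_Page_URL')

function Get-StartPageFindings {
    param([string[]]$Expected = $ExpectedHosts)
    foreach ($key in $StartPageKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $ValueNames) {
            $url = $props.$name
            if ([string]::IsNullOrWhiteSpace($url)) { continue }
            # Extract the host part; fall back to the raw string if it is not a valid URI.
            $hostName = $url
            try { $hostName = ([System.Uri]$url).Host } catch { }
            # Built-in pages such as about:blank are not a sign of tampering.
            $benign = ($url -like 'about:*') -or ($Expected -contains $hostName)
            [pscustomobject]@{
                Key        = $key
                Value      = $name
                Url        = $url
                Host       = $hostName
                Suspicious = -not $benign
            }
        }
    }
}

# Print one row per start page value; Suspicious = True is worth investigating.
Get-StartPageFindings | Format-Table -AutoSize
```

Run it in an elevated session to read the HKLM key as well; a Suspicious row pointing at an unfamiliar portal domain is the kind of change the Trojan above makes.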

Fraser Howard, SophosLabs UK