Sydney honeypots attract morphing botnet malware

The Sydney branch of West Coast Labs' global honeynet was amongst the first to record two new malware variants last week, as the RBot family continued to wreak havoc on global networks.

[NB – This is the first of what will become weekly updates on types of malware attacking Australian corporate networks through iTnews.com.au, using data gleaned from an international malware research network operated by West Coast Labs, the world's leading independent content security testing and research lab].

Of the 41 malware threats detected by West Coast Labs' Sydney honeypots last week, 29 were received there for the first time.

Two were brand new threats on a global level: a variant of the Allaple family and another of the Virut family.

The Virut virus

The Sydney honeypots detected a compressed file - generally agreed to be a member of the polymorphic Virut family of viruses.

This virus infects files with encrypted code which spreads further when each infected file is run.

The new threat contained the IRCBOT (internet relay chat bot) functionality – which enables remote users to take over an infected machine, adding it to a botnet and used for illicit purposes, such as distributing spam or generating Distributed Denial of Service attacks.

Such botnets are often used by hackers or to blackmail the owners of web properties.

The Virut attack picked up by the Sydney honeypots were determined to have originated from China in this case.

The Allaple worm

On December 4, the Sydney honeypots were also the first in the West Coast Labs network to pick up a worm thought to be part of the Allaple family. This worm spreads via networks and email, dropping the file urdvxc.exe into the System32 system directory of Windows machines and using this to spread itself further.

"Some variants of this worm carry a payload in the form of a DDoS tool, whilst others merely perpetuate themselves and clog up bandwidth," a senior member of the West Coast Labs Research and Development team told iTnews.

The attack was found in this case to have originated from Japan.

Earlier versions of this worm were found to have been used in DDoS attacks against a number of websites in Estonia.

Rbot family

One in five new malware threats detected by West Coast Labs' global honeynet last week were variants of the RBot family.

The RBot family of malware uses an exploit in the Windows operating system that leaves open IRC (internet relay chat) channels 24 hours a day.

According to security vendor BitDefender, the RBot family of threats uses this channel to find other computers on the internet, sending a script that once executed can perform various functions including disabling antivirus and other security tools, reproducing the exploit elsewhere on the computer, and connecting to an IRC channel to await further instructions.

These instructions might be to form part of a DDoS attack or spread other malware.

Variants of the threat have also been used to steal passwords, CD keys from software applications, or to shut down machines.

Fixes are available from several companies, including the following:

- Trend Micro

- F-Secure

- Sophos