NgrBot is a modified IrcBot. It has the capability to join different Internet Relay Chat (IRC) channels to perform various attacks according to the IRC-based commands from the command-and-control (C&C) server. Recently, our botnet monitoring system captured an NgrBot variant with hardcoded version 126.96.36.199.
Figure 1. Hardcoded version 188.8.131.52.
This new version of the bot carries new features that are much more harmful than before, including the ability to destroy data in the user’s hard drive.
Wiping The Hard Drive
This new version of the bot has added a destructive function that overwrites the hard drive of the compromised system.
This wiping behavior is triggered if there is any kind of failure in the decryption of its strings. When decrypting, NgrBot uses a string structure where the first dword is a pointer to an RC4-encrypted string; the second dword is the string length; and the third dword is the decrypted string’s CRC32 value.
The figure below shows some of these string structures, before and after decryption.
Figure 2. String structures.
After decrypting all the strings, it adds up the CRC32 hashes of the decrypted strings and compares the sum against a value that is stored at the end of the encrypted string structure list. If the sum does not match, it creates a new thread that calls the DeviceIoControl API to lock the hard disk, then calls WriteFile to overwrite the first 0x200 bytes with 0x00s.
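The string-structure layout described above can be turned into a small extractor for analysts who want to pull the bot's decrypted strings out of a dump and check the same integrity condition the bot checks. The code below is an added example, not code from the page or from the malware; it assumes a single RC4 key shared by all strings, an entry count supplied by the analyst, a per-entry layout of pointer/length/CRC32 as described, and a 32-bit wrap-around sum for the final checksum (all of these are assumptions, as is the constructed key and string set used to build the sample blob).

```python
import struct
import zlib

BASE = 0x401000  # assumed image base used to turn the stored pointers into blob offsets


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_string_table(plaintexts, key, base=BASE):
    """Constructed test data in the layout the page describes: 12-byte entries
    (pointer, length, CRC32 of plaintext), then one dword holding the sum of all
    CRC32s, then the RC4-encrypted string bodies the pointers refer to."""
    header_len = 12 * len(plaintexts) + 4
    entries, bodies, total = bytearray(), bytearray(), 0
    for pt in plaintexts:
        ptr = base + header_len + len(bodies)
        crc = zlib.crc32(pt) & 0xFFFFFFFF
        total = (total + crc) & 0xFFFFFFFF      # assumed: dword add, wraps at 2^32
        entries += struct.pack("<III", ptr, len(pt), crc)
        bodies += rc4(key, pt)
    return bytes(entries + struct.pack("<I", total) + bodies)


def decrypt_string_table(blob, count, key, base=BASE):
    """Walk `count` entries, decrypt each string, verify its CRC32, and compare the
    running sum with the checksum stored after the list.
    Returns (decrypted_strings, checksum_ok). checksum_ok == False is exactly the
    condition under which the bot starts its wiping thread."""
    strings, total = [], 0
    for k in range(count):
        ptr, length, crc = struct.unpack_from("<III", blob, 12 * k)
        off = ptr - base
        pt = rc4(key, blob[off:off + length])
        if zlib.crc32(pt) & 0xFFFFFFFF != crc:
            # one bad string already guarantees the stored sum will not match
            return strings, False
        strings.append(pt)
        total = (total + crc) & 0xFFFFFFFF
    (stored,) = struct.unpack_from("<I", blob, 12 * count)
    return strings, stored == total


if __name__ == "__main__":
    key = b"constructed-key"  # constructed; the real key is not on the page
    names = [b"DnsQuery_A", b"dnsapi.dll", b"GetAddrInfoW"]
    blob = build_string_table(names, key)
    print(decrypt_string_table(blob, len(names), key))
```

When run against a real dump the interesting case is the mismatch path: a patched sample, a wrong key, or a partially overwritten string table all make `checksum_ok` false, which is the same condition that triggers the wiper, so an analyst who sees it should expect the destructive thread to start if the sample is executed.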
Figure 3. Code for wiping the hard disk.
Aside from filling the partition with zeroes, the bot displays the following message box to indicate its displeasure:
Figure 4. Message box displayed when CRC32 hash doesn’t match.
The figure below shows what the overwritten hard disk sector looks like.
Figure 5. Wiped hard disk sector.
When the system restarts, the victim’s system will hang and will be unable to boot.
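For a forensic look at what Figure 5 shows, the first sector of a disk image can be parsed to tell a healthy MBR from one that has been zeroed. The following is an added example written for this page, not the bot's code or the page's own tooling; the sample sector it builds is constructed (one NTFS-type partition entry and a standard 0x55AA boot signature) and the layout it parses is the classic MBR: four 16-byte partition entries at offset 0x1BE and the signature at offset 510.

```python
import struct

SECTOR = 512
BOOT_SIG = 0xAA55          # stored little-endian as bytes 55 AA at offset 510
PART_TABLE = 0x1BE         # start of the four 16-byte partition entries
ENTRY_FMT = "<B3sB3sII"    # boot flag, CHS start, type, CHS end, start LBA, sector count


def make_sample_mbr() -> bytes:
    """Constructed sample sector, not from a real disk: one bootable partition of
    type 0x07 starting at LBA 2048, plus a valid boot signature."""
    sector = bytearray(SECTOR)
    sector[0:3] = b"\xEB\x3C\x90"  # typical short jump over the parameter block
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 0x01000000)
    sector[PART_TABLE:PART_TABLE + 16] = entry
    struct.pack_into("<H", sector, 510, BOOT_SIG)
    return bytes(sector)


def analyze_boot_sector(sector: bytes) -> dict:
    """Classify the first 0x200 bytes of a disk.
    'wiped'   : every byte is 0x00, the pattern the bot's WriteFile call leaves behind
    'damaged' : not all zero, but the 0x55AA boot signature is missing
    'valid'   : signature present; partition entries are decoded and returned"""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if not any(sector):
        return {"state": "wiped", "partitions": []}
    sig_ok = struct.unpack_from("<H", sector, 510)[0] == BOOT_SIG
    partitions = []
    for i in range(4):
        boot, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE + 16 * i)
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"bootable": boot == 0x80, "type": ptype,
                               "start_lba": lba, "sectors": count})
    return {"state": "valid" if sig_ok else "damaged", "partitions": partitions}


if __name__ == "__main__":
    print(analyze_boot_sector(make_sample_mbr()))
    print(analyze_boot_sector(bytes(SECTOR)))  # what the wiped sector looks like
```

Because only the first 0x200 bytes are overwritten, a sector reported as `wiped` says nothing about the partitions themselves; their data is still on disk and a backup of the original MBR, or a partition-table rebuild from the file system boot sectors, is the recovery path the `valid` output documents the expected shape of.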
Preventing AV Access
Another feature of this new version is the blocking of access to antivirus-related web sites.
To do this, the bot injects code into running processes and hooks the following APIs:
- DnsQuery_A (from dnsapi.dll)
- DnsQuery_W (from dnsapi.dll)
- GetAddrInfoW (from ws2_32.dll)
When these APIs are called, the hooking functions check if the address to connect to contains strings that are in the bot’s blacklist, which is shown in the following figure:
Figure 6. Blacklist of AV companies.
These strings are included in most web sites of major antivirus vendors. If the hooked APIs find any of these strings, access to those sites is blocked.
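Hooks placed on exported DNS and socket functions can be spotted from the defender's side by comparing the first bytes of each export in the running process with the same bytes from the DLL on disk; an inline hook typically replaces the function's hot-patchable prologue (mov edi,edi / push ebp / mov ebp,esp) with a JMP rel32 into injected code. The code below is an added example, not from the page or the malware: it takes the two byte snapshots as plain dictionaries (how they are read, for instance via a process-memory read and a file mapping of the DLL relocated to its load address, is left to the analyst's tooling) and the sample addresses, export names and hook target are constructed values.

```python
import struct

# Hot-patchable Win32 prologue as it appears on disk (mov edi,edi; push ebp; mov ebp,esp).
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")


def jmp_target(addr: int, code: bytes):
    """Decode a 5-byte JMP rel32 (E9 xx xx xx xx) located at `addr`.
    Returns the absolute destination, or None if the bytes are not such a jump."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]      # signed 32-bit displacement
    return (addr + 5 + rel) & 0xFFFFFFFF           # relative to the next instruction


def find_inline_hooks(disk_exports: dict, mem_exports: dict) -> list:
    """disk_exports and mem_exports map export name -> (address, first bytes).
    Every export whose in-memory prologue differs from the on-disk one is reported,
    together with the JMP destination when the patch is a plain JMP rel32."""
    findings = []
    for name, (addr, disk_bytes) in disk_exports.items():
        mem_addr, mem_bytes = mem_exports[name]
        if mem_bytes[:len(disk_bytes)] == disk_bytes:
            continue  # prologue intact
        findings.append({
            "export": name,
            "address": addr,
            "jmp_target": jmp_target(mem_addr, mem_bytes),
        })
    return findings


def sample_snapshot():
    """Constructed data: the three exports the page names, with DnsQuery_A patched
    to jump into a (constructed) address inside an injected region."""
    disk = {
        "dnsapi!DnsQuery_A":   (0x71E01000, CLEAN_PROLOGUE),
        "dnsapi!DnsQuery_W":   (0x71E02000, CLEAN_PROLOGUE),
        "ws2_32!GetAddrInfoW": (0x71A03000, CLEAN_PROLOGUE),
    }
    hook_at = 0x00C80000                                   # constructed hook address
    rel = (hook_at - (0x71E01000 + 5)) & 0xFFFFFFFF
    patched = b"\xE9" + struct.pack("<I", rel)
    mem = dict(disk)
    mem["dnsapi!DnsQuery_A"] = (0x71E01000, patched)
    return disk, mem


if __name__ == "__main__":
    disk, mem = sample_snapshot()
    for hit in find_inline_hooks(disk, mem):
        print(f"{hit['export']} @ {hit['address']:08X} -> jmp {hit['jmp_target']:08X}")
```

A mismatch is a lead, not a verdict: security products and the OS itself also patch these prologues, so the decisive signal is where the jump lands, an address inside a module that should not be in the process, or outside any loaded module at all, versus a known, signed DLL. Patches that use other forms (push imm32 / ret, mov eax, imm32 / jmp eax) are still reported as a mismatch here, only without a decoded target.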
Connecting To The C&C Server
As mentioned above, NgrBot is an IRC bot. It connects to an IRC channel in order to receive commands from its C&C server.
The following is the full list of C&C server commands that the current variant supports.
The network traffic that we have captured from this version still looks very similar to the previous one. So far, we have captured only two commands that are being sent from the C&C server. In the figure below, the botnet commands :~pu and :~dw can be seen in the IRC commands that begin with :001:Network 332.
Figure 7. Captured C&C commands.
Before we end, one might wonder why this bot is called NgrBot. The answer is that this is the name that the malware author has given, as seen in the binary code.
Figure 8. Hardcoded bot name.
With our brief analysis of this active version of NgrBot, we can now understand its new features, especially the more dangerous one of hard disk wiping. We will continue to do our best in capturing the new active commands. As botnets continue their activities, so will our botnet monitoring system’s tracking of their actions.