Softpedia
 


September 14th, 2009, 14:02 GMT · By

Social Networking Lure, IRC C&C and IM Propagation


New Pushbot variant spreading on MSN Messenger
Security researchers from network protection vendor Fortinet warn that a new version of Pushbot is using a social networking lure to spread via instant messaging protocols. The worm gives its authors the ability to control the infected computers via IRC.

According to Derek Manky, a security researcher at Fortinet who investigated this threat, the worm can propagate via AIM, MSN, and TIM (Triton), where it sends spam messages containing a malicious link. One such message read "Hey, is this you?? haha :P http://facebook-photo[removed]/viewimage.php?[contactname]," but there are signs that fake MySpace URLs were used to lure users as well.

Visiting the link performs a silent redirection to another domain, from which a malicious [random]-JPG.EXE file is served for download. This is the worm installer, which creates a file named msmsgrs.exe in the Windows directory in an attempt to disguise its process as the legitimate MSN Messenger.

It then establishes an IRC connection and joins a channel where it sits as a botnet client (drone) waiting for instructions. In order to hide this traffic from plain sight, it uses TCP port 1863 for the IRC connection, a port normally associated with MSN Messenger communications.
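
The port mismatch described above can be spotted from the first client payload of a connection, because IRC registration and the MSN Messenger protocol (MSNP) handshake begin differently. The following is an added example, not code from Fortinet or the original article; the flow records, addresses and nickname are constructed, and the function names are hypothetical.

```python
import re

MSN_PORT = 1863  # TCP port the article says the bot uses for its IRC session

# Client-side IRC commands used for registration and channel join (RFC 1459/2812).
IRC_COMMANDS = {b"PASS", b"NICK", b"USER", b"JOIN", b"PONG", b"PRIVMSG", b"CAP"}
# MSNP commands are three letters followed by a numeric transaction ID,
# e.g. "VER 1 MSNP15 CVR0" as the first client message.
MSNP_LINE = re.compile(rb"^[A-Z]{3} \d+( |$)")


def classify_payload(payload: bytes) -> str:
    """Label the first line of a client-to-server payload: irc, msnp or unknown."""
    line = payload.split(b"\r\n", 1)[0].split(b"\n", 1)[0].strip()
    if not line:
        return "unknown"
    if MSNP_LINE.match(line):
        return "msnp"
    command = line.split(b" ", 1)[0]
    return "irc" if command.upper() in IRC_COMMANDS else "unknown"


def irc_on_msn_port(flows):
    """Return flows to TCP/1863 whose first client payload is IRC rather than MSNP."""
    return [f for f in flows
            if f["dport"] == MSN_PORT and classify_payload(f["payload"]) == "irc"]


# Constructed sample flows (documentation address ranges, made-up nickname).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 1863,
     "payload": b"VER 1 MSNP15 CVR0\r\n"},                   # normal MSNP handshake
    {"src": "10.0.0.7", "dst": "198.51.100.20", "dport": 1863,
     "payload": b"NICK host-a\r\nUSER a a a :a\r\n"},        # IRC on the MSN port
    {"src": "10.0.0.8", "dst": "203.0.113.30", "dport": 6667,
     "payload": b"NICK alice\r\n"},                          # IRC on its usual port
    {"src": "10.0.0.9", "dst": "192.0.2.11", "dport": 1863,
     "payload": b"\x16\x03\x01\x00"},                        # neither protocol
]

if __name__ == "__main__":
    for flow in irc_on_msn_port(SAMPLE_FLOWS):
        print(f"IRC on TCP/{MSN_PORT}: {flow['src']} -> {flow['dst']}")
```
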

At the same time, it opens the MySpace main page in the browser, although it should have been Facebook in this case. This has the purpose of distracting the user's attention and making them believe that they need to authenticate in order to view the picture they just attempted to open.

"Like typical IRC bots, it accepts commands to update its own code, and download/execute further components. While monitoring commands, several executables were downloaded from a single domain, including the Buzus trojan and FraudPack – another rogue security software suite," notes Mr. Manky.

As always, users are advised to exercise extreme caution when choosing to visit links sent to them over the Internet, regardless of whether they arrive via instant messaging, a social network or e-mail. Having an up-to-date, competent antivirus solution installed is also a must.
