Tandem-type IRC Bots

Our automated malware analysis system, Lavasoft MAS, recently revealed an interesting incident. A system was infected by three IRC bots at the same time: Nrgbot, Blazebot and Rbot. Analysis of Rbot showed that at least two C&C servers existed from which three bots can receive commands at the same time.

Each bot can periodically download updated modifications of itself in response to commands issued via IRC. This makes it difficult to disinfect the compromised system. Detection rates for the latest modification of Rbot are shown below.

We revealed an interesting collection of IRC bots created by attackers.

The fact that the Nrgbot builder and source code, as well as the Rbot source code, have become public and are returned as the first results in Google searches gives attackers a wide range of possibilities on the affected system.
