Late Monday, we received samples of a malware that spreads through instant messaging. Detection was quickly added for this threat and David gave a nice summary of the events in a blog post.
When analyzing this binary, we found out that Win32/Inject.NBL has a couple of interesting characteristics. First of all, we were able to identify the list of functionalities of this bot:
- download
- update
- rm
- msn.msg
- msn.stop
- aim.msg
- aim.stop
- triton.msg
- triton.stop
In short, this malware can download new files, update itself and remove itself from an infected computer. It can also spread through three different instant messaging programs: msn messenger, aim and triton.
On a more technical side, Inject.NBL is interesting because after unpacking itself into memory, the packer doesn’t jump to the program’s original entry point. Instead of doing so, the packer starts a new instance of the executable and inject the unpacked code in the newly created process. This technique is probably aimed at fooling analysis and emulators used in antivirus products.
For the last three days, the network of computers infected by Inject.NB is still instructed to spread through msn using the same string to convince users into clicking on a malicious link. The command and control network uses the IRC protocol on a server that is currently located in Luxemburg.
Pierre-Marc Bureau
Researcher