SDBOT malware has been around since 2004. Most of the bots that use the Internet Relay Chat (IRC) protocol for communication, such as AGOBOT, IRCBOT, RBOT, and others, have been around as early as 2001, yet these kinds of malware rarely attract attention because they operate silently. These bot malware are neither heavy email spammers nor resource hogs. They hardly ever disrupt normal computer activities—say, Internet browsing—so their victims never notice that their computers have been infected.
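Because the traffic of these bots is quiet, one of the few places a defender can see them is the IRC registration handshake itself on egress traffic. The following Python is an added example, not code from the white paper or from Trend Micro: it parses IRC protocol lines using RFC 1459 framing (optional `:prefix`, command, space-separated parameters, optional `:trailing` text) from a reassembled TCP stream and summarizes whether the session registered with an IRC server, which channels it joined, and how many channel messages it received. Both sample streams are constructed for the example.

```python
"""Parse IRC protocol lines and summarize a captured session.

Constructed example for triaging quiet IRC command-and-control sessions;
not code from the white paper. Input is one reassembled TCP stream with
both directions interleaved in order (constructed sample data below).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 1459 message framing: [':' prefix ' '] command [' ' params] [' :' trailing]
# Commands are alphabetic words (NICK, JOIN, ...) or three-digit numeric replies.
_IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?"          # optional sender prefix (server or nick!user@host)
    r"(?P<command>[A-Za-z]+|\d{3})"     # command or numeric reply
    r"(?P<params>(?: [^:\s]\S*)*)"      # middle parameters, none may start with ':'
    r"(?: :(?P<trailing>.*))?$"         # trailing parameter, may contain spaces
)


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str]
    trailing: Optional[str]


def parse_irc_line(line: str) -> Optional[IrcMessage]:
    """Return the parsed message, or None if the line is not IRC-framed."""
    m = _IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return IrcMessage(
        prefix=m.group("prefix"),
        command=m.group("command").upper(),
        params=m.group("params").split(),
        trailing=m.group("trailing"),
    )


def summarize_session(lines: List[str]) -> Dict[str, object]:
    """Summarize one TCP stream: did it register with an IRC server, and what did it join?"""
    msgs = [m for m in (parse_irc_line(l) for l in lines) if m is not None]
    commands = {m.command for m in msgs}
    # Client registration is NICK + USER; numeric 001 is the server's welcome reply.
    is_irc = ({"NICK", "USER"} <= commands) or ("001" in commands)

    channels = set()
    privmsg_received = 0
    for m in msgs:
        if m.command == "JOIN":
            # JOIN carries the channel list either as a middle param or as trailing text.
            target = m.params[0] if m.params else (m.trailing or "")
            channels.update(c for c in target.split(",") if c.startswith(("#", "&")))
        elif m.command == "PRIVMSG" and m.prefix is not None:
            # A prefix means the server relayed it from another user (inbound to the client).
            privmsg_received += 1

    return {
        "is_irc": is_irc,
        "parsed_lines": len(msgs),
        "channels": sorted(channels),
        "privmsg_received": privmsg_received,
    }


# Constructed sample: an IRC session, client and server lines interleaved.
SAMPLE_IRC_STREAM = [
    "NICK n0de7731",
    "USER n0de7731 0 * :n0de7731",
    ":irc.example.test 001 n0de7731 :Welcome to the IRC network",
    "JOIN #chan",
    ":n0de7731!u@host JOIN :#chan",
    ":irc.example.test 332 n0de7731 #chan :welcome",
    ":op!o@host PRIVMSG #chan :hello",
    "PING :irc.example.test",
    "PONG :irc.example.test",
]

# Constructed sample: an ordinary HTTP request, which must not be flagged as IRC.
SAMPLE_HTTP_STREAM = [
    "GET /index.html HTTP/1.1",
    "Host: www.example.test",
    "User-Agent: Mozilla/5.0",
    "",
]

if __name__ == "__main__":
    print(summarize_session(SAMPLE_IRC_STREAM))
    print(summarize_session(SAMPLE_HTTP_STREAM))
```

The parser is deliberately permissive (any `WORD params` line matches), so the decision rests on the registration handshake and the numeric welcome reply rather than on the framing alone; the HTTP sample shows why that second check matters.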
“SDBOT IRC Botnet Continues to Make Waves,” the white paper being introduced here, focuses on SDBOT variants and their final payload—the installation of pay-per-install programs. It provides an overview of the SDBOT malware—how it works, how it is installed, and how it spreads using various social engineering techniques. SDBOT is primarily geared toward downloading other malware files such as FAKEAV, Cutwail, and Buzus, each of which has its own distinct payload and strong connections with other malware families.
Given that nature, the paper goes behind the scenes to provide an overview of how the botnet operates underground, how it is structured, and how it utilizes the pay-per-install business model to further its malicious cause, and it offers insights into the mindset and motivation behind the botnet. It appears that this botnet is also in the business of renting out its reach and download capability to cybercriminals. The use of the pay-per-install business model is also increasing because it is easy to use: a botnet owner gets paid to install malware on infected PCs. For instance, a FAKEAV creator pays the SDBOT gang, which already owns an IRC botnet and controls thousands of infected machines, to easily push the FAKEAV files to those systems.
The entire white paper, “SDBOT IRC Botnet Continues to Make Waves,” is now available on TrendWatch.