Despite being already over 5 years old, SDBot and its variants are still going strong and haven’t followed the decline that other similar threats have taken.
Using IRC as a control channel for botnets is one of the older, possibly even the oldest method around – the newer bots most of the time use either P2P or HTTP for their control, allowing them to be stealthier and harder to trace back than their IRC-using counterparts.
But against all trends and all the hype over takedowns of big botnets of the recent years SDBot is still around and is now mostly being used to install pay-per-install software like fake Antvir and other malware. “A botnet owner gets paid to install malware on infected PCs. For instance, a FAKEAV creator pays the SDBOT gang, which already owns an IRC botnet and controls thousands of infected machines, to easily push the FAKEAV files to systems.” TrendMicro writes in their blogpost.
This is pretty big business, targeted installations of Fake AV products can earn the botnetters up to $150 – per user.
Why SDBot is still around is easily explained: It managed to be stealthy as it didn’t interrupt with the infected computers activities as much as its relatives.
TrendMicro notes “the only remaining question is, “Why use an ‘old’ technology such as an IRC botnet when lots of newer technologies can already be seen in the wild?” The answer is quite simple—because this kind of botnet is currently off the radar unlike several others (DOWNAD, ZEUS, WALEDAC, KOOBFACE, ILOMO, and PUSHDO), which are consistently being monitored by researchers. Using a simple but effective type of botnet makes cybercriminals feel like they are in “heaven.” They can opt to use not only one but several ways to spread malware.”
During their research they tried to track back to the origin of the botnet and stumbled upon the domains burimilol.net, burimilol.com and burimche.net that are related to this malware. “These findings suggest that these threats could originate from the Albanian, Macedonian or Montenegro regions” they conclude in their paper.
To avoid becoming part of the botnet, TrendMicro advises to “not click links sent via IM applications, especially if you do not know who sent them, update your security applications regularly to decrease the chances of becoming infected” and not to “open unsolicited email or spam”.