Creating a Simple Botnet Using the AutoIT Scripting Language

This post is made on behalf of my colleague Manoj Venugopalan, Malware Analyst for Symantec Hosted Services.
AutoIT, a free automation language for Windows platform-based development, is often used for scripting Windows-based applications and sometimes misused for creating malware. AutoIT scripts can be compiled into a compressed, standalone executable which will run without an interpreter. Aut2Exe is the application used to compile the AutoIT script into a standalone executable.
Most of the malware based on AutoIT is in the form of worms and Trojans. Many such worms are well-known for logging into a user's IM client, changing their status message and then sending copies of the malware to all of the "buddies" in the victim's list.
MessageLabs Intelligence recently discovered an AutoIT Trojan using IRC (online chat) to connect an infected machine to a command and control channel without the user's knowledge. The malware is sent in the form of an enticing message containing an archive of .GIF files with a subject like "My Photos" to around 50 recipients to lure them into opening the attachment.

One of the files, disguised as a .GIF image, is actually an executable using an icon for an image, and may give the illusion that the executable is a broken image (as seen in figure 2, below). If the user tries to open the file, it will (continue reading...)
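A mail gateway or triage script can catch this kind of disguise by comparing each archive member's extension with its leading bytes. The following is an added example, not code from the original post; it assumes the attachment is a ZIP archive, and the function names and sample file names are hypothetical.

```python
import io
import os
import zipfile

# Real GIFs start with GIF87a/GIF89a; Windows executables start with "MZ".
GIF_MAGIC = (b"GIF87a", b"GIF89a")
PE_MAGIC = b"MZ"
IMAGE_EXTS = (".gif", ".jpg", ".jpeg", ".png", ".bmp")
EXEC_EXTS = (".exe", ".scr", ".pif", ".com")

def classify_entry(name, head):
    """Return the reasons an archive member looks like a disguised executable."""
    stem, ext = os.path.splitext(name.lower())
    is_pe = head.startswith(PE_MAGIC)
    reasons = []
    if ext in IMAGE_EXTS and is_pe:
        reasons.append("image extension with PE (MZ) header")
    # rstrip() covers names padded with spaces before the real extension
    if ext in EXEC_EXTS and os.path.splitext(stem.rstrip())[1] in IMAGE_EXTS:
        reasons.append("image extension hidden before executable extension")
    if ext == ".gif" and not is_pe and not head.startswith(GIF_MAGIC):
        reasons.append(".gif extension without GIF signature")
    return reasons

def scan_archive(data):
    """Map each suspicious member name in a ZIP (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the signature bytes are needed
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample():
    """Constructed attachment: one genuine GIF header, two mislabeled PE stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("beach.gif", b"GIF89a" + b"\x00" * 16)
        zf.writestr("party.gif", b"MZ\x90\x00" + b"\x00" * 16)
        zf.writestr("hotel.gif.exe", b"MZ\x90\x00" + b"\x00" * 16)
    return buf.getvalue()

if __name__ == "__main__":
    for name, why in scan_archive(build_sample()).items():
        print(name, "->", "; ".join(why))
```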

Copyright © 2012 The Security Blog. All rights reserved.