BOTNETS

Ομάδα Εργασίας:Κωνσταντινίδης Κωνσταντίνος Α.Μ. Ε/08076Αναγνωστόπουλος Νικόλαος Α.Μ. Ε/08006Χατζής-Βώβας Βασίλειος Α.Μ. Ε/08179Γεωργακόπουλος Άγγελος Α.Μ. Ε/08023

1

Index

Botnets Overview…………………………3

Alternative Botnet C&C...............................11

Common Botnets…………………………..14

2

Botnets OverviewWhat Is a Botnet?What makes a botnet a botnet? In particular, how do you distinguish a botnetclient from just another hacker break-in? First, the clients in a botnet must beable to take actions on the client without the hacker having to log into theclient’s operating system (Windows, UNIX, or Mac OS). Second, manyclients must be able to act in a coordinated fashion to accomplish a commongoal with little or no intervention from the hacker. If a collection of computersmeet this criteria it is a botnet.

A botnet is the melding of many threats into one. Botnets with hundreds or a few thousands of botclients (calledzombies or drones) are considered small botnets. In this typical botnet, thebotherder communicates with botclients using an IRC channel on a remotecommand and control (C&C) server. In step 1, the new botclient joins a predesignatedIRC channel on an IRC server and listens for commands. In step2, the botherder sends a message to the IRC server for each client to retrieve.In step 3, the clients retrieve the commands via the IRC channel and performthe commands. In step 4, the botclients perform the commands—in thecase of Figure 1.2, to conduct a DDoS attack against a specified target. In step5, the botclient reports the results of executing the command.

3

The Botnet Life CycleBotnets follow a similar set of steps throughout their existence.The sets canbe characterized as a life cycle. Figure 2.1 illustrates the common life cycle ofa botnet client. Our understanding of the botnet life cycle can improve ourability to both detect and respond to botnet threat.

ExploitationThe life of a botnet client, or botclient, begins when it has been exploited.Aprospective botclient can be exploited via malicious code that a user is trickedinto running; attacks against unpatched vulnerabilities; backdoors left byTrojan worms or remote access Trojans; and password guessing and bruteforce access attempts. In this section we’ll discuss each of these methods ofexploiting botnets.

Malicious CodeExamples of this type of exploit include the following:■ Phishing e-mails, which lure or goad the user to a Web site thatinstalls malicious code in the background, sometimes while convincingyou to give them your bank userid and password, accountinformation, and such.This approach is very effective if you arelooking for a set of botnet clients that meet certain qualifications,such as customers of a common bank.■ Enticing Web sites with Trojan code (“Click here to see the DancingMonkeys!”).■ E-mail attachments that when opened, execute malicious code.. ■ Spam in instant messaging (SPIM). An instant message is sent to youby someone you know with a message like “You got to see this!” followedby a link to a Web site that downloads and executes malicious

4

code on your computer.

Backdoors Left by TrojanWorms or Remote Access TrojansSome botnets look for backdoors left by other bits of malicious code likeRemote Access Trojans. Remote Access Trojans include the ability to control another computer without the knowledge of the owner.They are easy to useso many less skilled users deploy them in their default configurations.Thismeans that anyone that knows the default password can take over theTrojan’ed PC.SDBot exploits the following backdoors:■ Optix backdoor (port 3140)■ Bagle backdoor (port 2745)■ Kuang backdoor (port 17300)■ Mydoom backdoor (port 3127)■ NetDevil backdoor (port 903)■ SubSeven backdoor (port 27347)

Password Guessing and Brute-Force Access AttemptsRBot and other bot families employ several varieties of password guessing.According to the Computer Associates Virus Information Center, RBotspreading is started manually through remote control. It does not have anautomatic built-in spreading capability. RBot starts by trying to connect toports 139 and 445. If successful, RBot attempts to make a connection to thewindows share (\\<target>\ipc$), where the target is the IP address or nameof the potential victim’s computer.If unsuccessful, the bot gives up and goes on to another computer. It mayattempt to gain access using the account it is using on the attacking computer.

5

Otherwise it attempts to enumerate a list of the user accounts on thecomputer. It will use this list of users to attempt to gain access. If it can’t enumeratea list of user accounts it will use a default list that it carries (see thesidebar).This information is valuable to the CISO trying to identify andremove botclients in their environment.The login attempts are recorded inthe workstation event logs.These will appear different from normal logins inthat the workstation name will not be the local machine’s name. In a laterchapter we will discuss how this information can be used to trace back tomany other members of the same botnet.

The passwords used with these attempts can vary.There is a default listprovided, but the botherder can replace it and the userID list with userIDsand passwords that have worked on other computers in the enterprise.Figure 2.1 The Botnet Life Cycle

6

7

Rallying and Securing the Botnet ClientAlthough the order in the life cycle may vary, at some point early in the life ofa new botnet client it must call home, a process called “rallying.” When rallying,the botnet client initiates contact with the botnet Command andControl (C&C) Server. Rallying is the term given for the first time a botnetclient logins in to a C&C server.The login may use some form of encryptionor authentication to limit the ability of others to eavesdrop on the communications.Some botnets are beginning to encrypt the communicated data.At this point the new botnet client may request updates.The updatescould be updated exploit software, an updated list of C&C server names, IPaddresses, and/or channel names.This will assure that the botnet client can bemanaged and can be recovered should the current C&C server be takenoffline.The next order of business is to secure the new client from removal.Theclient can request location of the latest anti-antivirus (Anti-A/V) tool fromthe C&C server.The newly controlled botclient would download this softwareand execute it to remove the A/V tool, hide from it, or render it ineffective.The following list contains a batch file, used by an Rbot client, to shutoff antivirus clients. An Rbot gains its access by password guessing or by abrute force attack against a workstation. Once Rbot has guessed or sniffed thepassword for a local administrator account, it can login to the computer as alegitimate local administrator. An instance of Rbot has been found that runs abat file that file executes net commands to turn off various A/V applications.Shutting off the A/V tool may raise suspicions if the user is observant.Some botclients will run a dll that neuters the A/V tool.With an Anti-A/V

8

dll in place the A/V tool may appear to be working normally except that itnever detects or reports the files related to the botnet client. It may alsochange the Hosts file and LMHosts file so that attempts to contact an A/Vvendor for updates will not succeed. Using this method, attempts to contactan A/V vendor can be redirected to a site containing malicious code or canyield a “website or server not found” error.

Waiting for Ordersand Retrieving the PayloadOnce secured, the botnet client will listen to the C&C communicationschannel. In this overview, we are describing botnets that are controlled usingIRC channels.

What Does a Botnet Do?A botnet is a collection of networked computers.They can do anything youcan imagine doing with a collection of networked computers.The next fewtopics describe some of the uses of botnets that have been documented todate.

Recruit OthersThe most basic thing each botclient does is to recruit other potential botclients.The botclient may scan for candidate systems.

The botclient may be equipped to sniff network traffic for passwords.Theclients use small, specialized password grabbers that collect only enough of thetraffic to grab the username and password data.

9

When the botherder discovers a botclient that uses encrypted traffic to aserver, he or she may include a tool, such as Cain and Abel, to perform manin-the-middle (MITM) attacks as part of the payload.

DDoSThe earliest malicious use of a botnet was to launch Distributed Denial ofService attacks against competitors, rivals, or people who annoyed the botherder.

Other DDoS attacks include:

■ UDP Flood.

■ Smurf attack.

The Botnet-Spam and Phishing ConnectionHow do spammers and phishers stay in business? As soon as you identify aspam source or phishing Web site you blacklist the IP address or contact theISP and he’s gone, right? Wrong.Today’s spammers and phishers operate or rent botnets. Instead of sending spam from one source, today’s spammers sendspam from multiple zombies in a botnet. Losing one zombie doesn’t affect theflow of spam to any great effect. For a botnet-supported phishing Web site,shutting down a phishing Web site only triggers a Dynamic DNS change tothe IP address associated with the DNS name. Some bot codebases, such asAgobot, include specific commands to facilitate use in support of spammingoperations.There are commands to harvest e-mails, download a list of e-mailsprior to spamming, start spamming, and stop spamming. Analyzing theheaders of similar spam payloads and phishing attacks may permit investigatorsto begin to discover members of common botnets. Monitoring activity

10

between these members and the bot server may yield enough information totake the botnet down. Cross-correlation of different kinds of attacks from thesame zombie may permit investigators to begin to “follow the money.”Using a botnet, the botherder can set up an automated spam network.

RansomwareAs a category this includes any of the ways that hackers may hold a person’scomputer or information hostage. Ransomware, for this book, includes usinga botnet to DDoS a computer or a company until a ransom is paid to makethe DOS stop.The hacker may use Paypal or Western Union to arrange fordifficult-to-trace money transactions. When a botnet handler realizes theyhave a computer that might be worth ransoming, they can encrypt importantfiles and demand a ransom for the key and/or software to decrypt them.

Data MiningThe final payload type we will cover is data mining.This can be added to anyof the other types of functionality pertaining to botnet clients. For this, thebotherder employs tools to gather information from each of the botnet clientsor their users.They will at a minimum enumerate the users of the computerand note which accounts have local administrator accounts.They may collectthe Security Accounts Manager (SAM) database or any password cachestorage to be broken. Breaking these passwords may take place on the clientor the information may be reformatted and sent to another computer to have

11

a password cracking program run against it.The botnet client can be searched for numbers that look like credit cardnumbers or Social Security Account Numbers (SSANs). Credit card andSSAN information can be sold on special Web sites established for that purpose.Some botnets establish keylogger programs that record every keystroketaken on the computer. Later, userIDs and passwords can be harvested fromthe logs. Recent malicious code has been very precisely targeted. Code hasbeen found that piggybacks a legitimate user as they login to an e-Goldaccount. Once in, they initiate an electronic funds transfer and siphon off theuser’s money.

Erase the Evidence, Abandon the ClientIf the botherder believes that the botclient has been discovered or if a portionof the botnet in the same domain has been found or the botclient is nolonger suitable (too slow, too old), the botherder may execute a prestagedcommand that erases the payload and hacker tools.We’ve observed caseswhere the security event logs and antivirus risk histories have been cleared orerased. A tool like clearlogs.exe automates the process. Sometimes when thebotherder abandons a client, our antivirus tool will pick up several componentswhen the hide capability is turned off. When this happens, the detectiondate reflects their exit date instead of the actual date of infection.

Spam and Phishing AttacksMost people can’t understand how anyone could make money sending out

12

spam. It is the global scope of the Internet that makes it possible. WhenJeremy Jaynes was arrested as one of the top ten spammers in the worldauthorities say he earned $750,000 a month selling fake goods, services, andpornography via spam. Evidence presented during the trial showed that hehad made $24 million through various e-mail schemes. For every 30,000 emailshe sent one person bought what he was selling, earning him $40. It isestimated that he sent over 10 million e-mails. He was arrested in December2003 and convicted in November 2004.

RansomwareIn an online article titled “Script Kiddies Killing The Margins In OnlineExtortion,” published in the online magazine TechDirt Corporate Intelligence(www.techdirt.com), the author (who goes by Mike) claims that the goingrate to decrypt online ransoms of files has been between $50 and$100.TheZippo ransomware Trojan demanded $300 be paid to an e-gold account forthe password to decrypt ransomed files.The codebreakers at Sophos determinedthe password was:C:\Program Files\Microsoft Visual Studio\VC98The Arhiveus ransomware Trojan encrypts all of the files in the MyDocuments folder with a 30-character password. Sophos has determined thispassword to be:mf2lro8sw03ufvnsq034jfowr18f3cszc20vmwWithout the password, victims were forced to make a purchase from one ofthree online drug stores.The Ransom A Trojan is a budget ransomware package. It encrypts theuser’s data, and then instructs the user to wire $10.99 to a Western UnionCIDN. Once the CIDN number is entered in the ransomware, the software

13

promises to remove itself and restore access to the data.

Alternative Botnet C&CIntroduction: Why Are There

Alternative C&Cs?IRC technology is robust and has been around for a long time, but thereare several key issues that make it last longer than most other technologieswhen used for botnet C&Cs:■ It’s interactive: While being a relatively simple protocol, IRC is interactiveand allows for easy full-duplex and responsive communicationbetween both sides (client and server).■ It’s easy to create: Building an IRC server is very easy, and there areenough established servers to use if necessary.■ It’s easy to create and control several botnets using one server: Usingfunctionality such as nicknames and chat channels, password protectingchannels, etc.■ It’s easy to create redundancy: By linking several servers, redundancyis achieved.IRC has proven itself many times over, but it also has an Achilles’ heel—itis centralized.

Historical C&CTechnology as a Road Map

14

In the beginning, bots and botnets indeed were legitimate tools usedmainly for functional purposes, such as maintaining an IRC channel openwhen no user is logged in or maintaining control of the IRC channel.The first botnets of the new age of Trojan horses (Trojan horses havebeen here for years, but became popular mass-infection devices in1996–1997). Controlling one compromised computer is easy. Controlling athousand becomes a logistical nightmare. When an infection would happen,the Trojan horse would phone home by connecting to an IRC server. Oncelogged on to the server, the Trojan horse (now bot, more commonly referred to back then as a drone) would seek to let its master know it was there.Thiswould most commonly be achieved by sending a private message to a loggedon user (the botnet controller) or by joining a chat channel.The bot wouldthen echo something such as:“Hi! I am here master! My IP is 127.0.0.1 and I am listening on port666!”The nickname or chat channel would be the control channel, while theannouncement message sent would be the echo.

Domain NamesBy using DNS, the bots were given a host address to connect to (such as aThird-Level Domain [3LD]

MultihomingMultihoming is a concept in network administration for when a DNS recordhas several IP addresses.

15

Alternative Control ChannelsAlternative control channels are exactly as named, an alternative communicationchannel by which to control a botnet.When the C&C server (or servers) is down, the botnet is effectively dead.There is no way for the botnet controller to issue instructions or even knowwhat bots are under his control. For that reason, if all else fails, the alternativecontrol channels are introduced.

Echo-Based BotnetsEcho-based means the bot would simply announce its existence to the C&C.There are several ways of doing this with different volumes of data relayed.■ Connect & forget■ File data■ URL data

Command-Based BotnetsWeb-based botnets that are command based are an addition to any other typeof botnet, which helps the botnet controller manage the army.

P2P BotnetsP2P (or peer-to-peer) has been discussed in botnet circles for a long time,both by the good guys and the bad guys.The first P2P botnet to be spotted was Sinit (aka Calyps.a or Calypso) in2003, by Joe Stewart at LURHQ (now SecureWorks). Later on, Agobot variantshad a P2P option and Phatbot made the leap to P2P for real.This technology presented botnet controllers with both pros and cons. Onthe plus side, the bots were decentralized and not reliant on one point offailure. On the negative side, programming could potentially be injected from

16

any peer in the botnet. Some solved this by introducing cryptographic keys,but one could still study the bot itself and potentially discover the entire networkof bots.Another type of P2P botnets are those that rely on a centralized locationfor “tracking,” much like P2P networks.

Instant Messaging (IM) C&CsIn the past couple of years, the spread of worms over IM has become commonplace.The worms can then report to any C&C, on IRC or elsewhere.However, the use of IM accounts as echo control channels is seen in the wild.In such a scenario, computers infected with a bot would communicate tothe said account over IM, whether using AIM,Yahoo!, ICQ, MSN, or anyother network. Much the same as on IRC, the same can be said for discussiongroups or chat channels, where the bot would send the echo there, or justjoin and await new instructions.Unlike IRC, IM networks are controlled, meaning, they operate underrules of the provider and are enforced on the central server.This fact makes iteasy on the IM services to detect C&Cs over IM, much like infections, andfilter them out, making their shelf-life rather short, making them not veryoverall effective in managing the botnet. IM services often watch for this, justnot as much as they could.

Drop Zones and FTP-Based C&CsLike many other protocols, FTP has also been experimented with as a controlchannel for botnets.Today, it isn’t commonly seen in the wild. However, thereis a type of bot that regularly reports back (echoes) to an FTP C&C, and thatis the phishing or banking Trojan horse.

17

These bots, such as Dumador or Haxdoor, are basically key loggers, onlyvery advanced ones.They listen in (sniff ) communication when the user onthe compromised computer surfs the Web. When the user enters an HTTPS(encrypted) Web site, they perform a man-in-the-middle attack on the computeritself.Maybe we should call this a man-on-the-inside attack, since theattack takes place inside the victim’s computer.Then the bot presents the userwith a fake Web site locally.This way, they break through the encryption andlog the user’s credentials (such as a username and password).The stolen credentials are then uploaded to an FTP server maintained bythe botnet controller. Botherders maintain elaborate statistics about the credentialsstolen and where they come from.

Common Botnets

SDBotThe SDBot family of bots has been around for almost five years and hasgrown to include hundreds of variants and offshoots. One of the elements that has added to the longevity of the SDBot family is that the original developeressentially made it into an open-source malware program.The originalSDBot author released the source code for the bot and included his contactinformation, providing a means of public collaboration and evolution to continuedeveloping and improving the code.

18

The other key to the success of SDBot is poor security on the compromisedsystems. SDBot relies on spreading itself primarily via network sharesusing blank or common passwords. Systems with solid security and morecomplex passwords will not be compromised by SDBot.With so many variants, a comprehensive description of each wouldrequire a book of its own.The following are the general details of howSDBot works and propagates and how you can recognize common signs thatcould indicate that your computer has been compromised by SDBot.

AliasesAntivirus and security vendors rarely agree on naming conventions, so thesame threat can have multiple names, depending on which vendor is supplyingthe information. Here are some aliases for SDBot from the topantivirus vendors:■ McAfee: IRC-SDBot■ Symantec: Backdoor.Sdbot■ Trend Micro: BKDR_SDBOT■ Sophos:Troj/Sdbot■ Kaspersky: Backdoor.IRC.Sdbot■ CA:Win32.SDBot

InfectionThe method of infection varies from one variant to the next, but SDBot traditionallytakes advantage of insecure network shares or uses known vulnerabilityexploits to compromise systems. Once SDBot is able to connect to avulnerable system, it will execute a script that will download and executeSDBot to infect the system. SDBot typically includes some sort of backdoor that allows an attacker togain complete access to compromised systems.The Remote Access Trojan

19

(RAT) component of SDBot connects to an IRC server and lies silentlywaiting for instructions from a botherder.Using the RAT, a botherder can collect information about the compromisedsystem, such as the operating system version, computer name, IPaddress, or the currently logged-in username.A botherder can also run IRCcommands directing the compromised computer to join an IRC channel,download and execute files, or connect to a specific server or Web site to initiatea distributed denial-of-service (DDoS) attack.

Unexpected TrafficAnother sign that might identify an SDBot infection is open ports or unexpectednetwork connections on your system. Some variants of SDBot willestablish an IRC connection via TCP port 6667, and others have beenknown to use port 7000. The SDBot program might attempt to communicate with a variety ofIRC channels using its own IRC client software. Some examples of IRCchannels used by known SDBot variants are:■ Zxcvbnmas.i989.net■ Bmu.h4x0rs.org■ Bmu.q8hell.org■ Bmu.FL0W1NG.NET

PropagationTo spread effectively, SDBot relies on weak security on target systems or theability to leverage the current user credentials to connect with other networkresources. SDBot assumes the same access rights and privileges as the user thatis currently logged into the system.SDBot will attempt to connect to and spread via default administrative

20

shares found on a typical Windows system, such as PRINT$, C$, D$, E$,ADMIN$, or IPC$. Some variants come bundled with a listing of commonusername and password combinations, such as abc123 or password for the password,which can be used to attempt to connect with network resources aswell.Variants of SDBot are also known to scan for Microsoft SQL Serverinstallations with weak administrator passwords or security configurations.

SDBotOne of the oldest bot families. It has existed for more than five years.Released by the author as open source, providing the source code forthe malware to the general public.Spreads primarily via network shares. It seeks out unprotected sharesor shares that use common usernames or weak passwords.Modifies the Windows registry to ensure that it is started each timeWindows starts.

RBotThe RBot family of bots is one of the most pervasive and complex out there.Originated in 2003, the core functionality of RBot continues to drive theprimary functionality of hundreds of RBot variants. By its very nature, however,RBot morphs and evolves over time. Filenames and techniques varyfrom one variant to the next and might even be randomized as a function ofthe malware, making accurate identification difficult.RBot was the first of the bot families to use compression or encryptionalgorithms. Most RBot variants rely on one or more runtime executablepackingutilities such as Morphine, UPX,ASPack, PESpin, EZIP, PEShield,PECompact, FSG, EXEStealth, PEX, MoleBox, or Petite.

21

Once infected with RBot, a compromised system can be controlled by abotherder and used for a variety of functions, including downloading or executingfiles from the Internet, retrieving CD keys for some computer games,creating a SOCKS proxy, participating in DDoS attacks, sending e-mail, loggingkeystrokes, or capturing video from a Webcam if the compromisedsystem has one connected.

AliasesAntivirus and security vendors rarely agree on naming conventions, so thesame threat can have multiple names, depending on the vendor supplying theinformation. Here are some aliases for RBot from the top antivirus vendors:■ McAfee: W32/SDbot.worm.gen.g■ Symantec: W32.Spybot.worm■ Trend Micro:Worm_RBot■ Kaspersky: Backdoor.RBot.gen■ CA:Win32/RBot

InfectionThe RBot family of worms uses a few different methods to seek out vulnerabletargets and find systems to infect. Like the SDBot family, RBot attemptsto exploit weak passwords and poor security on administrative shares tospread across the network. Systems with simple or blank passwords on networkshares are easy prey.In addition to spreading via weak security on network shares, RBot alsoleverages a variety of known software vulnerabilities in the Windows operatingsystem and common software applications. Some variants are alsocapable of exploiting backdoors or open ports created by other malwareinfections.

22

Unexpected TrafficOnce a system is infected, RBot will attempt to connect to the IRC server itis configured to join.The IRC server, channel, port number, and passworddiffer among variations, so it is not possible to list them here. Aside fromlooking for unknown or suspicious connections or open ports on yoursystem, you can also look for activity on TCP port 113 (ident). RBot uses thisport for ident services required by some IRC servers.

TIPRBot (and many of the other bot programs as well as other malware)often attempts to connect to network shares and other resourcesusing the credentials and access rights of the currently logged-in user.You should use a login with restricted or limited access for day-to-daytasks and only log in with full administrative privileges when it is necessary.This practice will limit malware’s ability to exploit the privilegesof the logged-in user to spread itself.

PropagationThe primary means of propagation for the RBot family is through Windowsnetwork shares. RBot scans on ports 139 and 445 looking for open connections.If a target is found, RBot then attempts to connect to the IPC$ administrativeshare on that system.

RBotOriginated in 2003.Uses one or more runtime executable packing utilities such asMorphine, UPX,ASPack, PESpin, EZIP, PEShield, PECompact, FSG,EXEStealth, PEX, MoleBox, or Petite to encrypt the bot code.Terminates the processes of many antivirus and security products toensure it remains undetected.

23

AgobotAgobot, also commonly referred to as Gaobot or Phatbot, depending on thevariant and the AV vendor naming it, introduced the idea of modular functionalityto the world of malicious bots. Rather than infecting a system withall the Agobot functionality at once, this threat occurs in three distinct stages.First, Agobot infects the computer with the bot client and opens a backdoorto allow the attacker to communicate with and control the machine.The second phase attempts to shut down processes associated with antivirusand security programs, and the final phase tries to block access from theinfected computer to a variety of antivirus and security-related Web sites.The modular approach makes sense from a design perspective because itallows the developer to update or modify one portion, or module, withouthaving to rewrite or recompile the entire bot code.

AliasesAntivirus and security vendors rarely agree on naming conventions, so thesame threat can have multiple names, depending on which vendor is supplyingthe information. Here are some aliases for Agobot from the topantivirus vendors:■ McAfee: W32/Gaobot.worm■ Symantec: W32.HLLW.Gaobot.gen■ Trend Micro:Worm_Agobot.Gen■ Kaspersky: Backdoor.Agobot.gen■ CA:Win32/Agobot Family■ Sophos: W32/Agobot-Fam

InfectionThe Agobot family of malware propagates via network shares, as is common

24

among the major bot families. However, Agobot also adds the ability to propagateusing peer-to-peer (P2P) networking systems such as Kazaa, Grokster,BearShare, and others.Agobot makes itself available on the P2P network usinga randomized filename that is designed to have mass appeal in an attempt tolure unsuspecting users into downloading and executing it on their computers.The offshoot variants dubbed Phatbot use WASTE, a P2P protocoldesigned by AOL.WASTE was designed to use encryption for more securefile transfers via P2P, but the sharing of public keys was too complicated andAOL eventually scrapped the project. Using WASTE creates some uniquemethods of propagation but also limits the scalability of the bot army becauseWASTE can only manage 50 to 100 client nodes at a time.It seeks to terminate a wide variety of antivirus and security programs oninfected systems and attempts to modify the Hosts file on the infected computer,to prevent the ability to communicate with Web sites associated withantivirus and security applications. Agobot singles out the Bagle worm, terminatingprocesses associated with that malware if they exist on the infectedsystem.

Theft of InformationAnother aspect of Agobot that sets it apart from some of the other major botfamilies is the theft of information. Specifically, Agobot will seek out and stealthe CD keys for a variety of popular games

Unexpected TrafficLike other bot families,Agobot variants also open a backdoor on the infectedsystem and establish communication with a designated IRC server.This allows a

25

botherder to issue commands to or take control of the compromised system. The backdoor provides functionality for the botherder to do just aboutanything, including executing files on the infected machine, downloadingadditional files from Web or FTP sites, redirecting TCP traffic to the system,using the compromised system as a part of a DDoS attack, and more.

PropagationLike other bot families, Agobot variants attempt to spread via open networkshares. Once a system is infected, Agobot will seek out usernames and passwordson the network using NetBEUI. It will then search for open sharessuch as the default administrative shares (c$, admin$, print$, etc.) and attemptto log in using the usernames and passwords it has found as well as a preconfigured list of common usernames and passwords.

AgobotCapable of spreading via peer-to-peer (P2P) networks.Modifies the Hosts file to block access to certain antivirus andsecurity firm Web sites.Steals the CD keys from a preconfigured group of popular games.Uses predefined groups of keywords to create filenames designed toentice P2P downloaders.

SpybotSpybot is an evolution of SDBot. Like SDBot, the Spybot code is open sourceand available for the public to modify and contribute to, to help develop furtherfunctionality for the product.The main differentiator for Spybot from SDBot is that Spybot adds a

26

number of spyware-like capabilities such as keystroke logging, e-mail addressharvesting,Web-surfing activities, and more.

AliasesAgain, antivirus and security vendors rarely agree on naming conventions, sothe same threat can have multiple names, depending on which vendor is supplyingthe information. Here are some aliases for Spybot from the topantivirus vendors:■ McAfee: W32/Spybot.worm.gen■ Symantec: W32.Spybot.Worm■ Trend Micro:Worm_Spybot.gen■ Kaspersky:Worm.P2P.SpyBot.Gen■ CA:Win32.Spybot.gen■ Sophos: W32/Spybot-Fam

InfectionSpybot spreads through a variety of methods, including the standard attemptto propagate by finding open network shares with weak or nonexistent security.Spybot also spreads via some P2P networks and seeks out systems compromisedby other worms or malware to leverage existing backdoors or openports to infect systems.Spybot contains the standard bot functionality of providing a backdoor fora botherder to command and control the infected machine, but it also addssome unique new features, such as the ability to broadcast Spam over InstantMessaging (SPIM). It also attempts to modify the registry to prevent variousfunctions such as blocking the user from installing Windows XP SP2 or disablingthe Windows XP Security Center.

27

Unexpected TrafficSpybot will connect to a designated IRC server, specified by the Spybotvariant, and join an IRC channel to receive commands from a botherder.Some variants will also start a local HTTP, FTP, or TFTP server. Scans of thecomputer that show unusual services or unknown ports open could be evidenceof these types of connections.

Keystroke Logging and Data CaptureAn added feature of Spybot is the ability to capture keystrokes and retrievepersonal information that can be used for further system compromise oridentity theft.Variants of Spybot will scan the infected computer for cachedpasswords and will log the keystrokes typed on the computer to try to getinformation such as usernames, passwords, credit card or bank account numbers,and more. The keystroke logging specifically targets windows with titlesthat include bank, login, e-bay, ebay, or paypal.

PropagationSpybot propagates through the same standard means as other bot families.Locating open or poorly secured network shares and leveraging them tospread and compromise other systems is a primary method of propagation.Spybot comes preconfigured with a list of commonly used usernames andpasswords for general purposes as well as passwords designated specifically forSQL Server account logins.In addition to network shares, Spybot also seeks out and targets systemsthat are vulnerable to specific vulnerabilities (see Table 4.9). Spybot will do

28

vulnerability scans of the computers it can communicate with and find systemsthat can be exploited using these known vulnerabilities.

SpybotCore functionality is based on the SDBot family.Incorporates aspects of spyware, including keystroke logging andpassword stealing.Spreads via insecure or poorly secured network shares and byexploiting known vulnerabilities common on Microsoft systems.

References1.http://en.wikipedia.org/wiki/Botnet2.ftp://www.tik.ee.ethz.ch/pub/students3.http://portal.acm.org/citation.cfm?id=12512884.http://www.virusbtn.com/5.http://www.eweek.com/ dt:oct16,20066.www.eweek.com/article2/0,1895,2029720,00.asp7.http://www.microsoft.com/windows/antivirus-partners/windows-xp.aspx8. E. Cooke, F. Jahanian, and D. McPherson, "The zombie roundup: Understanding, detecting, and disrupting botnets,"9. Peer to Peer botnets: overview and case study.10.http://tor.eff.org/download.html.en11.http://www.rkdetector.com/12.www.symantec.com/security_response/writeup.jsp?13.www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=3943714.www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FAGOBOT%2EGEN&VSect=T15. www.symantec.com/security_response/writeup.jsp?docid=2003-053013-5943-99&tabid=216.http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=132158&affid=108

29