HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger
Spybot may modify the following registry key to prevent Windows XP SP2 from being installed:
■ Value: “DoNotAllowXPSP2” = “1”
■ Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
Spybot may modify the following registry key to disable the Microsoft Security Center:
■ Values:
“UpdatesDisableNotify” = “1”
“AntiVirusDisableNotify” = “1”
“FirewallDisableNotify” = “1”
“AntiVirusOverride” = “1”
“FirewallOverride” = “1”
■ Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
Spybot may modify the following registry key(s) to disable the Windows Firewall:
■ Value: “EnableFirewall” = “0”
■ Registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
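The registry modifications listed above are a compact set of host indicators. The following is an added example (not code from the book) that checks a registry snapshot for exactly those value settings; the snapshot format (a dict of key path to {value name: data}) and the constructed sample are my own assumptions, and on Windows the same indicators are read live with the standard winreg module.

```python
"""Check a Windows registry snapshot for the Spybot modifications listed above."""
# Added example, not from the book. The indicator list comes from the page; the
# snapshot layout (key path -> {value name: data}) is an assumption of this script.

HKLM = "HKEY_LOCAL_MACHINE"

# (registry key, value name, data that indicates tampering) as listed on the page
SPYBOT_INDICATORS = [
    (HKLM + r"\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DoNotAllowXPSP2", "1"),
    *[(HKLM + r"\SOFTWARE\Microsoft\Security Center", name, "1") for name in (
        "UpdatesDisableNotify", "AntiVirusDisableNotify", "FirewallDisableNotify",
        "AntiVirusOverride", "FirewallOverride")],
    (HKLM + r"\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile", "EnableFirewall", "0"),
    (HKLM + r"\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile", "EnableFirewall", "0"),
]

def find_spybot_indicators(snapshot):
    """Return (key, value name, data) triples from snapshot that match an indicator.
    Registry paths and value names are case-insensitive, and the data may arrive as
    a REG_SZ string or a REG_DWORD int, so both sides are normalised before comparing."""
    normalised = {k.lower(): {vn.lower(): d for vn, d in vals.items()}
                  for k, vals in snapshot.items()}
    hits = []
    for key, name, bad in SPYBOT_INDICATORS:
        data = normalised.get(key.lower(), {}).get(name.lower())
        if data is not None and str(data) == bad:
            hits.append((key, name, data))
    return hits

def read_live_snapshot():
    """On Windows, read the indicator values with winreg; elsewhere return {}."""
    try:
        import winreg
    except ImportError:
        return {}
    snapshot = {}
    for key, name, _ in SPYBOT_INDICATORS:
        subkey = key.split("\\", 1)[1]          # strip the HKEY_LOCAL_MACHINE prefix
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as handle:
                data, _type = winreg.QueryValueEx(handle, name)
        except OSError:                          # key or value absent: not an indicator
            continue
        snapshot.setdefault(key, {})[name] = data
    return snapshot

# Constructed sample: one Security Center notification silenced, firewall policy off.
SAMPLE_SNAPSHOT = {
    HKLM + r"\SOFTWARE\Microsoft\Security Center": {"AntiVirusDisableNotify": 1, "FirewallOverride": 0},
    HKLM + r"\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile": {"EnableFirewall": 0},
}

if __name__ == "__main__":
    for hit in find_spybot_indicators(read_live_snapshot() or SAMPLE_SNAPSHOT):
        print("suspicious:", *hit)
```

A hit only says the value is set the way Spybot sets it; a legitimately applied policy can produce the same setting, so correlate with the other indicators in this section before concluding an infection.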
www.syngress.com
Common Botnets • Chapter 4
Unexpected Traffic
Spybot will connect to a designated IRC server, specified by the Spybot variant, and join an IRC channel to receive commands from a botherder. Some variants will also start a local HTTP, FTP, or TFTP server. Scans of the computer that show unusual services or unknown ports open could be evidence of these types of connections.
Keystroke Logging and Data Capture
An added feature of Spybot is the ability to capture keystrokes and retrieve personal information that can be used for further system compromise or identity theft. Variants of Spybot will scan the infected computer for cached passwords and will log the keystrokes typed on the computer to try to get information such as usernames, passwords, credit card or bank account numbers, and more. The keystroke logging specifically targets windows with titles that include bank, login, e-bay, ebay, or paypal.
Propagation
Spybot propagates through the same standard means as other bot families. Locating open or poorly secured network shares and leveraging them to spread and compromise other systems is a primary method of propagation. Spybot comes preconfigured with a list of commonly used usernames and passwords for general purposes, as well as passwords designated specifically for SQL Server account logins.
In addition to network shares, Spybot also seeks out and targets systems that are exposed to specific known vulnerabilities (see Table 4.9). Spybot will run vulnerability scans of the computers it can communicate with and find systems that can be exploited using these known vulnerabilities.