Botnets - The killer web applications

www.syngress.com
Botnets Overview • Chapter 2
37
427_Botnet_02.qxd 1/9/07 9:49 AM Page 37


net stop "network associate mcshields"
net stop "surveyor"
Shutting off the A/V tool may raise suspicions if the user is observant. Some botclients will run a dll that neuters the A/V tool. With an Anti-A/V dll in place the A/V tool may appear to be working normally except that it never detects or reports the files related to the botnet client. It may also change the Hosts file and LMHosts file so that attempts to contact an A/V vendor for updates will not succeed. Using this method, attempts to contact an A/V vendor can be redirected to a site containing malicious code or can yield a “website or server not found” error.
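The Hosts-file tampering just described leaves a static artifact a defender can audit. The following Python is an added example, not code from the book: it parses a Windows hosts file and flags any entry that pins an A/V update host to loopback or 0.0.0.0 (update check blackholed) or to any other address (update check redirected). The vendor hostnames and the sample hosts-file text are constructed placeholders; a deployment would substitute the update hosts of its own A/V product.

```python
import ipaddress

# Constructed placeholder list; a defender would populate this with the
# update/download hostnames of the A/V product actually deployed.
AV_UPDATE_HOSTS = {
    "liveupdate.example-av.com",
    "update.example-av.com",
    "download.example-av.com",
}

def parse_hosts(text):
    """Yield (ip, hostname, line_number) for each mapping in a hosts file.
    Comments (#...) and blank lines are skipped; a line may list several names."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address field; not a usable mapping
        for name in parts[1:]:
            yield str(ip), name.lower(), lineno

def find_av_redirects(text, watched=AV_UPDATE_HOSTS):
    """Return hosts-file entries that override resolution of A/V update hosts.
    Any static mapping for these names is suspicious: loopback or 0.0.0.0
    blackholes the update check, any other address redirects it elsewhere."""
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if name in watched or any(name.endswith("." + w) for w in watched):
            addr = ipaddress.ip_address(ip)
            kind = "blackholed" if addr.is_loopback or addr.is_unspecified else "redirected"
            findings.append({"line": lineno, "host": name, "ip": ip, "kind": kind})
    return findings

# Constructed sample hosts file: two tampered lines among normal entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       liveupdate.example-av.com   # added by bot client
203.0.113.45    update.example-av.com download.example-av.com
192.168.1.10    fileserver.corp.local
"""
```

Running `find_av_redirects(SAMPLE_HOSTS)` reports the loopback entry as blackholed and the two names on the 203.0.113.45 line as redirected; the legitimate localhost and file-server lines are ignored.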
Increasingly, botnet clients have also employed a rootkit or individual tools to try to hide from the OS and other applications that an IT professional might use to detect them. Consequently, some botnet clients scan for rootkits using the Rootkit Revealer from www.sysinternals.com or rkdetector from http://www.rkdetector.com, to check to see if the computer already has a rootkit. One tool, hidden32.exe, is used to hide applications that have a GUI interface from the user. Its use is simple; the botherder creates a batch file that executes hidden32 with the name of the executable to be hidden as its parameter. Another stealthy tool, HideUserv2, adds an invisible user to the administrator group.
Another common task for this phase is that of mundane organization and management. After securing the computer against antivirus tools, previous hackers, and detection by the user, the botherder might check to see what else might be here. In the case of our Rbot infection, the botherder used a batch file called find.bat, which tells the botherder if another hacker had been there before or where he or she put his or her tools on this client. It may also tell the botherder about things on the computer that could be useful. For some payloads it is useful to categorize a client according to hard drive space, processor speed, network speed to certain destinations, and so forth. For this task, our example botnet used a batch file to launch a series of utilities and concatenate the information into a text file (see the sidebar titled “A Batch File Used to Discover the Nature of a New Botnet Client”).
