427 Botnet fm qxd



Botnets - The killer web applications

www.syngress.com
Common Botnets • Chapter 4


SDBot typically includes some sort of backdoor that allows an attacker to
gain complete access to compromised systems. The Remote Access Trojan
(RAT) component of SDBot connects to an IRC server and lies silently
waiting for instructions from a botherder.
Using the RAT, a botherder can collect information about the compromised
system, such as the operating system version, computer name, IP
address, or the currently logged-in username. A botherder can also run IRC
commands directing the compromised computer to join an IRC channel,
download and execute files, or connect to a specific server or Web site to
initiate a distributed denial-of-service (DDoS) attack.
Signs of Compromise
If you believe that your computer might be infected with SDBot, there are a
few clues you can look for to verify your suspicions.
System Folder
Upon execution, SDBot will place a copy of itself in the System folder.
Typically, this folder is C:\Windows\System32, but SDBot uses the
%System% variable to find out where it is and then places a copy of itself in
that folder. The filename used can vary, but Table 4.1 contains a list of known
filenames.
Table 4.1 Known Filenames Used by Backdoor*

Aim95.exe       service.exe
CMagesta.exe    sock32.exe
Cmd32.exe       spooler.exe
Cnfgldr.exe     Svchosts.exe
cthelp.exe      svhost.exe
Explorer.exe    Sys32.exe
FB_PNU.EXE      Sys3f2.exe
IEXPL0RE.EXE    Syscfg32.exe
iexplore.exe    Sysmon16.exe
ipcl32.exe      syswin32.exe
Continued
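
A defender-side check for the System folder indicator described above, as an added example (not code from the book): it lists files in the System folder whose names match the part of Table 4.1 shown on this page, compared case-insensitively, and records size, modification time and SHA-256 for follow-up. The function names and the SystemRoot fallback are assumptions of this example; a name match is only a lead, since the text notes that the filename can vary.

```python
import hashlib
import os
from pathlib import Path

# Filenames from the part of Table 4.1 shown on this page (the table continues).
KNOWN_NAMES = {n.lower() for n in (
    "Aim95.exe", "service.exe", "CMagesta.exe", "sock32.exe", "Cmd32.exe",
    "spooler.exe", "Cnfgldr.exe", "Svchosts.exe", "cthelp.exe", "svhost.exe",
    "Explorer.exe", "Sys32.exe", "FB_PNU.EXE", "Sys3f2.exe", "IEXPL0RE.EXE",
    "Syscfg32.exe", "iexplore.exe", "Sysmon16.exe", "ipcl32.exe", "syswin32.exe",
)}


def system_folder():
    """Locate the System folder from the environment instead of hard-coding it."""
    # Assumption of this example: fall back to the typical path if SystemRoot is unset.
    return Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_candidates(folder):
    """Return one record per regular file in `folder` whose name is in the table.

    Windows filenames are case-insensitive, so names are compared lowercased.
    Only the top level is checked: the text says the copy is placed in the
    System folder itself. A missing folder yields an empty list.
    """
    folder = Path(folder)
    if not folder.is_dir():
        return []
    hits = []
    for entry in sorted(folder.iterdir(), key=lambda p: p.name.lower()):
        if entry.is_file() and entry.name.lower() in KNOWN_NAMES:
            info = entry.stat()
            hits.append({"name": entry.name, "size": info.st_size,
                         "mtime": info.st_mtime, "sha256": sha256_of(entry)})
    return hits


if __name__ == "__main__":
    for hit in find_candidates(system_folder()):
        print(f'{hit["sha256"]}  {hit["size"]:>10}  {hit["name"]}')
```

Compare each reported hash and timestamp against a known-good baseline for the host before treating a match as an infection.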