Botnets - The killer web applications

www.syngress.com
Chapter 4 • Common Botnets


use this technique in an attempt to prevent security researchers or antivirus
firms from being able to analyze the malware and determine how it works.
Msdirectx.sys is designed to provide rootkit functionality for the software
and allow an attacker to gain complete access and control of the target system
without being detected.
Unexpected Traffic
Another sign that might identify an SDBot infection is open ports or
unexpected network connections on your system. Some variants of SDBot will
establish an IRC connection via TCP port 6667, and others have been
known to use port 7000.
Are You Owned?
Check for Open Ports on Your System
Windows comes with a built-in command-line utility that you can use
to see what ports are active on your system. Click Start | Run and type
cmd, then press Enter. At the command prompt, type netstat -a and
press Enter to get a complete listing of the open ports on
your system and the current state of communication.
For more information about the features of netstat, you can also
type netstat /? to find out what other switches are available and the
functions they perform.
If you are really paranoid that your system could be compromised,
even the netstat utility could be called into question. Perhaps the
malware has replaced it with a modified or malicious version. If you are
concerned that this might be the case, you can use nmap from a remote
system and scan the suspected computer for open ports instead.
The SDBot program might attempt to communicate with a variety of
IRC channels using its own IRC client software. Some examples of IRC
channels used by known SDBot variants are:

Zxcvbnmas.i989.net

Bmu.h4x0rs.org

Bmu.q8hell.org
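
The netstat check described above can be scripted. The following is an added example, not part of the original book: it parses saved netstat output and reports TCP rows whose local or remote port is 6667 or 7000. It assumes the numeric form of the listing (netstat -an); the sample text, its addresses, and the function names are constructed for illustration.

```python
import re

# Ports the text associates with SDBot IRC connections.
IRC_PORTS = {6667, 7000}

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7000           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1042        198.51.100.7:6667      ESTABLISHED
  TCP    192.0.2.10:1043        203.0.113.5:80         ESTABLISHED
  TCP    192.0.2.10:1044        198.51.100.9:7000      SYN_SENT
  TCP    [::1]:6667             [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""

# TCP row: local endpoint, foreign endpoint, state, optional PID column (-o).
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\d+)?\s*$")

def port_of(endpoint):
    """Return the numeric port of 'addr:port' or '[v6]:port', else None."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None

def suspicious_rows(netstat_text, ports=IRC_PORTS):
    """Return (side, local, remote, state) for TCP rows using a watched port."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header lines, UDP rows, blank lines
        local, remote, state = m.groups()
        if port_of(remote) in ports:
            hits.append(("remote", local, remote, state))  # connection out to the port
        elif port_of(local) in ports:
            hits.append(("local", local, remote, state))   # listener or inbound session
    return hits

if __name__ == "__main__":
    for side, local, remote, state in suspicious_rows(SAMPLE):
        print(f"{side:7} {local:22} -> {remote:22} {state}")
```

A hit is only a reason to look closer, since legitimate IRC clients use the same ports, and the result is no more trustworthy than the netstat binary that produced the listing.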
