

Common Botnets • Chapter 4



Botnets - The killer web applications



Propagation
The primary means of propagation for the RBot family is through Windows
network shares. RBot scans on ports 139 and 445 looking for open connections.
If a target is found, RBot then attempts to connect to the IPC$
administrative share on that system.
If RBot is successful at connecting with the target system, it will try to
obtain a list of the usernames on the target machine that it can use to gain
access. If RBot cannot get the list of usernames from the target system, some
variants will simply try a default list of usernames (like those listed in
Table 4.4), which are preconfigured into the malware.
Table 4.4 Usernames That Some RBot Variants Will Attempt to Use to Connect With Network Resources
administrator
student
administrador
teacher
administrateur
wwwadmin
administrat
guest
admins
default
admin
database
staff
dba
root
oracle
computer
db2
owner
Source: CA (www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39437)
For each username that RBot finds on the target system or the usernames it
is preconfigured with, RBot attempts to authenticate using a list of commonly
used weak passwords. The list of passwords varies from one version of RBot to
the next, but it commonly includes passwords like those found in Table 4.5.
Table 4.5 Weak Passwords Commonly Found in RBot Variants
*
007
chris
intranet
pwd
1
cisco
jen
qaz
12
compaq
joe
qwe
Continued
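
The share-guessing behaviour described above leaves a recognizable trail on the target: one source producing failed network logons against many different default account names in a short time. The following detection sketch is an added example, not code from the book. It assumes failed-logon records (Windows Security event 4625, logon type 3) have already been parsed into dictionaries; the field names, sample events, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Default usernames from Table 4.4.
TABLE_4_4 = set("""administrator student administrador teacher administrateur
    wwwadmin administrat guest admins default admin database staff dba root
    oracle computer db2 owner""".split())

def find_share_guessing(events, min_users=4, window=timedelta(minutes=5)):
    """Map each source IP to the Table 4.4 names it failed to log on as, if
    at least min_users distinct names were tried over the network within
    window. Both thresholds are assumptions to tune per site."""
    per_source = defaultdict(list)
    for ev in events:
        # Keep only failed logons (4625) of type 3 (network, e.g. SMB shares).
        if ev["event_id"] != 4625 or ev["logon_type"] != 3:
            continue
        user = ev["target_user"].lower()
        if user in TABLE_4_4:
            when = datetime.fromisoformat(ev["time"])
            per_source[ev["source_ip"]].append((when, user))
    flagged = {}
    for ip, hits in per_source.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            users = {u for _, u in hits[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users | set(flagged.get(ip, [])))
    return flagged

def make_event(time, ip, user, event_id=4625, logon_type=3):
    return {"time": time, "source_ip": ip, "target_user": user,
            "event_id": event_id, "logon_type": logon_type}

# Constructed sample records (not real log data).
SAMPLE_EVENTS = (
    # Five default names in four seconds from one host: flagged.
    [make_event(f"2024-01-01T15:03:0{i}", "10.0.0.23", u) for i, u in
     enumerate(["Administrator", "admin", "guest", "root", "oracle"], 1)]
    # One person mistyping one account: a single name, not flagged.
    + [make_event(f"2024-01-01T15:10:{s}", "10.0.0.57", "staff") for s in ("00", "20")]
    # Four names spread over hours: never inside one window, not flagged.
    + [make_event(f"2024-01-01T{h}:00:00", "10.0.0.80", u) for h, u in
       [("08", "admin"), ("10", "guest"), ("12", "root"), ("14", "dba")]]
    # Interactive failure (logon type 2): ignored.
    + [make_event("2024-01-01T15:03:01", "10.0.0.23", "teacher", logon_type=2)]
)

if __name__ == "__main__":
    print(find_share_guessing(SAMPLE_EVENTS))
```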