427 Botnet fm qxd

If it authenticates successfully with the target machine, RBot then
attempts to copy itself to the following locations and schedules a remote job
to execute the RBot software and infect the target machine:
■
\Admin$\system32
■
\c$\winnt\system32
■
\c$\windows\system32
■
\c
■
\d
Using Known Vulnerability Exploits
Another method RBot uses to propagate itself is to use exploits of known
vulnerabilities. RBot variants may attempt to exploit one or more of the vul-
nerabilities listed in Table 4.6. If a vulnerable target is found, RBot executes a
small program instructing the target machine to connect to a remote server to
download the complete RBot code.The connections back to the RBot
source may use alternate port assignments but are typically made via HTTP
(port 81) or TFTP (port 69).
Table 4.6 
Known Vulnerabilities Commonly Exploited by RBot Variants 
Microsoft Windows LSASS buffer overflow vulnerability (TCP port 445)
Microsoft Windows ntdll.dll buffer overflow vulnerability (Webdav vulner-
ability) (TCP port 80)
Microsoft Windows RPC malformed message buffer overflow vulnerability
(TCP ports 135, 445, 1025)
Microsoft Windows RPCSS malformed DCOM message buffer overflow vul-
nerabilities (TCP port 135)
Exploiting weak passwords on MS SQL servers, including Microsoft SQL
Server Desktop Engine blank sa password vulnerability (TCP port 1433)
Microsoft Universal Plug and Play (UPnP) NOTIFY directive buffer overflow
and DoS vulnerabilities (TCP port 5000)
DameWare Mini Remote Control buffer overflow (TCP port 6129)
Microsoft Windows Workstation service malformed message buffer over-
flow vulnerability (TCP port 445)

Download 6,98 Mb.

Do'stlaringiz bilan baham: