427 Botnet fm qxd



Date: 03.12.2022
Botnets - The killer web applications

www.syngress.com
Chapter 4 • Common Botnets


Table 4.6 continued: Known Vulnerabilities Commonly Exploited by RBot Variants

Microsoft Windows WINS replication packet memory overwrite vulnerability (TCP port 42)

RealSystem Server SETUP buffer overflow vulnerability

Microsoft SQL Server 2000 Resolution service buffer overflow vulnerability

Microsoft Windows Plug and Play service buffer overflow vulnerability

Source: CA (www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39437)

Exploiting Malware Backdoors
Some variants of RBot take the easy route and let other malware do the hard work. These variants are programmed to seek out the default backdoors opened by other malware such as the Bagle or Mydoom worms. Malware backdoors known to be targeted by some RBot variants include:

Bagle worm (TCP port 2745)

Mydoom worm (TCP port 3127)

OptixPro Trojan (TCP port 3410)

NetDevil Trojan (TCP port 903)

Kuang Trojan (TCP port 17300)

SubSeven Trojan (TCP port 27347)
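
The port list above is directly usable for detection. The following Python code is an added example, not taken from the book: it reads firewall-style connection records, reports sources that try several of the listed backdoor ports, and reports destinations where such a connection was allowed. The log format, the `analyze` function, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Backdoor ports from the list above, mapped to the malware that opens them.
BACKDOOR_PORTS = {
    2745: "Bagle worm", 3127: "Mydoom worm", 3410: "OptixPro Trojan",
    903: "NetDevil Trojan", 17300: "Kuang Trojan", 27347: "SubSeven Trojan",
}

# Assumed log format: "<time> <ALLOW|DENY> TCP <src> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^\S+ (ALLOW|DENY) TCP (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
2007-01-09T15:03:01 DENY TCP 10.0.5.23 -> 10.0.5.40:2745
2007-01-09T15:03:01 DENY TCP 10.0.5.23 -> 10.0.5.40:3127
2007-01-09T15:03:02 ALLOW TCP 10.0.5.23 -> 10.0.5.41:3127
2007-01-09T15:03:02 DENY TCP 10.0.5.23 -> 10.0.5.41:27347
2007-01-09T15:03:04 ALLOW TCP 10.0.5.77 -> 10.0.5.10:443
malformed line that the parser must skip
2007-01-09T15:03:09 DENY TCP 10.0.5.88 -> 10.0.5.40:903
"""

def analyze(log_text, min_distinct_ports=2):
    """Return (probers, exposed): sources that tried several listed ports,
    and (dst, port, malware) tuples where such a connection was allowed."""
    tried, exposed = defaultdict(set), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        action, src, dst, port = m[1], m[2], m[3], int(m[4])
        if port not in BACKDOOR_PORTS:
            continue
        tried[src].add(port)
        if action == "ALLOW":
            exposed.add((dst, port, BACKDOOR_PORTS[port]))
    probers = {s: sorted(p) for s, p in tried.items()
               if len(p) >= min_distinct_ports}
    return probers, sorted(exposed)

if __name__ == "__main__":
    probers, exposed = analyze(SAMPLE_LOG)
    print("sources probing several backdoor ports:", probers)
    print("destinations to check for a backdoor:", exposed)
```

A source that appears in the first result is a candidate for an infected internal host; a destination in the second result should be examined for the named malware.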

Agobot

Agobot, also commonly referred to as Gaobot or Phatbot, depending on the variant and the AV vendor naming it, introduced the idea of modular functionality to the world of malicious bots. Rather than infecting a system with all the Agobot functionality at once, this threat occurs in three distinct stages.

First, Agobot infects the computer with the bot client and opens a backdoor to allow the attacker to communicate with and control the machine. The second phase attempts to shut down processes associated with antivirus and security programs, and the final phase tries to block access from the infected computer to a variety of antivirus and security-related Web sites.
