■ Recent exploit scanning. According to John Canavan’s whitepaper titled “The Evolution of Malicious IRC Bots,” variants in 2005 included:
  ■ Microsoft Windows DCOM RPC Interface Buffer Overrun (MS03-026)
  ■ Microsoft Windows Local Security Authority Service Remote Buffer Overflow (MS04-011)
  ■ Microsoft Windows SSL Library Denial of Service (MS04-011)
  ■ Microsoft SQL Server User Authentication Remote Buffer Overflow (MS02-056)
  ■ UPnP NOTIFY Buffer Overflow (MS01-059)
  ■ Microsoft Windows Workstation Service Buffer Overrun (MS03-049)
  ■ DameWare Mini Remote Control Server Pre-Authentication Buffer Overflow (CAN-2003-0960)
  ■ VERITAS Backup Exec Agent Browser Remote Buffer Overflow (UNIRAS 20041217-00920)
  ■ Microsoft Webdav Buffer Overrun (MS03-007)
  ■ Beagle
  ■ MyDoom
  ■ Netdevil
  ■ OptixPro
  ■ SubSeven
  ■ Kuang2
For more information, go to www.symantec.com/avcenter/reference/the.evolution.of.malicious.irc.bots.pdf.
RBot
RBot first appeared in 2003. According to the June 2006 MSRT report from Microsoft (“MSRT: Progress Made, Trends Observed” by Matthew Braverman), the RBot family had the most detections, with 1.9 million PCs infected. It is a backdoor Trojan with IRC C&C. It introduced the idea of using one or more runtime software package encryption tools (for example, Morphine, UPX, ASPack, PESpin, EZIP, PEShield, PECompact, FSG, EXEStealth, PEX, MoleBox, and Petite). RBot scans for systems on ports 139 and 445 (systems with open Microsoft shares). It then attempts to guess weak passwords. It can use a default list or a list provided by the botherder. It can attempt to enumerate a list of users on the target system, try a default list of user IDs and passwords, or try a list of user IDs and password combinations it found on other systems.
www.syngress.com
14
Chapter 1 • Botnets: A Call to Action
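As an added illustration of the scanning behaviour just described (this is not code from the book or from RBot itself): a defender-side check that flags a host contacting many distinct peers on ports 139 and 445 within a short window, run over constructed sample firewall log lines in an assumed one-connection-per-line format.

```python
import re
from collections import defaultdict

# Constructed sample of firewall log lines (not from the page), one connection
# attempt per line: "<hh:mm:ss> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
10:00:01 192.168.1.20 -> 192.168.1.1:445 ALLOW
10:00:02 192.168.1.20 -> 192.168.1.2:445 ALLOW
10:00:02 192.168.1.20 -> 192.168.1.3:139 DENY
10:00:03 192.168.1.20 -> 192.168.1.4:445 DENY
10:00:03 192.168.1.20 -> 192.168.1.5:445 DENY
10:00:04 192.168.1.20 -> 192.168.1.6:139 DENY
10:00:05 192.168.1.20 -> 192.168.1.7:445 DENY
10:00:05 192.168.1.20 -> 192.168.1.8:445 DENY
10:00:06 192.168.1.20 -> 192.168.1.9:445 DENY
10:00:07 192.168.1.20 -> 192.168.1.10:445 DENY
10:00:01 192.168.1.30 -> 192.168.1.50:445 ALLOW
10:00:09 192.168.1.30 -> 192.168.1.50:445 ALLOW
10:00:12 192.168.1.40 -> 10.0.0.5:80 ALLOW
"""
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\s+([\d.]+)\s+->\s+([\d.]+):(\d+)\s+\w+$")
SMB_PORTS = {139, 445}  # NetBIOS session / SMB over TCP, the ports RBot probes

def parse(log_text):
    """Yield (seconds_since_midnight, src, dst, port) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        h, mi, s, src, dst, port = m.groups()
        yield int(h) * 3600 + int(mi) * 60 + int(s), src, dst, int(port)

def find_smb_scanners(log_text, window=60, min_targets=10):
    """Return {src: max distinct hosts} for sources that contacted at least
    `min_targets` distinct hosts on 139/445 inside any `window`-second span.
    A legitimate file-server client talks to few hosts; a scanner fans out."""
    by_src = defaultdict(list)
    for t, src, dst, port in parse(log_text):
        if port in SMB_PORTS:
            by_src[src].append((t, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window anchored at each event
            targets = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits
```

Tune `window` and `min_targets` to the network: a backup server or vulnerability scanner will legitimately fan out and should be allow-listed rather than lowering the threshold.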
Polybot
The Polybot appeared in March of 2004 and is derived from the AgoBot code base. It is named for its use of polymorphism, or its capability to appear in many different forms. Polybot morphs its code on every infection by encasing the compiled code in an “envelope” code. The envelope re-encrypts the whole file every time it is run.
Mytob
The Mytob bot was discovered in February 2005. The bot is characterized as being a hybrid since it used source code from MyDoom for the e-mail mass-mailing portion of code and bot IRC C&C functionality. Note that “tob” is “bot” backwards.
Mytob uses social engineering and spoofed e-mail addresses, carries its own SMTP client, and has C&C capabilities similar to Spybot.
Capabilities Coming to a Bot Near You
This section contains brief descriptions of a few new bot components:
■ GpCoder: A potential bot component that encrypts a user’s files then leaves a message to the user on how they can buy the decoder. Current versions can be decrypted by A/V vendor “fix” tools, but if later versions use stronger encryption the potential for damage could be big.
■ Serv-U: Installed on botclients, the Serv-U ftp server enables botherders to store stolen movies, software, games, and illegal material (for example, child pornography) on their botnets and serve the data