Botnets - The killer web applications

www.syngress.com
Using Sandbox Tools for Botnets • Chapter 10
363
427_Botnet_10.qxd 1/9/07 3:06 PM Page 363


Here we can see the probable reason for the second command-line parameter of arman.exe: It is used to inform the application where the original malware file can be found for deleting it. We do not know the regular distribution mechanism of this bot. Since it was collected by a honeypot, we can assume that it is usually copied to a remote host after this host has been exploited. Depending on the exploit used, the malware file would be copied to a temporary or application-dependent directory. The existence of an .exe file in such a folder would raise suspicion, or it would be deleted automatically due to some system cleanup routine. Therefore, in nearly all cases we have seen, malware first copies itself to the Windows folder and then deletes the initial source file.
Many applications use named mutexes to ensure that only one instance of them is running. The funny thing about this is that very often you can learn more about the malware from the name of its mutex. Sometimes you can determine the malware name in the form the author intended. Also, very often you can recognize the malware family by it, since the mutex does not change from version to version or simply uses the same value plus a newer version number. The mutex of our sample probably reveals its intended name:



The malware opens the registry section HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, whose entries are loaded automatically on system startup. It checks whether an entry for the arman.exe file already exists. Because this is not the case, a new entry is created. After that, the malware checks whether the entry could be created successfully. This modifies the system startup sequence such that arman.exe will be started automatically each time the machine boots up:

subkey_or_value="SOFTWARE\Microsoft\Windows\CurrentVersion\Run"/>
key="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
subkey_or_value="Arman"/>
key="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
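The three behaviours discussed above (copying itself into the Windows folder and deleting the source, creating a named mutex, and writing an autostart value under the Run key) are exactly what an analyst wants pulled out of a sandbox report automatically. The following Python script is an added example written for this edition, not code from the book or from CWSandbox. It triages a constructed, CWSandbox-style XML report: the attribute names key= and subkey_or_value= follow the fragment quoted above, but the element names (copy_file, delete_file, create_mutex, query_value, set_value), the section layout, the mutex name, the temp path, the command line and the registry data are assumptions made up for the example and are not the real sample's values. It also generalizes the mutex observation by stripping a trailing version suffix to derive a family tag.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample report (NOT real CWSandbox output). Attribute names
# key= / subkey_or_value= mirror the fragment in the text; everything else
# here (element names, sections, mutex name, paths, command line) is assumed.
SAMPLE_REPORT = r"""<analysis>
  <process filename="C:\WINDOWS\arman.exe"
           commandline="C:\WINDOWS\arman.exe 1 C:\DOCUME~1\user\LOCALS~1\Temp\dropped.exe">
    <filesystem_section>
      <copy_file srcfile="C:\DOCUME~1\user\LOCALS~1\Temp\dropped.exe"
                 dstfile="C:\WINDOWS\arman.exe"/>
      <delete_file srcfile="C:\DOCUME~1\user\LOCALS~1\Temp\dropped.exe"/>
    </filesystem_section>
    <mutex_section>
      <create_mutex name="ArmanBot_v2"/>
    </mutex_section>
    <registry_section>
      <query_value key="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
                   subkey_or_value="Arman"/>
      <set_value key="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
                 subkey_or_value="Arman" data="C:\WINDOWS\arman.exe"/>
    </registry_section>
  </process>
</analysis>"""

# Autostart keys worth flagging; stored normalized (lower case, short hive names).
AUTOSTART_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runonce",
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\runonce",
}

# Directories where a self-copy followed by source deletion is suspicious.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\winnt\\")


def normalize_key(key):
    """Lower-case the path and collapse long hive names so comparisons are stable."""
    key = key.strip().lower()
    return key.replace("hkey_local_machine", "hklm").replace("hkey_current_user", "hkcu")


def autostart_entries(root):
    """Values written under a known autostart key as (key, value name, data)."""
    hits = []
    for sv in root.iter("set_value"):
        key = sv.get("key", "")
        if normalize_key(key) in AUTOSTART_KEYS:
            hits.append((key, sv.get("subkey_or_value"), sv.get("data")))
    return hits


def mutex_names(root):
    """Names of all mutexes the sample created."""
    return [m.get("name") for m in root.iter("create_mutex") if m.get("name")]


def family_hint(mutex_name):
    """Strip a trailing version suffix ('_v2', '1.3', ...) to get a family tag."""
    return re.sub(r"[\s_\-]*v?\d+(\.\d+)*$", "", mutex_name, flags=re.IGNORECASE)


def self_relocation(root):
    """copy_file into a system directory followed by delete_file of the source."""
    copies = {}
    for c in root.iter("copy_file"):
        src, dst = c.get("srcfile", ""), c.get("dstfile", "")
        if src and dst:
            copies[src.lower()] = (src, dst)
    deleted = {d.get("srcfile", "").lower() for d in root.iter("delete_file")}
    return [(src, dst) for low, (src, dst) in copies.items()
            if low in deleted and dst.lower().startswith(SYSTEM_DIRS)]


def triage(report_xml):
    """Summarize the persistence-related behaviours found in one report."""
    root = ET.fromstring(report_xml)
    mutexes = mutex_names(root)
    findings = {
        "mutexes": mutexes,
        "family_hints": sorted({family_hint(m) for m in mutexes}),
        "autostart": autostart_entries(root),
        "relocation": self_relocation(root),
    }
    # One point per behaviour class observed; 3 means all three were seen.
    findings["score"] = sum(1 for k in ("mutexes", "autostart", "relocation") if findings[k])
    return findings


if __name__ == "__main__":
    for name, value in triage(SAMPLE_REPORT).items():
        print(f"{name}: {value}")
```

The key comparison is normalized because sandbox reports and tools spell hives both as HKLM and HKEY_LOCAL_MACHINE; the relocation check only pairs a copy with a deletion of the same source path, which is the sequence described above and avoids flagging ordinary installers that copy files without removing their source.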
