427 Botnet fm qxd

■
Bmu.FL0W1NG.NET
Propagation
To spread effectively, SDBot relies on weak security on target systems or the
ability to leverage the current user credentials to connect with other network
resources. SDBot assumes the same access rights and privileges as the user that
is currently logged into the system.
SDBot will attempt to connect to and spread via default administrative
shares found on a typical Windows system, such as PRINT$, C$, D$, E$,
ADMIN$, or IPC$. Some variants come bundled with a listing of common
username and password combinations, such as abc123 or 
password
for the pass-
word, which can be used to attempt to connect with network resources as
well.
Variants of SDBot are also known to scan for Microsoft SQL Server
installations with weak administrator passwords or security configurations.
RBot
The RBot family of bots is one of the most pervasive and complex out there.
Originated in 2003, the core functionality of RBot continues to drive the
primary functionality of hundreds of RBot variants. By its very nature, how-
ever, RBot morphs and evolves over time. Filenames and techniques vary
from one variant to the next and might even be randomized as a function of
the malware, making accurate identification difficult.
RBot was the first of the bot families to use compression or encryption
algorithms. Most RBot variants rely on one or more runtime executable-
packing utilities such as Morphine, UPX, ASPack, PESpin, EZIP, PEShield,
PECompact, FSG, EXEStealth, PEX, MoleBox, or Petite.
Once infected with RBot, a compromised system can be controlled by a
botherder and used for a variety of functions, including downloading or exe-
cuting files from the Internet, retrieving CD keys for some computer games,
creating a SOCKS proxy, participating in DDoS attacks, sending e-mail, log-
ging keystrokes, or capturing video from a Webcam if the compromised
system has one connected.

Download 6,98 Mb.

Do'stlaringiz bilan baham: