Botnets - The killer web applications

www.syngress.com
Chapter 4 • Common Botnets


Solutions Fast Track
Each of the bot families discussed in this chapter provides a fairly significant
amount of information. This section boils the information down to the most
pertinent or relevant points that you should keep in mind about each bot
family.

SDBot
- One of the oldest bot families. It has existed for more than five years.
- Released by the author as open source, providing the source code for the malware to the general public.
- Spreads primarily via network shares. It seeks out unprotected shares or shares that use common usernames or weak passwords.
- Modifies the Windows registry to ensure that it is started each time Windows starts.

RBot
- Originated in 2003.
- Uses one or more runtime executable packing utilities such as Morphine, UPX, ASPack, PESpin, EZIP, PEShield, PECompact, FSG, EXEStealth, PEX, MoleBox, or Petite to encrypt the bot code.
- Terminates the processes of many antivirus and security products to ensure it remains undetected.

Agobot
- Capable of spreading via peer-to-peer (P2P) networks.
- Modifies the Hosts file to block access to certain antivirus and security firm Web sites.
- Steals the CD keys from a preconfigured group of popular games.
- Uses predefined groups of keywords to create filenames designed to entice P2P downloaders.

Spybot
- Core functionality is based on the SDBot family.
- Incorporates aspects of spyware, including keystroke logging and password stealing.
- Spreads via insecure or poorly secured network shares and by exploiting known vulnerabilities common on Microsoft systems.

Mytob
- Mytob is actually a mass-mailing worm, not a bot, but it infects target systems with SDBot.
- A hybrid attack that provides a faster means of spreading and compromising systems to create bot armies.
- Harvests e-mail addresses from designated file types on the infected system.
- Eliminates addresses with certain domains to avoid alerting antivirus or security firms to its existence.
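
The Agobot point above about Hosts file tampering is something a responder can check for directly. The following is an added example, not code from the book: it parses hosts-file text and flags entries that pin watched security-vendor names to a local or static address. The watchlist domains and the sample file are constructed placeholders.

```python
import ipaddress

# Constructed watchlist: placeholder domains standing in for the antivirus and
# security-firm sites a defender wants reachable (not taken from the book).
WATCHLIST = {"av-vendor.example", "updates.security-firm.example"}

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a usable mapping
        for name in fields[1:]:
            yield line_no, addr, name.lower().rstrip(".")

def is_watched(name, watchlist=WATCHLIST):
    """True if name equals a watched domain or is a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watchlist)

def suspicious_entries(text, watchlist=WATCHLIST):
    """Return (line_no, hostname, address, reason) for watched names in the file."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if not is_watched(name, watchlist):
            continue
        local = addr.is_loopback or addr.is_unspecified
        reason = "sinkholed to local host" if local else "pinned to static address"
        findings.append((line_no, name, str(addr), reason))
    return findings

# Constructed sample hosts file for the demonstration.
SAMPLE = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.av-vendor.example download.av-vendor.example
0.0.0.0         updates.security-firm.example   # added by unknown process
10.0.0.5        intranet.corp.example
192.0.2.10      AV-Vendor.example.
"""

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE):
        print(finding)
```

Any watched name appearing in the file at all is worth a look, since these sites are normally resolved through DNS; the reason field separates outright blocking from redirection to another address.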