427 Botnet fm qxd



Botnets - The killer web applications

www.syngress.com
Botnets: A Call to Action • Chapter 1


The SDBot exploits two server application vulnerabilities: WebDav (port 80) and MSSQL (port 1433). It exploits two third-party application vulnerabilities: DameWare remote management software (port 6129) and Imail IMAPD Login username vulnerability (port 143). It also exploits the following Cisco router vulnerability: CISCO IOS HTTP authorization (port 80) vulnerability.
The following backdoors are exploited by SDBot:

• Optix backdoor (port 3140)
• Bagle backdoor (port 2745)
• Kuang backdoor (port 17300)
• Mydoom backdoor (port 3127)
• NetDevil backdoor (port 903)
• SubSeven backdoor (port 27347)

If an exploit is successful, the worm creates and runs a script that downloads SDBot onto the new victim and executes it. Once executed, the new victim is infected. Note that many of these attacks are still used today, especially brute force and password guessing attacks targeted at ports 139, 445, and 1433.
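
For defenders, the port list above doubles as a detection signature. The following is an added example, not code from the book: it scans firewall records for internal sources that reach several hosts on several of the ports named in the text. The log layout, the thresholds, and the sample records are constructed assumptions.

```python
from collections import defaultdict

# Ports named in the text. Port 80 (WebDav, Cisco IOS HTTP) is left out
# because ordinary web traffic would swamp the signal.
BACKDOOR_PORTS = {3140: "Optix", 2745: "Bagle", 17300: "Kuang",
                  3127: "Mydoom", 903: "NetDevil", 27347: "SubSeven"}
SERVICE_PORTS = {1433: "MSSQL", 6129: "DameWare", 143: "IMAP",
                 139: "NetBIOS", 445: "SMB"}
WATCHED = {**BACKDOOR_PORTS, **SERVICE_PORTS}

# Constructed sample data; the "time src dst dport action" layout is an assumption.
SAMPLE_LOG = """\
10:00:01 10.0.0.23 10.0.1.5 3127 DENY
10:00:01 10.0.0.23 10.0.1.6 3127 DENY
10:00:02 10.0.0.23 10.0.1.7 2745 DENY
10:00:02 10.0.0.23 10.0.1.8 1433 ALLOW
10:00:03 10.0.0.23 10.0.1.9 445 DENY
10:00:04 10.0.0.40 10.0.1.8 1433 ALLOW
10:00:05 10.0.0.40 10.0.1.8 1433 ALLOW
10:00:06 10.0.0.51 10.0.2.2 443 ALLOW
garbage line
"""

def parse(line):
    """Return (src, dst, dport), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    return parts[1], parts[2], int(parts[3])

def find_scanners(log_text, min_hosts=3, min_ports=2):
    """Flag sources that reach many hosts on several watched ports."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[2] not in WATCHED:
            continue
        src, dst, dport = rec
        hosts[src].add(dst)
        ports[src].add(dport)
    # A single client talking to one database server stays below both thresholds.
    return {src: sorted(WATCHED[p] for p in ports[src])
            for src in hosts
            if len(hosts[src]) >= min_hosts and len(ports[src]) >= min_ports}

if __name__ == "__main__":
    for src, names in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: possible worm propagation, ports {names}")
```
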
Today, variants are spread by many other means including spam attacks in Instant Messaging (SPIM), CDs, infected attachments to e-mails, and hidden downloads on phishing sites. In 2002, the motivation for SDBot was to build a capability to launch DoS attacks. In November 2006, Panda labs reported that SDBot.ftp.worm, a component of SDBot, was the most frequently detected virus. This is a testament to the staying power and adaptability of this approach. The June 2006 Microsoft report about the Malicious Software Removal Tool listed the SDBot as having been detected on 678,000 infected PCs, the second-highest total.

Agobot
Agobot (aka Gaobot) arrived in 2002 and added modular design and significant functionalities. By modular design, we mean that Agobot does not infect a system with the entire bot code at one time. Agobot has three modules.
