note
of family names like Spybot, MyTob, and Polybot. While MyTob does
indicate a code base, it is also a new characteristic, the
mass mailing bot that
happens to be based on MyDoom. Similarly, detections by antivirus (A/V)
vendors are becoming less concerned with identifying the overall bot. Instead,
they are tagging components they find with functional identifiers. Symantec,
for example, tags individual components it finds with names like
Hacktool.HideWindow and Trojan.Dropper.The overall bot was an RBot,
but Symantec never identified that connection.To the A/V vendor, they’ve
done their job if they find the malicious code and deal with it. However, the
corporate security officer would really like to know more.The organizing
schema for the bot tells the security officer what potential
attack vectors were
used to infect the computer so that they might plug the holes instead of just
fixing the broken machines.
Each of the original bot families has evolved to incorporate improvements
that are seen in other bots. Since many of the bots are open source, modular,
and in C/C++, it is easy to take source from one
bot and add its capabilities
to another bot.There is also a tendency for the A/V companies to use the
names that they designated to the exclusion of other vendor-created names.
Partially, this is because there are so many variants of each bot family that two
bots in the same family can have significantly different capabilities. For
example, one variant may use IRC as its C&C and have keylogging capabili-
ties, while the other variant may use P2P networks for C&C
and search its
botclients for PGP public and private keys, cached passwords, and financial
account information. One vendor may call them
both variants while another
may tag one of the variants as a new family.
New family names from this point have tended to highlight a new
capability.
Spybot
Spybot is an open source Trojan, a derivative of SDBot. It has also been called
Milkit. Spybot emerged in 2003. Spybot
adds spyware capabilities, such as col-
lecting logs of activity, data from Web forms, lists
of e-mail addresses, and lists
of visited URLs. In addition to spreading via file sharing applications (PnP
apps) and by exploiting known vulnerabilities, Spybot also looks for systems
that were previously compromised by the SubSeven or the Kuang2 Trojan.
Do'stlaringiz bilan baham: