427 Botnet fm qxd

Download 6,98 Mb.

Pdf ko'rish

bet	88/387
Sana	03.12.2022
Hajmi	6,98 Mb.
	#878307

1 ... 84 85 86 87 88 89 90 91 ... 387

Bog'liq
Botnets - The killer web applications

Table 4.1 continued
Known Filenames Used by Backdoor
*
Mssql.exe
vcvw.exe
MSsrvs32.exe
winupdate32.exe
MSTasks.exe
xmconfig.exe
quicktimeprom.exe
YahooMsgr.exe
Regrun.exe
*
SDBot copies itself to the %System% folder, according to Symantec.
Source: Symantec Corp. (www.symantec.com/security_response/writeup.jsp?
docid=2002-051312-3628-99&tabid=2)
Registry Entries
SDBot also makes modifications to the Windows Registry, aimed primarily at
making sure that the SDBot software is automatically started each time
Windows is booted up.Typically, one of the Registry values displayed in Table
4.2, or something similar, is added to one of the following Registry keys:
■
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
■
HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\
RunServices
■
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Source: Symantec Corp. (www.symantec.com/security_response/writeup.jsp?
docid=2002-051312-3628-99&tabid=2)
Table 4.2
Registry Values Used by SDBot
*
“Configuration Loader” = “%System%\iexplore.exe”
“Configuration Loader” = “MSTasks.exe”
“Configuration Loader” = “aim95.exe”
“Configuration Loader” = “cmd32.exe”
“Configuration Loader”= “IEXPL0RE.EXE”
“Configuration Manager” = “Cnfgldr.exe”
www.syngress.com
Common Botnets • Chapter 4
101
427_Bot_ch04.qxt 1/9/07 3:03 PM Page 101

Table 4.2 continued
Registry Values Used by SDBot
*
“Fixnice” = “vcvw.exe”
“Internet Config” = “svchosts.exe”
“Internet Protocol Configuration Loader” = “ipcl32.exe
“MSSQL” = “Mssql.exe”
“MachineTest” = “CMagesta.exe”
“Microsoft Synchronization Manager” = “svhost.exe”
“Microsoft Synchronization Manager” = “winupdate32.exe”
“Microsoft Video Capture Controls” = “MSsrvs32.exe”
“Quick Time file manager” = “quicktimeprom.exe”
“Registry Checker” = “%System%\Regrun.exe”
“Sock32” = “sock32.exe”
“System Monitor” = “Sysmon16.exe”
“System33” = “%System%\FB_PNU.EXE”
“Windows Configuration” = “spooler.exe”
“Windows Explorer” = “ Explorer.exe”
“Windows Services” = “service.exe”
“Yahoo Instant Messenger” = “Yahoo Instant Messenger”
“cthelp” = “cthelp.exe”
“stratas” = “xmconfig.exe”
“syswin32” = “syswin32.exe”
*
These registry values are used to modify the Windows registry so that
SDBot is started when Windows starts.
Source: Symantec Corp. (www.symantec.com/security_response/writeup.jsp?
docid=2002-051312-3628-99&tabid=2)
Additional Files
Some variants of SDBot can also create new files in the %System% directory
for additional functionality.Two files that have been identified from known
SDBot variants are SVKP.sys and msdirectx.sys.
The SVKP.sys file is a component of SVK Protector, a copy protection
utility that prevents the software from being reverse-engineered. Some variants

Download 6,98 Mb.

Do'stlaringiz bilan baham:

1 ... 84 85 86 87 88 89 90 91 ... 387