Aliases
Antivirus and security vendors rarely agree on naming conventions, so the
same threat can have multiple names, depending on the vendor supplying the
information. Here are some aliases for RBot from the top antivirus vendors:
■ McAfee: W32/SDbot.worm.gen.g
■ Symantec: W32.Spybot.worm
■ Trend Micro: Worm_RBot
■ Kaspersky: Backdoor.RBot.gen
■ CA: Win32/RBot
Infection
The RBot family of worms uses a few different methods to seek out vulnerable targets and find systems to infect. Like the SDBot family, RBot attempts to exploit weak passwords and poor security on administrative shares to spread across the network. Systems with simple or blank passwords on network shares are easy prey.
In addition to spreading via weak security on network shares, RBot also leverages a variety of known software vulnerabilities in the Windows operating system and common software applications. Some variants are also capable of exploiting backdoors or open ports created by other malware infections.
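The share-spreading path described above depends on three local conditions: an enabled account with a blank or trivial password, a policy that lets such an account authenticate over the network, and an administrative share to write the copy through. The following PowerShell audit is an added example, not code from the book or from RBot itself; it reads configuration only and never attempts a logon. It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember and Get-SmbShare) and checks only the blank-password case, since "weak" passwords cannot be judged without a wordlist.

```powershell
# Added audit (not from the book): the local conditions RBot's share-spreading
# needs. Reads configuration only; makes no logon attempts.
$findings = [System.Collections.Generic.List[string]]::new()

# Local Administrators by SID, so accounts match regardless of display name.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
            ForEach-Object { $_.SID.Value })

# 1. Enabled local accounts for which Windows records no password requirement
#    (i.e. a blank password). One that is also an administrator is the worst case,
#    because it unlocks ADMIN$ and C$.
Get-CimInstance Win32_UserAccount -Filter 'LocalAccount = TRUE' |
    Where-Object { -not $_.Disabled -and -not $_.PasswordRequired } |
    ForEach-Object {
        $role = if ($admins -contains $_.SID) { 'ADMINISTRATOR' } else { 'user' }
        $findings.Add("account '$($_.Name)' ($role) is enabled and requires no password")
    }

# 2. Whether a blank password is usable over the network at all. The default,
#    LimitBlankPasswordUse = 1, confines blank-password logons to the console;
#    0 lets them be used against the shares.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.LimitBlankPasswordUse -eq 0) {
    $findings.Add('LimitBlankPasswordUse = 0: blank passwords are accepted for network logon')
}

# 3. Administrative shares currently offered (ADMIN$, C$, IPC$, ...). Given a
#    working credential they are the write path for the worm's copy.
Get-SmbShare -Special $true -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("administrative share '$($_.Name)' -> $($_.Path)")
}

if ($findings.Count -eq 0) { 'No weak-share conditions found.' } else { $findings }
```

Administrative shares exist on every Windows host, so a finding under item 3 is only meaningful together with a finding under item 1 or 2; the combination is what the worm needs.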
Signs of Compromise
If you believe that your computer might be infected with RBot, there are a
few clues you can look for to verify your suspicions.
System Folder
On initial execution, RBot copies itself into the %System% directory (typically C:\Windows\System32). A common filename RBot uses is wuamgrd.exe, but different variants may use different filenames. Some variants might actually randomize the filename so that it is different for each infected system. The file is copied to the %System% directory with the read-only, hidden, and system file attributes set and the date/timestamp of the file altered to match the date/timestamp on the explorer.exe file. As a result, even if a user stumbles on the file, it gives the appearance of being an old file that was installed with the operating system.
www.syngress.com
Common Botnets • Chapter 4
Registry Entries
RBot is highly configurable and has evolved significantly over time. RBot will add entries to the Windows registry to ensure that it runs automatically each time Windows is started. The registry value is configurable, though, so it changes from one variant to the next. A common one among some RBot variants is wuamgrd.exe. The registry keys RBot typically modifies are:
■ HKLM\Software\Microsoft\Windows\CurrentVersion\Run
■ HKCU\Software\Microsoft\Windows\CurrentVersion\Run
■ HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
(The source of the aforementioned registry keys is CA. Go to www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39437 for more information.)
RBot has some added intelligence as well. Some variants of RBot are programmed to check the registry periodically and reset the registry values if they have been changed or deleted. RBot also creates a mutex to make sure that only one copy of RBot runs on a system at a time. Different variants of RBot use different names for the mutex, but one example that has been identified is rxlsass01b.
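The three host indicators described under System Folder and Registry Entries (the dropped file with its copied timestamp, the Run/RunServices values, and the single-instance mutex) can be checked together from one script. The following PowerShell triage is an added example, not code from the book or from any RBot variant. It takes wuamgrd.exe and rxlsass01b from the text as starting values only; every variant differs, so both lists are parameters meant to be widened, and the attribute-plus-timestamp rule is there to catch renamed copies. It assumes Windows PowerShell 5.1 or later and that the timestamp the worm copies is the last-write or creation time, since the text does not say which.

```powershell
# Added triage script (not from the book). Looks for the three indicators the
# text describes: the dropped file in %System%, the autostart values, and the
# named mutex. Names are the book's examples; widen them for other variants.
param(
    [string[]]$SuspectNames = @('wuamgrd.exe'),   # example filename from the text
    [string[]]$MutexNames   = @('rxlsass01b')     # example mutex name from the text
)

$system   = Join-Path $env:SystemRoot 'System32'     # %System%
$explorer = Get-Item -LiteralPath (Join-Path $env:SystemRoot 'explorer.exe')
$mask     = [System.IO.FileAttributes]::ReadOnly -bor [System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::System
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Indicator, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Dropped file: ReadOnly+Hidden+System all set, and a timestamp equal to
#    explorer.exe's (the copied timestamp the text describes). -Force is needed
#    because Get-ChildItem skips hidden files by default.
Get-ChildItem -LiteralPath $system -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $hasMask   = (($_.Attributes -band $mask) -eq $mask)
    $sameStamp = ($_.LastWriteTime -eq $explorer.LastWriteTime) -or ($_.CreationTime -eq $explorer.CreationTime)
    if (($SuspectNames -contains $_.Name) -or ($hasMask -and $sameStamp)) {
        Add-Finding 'File' "$($_.FullName) attrs=$($_.Attributes) mtime=$($_.LastWriteTime.ToString('s'))"
    }
}

# 2. Autostart values under the three keys the text lists. Each value is a
#    command line; extract the executable path and flag it when the filename is
#    on the suspect list or the file sits in %System% with the attribute mask.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'   # absent on modern Windows; skipped if missing
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # PSPath, PSProvider, ... are provider metadata
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
        if ([string]::IsNullOrWhiteSpace($exe)) { continue }
        $leaf     = Split-Path -Leaf $exe
        $inSystem = $exe.StartsWith($system, [System.StringComparison]::OrdinalIgnoreCase)
        $rhs      = $false
        if ($inSystem -and (Test-Path -LiteralPath $exe)) {
            $rhs = (((Get-Item -LiteralPath $exe -Force).Attributes -band $mask) -eq $mask)
        }
        if (($SuspectNames -contains $leaf) -or $rhs) {
            Add-Finding 'Registry' "$($key)\$($p.Name) = $cmd"
        }
    }
}

# 3. The single-instance mutex. It may live in the session-local or the Global\
#    namespace, so try both. An access-denied error on open still proves the
#    object exists, so it is reported as a finding rather than swallowed.
foreach ($name in $MutexNames) {
    foreach ($candidate in @($name, "Global\$name")) {
        $m = $null
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($candidate, [ref]$m)) {
                $m.Dispose()
                Add-Finding 'Mutex' "named mutex '$candidate' exists"
            }
        } catch [System.UnauthorizedAccessException] {
            Add-Finding 'Mutex' "named mutex '$candidate' exists (access denied to open it)"
        }
    }
}

if ($findings.Count -eq 0) { 'No RBot indicators found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Because some variants rewrite their Run values on a timer, a clean registry check taken once is weak evidence; the file and mutex checks do not depend on timing, and a mutex hit means the bot is running now, not merely installed.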
Terminated Processes
Many of the RBot variants also attempt to terminate processes associated with various security or antivirus programs, to avoid being detected or removed. Some variants also seek out and terminate processes from other malware, such as the Blaster worm. Table 4.3 lists some of the processes known to be targeted by some RBot variants.