The modular approach makes sense from a design perspective because it allows the developer to update or modify one portion, or module, without having to rewrite or recompile the entire bot code.
Aliases
Antivirus and security vendors rarely agree on naming conventions, so the same threat can have multiple names, depending on which vendor is supplying the information. Here are some aliases for Agobot from the top antivirus vendors:
■ McAfee: W32/Gaobot.worm
■ Symantec: W32.HLLW.Gaobot.gen
■ Trend Micro: Worm_Agobot.Gen
■ Kaspersky: Backdoor.Agobot.gen
■ CA: Win32/Agobot Family
■ Sophos: W32/Agobot-Fam
Notes from the Underground…
Naming Confusion
Another major bot family is the Polybot family. There is a great deal of confusion when it comes to malware naming, however. One vendor might decide to call a threat one thing, and a different vendor might give it a completely different name. The other issue when it comes to bots is that many of the bots are offshoots or evolutions of each other, blurring the lines and sometimes making it difficult to choose whether a new variant is part of the original or part of the new offshoot strain of malware.
Polybot is an example of such a threat. Polybot is essentially Agobot but with a polymorphic technique thrown in. Polybot adds an “envelope” to the Agobot code that reencrypts the whole file each time it runs, essentially providing each new infection a unique signature to evade detection by antivirus or intrusion detection products.
Chapter 4 • Common Botnets
Infection
The Agobot family of malware propagates via network shares, as is common among the major bot families. However, Agobot also adds the ability to propagate using peer-to-peer (P2P) networking systems such as Kazaa, Grokster, BearShare, and others. Agobot makes itself available on the P2P network using a randomized filename that is designed to have mass appeal in an attempt to lure unsuspecting users into downloading and executing it on their computers.
The offshoot variants dubbed Phatbot use WASTE, a P2P protocol designed by AOL. WASTE was designed to use encryption for more secure file transfers via P2P, but the sharing of public keys was too complicated and AOL eventually scrapped the project. Using WASTE creates some unique methods of propagation but also limits the scalability of the bot army because WASTE can only manage 50 to 100 client nodes at a time.
Agobot seeks to terminate a wide variety of antivirus and security programs on infected systems and attempts to modify the Hosts file on the infected computer, to prevent the ability to communicate with Web sites associated with antivirus and security applications. Agobot singles out the Bagle worm, terminating processes associated with that malware if they exist on the infected system.
Signs of Compromise
If you believe that your computer is infected with Agobot, there are a few clues you can look for to verify your suspicions.
System Folder
Agobot will drop a copy of itself into the %System% folder (typically C:\Windows\System32) on the target system. The filename used depends on the variant, but common filenames Agobot uses include syschk.exe, svchost.exe, sysmgr.exe, and sysldr32.exe.
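The two host-based clues described so far (vendor sites redirected in the Hosts file, and the drop filenames in %System%) can be checked mechanically. The following is an added example and not code from the book; the list of watched vendor domains is an assumption built from the vendors named above, and the sample Hosts content and directory listing are constructed, not captured from a real infection.

```python
"""Triage checks for the Agobot indicators described above (added example)."""

# Filenames the text lists as common Agobot drop names in %System%.
AGOBOT_DROP_NAMES = {"syschk.exe", "svchost.exe", "sysmgr.exe", "sysldr32.exe"}

# Assumption: vendor web sites the bot is expected to block, built from the
# vendors named in the alias list above; not a list taken from the book.
WATCHED_DOMAINS = ("mcafee.com", "symantec.com", "trendmicro.com",
                   "kaspersky.com", "sophos.com", "ca.com")


def _is_watched(host: str) -> bool:
    """True if host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def hosts_hijacks(hosts_text: str) -> list[tuple[str, str]]:
    """Return (hostname, address) pairs that map a watched vendor domain.

    Any mapping at all is suspicious: a clean Hosts file has no reason to
    mention antivirus vendor sites, whatever address they point to.
    """
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        fields = line.split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        hits.extend((n.lower(), addr) for n in names if _is_watched(n.lower()))
    return hits


def suspicious_system_files(listing: list[str]) -> list[str]:
    """Filter a %System% directory listing for the drop names above.

    svchost.exe is also a legitimate Windows binary, so a match on that name
    needs a further check (publisher signature, file size) before acting.
    """
    return sorted(f for f in listing if f.lower() in AGOBOT_DROP_NAMES)


# Constructed sample inputs (not captured from a real infection).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
0.0.0.0         update.mcafee.com  liveupdate.symantec.com
10.0.0.5        intranet.example
"""
SAMPLE_LISTING = ["ntdll.dll", "svchost.exe", "sysldr32.exe", "calc.exe"]

if __name__ == "__main__":
    for host, addr in hosts_hijacks(SAMPLE_HOSTS):
        print(f"hosts: {host} -> {addr}")
    print("system32:", suspicious_system_files(SAMPLE_LISTING))
```

On a live system, feed `hosts_hijacks` the contents of C:\Windows\System32\drivers\etc\hosts and `suspicious_system_files` the names from a listing of %System%.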
Registry Entries
To ensure that the bot functionality is operational, Agobot creates registry entries to automatically start the bot each time Windows starts. Some variants add a value called Config Loader and others add a value called Svhost Loader to