427 Botnet fm qxd

the HKEY_Local_Machine\Software\Microsoft\Windows\
CurrentVersion\Run key in the registry.
Agobot will sometimes add a registry entry aimed at the Windows 95,
Windows 98, or Windows ME operating systems. By referencing the dropped
malicious file using the HKEY_Local_Machine\Software\Microsoft\
Windows\CurrentVersion\RunServices registry key, the bot software will
execute, but the service will not be displayed on the Close Program dialog
box, making it effectively invisible to the user.
Terminated Processes
Agobot contains arguably the most comprehensive listing of programs and
services to target for termination. Agobot seeks out processes associated with
antivirus or other security software, as well as processes associated with com-
peting malware, and shuts them down.
Modify Hosts File
Above and beyond terminating the processes associated with antivirus and
security software, variants of Agobot also modify the hosts file of the infected
machine to redirect attempts to reach the Web sites of antivirus and security
vendors.
The Hosts file, typically found at %System%\drivers\etc\hosts, is
appended with entries for Web sites such as Symantec’s LiveUpdate site or
McAfee’s download site, among others.The entries direct any attempts to
connect with these sites to the loopback address, 127.0.0.1, preventing the
connection and blocking the machine from communicating with those sites.
Theft of Information
Another aspect of Agobot that sets it apart from some of the other major bot
families is the theft of information. Specifically, Agobot will seek out and steal
the CD keys for a variety of popular games (see Table 4.7).
www.syngress.com

Download 6,98 Mb.

Do'stlaringiz bilan baham: