427 Botnet fm qxd


Chapter 4 • Common Botnets



Botnets - The killer web applications

427_Bot_ch04.qxt 1/9/07 3:03 PM Page 114


Table 4.7 Games Vulnerable to Agobot Searches
Battlefield 1942
Battlefield 1942: Secret Weapons Of WWII
Battlefield 1942: The Road To Rome
Battlefield 1942: Vietnam
Black and White
Call of Duty
Command and Conquer: Generals
Command and Conquer: Generals: Zero Hour
Command and Conquer: Red Alert2
Command and Conquer: Tiberian Sun
Counter-Strike
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden and Dangerous 2
IGI2: Covert Strike
Industry Giant 2
James Bond 007 Nightfire
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
Need For Speed: Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
NHL 2002
NHL 2003
Ravenshield
Shogun: Total War: Warlord Edition
Soldier of Fortune II - Double Helix
Soldiers Of Anarchy
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004
Source: Trend Micro Inc. (www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FAGOBOT%2EGEN&VSect=T)
Unexpected Traffic
Like other bot families, Agobot variants also open a backdoor on the infected
system and establish communication with a designated IRC server. This allows a
botherder to issue commands to or take control of the compromised system.
www.syngress.com
The backdoor provides functionality for the botherder to do just about
anything, including executing files on the infected machine, downloading
additional files from Web or FTP sites, redirecting TCP traffic to the system,
using the compromised system as a part of a DDoS attack, and more.
Vulnerability Scanning
Agobot variants can also spread via a variety of exploitable vulnerabilities.
Aside from the common vulnerabilities in Microsoft Windows and SQL
Server, which are exploited by many bot families, Agobot variants also target
well-known vulnerabilities in CPanel and DameWare.
Propagation
Like other bot families, Agobot variants attempt to spread via open network
shares. Once a system is infected, Agobot will seek out usernames and
passwords on the network using NetBEUI. It will then search for open shares
such as the default administrative shares (c$, admin$, print$, etc.) and attempt
to log in using the usernames and passwords it has found as well as a
preconfigured list of common usernames and passwords.
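The share-propagation behavior described above leaves a recognizable trail in Windows Security logs. The following Python code is an added example, not taken from the book: it flags a source address that fails network logons under several different usernames within a short window and reports any hidden (`$`) share that source then reaches. The simplified log format, the thresholds, and the sample lines are constructed, and it assumes event IDs 4625 (failed logon) and 5140 (network share accessed) are being collected.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed tuning value
MIN_USERS = 4                  # assumed tuning value: distinct usernames tried

# Constructed sample lines: a simplified key=value rendering of Windows
# Security events 4625 (failed logon) and 5140 (network share accessed).
SAMPLE_LOG = """\
2024-05-01T10:00:01 4625 src=10.0.0.23 dst=FS01 user=administrator
2024-05-01T10:00:02 4625 src=10.0.0.23 dst=FS01 user=admin
2024-05-01T10:00:03 4625 src=10.0.0.23 dst=FS02 user=guest
2024-05-01T10:00:05 4625 src=10.0.0.23 dst=FS02 user=backup
2024-05-01T10:00:09 5140 src=10.0.0.23 dst=FS02 user=svc_print share=ADMIN$
2024-05-01T10:03:00 4625 src=10.0.0.40 dst=FS01 user=jsmith
2024-05-01T10:20:00 4625 src=10.0.0.40 dst=FS01 user=jsmith
2024-05-01T10:21:00 5140 src=10.0.0.51 dst=FS01 user=alice share=Projects
"""

def parse(line):
    """Split 'timestamp event_id key=value ...' into a dict."""
    ts, event_id, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec.update(ts=datetime.fromisoformat(ts), id=event_id)
    return rec

def find_share_sweeps(log_text):
    failures = defaultdict(list)    # src -> [(ts, user, dst)]
    share_hits = defaultdict(list)  # src -> [(ts, dst, share)]
    for r in map(parse, log_text.splitlines()):
        if r["id"] == "4625":
            failures[r["src"]].append((r["ts"], r["user"].lower(), r["dst"]))
        elif r["id"] == "5140" and r["share"].endswith("$"):
            share_hits[r["src"]].append((r["ts"], r["dst"], r["share"]))
    findings = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= WINDOW]
            users = {u for _, u, _ in burst}
            if len(users) >= MIN_USERS:
                findings[src] = {
                    "users": sorted(users),
                    "targets": sorted({d for _, _, d in burst}),
                    # access to a hidden share after the burst began
                    # suggests one of the guesses succeeded
                    "admin_share_access": [
                        (d, s) for t, d, s in share_hits[src] if t >= start],
                }
                break
    return findings
```

A host that repeatedly fails with one username (10.0.0.40 in the sample) is not flagged, which keeps ordinary mistyped-password noise out of the results.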
Agobot also attempts to spread malware via P2P networks by making itself
available on those networks using enticing filenames designed to draw
attention and increase the odds that the file will be downloaded and executed. It
uses a predefined list of options (see Table 4.8) to randomly create filenames
that could be of interest to users. For example, Agobot will take a random
entry from Set A in Table 4.8 and combine it with a variable entry from Set
B to create a filename.
