SDBot Botnet - PowerPoint PPT Presentation

1 / 10
About This Presentation
Title:

SDBot Botnet

Description:

Deliver system and network information to the attacker ... This worm spreads via network shares, using NetBEUI functions to get available lists of user ... – PowerPoint PPT presentation

Number of Views:63
Avg rating:3.0/5.0
Slides: 11
Provided by: Home1724
Category:
Tags: botnet | sdbot | worm

less

Transcript and Presenter's Notes

Title: SDBot Botnet


1
SDBot Botnet
  • SDBot According to Symantec the SDBot is a
    trojan horse that opens a back door and allows a
    remote attacker to control a computer by using
    Internet Relay Chat (IRC). The Trojan can update
    itself by checking for newer versions on the
    Internet. It was initially released on May 1,
    2002 and latest updated version was found today.
    It has affected Operating systems from Windows 95
    to Windows XP.

2
How SDBots work
  • Once the SDBot file is executed it immediately
    searchs for the SYSTEM32 folder then copies
    itself into that folder. Next it adds a value
    from inside that floder , such as the INTERNET
    EXPLORER execution file or the MS Config file.
    It also may add values from the Registry Subkeys
    for example

Adding System32 values to itself "Configuration
Loader" "System\iexplore.exe""Configuration
Loader" "MSTasks.exe""Configuration Loader"
"aim95.exe""Configuration Loader"
"cmd32.exe""Configuration Loader"
"IEXPL0RE.EXE""Configuration Manager"
"Cnfgldr.exe""Fixnice" "vcvw.exe" Adding
Registry Subkeys HKEY_LOCAL_MACHINE\Software\Micr
osoft\Windows\CurrentVersion\RunHKEY_LOCAL_MACHIN
E\Software\Microsoft\Windows\CurrentVersion\RunSe
rvicesHKEY_CURRENT_USER\Software\Microsoft\Window
s\CurrentVersion\Run
3
How SDBots Work Contd
  • The Bot can also create additional files
  • System\SVKP.sys (This is a clean driver that
    can be used for malicious purposes.)
  • System\msdirectx.sys (This file is intended to
    provide rootkit functionality and may be detected
    as Hacktool.Rootkit.)
  • Next the Bot opens a backdoor by connecting to
    an IRC channel using its own IRC client. Some
    examples of IRC servers that it may connect to
    are
  • bmu.h4x0rs.org
  • bmu.q8hell.org
  • bmu.FL0W1NG.NE
  • The attacker now command the bot via the IRC
    channel using password authentication protection.
    The Bot stands by for commands. Some example of
    commands are
  • Manage the installation of the back door
  • Control the IRC client on a compromised computer
  • Dynamically update the Trojan
  • Send the Trojan to other IRC channels to attempt
    to compromise other computers
  • Download and execute files
  • Deliver system and network information to the
    attacker
  • Perform Denial of Service attacks against a third
    party
  • Completely uninstall itself by removing the
    relevant registry entries.

4
How the Bot Spreads
  • Microsoft Security Bulletin MS03-026
  • It also takes advantage of the Buffer Overflow in
    SQL Server 2000 vulnerability.
  • Microsoft Security Bulletin MS02-061
  • This worm also exploits the IIS5/WEBDAV buffer
    overrun vulnerability affecting Windows NT
  • platforms, which enables arbitrary codes to
    execute on the server.
  • Microsoft Security Bulletin MS03-007
  • It also exploits the Windows LSASS vulnerability.
    This is a buffer overrun vulnerability that
  • allows remote code execution. Once successfully
    exploited, a remote attacker is able to gain full
  • control of the affected system.
  • Microsoft Security Bulletin MS04-011
  • This worm spreads via network shares, using
    NetBEUI functions to get available lists of user
  • names and passwords. It then searches for and
    lists down the following shared folders, where it
  • drops a copy of itself using the gathered
    information
  • Admin\system32
  • C\windows\system32
  • C\winnt\system32
  • Ipc

5
How it spreads Contd
  • When the Botnet has compromised a machine on the
    network it uses a list of weak user name to gain
    access to other machines. Trendmicro has put
    together a list of some of the names
  • Accounting, accounts, administrador, administrat,
    administrateur, administrator, admins, backup,
    blank, brian etc.
  • It then uses a preselected list of password with
    the above usernames. Trendmicro also put together
    a list of those
  • 12345, 123456, 1234567, 12345678, 123456789,
    1234567890, access, bitch, changeme,
    databasepass, databasepassword, db1234, dbpass,
    dbpassword etc.

6
Bot Attacks
  • Distriuted Denial of Service
  • The Denial of Service attack can be used to flood
    a network with traffic in order to break
    communication using these different protocols
  • HTTP
  • ICMP
  • SYN
  • UDP
  • The Bot also has other backdoor capabilities such
    as
  • Update malware from HTTP and FTP URL, Steal CD
    keys of games, Execute a file, Download from
  • HTTP and FTP URL, Open a command shell, Open
    files, Display the driver list, Get screen
    capture,
  • Capture pictures and video clips, Display
    netinfo, Make a bot join a channel, Stop and
    start a
  • thread, List all running process, Rename a file
    and many more.

7
Bot Attacks
  • The Bot can use sniffers in order and checks the
    following strings
  • auth
  • login
  • auth
  • login
  • 'auth
  • -auth
  • 'login
  • -login
  • login
  • Paypal
  • PAYPAL
  • paypal.com
  • PAYPAL.COM
  • And More.

8
Bot Attacks
  • The Bot can also attempt to steal Windows product
    Serial and keys as well as other application.
  • Some keys which have been stolen are
  • NHL 2003
  • NOX
  • Rainbow Six III
  • RavenShield
  • ShogunTotal War
  • Warlord Edition Soldier of Fortune II
  • Double Helix Soldiers of Anarchy
  • The Gladiators
  • Unreal Tournament 2003
  • Unreal Tournament 2004

9
Conclusion
  • All these actions were taken by a SDBot which was
    caught by Trend Micro antivirus. The Bot
  • name was WORM_SDBOT.UH . There are many other
    kinds of Bots but the SD bot is one of the
  • More common ones. Three different anti virus
    producers considers the threat level to be
    moderate
  • which may mean that it doesnt usually harm the
    infected computer but uses all resources to
    attack
  • the target.

10
Reference
  • Background Photo
  • http//www.wired.com/politics/security/magazine/15
    -09/ff_estonia_bots
  • TrendMicro
  • http//www.trendmicro.com/vinfo/virusencyclo/defau
    lt5.asp?VNameWORM_SDBOT.UHVSectT
  • Symantec Definition
  • http//www.symantec.com/security_response/writeup
    .jsp?docid2002-051312-3628-99tabid2
  • Sun-Belt Software Definition
  • http//research.sunbelt-software.com/threatdisplay
    .aspx?nameBackdoor.SDBotthreatid50488
Write a Comment
User Comments (0)
About PowerShow.com