An added feature of Spybot is the ability to capture keystrokes and retrieve personal information that can be used for further system compromise or identity theft. Variants of Spybot will scan the infected computer for cached passwords and will log the keystrokes typed on the computer to try to get information such as usernames, passwords, credit card or bank account num-bers, and more. The keystroke logging specifically targets windows with titles that include bank, login, e-bay, ebay, or paypal.
Propagation
Spybot propagates through the same standard means as other bot families.
Locating open or poorly secured network shares and leveraging them to spread and compromise other systems is a primary method of propagation.
Spybot comes preconfigured with a list of commonly used usernames and passwords for general purposes as well as passwords designated specifically for SQL Server account logins.
In addition to network shares, Spybot also seeks out and targets systems that are vulnerable to specific vulnerabilities (see Table 4.9). Spybot will do vulnerability scans of the computers it can communicate with and find sys-tems that can be exploited using these known vulnerabilities.
Table 4.9Vulnerabilities Exploited by Spybot Variants to Help It Propagate Vulnerability Port(s) Microsoft Security Bulletin DCOM RPC vulnerability TCP 135 MS03-026
LSASS vulnerability TCP ports 135, MS04-011 139, 445
Table 4.9 continuedVulnerabilities Exploited by Spybot Variants to Help It Propagate
Vulnerability Port(s) Microsoft Security Bulletin SQL Server and MSDE 2000 UDP 1434 MS02-061
vulnerabilities
WebDav vulnerability TCP 80 MS03-007
UPnP NOTIFY buffer MS01-059
overflow vulnerability
Workstation Service buffer TCP 445 MS03-049 overrun vulnerability
Microsoft Windows SSL MS04-011
Library DoS vulnerability
Microsoft Windows Plug MS05-039
and Play buffer overflow vulnerability
Microsoft Windows Server MS056-040
Service remote buffer overflow vulnerability
Source: Symantec Corp. (www.symantec.com/security_response/
writeup.jsp?docid=2003-053013-5943-99&tabid=2)
Mytob
The Mytob family of worms is an example of the converging world of mal-ware.The originators of Mytob took a mass-mailing worm and combined it with bot functionality based on the SDBot family.The hybrid combination results in faster propagation and more compromised systems lying dormant, waiting for a botherder to give them direction.
Aliases
Antivirus and security vendors rarely agree on naming conventions, so the same threat can have multiple names, depending on which vendor is sup-plying the information. Here are some aliases for Mytob from the top antivirus vendors:
■ McAfee: W32/Mytob.gen@MM
■ Symantec: W32.Mytob@mm
■ Trend Micro: Worm_Mytob.gen
■ Kaspersky: Net-Worm.Win32.Mytob.Gen
■ CA: Win32.Mytob Family
■ Sophos: W32/Mytob-Fam
N
OTEAt the beginning of 2005, the authors of the Mytob worm entered into a malware war against the Sober worm. Each malware attempted to outdo the other, sometimes disabling or removing the opposing worm in the process of infecting a system. The malware war kept antivirus vendors and corporate administrators on their toes because the escala-tion sometimes resulted in many new variants of each on a given day.
Infection
Mytob arrives on the target system via e-mail with some sort of file attach-ment.The purpose of the e-mail is to trick or lure the user into opening and executing the file attachment, thereby installing the worm on the user’s system and continuing the cycle of infection and propagation.
Signs of Compromise
If you believe that your computer could be infected with Mytob, there are a few clues you can look for to verify your suspicions.
System Folder
When a system becomes infected with the Mytob worm, a copy of the mal-ware is placed in the %System% directory (typically C:\Windows\System32) named wfdmgr.exe.
Registry Entries
Mytob alters one or more of the following registry keys to ensure that it is started each time Windows starts:
■ HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run “LSA” = wfdmgr.exe
■ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run “LSA” = wfdmgr.exe
■ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\
RunServices “LSA” = wfdmgr.exe
■ Additional keys/values are created, which are typically associated with W32/Sdbot.worm:
■ HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\
Control\Lsa “LSA” = wfdmgr.exe
■ HKEY_CURRENT_USER\Software\Microsoft\OLE
“LSA” = wfdmgr.exe
Unexpected Traffic
Mytob is a mass-mailing worm first and foremost. However, it earned a spot in this book by virtue of being a very successful piece of malware that also includes bot functionality from the SDBot family. An infected system will attempt to connect to irc.blackcarder.net and join a specific IRC channel for further instructions.
Propagation
Mytob spreads almost exclusively via e-mail. Once a system is infected, Mytob will scan the system for files with file extensions like those shown in Table 4.10 from which to harvest e-mail addresses The worm tries to fly under the radar and remain undetected, though. So, the domains listed in Table 4.11 are eliminated from the harvested e-mail addresses before Mytob starts generating the spam e-mail messages to try to propagate itself.
W
ARNINGMytob sends itself out using its own SMTP engine, but it attempts to guess the recipient mail server to make the malware e-mail more con-vincing. Mytob will try to use any of the following with the target domain name to guess the right mail server: mx, mail, smtp, mx1, mxs, mail1, relay, or ns.
Table 4.10File Extensions Known to Be Commonly Targeted by Mytob for Harvesting E-mail Addresses
wab php
adb sht
tbb htm
dbx txt
asp pl
Source: McAfee, Inc. (http://us.mcafee.com/virusInfo/default.asp?id=descrip-tion&virus_k=132158&affid=108)
Table 4.11Mytob Eliminates Harvested E-mail Addresses with the Following Domains
.gov gov. mydomai
.mil hotmail nodomai
abuse iana panda
acketst ibm.com pgp
arin. icrosof rfc-ed
avp ietf ripe.
berkeley inpris ruslis
borlan isc.o secur
bsd isi.e sendmail
example kernel sopho
fido linux syma
Table 4.11 continuedMytob Eliminates Harvested E-mail Addresses with the Following Domains
foo. math tanford.e
fsf. mit.e unix
gnu mozilla usenet
google msn. utgers.ed
Source: McAfee, Inc. (http://us.mcafee.com/virusInfo/default.asp?id=
description&virus_k=132158&affid=108)
Summary
Bots are a serious threat to Internet and computer network security. Viruses and worms have certainly wreaked havoc on the Internet, and phishing
attacks and spyware are both growing threats to computer security as well, but bots are unique among malware in their ability to provide tens or hundreds of thousands of compromised systems lying dormant and waiting to be used as an army for all kinds of malicious activities.
In this chapter we learned about some of the major bot families—specifi-cally, SDBot, RBot, Agobot, Spybot, and Mytob.These bots have been around for as many as five years, and new variants based on the core of the original bot code are still created. Some of these bot families have hundreds and hun-dreds of variants.
We discussed how almost all the bot families share one propagation method. Seeking out unprotected or poorly secured network shares to attack is a common means shared by virtually every bot family. We also covered ways different bot families have introduced different unique aspects that set them apart. For example, RBot introduced the use of compression algorithms to encrypt the bot code. Agobot pioneered the use of P2P networks as a propa-gation method. Spybot added spyware functionality such as keystroke logging, and the Mytob worm combined a bot (SDBot) with a mass-mailing worm, marking a shift in malware code to hybrid attacks that combine different types of malware.
The bots discussed in this chapter are by no means all the bot threats out there. Malware has shifted from “carpet-bombing style” viruses and worms, intended to spread the fastest and gain infamy for the malware author, to pre-cision stealth attacks aimed at financial gain. Some worms, such as those in the Mytob family, still gain attention by spreading quickly. But the true goal is to create as many compromised bot systems as possible that will lie dormant and wait for orders from a botherder to initiate some sort of malicious activity.
Solutions Fast Track
Each of the bot families discussed in this chapter provides a fairly significant amount of information.This section boils the information down to the most pertinent or relevant points that you should keep in mind about each bot family.
SDBot
One of the oldest bot families. It has existed for more than five years.
Released by the author as open source, providing the source code for the malware to the general public.
Spreads primarily via network shares. It seeks out unprotected shares or shares that use common usernames or weak passwords.
Modifies the Windows registry to ensure that it is started each time Windows starts.
RBot
Originated in 2003.
Uses one or more runtime executable packing utilities such as
Morphine, UPX, ASPack, PESpin, EZIP, PEShield, PECompact, FSG, EXEStealth, PEX, MoleBox, or Petite to encrypt the bot code.
Terminates the processes of many antivirus and security products to ensure it remains undetected.
Agobot
Capable of spreading via peer-to-peer (P2P) networks.
Modifies the Hosts file to block access to certain antivirus and security firm Web sites.
Steals the CD keys from a preconfigured group of popular games.
Uses predefined groups of keywords to create filenames designed to entice P2P downloaders.
Spybot
Core functionality is based on the SDBot family.
Incorporates aspects of spyware, including keystroke logging and password stealing.
Spreads via insecure or poorly secured network shares and by exploiting known vulnerabilities common on Microsoft systems.
Mytob
Mytob is actually a mass-mailing worm, not a bot, but it infects target systems with SDBot.
A hybrid attack that provides a faster means of spreading and compromising systems to create bot armies.
Harvests e-mail addresses from designated file types on the infected system.
Eliminates addresses with certain domains to avoid alerting antivirus or security firms to its existence.
Q: What is one of the most common methods bots use to spread and infect new systems?
A: All the major bot families target insecure or poorly secured network shares.Typically, the bot contains a list of common usernames and pass-words to attempt, as well as some capability to seek out usernames and passwords found on the target system.
Q: How do bots typically ensure that they continue running?
A: Bots generally modify the Windows registry to add values to registry keys to make sure that the bot software is automatically started each time Windows starts.
Q: What unique method of propagation was introduced by the Agobot family?
A: The Agobot family of bots (also known as Gaobot or Phatbot) uses P2P networking as a unique method of spreading to new systems.
Q: Which bot family pioneered the use of encryption algorithms to protect the code from being reverse-engineered or analyzed?
A: The RBot family uses one or more runtime executable packing utilities such as Morphine, UPX, ASPack, PESpin, EZIP, PEShield, PECompact, FSG, EXEStealth, PEX, MoleBox, or Petite to encrypt the bot code.
Q: What is unique about the Spybot family of bots?
A: Spybot is based on SDBot but adds spyware capabilities such as keystroke logging and data theft or password stealing.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts pre-sented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author”
form.
Q: What sets Mytob apart among the bot families discussed in this chapter?
A: Mytob is not a bot in and of itself. It is a mass-mailing worm that includes SDBot as part of its payload, providing a hybrid attack that can compro-mise more systems with the bot software faster.
Q: What is a common method bot families use to avoid detection or removal?
A: Many bots, and even viruses, worms, and other malware, search for and terminate processes associated with common antivirus or security applica-tions to shut them down.
Q: How do some bots ensure that infected systems are not able to research information or obtain updates from antivirus vendors?
A: Some bots modify the Hosts file on the compromised system to redirect requests for antivirus and other security-related Web sites to the loopback address of 127.0.0.1, blocking attempts to reach those sites.
Q: Which bot family creates entries in the Windows registry to prevent users from installing Windows XP Service Pack 2?
A: The Spybot family adds registry entries to block the installation of Windows XP SP2, as well as registry entries to disable the Windows Firewall and the Windows Security Center.