My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Backdoor.Rbot

MEDIUM
MEDIUM
varies
(Backdoor.Rbot.Gen, )

Symptoms

The symptoms vary with each variant:
- suspect running process(es) - the name of the executable varies
- suspect registry keys, usually it's an entry in

[HKLM\Software\Microsoft\Windows\Current Version\Run]
[HKLM\Software\Microsoft\Windows\Current Version\RunServices]

- unusual internet traffic
- unusual TCP/UDP open ports listed by netstat -a command
- unusual computer behaviour

Removal instructions:

Once an infected file has been identified, the process should be terminated, the registry key
removed and the file deleted.
 

Analyzed By

Patrik Vicol, virus researcher

Technical Description:

These viruses are malicious IRC Bots, with worm capabilities.

The name of the virus has changed from Backdoor.Rbot.Gen to Backdoor.Rbot.???????? where ? may be any digit 0-9 or character from A-F (eg: Backdoor.RBot.1F3BDE9C) for identification purposes.

First, what is an IRC Bot?

An IRC bot is a program that stays in an IRC channel, keeping it open 24 hours a day,
looking like a normal user but just waiting for specific commands to be issued to it.
Normally, they are NOT malicious and were developed to help maintain an IRC channel or
an IRC Community. Those IRC Bots are operaded by Channel Operators and they are safe.

Now, all these families (and also others):

Backdoor.Rbot
Backdoor.SDBot
Backdoor.Agobot.3
Win32.P2P.Spybot

are Irc Bots based on the same "evil" Bot source.

The bot/worm installed on a computer searches for other computers in the same network or even in the internet. Once it finds a computer, it sends a malformed TCP packet that will cause the target computer to execute the content of the packet, which is a batch script - detected as Backdoor.BotGet.FtpA.Gen.

Once the bot/worm has been run on the victim's computer, it will perform the following actions:

- attempts to terminate various antivirus/security applications
- create and hide a copy of itself on another location (usually inside Windows folder, and inside P2P shared folders)
- create a registry key that will start the Bot each time at Windows start.
- connect to a predefined irc server and join a specific channel. There, it waits for
commands to be issued by an attacker.
- other types of malicious activities

Using these Bots, an attacker could do:

Using the victim's computer:
- using multiple infected computers, perform a Ddos attack on a specific IP address/website.
- perform various types of flood on a target IP address
- attack other computers or a website using specific exploits/vulnerabilities (RPC/DCOM, RPC/Locator, WebDAV, etc - this is also done automatically by the virus)
- scan/search for other vulnerable hosts and attempt to install itself on them

On the victim's computer:
- change bot internal parameters, update the bot with a newer version, etc
- use the host as a TCP proxy (as a send-through)
- redirect HTTP traffic
- steal CD keys from various applications/games
- steal personal information, paswwords, etc
- display/change various information
- download and upload files
- delete/modify files
- execute programs
- terminate processes
- reboot, shutdown the computer

and much more, depending on what has been added to the original source.

Each newer version operates on the same ground as the old ones, but it also new code is added to make the Bot more powerfull and more hard to detect.

The exploits bots usually use are listed below:

Unchecked Buffer in Universal Plug and Play can Lead to System Compromise

Elevation of Privilege in SQL Server Web Tasks (Q316333)

Unchecked Buffer in Locator Service Could Lead to Code Execution (810833)


Unchecked Buffer In Windows Component (IIS5/WEBDAV) Could Cause Server  Compromise (815021)

Buffer Overrun In RPC Interface Could Allow Code Execution (823980)

Buffer Overrun in the Workstation Service Could Allow Code Execution (828749)

Buffer Overrun in LSASS Could Allow Code Execution (835732)