SDBot Botnet - PowerPoint PPT Presentation

Provided by: Home1724
Slides: 11

Transcript and Presenter's Notes

1
SDBot Botnet
  • SDBot: According to Symantec, SDBot is a Trojan
    horse that opens a back door and allows a remote
    attacker to control the computer by using
    Internet Relay Chat (IRC). The Trojan can update
    itself by checking for newer versions on the
    Internet. It was first released on May 1, 2002,
    and new variants were still being found at the
    time of this presentation. It affects operating
    systems from Windows 95 to Windows XP.

2
How SDBots work
  • Once the SDBot file is executed it immediately
    locates the SYSTEM32 folder and copies itself
    into it under a file name chosen to resemble a
    legitimate program, such as the Internet Explorer
    executable or the MS Config tool.
  • It then adds a registry value pointing at that
    copy so that the Bot is started with Windows.
    The value names and file names seen, and the
    Registry subkeys they are written to, are:

Values added (value name = file name):
  "Configuration Loader" = "%System%\iexplore.exe"
  "Configuration Loader" = "MSTasks.exe"
  "Configuration Loader" = "aim95.exe"
  "Configuration Loader" = "cmd32.exe"
  "Configuration Loader" = "IEXPL0RE.EXE"
  "Configuration Manager" = "Cnfgldr.exe"
  "Fixnice" = "vcvw.exe"
Registry subkeys:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
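As an added example (not code from the slide or from any of the cited vendors), the following Python audits an autostart export for the persistence pattern just described: value names SDBot is known to use, and executables whose names mimic a legitimate binary, either by living in the wrong directory (iexplore.exe under System32) or by substituting digits for letters (IEXPL0RE.EXE). The registry entries, the set of legitimate directories and the look-alike mapping are constructed for the example.

```python
import re
from collections import namedtuple

# One autostart entry as a DFIR tool would export it: the Run key it lives
# under, the value name, and the value data (command line).
RunValue = namedtuple("RunValue", "key name data")

# Constructed sample export (not a real registry dump). The three keys are the
# ones the slide names; the SDBot-style entries use value names from the slide.
SAMPLE_RUN_VALUES = [
    RunValue(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
             "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    RunValue(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
             "Configuration Loader", r"C:\Windows\System32\iexplore.exe"),
    RunValue(r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
             "Configuration Manager", r"C:\Windows\System32\IEXPL0RE.EXE"),
    RunValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             "Fixnice", r"C:\Windows\System32\vcvw.exe"),
]

# Value names the slide attributes to SDBot (compared case-insensitively).
SDBOT_VALUE_NAMES = {"configuration loader", "configuration manager", "fixnice"}

# Assumed legitimate directories (lower-case) for binaries the bot impersonates.
# A file with one of these names anywhere else is a copy masquerading as it.
WELL_KNOWN = {
    "iexplore.exe": r"c:\program files\internet explorer",
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
}

# Digit-for-letter substitutions that turn IEXPL0RE back into IEXPLORE.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def exe_path(data):
    """Extract the executable path from Run value data, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    m = re.match(r"(.*?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data


def audit_run_values(values):
    """Return (key, value name, reason) for every entry that looks like SDBot persistence."""
    findings = []
    for v in values:
        path = exe_path(v.data).lower()
        directory, _, filename = path.rpartition("\\")
        if v.name.lower() in SDBOT_VALUE_NAMES:
            findings.append((v.key, v.name, "value name used by SDBot"))
        if filename in WELL_KNOWN:
            if directory != WELL_KNOWN[filename]:
                findings.append((v.key, v.name,
                                 f"{filename} launched from unexpected directory {directory}"))
        elif filename.translate(LEET_MAP) in WELL_KNOWN:
            findings.append((v.key, v.name,
                             f"{filename} is a look-alike of {filename.translate(LEET_MAP)}"))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit_run_values(SAMPLE_RUN_VALUES):
        print(f"{key}\\{name}: {reason}")
```

On a live host the same checks would be fed from the Run, RunServices and HKCU Run keys via reg.exe or the registry API; the value-name list catches this family, while the directory and look-alike checks catch the general trick of naming a copy after a trusted binary.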
3
How SDBots Work Contd
  • The Bot can also create additional files:
  • %System%\SVKP.sys (This is a clean driver that
    can be used for malicious purposes.)
  • %System%\msdirectx.sys (This file is intended to
    provide rootkit functionality and may be detected
    as Hacktool.Rootkit.)
  • Next the Bot opens a back door by connecting to
    an IRC channel using its own IRC client. Some
    examples of IRC servers that it may connect to
    are:
  • bmu.h4x0rs.org
  • bmu.q8hell.org
  • bmu.FL0W1NG.NE
  • The attacker then commands the Bot via the IRC
    channel, which is protected by password
    authentication. The Bot stands by for commands.
    Some examples of commands are:
  • Manage the installation of the back door
  • Control the IRC client on a compromised computer
  • Dynamically update the Trojan
  • Send the Trojan to other IRC channels to attempt
    to compromise other computers
  • Download and execute files
  • Deliver system and network information to the
    attacker
  • Perform Denial of Service attacks against a third
    party
  • Completely uninstall itself by removing the
    relevant registry entries.
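The join-and-wait-for-commands behaviour described above, as an added example that is not part of the original presentation: a small RFC 1459 line parser and a session scorer that flags a host which connects to one of the listed servers, joins a channel, and then receives operator commands in that channel. The captured lines, the chat server name, and the "." command prefix are constructed assumptions; SDBot's real command syntax is not given on the slide, so the sample commands only stand for the capabilities it lists (login, download, DoS).

```python
import re

# IRC server names the slide lists as SDBot rendezvous points (IOC list).
SDBOT_C2_HOSTS = {"bmu.h4x0rs.org", "bmu.q8hell.org"}

# Assumption: bot commands arrive as channel messages beginning with '.' or '!'.
COMMAND_PREFIXES = (".", "!")

# RFC 1459 message shape: [":" prefix " "] command {" " middle} [" :" trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)"
    r"(?P<params>(?: (?!:)\S+)*)(?: :(?P<trailing>.*))?$"
)


def parse_irc(line):
    """Split one raw IRC line into (prefix, COMMAND, params); None if malformed."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    params = m.group("params").split()
    if m.group("trailing") is not None:
        params.append(m.group("trailing"))
    return m.group("prefix"), m.group("command").upper(), params


def analyze_session(server_host, lines):
    """Score one IRC session. lines: (direction, raw) with direction 'out' for
    host->server and 'in' for server->host."""
    report = {"server": server_host, "known_c2": server_host.lower() in SDBOT_C2_HOSTS,
              "nick": None, "channels": [], "commands": []}
    for direction, raw in lines:
        parsed = parse_irc(raw)
        if parsed is None:
            continue
        _, command, params = parsed
        if direction == "out" and command == "NICK" and params:
            report["nick"] = params[0]
        elif direction == "out" and command == "JOIN" and params:
            report["channels"].append(params[0])   # params[1], if present, is the channel key
        elif direction == "in" and command == "PRIVMSG" and len(params) >= 2:
            text = params[-1]
            if text.startswith(COMMAND_PREFIXES):
                report["commands"].append(text.split()[0])
    # A known C2 host alone is decisive; otherwise require a channel join plus
    # repeated operator-style commands, which is how the slide says the bot is driven.
    report["suspicious"] = report["known_c2"] or (
        bool(report["channels"]) and len(report["commands"]) >= 2)
    return report


# Constructed capture of a bot session (not real traffic): registration,
# channel join with a key, then commands from the operator in the channel.
BOT_SESSION = [
    ("out", "NICK bot-7f3a"),
    ("out", "USER bot-7f3a 0 * :bot-7f3a"),
    ("in",  ":bmu.q8hell.org 001 bot-7f3a :Welcome"),
    ("out", "JOIN #bmu s3cret"),
    ("in",  ":op!op@10.9.8.7 PRIVMSG #bmu :.login pass123"),
    ("in",  ":op!op@10.9.8.7 PRIVMSG #bmu :.download http://203.0.113.9/upd.exe"),
    ("in",  ":op!op@10.9.8.7 PRIVMSG #bmu :.syn 203.0.113.5 80 120"),
]

# Constructed ordinary chat session for contrast.
CHAT_SESSION = [
    ("out", "NICK alice"),
    ("out", "USER alice 0 * :alice"),
    ("out", "JOIN #python"),
    ("in",  ":bob!bob@host PRIVMSG #python :hi all, anyone seen the 3.12 notes?"),
]

if __name__ == "__main__":
    print(analyze_session("bmu.q8hell.org", BOT_SESSION))
    print(analyze_session("irc.example.org", CHAT_SESSION))
```

Because the bot uses its own IRC client, the server port is arbitrary; matching on the protocol grammar rather than on port 6667 is what makes this usable against a capture of all TCP sessions from a suspect host.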

4
How the Bot Spreads
  • It exploits the RPC DCOM buffer overrun described
    in Microsoft Security Bulletin MS03-026.
  • It also takes advantage of the buffer overflow in
    SQL Server 2000 (Microsoft Security Bulletin
    MS02-061).
  • This worm also exploits the IIS5/WebDAV buffer
    overrun vulnerability affecting Windows NT
    platforms, which enables arbitrary code to
    execute on the server (Microsoft Security
    Bulletin MS03-007).
  • It also exploits the Windows LSASS vulnerability.
    This is a buffer overrun that allows remote code
    execution; once it is successfully exploited, a
    remote attacker is able to gain full control of
    the affected system (Microsoft Security Bulletin
    MS04-011).
  • This worm also spreads via network shares, using
    NetBEUI functions to obtain the available lists
    of user names and passwords. It then searches for
    the following shared folders, where it drops a
    copy of itself using the gathered credentials:
  • ADMIN$\system32
  • C$\windows\system32
  • C$\winnt\system32
  • IPC$

5
How it spreads Contd
  • When the Bot has compromised a machine on the
    network it uses a list of weak user names to gain
    access to other machines. Trend Micro has put
    together a list of some of the names:
  • accounting, accounts, administrador, administrat,
    administrateur, administrator, admins, backup,
    blank, brian, etc.
  • It then tries a preselected list of passwords with
    the above user names. Trend Micro also put
    together a list of those:
  • 12345, 123456, 1234567, 12345678, 123456789,
    1234567890, access, bitch, changeme,
    databasepass, databasepassword, db1234, dbpass,
    dbpassword etc.
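The share-spreading behaviour of slides 4 and 5, as an added detection example that is not part of the presentation: given logon events, it looks for one source trying several accounts from the bot's user list over network logons within a short window, then checks whether a network logon from that source succeeded afterwards, which is the point at which the copy to ADMIN$ or C$ would happen. The log lines are a constructed, simplified rendering of Windows Security events 4625 and 4624, not the real event format, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# User names and passwords the slide reproduces from Trend Micro's analysis.
SDBOT_USERNAMES = {
    "accounting", "accounts", "administrador", "administrat", "administrateur",
    "administrator", "admins", "backup", "blank", "brian",
}
SDBOT_PASSWORDS = {
    "12345", "123456", "1234567", "12345678", "123456789", "1234567890", "access",
    "bitch", "changeme", "databasepass", "databasepassword", "db1234", "dbpass",
    "dbpassword",
}

# Constructed, simplified rendering of Windows Security events (not the real
# event XML): timestamp, event ID (4625 failed / 4624 successful logon), source
# address, account name, logon type (3 = network, which is how share access logs).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 4625 src=10.0.0.7 user=administrator type=3
2024-03-01T10:00:01Z 4625 src=10.0.0.7 user=administrador type=3
2024-03-01T10:00:02Z 4625 src=10.0.0.7 user=admins type=3
2024-03-01T10:00:02Z 4625 src=10.0.0.7 user=backup type=3
2024-03-01T10:00:03Z 4625 src=10.0.0.7 user=accounting type=3
2024-03-01T10:00:03Z 4625 src=10.0.0.7 user=brian type=3
2024-03-01T10:00:04Z 4624 src=10.0.0.7 user=backup type=3
2024-03-01T10:05:00Z 4625 src=10.0.0.22 user=alice type=3
2024-03-01T10:20:00Z 4625 src=10.0.0.22 user=alice type=2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d{4}) src=(?P<src>\S+) user=(?P<user>\S+) type=(?P<type>\d+)$")


def parse_events(text):
    """Turn the simplified log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           "event": m["event"], "src": m["src"],
                           "user": m["user"].lower(), "type": m["type"]})
    return events


def detect_share_spray(events, window=timedelta(seconds=60),
                       min_failures=5, min_wordlist_users=3):
    """Per source address: a burst of network-logon failures across several
    accounts from SDBot's user list, and whether a network logon succeeded
    from that source afterwards (the copy-to-share step that follows)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["event"] == "4625" and e["type"] == "3"]
        for i, first in enumerate(failures):
            burst = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
            wordlist_users = {e["user"] for e in burst if e["user"] in SDBOT_USERNAMES}
            if len(burst) < min_failures or len(wordlist_users) < min_wordlist_users:
                continue
            after = burst[-1]["ts"]
            success = next((e["user"] for e in evs
                            if e["event"] == "4624" and e["type"] == "3" and e["ts"] >= after),
                           None)
            findings[src] = {"failures": len(burst),
                             "wordlist_users": sorted(wordlist_users),
                             "success_after": success}
            break
    return findings


def is_sdbot_default(username, password):
    """True if the pair is one the bot would try on its next hop."""
    return username.lower() in SDBOT_USERNAMES and password in SDBOT_PASSWORDS


if __name__ == "__main__":
    for src, f in detect_share_spray(parse_events(SAMPLE_LOG)).items():
        print(src, f)
```

A single failed logon for "alice" from 10.0.0.22 is not flagged; the burst from 10.0.0.7 is, and the success that follows it for "backup" is the account to disable first and the host to isolate.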

6
Bot Attacks
  • Distributed Denial of Service
  • The Denial of Service attack can be used to flood
    a network with traffic in order to disrupt
    communication, using these different protocols
    and flood types:
  • HTTP
  • ICMP
  • SYN
  • UDP
  • The Bot also has other backdoor capabilities such
    as: update malware from an HTTP or FTP URL, steal
    CD keys of games, execute a file, download from an
    HTTP or FTP URL, open a command shell, open files,
    display the driver list, take a screen capture,
    capture pictures and video clips, display netinfo,
    make a bot join a channel, stop and start a
    thread, list all running processes, rename a file,
    and many more.
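An added example for the flood types listed on this slide (not the presentation's own material): it classifies per-second flow records into the four categories and flags destinations whose packet rate for one category crosses a threshold. The flow lines and the 500 packets/s threshold are constructed; the HTTP rule, which counts data-bearing segments to port 80, is a simplification because flow records do not show request content.

```python
import re
from collections import defaultdict

# Constructed flow records (not real telemetry), one per source per second:
# "<epoch second> <proto> <src> -> <dst>:<dport> [flags=<TCP flags>] pkts=<count>".
SAMPLE_FLOWS = """\
1000 TCP 198.51.100.10 -> 203.0.113.5:80 flags=S pkts=400
1000 TCP 198.51.100.11 -> 203.0.113.5:80 flags=S pkts=380
1000 TCP 198.51.100.12 -> 203.0.113.5:80 flags=S pkts=420
1000 TCP 192.0.2.8 -> 203.0.113.5:80 flags=SA pkts=6
1001 UDP 198.51.100.20 -> 203.0.113.6:53 pkts=900
1001 ICMP 198.51.100.21 -> 203.0.113.6:0 pkts=50
1002 TCP 198.51.100.30 -> 203.0.113.8:80 flags=PA pkts=700
1002 TCP 198.51.100.31 -> 203.0.113.8:80 flags=PA pkts=650
1003 TCP 192.0.2.9 -> 203.0.113.7:443 flags=PA pkts=40
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\d+) (?P<proto>TCP|UDP|ICMP) (?P<src>\S+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+)(?: flags=(?P<flags>\S+))? pkts=(?P<pkts>\d+)$")


def flood_kind(proto, dport, flags):
    """Map one flow onto the four flood types the slide lists, or None."""
    if proto == "ICMP":
        return "ICMP"
    if proto == "UDP":
        return "UDP"
    if flags == "S":              # bare SYNs: half-open connection flood
        return "SYN"
    if dport == 80 and "P" in flags:   # data-bearing segments to a web port
        return "HTTP"
    return None


def detect_floods(text, pps_threshold=500):
    """Return {(dst, kind): (peak packets/s, distinct sources at that peak)}
    for every destination and flood type that crosses the threshold."""
    buckets = defaultdict(lambda: [0, set()])   # (second, dst, kind) -> [pkts, sources]
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        kind = flood_kind(m["proto"], int(m["dport"]), m["flags"] or "")
        if kind is None:
            continue
        b = buckets[(m["ts"], m["dst"], kind)]
        b[0] += int(m["pkts"])
        b[1].add(m["src"])
    result = {}
    for (_, dst, kind), (pkts, srcs) in buckets.items():
        if pkts >= pps_threshold and pkts > result.get((dst, kind), (0, 0))[0]:
            result[(dst, kind)] = (pkts, len(srcs))
    return result


if __name__ == "__main__":
    for (dst, kind), (pps, nsrc) in sorted(detect_floods(SAMPLE_FLOWS).items()):
        print(f"{dst}: {kind} flood, {pps} pkt/s from {nsrc} source(s)")
```

The distinct-source count is what separates a botnet flood from a single noisy client: the SYN and HTTP cases above come from several sources at once, which is the signature of many bots receiving the same command.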

7
Bot Attacks
  • The Bot can also run a packet sniffer and checks
    captured traffic for the following strings:
  • auth
  • login
  • auth
  • login
  • 'auth
  • -auth
  • 'login
  • -login
  • login
  • Paypal
  • PAYPAL
  • paypal.com
  • PAYPAL.COM
  • And More.

8
Bot Attacks
  • The Bot can also attempt to steal Windows product
    serial numbers and keys, as well as those of
    other applications.
  • Some games whose keys have been stolen are:
  • NHL 2003
  • NOX
  • Rainbow Six III: RavenShield
  • Shogun: Total War: Warlord Edition
  • Soldier of Fortune II: Double Helix
  • Soldiers of Anarchy
  • The Gladiators
  • Unreal Tournament 2003
  • Unreal Tournament 2004

9
Conclusion
  • All these actions were observed in an SDBot
    sample that was caught by Trend Micro antivirus;
    the Bot name was WORM_SDBOT.UH. There are many
    other kinds of Bots, but SDBot is one of the more
    common ones. Three different antivirus producers
    rate the threat level as moderate, which may mean
    that it does not usually harm the infected
    computer itself but uses all of its resources to
    attack the target.

10
Reference
  • Background Photo
    http://www.wired.com/politics/security/magazine/15-09/ff_estonia_bots
  • TrendMicro
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.UH&VSect=T
  • Symantec Definition
    http://www.symantec.com/security_response/writeup.jsp?docid=2002-051312-3628-99&tabid=2
  • Sun-Belt Software Definition
    http://research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.SDBot&threatid=50488