- WkD Bot
WkD Bot is a Trojan horse that was created in 2001 by a
script kiddie using the nickname "Wicked" (born March 1988). It is a tool used toDDoS persons, servers or websites. Recent insights have revealed that WkD Bot was only an editor to hexedit the cleartext settings in the evilbot.exe file, and was never recompiled from source, hence contains no new features.Working method
WkD Bot is a trojan that, once installed on the victim computer, makes a file hide in the Windows-directory and will go by the name of RundIl.exe. The capital "i" makes it hard to distinguish the file from Rundll.exe (with an uncapitalized "l"), which is a major part of the Windows Operating System. It also saves a few lines in the Registry, so WkD Bot is opened every time the computer is booted up.Once WkD Bot it started, it will enter
IRC with a randomly generated nickname. The victim's computer will have a bot join the server and channel of the controller's choice. The botowner can now enter the following commands in the IRC channel:*!p1
- will send ping packets to the chosen IP
*!p2- will do the same as with !p1, only now in a greater number
*!p3- will do the same as with !p2, only now in a greater number
*!p4- will do the same as with !p3, only now in a greater number
*!j- the bot will join the chosen channel
*!l- the bot will leave the chosen channel
*!nick- the bot will change its nickname to the chosen example
*!newnick- the bot will generate a new random nickname
*!r - shows the bot's version.If the owner has more than 10 WkD Bots at his disposal, he's safe to use the following command:
*!udpEspecially the commands !p4 and !udp can do a lot of damage. It sends 10.000 64kb ping-packets to the chosen destination. In total, that's worth 655mb of datastrings. If multiple machines do this at the same time, a lag will be clearly visible on the destination. !udp is even more dangerous than !p4. Rather than just sending 10.000 files, it can drown a server with a flood of up to 9.999.999 bits and pieces of UDP and ICMP packets.
History
The script kiddie, living in
Kenosha, Wisconsin , based his bot on another piece ofmalware , calledEvilbot created by a programmer using the nickname of "Evilgoat". According to the then 13 year old Wicked, Evilgoat's original bot was not good enough. Although the source code showed that the author was skilled, Wicked noted that Evilbot was rather buggy, uncreative and was programmed from a narrowminded point of view. These are the reasons which supposedly motivated Wicked to develop the variant. Although he claims to have improved upon Evilbot by reverse engineering and directly modifying it using assembly instructions, in actuality Wicked simply used ahex editor to alter the name. Thus, "WkD Bot 1.0" was born.The WkD Bot attracted a lot of attention in the media when
Steve Gibson , webmaster of GRC.com [http://www.grc.com] , was six times under siege by a large number of WkD Bots. These bots (that were controlled by their original author) were set toDDoS attack GRC.com, because Wicked did not appreciate being called a 'script kiddie' by Gibson in a newsgroup dispute. The total number of malicious packets sent to Gibson's website was 2.4 billion. Gibson investigated on the matter, and quickly revealed how Wicked was performing his attacks, by making a performance onTechTV and a dedicating a special page on his website to the six attacks.In the readme.txt that was included with the program, Wicked announced that he was going to work on updates for WkD Bot, but those never saw the light. Even up to today, 1.0 is still the most recent version.
References
* [http://swatit.org/bots/wicked.html Interview with Wicked]
* [http://grc.com/dos/grcdos.htm Steve Gibson's investigation on the WkD Bot]
* [http://www.megasecurity.org/trojans/w/wickedbot/Wickedbot.html Readme.txt file]
Wikimedia Foundation. 2010.
