Agobot (computer worm)

Agobot, also frequently known as Gaobot, is a family of computer worms. A German named Axel Gembe was responsible for writing the first version. [Infosecurity 2008 Threat Analysis, page 16, ISBN-10: 1597492248 ISBN-13: 978-1597492249] [http://online.wsj.com/public/article_print/SB116900488955878543-yrMHYlacFyxijV14BxFZfXeU1_8_20070216.html How Legal Codes Can Hinder Hacker Cases] [http://wsjclassroom.com/archive/05feb/onln_hacker.htm Hacker Hitmen - Cyber Attacks Used to Be for Thrill Seekers. Now They're About Money.] The Agobot source code describes it as “a modular IRC bot for Win32 / Linux”. Agobot was released under version 2 of the GNU General Public License. Agobot is a multi-threaded and mostly object-oriented program written in C++ with a small amount of assembly. Agobot is an example of a botnet that requires little or no programming knowledge to use.

Details

New versions, or variants, of the worm appeared so rapidly that the Agobot family quickly grew larger than other bot families. Other bots in the Agobot family are Forbot, Phatbot, Urxbot, Rxbot and Rbot. Agobot now has several thousand variants. The majority of the development effort behind Agobot targets the Microsoft Windows platform; as a result, the vast majority of the variants are not Linux compatible. In fact, the majority of modern Agobot strains must be built with Visual Studio because of their reliance on Visual Studio's SDK and Processor Pack. An infectious Agobot binary can vary in size from ~500 kbyte to ~12 kbyte depending on features, compiler optimizations and binary modifications.

Because of Agobot's modularity and popularity, it has turned into a kitchen-sink platform for attack and control. A module written for one member of the Agobot family can usually be ported with ease to another bot. This mixing and matching of modules to suit the owner's needs has inspired many of the worm's variants.

Most Agobots have the following features:
* Password-protected IRC client control interface
* Remotely update and remove the installed bot
* Execute programs and commands
* Port scanner used to find and infect other hosts
* DDoS attacks used to take down networks

An Agobot may contain other features such as:
* Packet sniffer
* Keylogger
* Polymorphic code
* Rootkit installer
* Information harvesting
** Email addresses
** Software product keys
** Passwords
* SMTP client
** Spam
** Spreading copies of itself
* HTTP client
** Click fraud
** DDoS attacks

Spreading

The following propagation methods are sub-modules of the port scanning engine:
* [http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx MS03-026] RPC DCOM remote buffer overflow
* [http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx MS04-011] LSASS remote buffer overflow
* [http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx MS05-039] Plug and Play remote buffer overflow
* Attempts to hijack common Trojan horses that accept incoming connections on an open port.
* The ability to spread to systems by brute-forcing a login, for example over Telnet or Microsoft's Server Message Block (SMB).
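Because every propagation method above is driven by the port scanning engine, the observable footprint on a network is one host reaching many peers on the same service port in a short time. The following detector is an added example written for this article, not code from Agobot or from any cited source; it runs over a constructed flow-log format, and the mapping of ports to the bulletins and brute-force services listed above is an assumption of the example, not something the article states.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports an Agobot-style scanner sweeps before exploiting or brute-forcing (assumed mapping).
WATCHED_PORTS = {
    135: "RPC DCOM (MS03-026)",
    445: "SMB: LSASS (MS04-011), Plug and Play (MS05-039), SMB login brute force",
    139: "NetBIOS session service, SMB login brute force",
    23: "Telnet login brute force",
}

def parse_line(line):
    """Parse a constructed flow-log line: '<ISO time> <src> <dst> <dst_port> <action>'."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action

def detect_fanout(log_text, threshold=8, window=timedelta(seconds=60)):
    """Return {(src, port): max distinct destinations within one window} for every
    source that reached >= threshold distinct hosts on a watched port."""
    events = defaultdict(list)  # (src, port) -> [(ts, dst), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port, _ = parse_line(line)
            if port in WATCHED_PORTS:
                events[(src, port)].append((ts, dst))
    alerts = {}
    for key, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window forward
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            if distinct >= threshold:
                alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts

def build_sample_log():
    """Constructed sample: 10.0.0.5 sweeps twelve hosts on 445 in twelve seconds and
    probes five hosts on 135; 10.0.0.9 talks to three file servers over an hour."""
    t0 = datetime(2004, 5, 1, 10, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.5 10.0.1.{i} 445 SYN"
             for i in range(1, 13)]
    lines += [f"{(t0 + timedelta(seconds=20 + i)).isoformat()} 10.0.0.5 10.0.2.{i} 135 SYN"
              for i in range(1, 6)]
    lines += [f"{(t0 + timedelta(minutes=20 * i)).isoformat()} 10.0.0.9 10.0.3.{i} 445 SYN"
              for i in range(1, 4)]
    return "\n".join(lines)
```

With the default threshold only the twelve-host sweep on port 445 is reported; the legitimate host that contacts three servers an hour apart never accumulates enough distinct peers inside the window.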

Naming

Because there is no standard for detection or classification of the Agobot family, there is also no standard naming convention. Most anti-virus programs detect variants generically, with no attempt made to classify specific variants (e.g. W32/Agobot.worm).

External links

* [http://www.infectionvectors.com/vectors/kitchensink.htm Agobot and the “Kit”-chen Sink]
* [http://www.lurhq.com/phatbot.html Phatbot Command Reference]

References

* [http://www.symantec.com/security_response/writeup.jsp?docid=2004-051816-5418-99 W32.Gaobot.DX Symantec] Retrieved 2007-06-18
* [http://www.symantec.com/security_response/writeup.jsp?docid=2005-012609-1021-99&tabid=2 W32.Gaobot.CEZ Symantec] Retrieved 2007-06-18


Wikimedia Foundation. 2010.
