
Agobot, also frequently known as Gaobot, is a family of computer worms. Axel "Ago" Gembe, a German programmer also known for leaking the Half-Life 2 source code a year before the game's release, wrote the first version. The Agobot source code describes it as "a modular IRC bot for Win32 / Linux". Agobot was released under version 2 of the GNU General Public License. It is a multi-threaded and mostly object-oriented program written in C++, with a small amount of assembly. Agobot is an example of a botnet that requires little or no programming knowledge to use.


Technical details

New versions, or variants, of the worm appeared so rapidly that the Agobot family quickly grew larger than other bot families. Other bots in the Agobot family include Phatbot and Forbot. Agobot now has several thousand known variants. The majority of these target the Microsoft Windows platform; as a result, the vast majority of the variants are not Linux compatible. Modern Agobot strains were most likely built with Visual Studio, given their reliance on Visual Studio's SDK and Processor Pack. An infectious Agobot binary can vary in size but is typically around 12 to 500 kilobytes, depending on features, compiler optimizations, and binary modifications. A module written for one member of the Agobot family can usually be ported with ease to another bot. This mixing and matching of modules to suit the owner's needs has inspired many of the worm's variants.

Most Agobots have the following features:
* Password-protected IRC client control interface
* Remote update and removal of the installed bot
* Execution of programs and commands
* Port scanner used to find and infect other hosts
* DDoS attacks used to take down networks

An Agobot may contain other features such as:
* Packet sniffer
* Keylogger
* Polymorphic code
* Rootkit installer
* Information harvesting
** Email addresses
** Software product keys
** Passwords
* SMTP client
** Spam
** Spreading copies of itself
* HTTP client
** Click fraud
** DDoS attacks


Spreading

The following propagation methods are sub-modules of the port scanning engine:
* MS03-026 RPC/DCOM remote buffer overflow
* MS04-011 LSASS remote buffer overflow
* MS05-039 Plug and Play remote buffer overflow
* Attempts to hijack common Trojan horses that accept incoming connections via an open port
* The ability to spread to systems by brute forcing a login; Telnet and Microsoft's Server Message Block (SMB) are typical targets

Generally, every custom-modified variant of Agobot has been observed to feature a selection of the above methods as well as some "homebrew" modules, which are essentially publicly released exploits ported to its code base. Names and such can be added via the XML files to produce variable shuffle imports.
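The feature list in the Technical details section (IRC control channel, port scanner) and the propagation methods above describe network behaviour a defender can look for: bursts of connection attempts from one internal host to many targets on the RPC/DCOM and SMB ports, repeated short sessions to a single Telnet or SMB target (login brute forcing), and a subsequent check-in to an IRC server. The following Python script is an added example, not code from the Agobot source or from this page; it scores source hosts in a constructed connection log on those three indicators. The log format (timestamp, source, destination, destination port), the port list, the 60-second window, the thresholds and the sample log are assumptions chosen for illustration, and the IRC port 6667 is treated only as a weak indicator because a bot can use any port.

```python
"""Heuristic detection of Agobot-style propagation in a connection log.

Added example; the log format, ports and thresholds are assumptions.
Each log line is "<unix_ts> <src_ip> <dst_ip> <dst_port>".
"""
import re
from collections import defaultdict

# Ports used by the propagation sub-modules described on this page:
# 135 (MS03-026 RPC/DCOM), 139/445 (MS04-011 LSASS over SMB, SMB login
# brute forcing) and 23 (Telnet login brute forcing).
SCAN_PORTS = {135, 139, 445, 23}
# Conventional IRC port. Assumption: a real bot can use any port, so this
# is a weak indicator that only counts alongside the others.
IRC_PORTS = {6667}

WINDOW = 60               # seconds; assumed detection window
SCAN_MIN_HOSTS = 10       # distinct targets on SCAN_PORTS within WINDOW
BRUTE_MIN_ATTEMPTS = 8    # sessions to one host:port within WINDOW

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_flow(line):
    """Parse one log line into (ts, src, dst, dport); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport = m.groups()
    return int(ts), src, dst, int(dport)


def score_hosts(lines):
    """Return {src: [indicator, ...]} for every source host that shows
    scanning or brute forcing; an IRC connection is added as a third
    indicator when present but is never reported on its own."""
    by_src = defaultdict(list)
    for line in lines:
        flow = parse_flow(line)
        if flow:
            by_src[flow[1]].append(flow)

    findings = {}
    for src, flows in by_src.items():
        flows.sort()  # chronological
        indicators = set()
        # Sliding window: start one window at each flow and look ahead.
        for i, (t0, _, _, _) in enumerate(flows):
            targets = set()
            attempts = defaultdict(int)
            for ts, _, dst, dport in flows[i:]:
                if ts - t0 > WINDOW:
                    break
                if dport in SCAN_PORTS:
                    targets.add(dst)
                    attempts[(dst, dport)] += 1
            if len(targets) >= SCAN_MIN_HOSTS:
                indicators.add("port_scan")
            if attempts and max(attempts.values()) >= BRUTE_MIN_ATTEMPTS:
                indicators.add("login_brute_force")
        if indicators and any(dport in IRC_PORTS for _, _, _, dport in flows):
            indicators.add("irc_c2")
        if indicators:
            findings[src] = sorted(indicators)
    return findings


def build_sample_log():
    """Constructed sample: one infected host, two benign hosts."""
    lines = []
    # 10.0.0.7 sweeps 15 neighbours on 445, then the same hosts on 135 ...
    for i in range(1, 16):
        lines.append(f"{1000 + i} 10.0.0.7 10.0.1.{i} 445")
    for i in range(1, 16):
        lines.append(f"{1020 + i} 10.0.0.7 10.0.1.{i} 135")
    # ... hammers one Telnet service (login brute forcing) ...
    for i in range(10):
        lines.append(f"{1050 + i} 10.0.0.7 10.0.1.200 23")
    # ... and then checks in to an IRC server.
    lines.append("1070 10.0.0.7 203.0.113.5 6667")
    # 10.0.0.9 talks to one file server and a web site: normal traffic.
    lines.append("1001 10.0.0.9 10.0.1.2 445")
    lines.append("1002 10.0.0.9 10.0.1.2 445")
    lines.append("1003 10.0.0.9 198.51.100.20 443")
    # 10.0.0.11 is a human IRC user with no scanning: must not be flagged.
    lines.append("1005 10.0.0.11 203.0.113.5 6667")
    return lines


if __name__ == "__main__":
    for host, inds in sorted(score_hosts(build_sample_log()).items()):
        print(f"{host}: {', '.join(inds)}")
```

Run against the constructed log, the script flags only 10.0.0.7 with all three indicators. The thresholds are deliberately conservative so that a single busy file-server client is not reported, but an authorised vulnerability scanner or a backup host that opens SMB sessions to many machines will still trip the port_scan indicator; whitelist such hosts rather than raising the thresholds, since a bot sweeping a /24 looks exactly like the sample.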


Variants


Gaobot.ee

Gaobot.ee is a variant of Agobot, also known as W32.HLLW.Gaobot.EE. It is a malicious computer worm that tends to arrive from the Ares P2P network, installing from its carrier file Ares.exe. It has rather odd characteristics for a virus: it also downloads and installs random files from other peers (perhaps to create more sharers), such as music, pornography, and even full games. Gaobot.ee sends large numbers of unsolicited e-mails using its own SMTP engine. The worm also opens a backdoor on a random TCP port, notifies attackers through a predetermined IRC channel, and attempts to terminate various security products and system monitoring tools. Its threat level is rated low, as it does little direct damage to an infected computer. However, it has been reported to download and install spyware, more viruses, trojans, and worms, although this has not yet been officially confirmed.



External links

* W32.Gaobot.DX, Symantec. Retrieved 2007-06-18.
* W32.Gaobot.CEZ, Symantec. Retrieved 2007-06-18.