
Agobot, also frequently known as Gaobot, is a family of computer worms. Axel "Ago" Gembe, a German programmer also known for leaking Half-Life 2 a year before release, was responsible for writing the first version. The Agobot source code describes it as: “a modular IRC bot for Win32 / Linux”. Agobot was released under version 2 of the GNU General Public License. Agobot is a multi-threaded and mostly object oriented program written in C++ as well as a small amount of assembly. Agobot is an example of a botnet that requires little or no programming knowledge to use.


Technical details

New versions, or variants, of the worm appeared so rapidly that the Agobot family quickly grew larger than other bot families. Other bots in the Agobot family include Phatbot and Forbot. Agobot now has several thousand known variants. The majority of these target the Microsoft Windows platform; as a result the vast majority of the variants are not Linux compatible. Modern Agobot strains were most likely built with Visual Studio due to their reliance on Visual Studio's SDK and Processor Pack. An infectious Agobot can vary in size but is typically around 12 to 500 kilobytes depending on features, compiler optimizations, and binary modifications.

A module written for one member in the Agobot family can usually be ported with ease to another bot. This mix-matching of modules to suit the owner's needs has inspired many of the worm's variants.

Most Agobots have the following features:

* Password-protected IRC client control interface
* Remotely update and remove the installed bot
* Execute programs and commands
* Port scanner used to find and infect other hosts
* DDoS attacks used to take down networks

The Agobot may contain other features such as:

* Packet sniffer
* Keylogger
* Polymorphic code
* Rootkit installer
* Information harvest
** Email addresses
** Software product keys
** Passwords
* SMTP client
** Spam
** Spreading copies of itself
* HTTP client
** Click fraud
** DDoS attacks


Spreading

The following propagation methods are sub-modules to the port scanning engine:

* MS03-026 RPC DCOM Remote Buffer Overflow
* MS04-011 LSASS Remote Buffer Overflow
* MS05-039 Plug and Play Remote Buffer Overflow
* Attempts to hijack common Trojan horses that accept incoming connections via an open port.
* The ability to spread to systems by brute forcing a login. A good example is Telnet or Microsoft's Server Message Block.

Generally, it has been observed that every custom modified variant of Agobot features a selection of the above methods as well as some "homebrew" modules, which essentially are released exploits ported to its code. Names and such can be added via the XML files to produce variable shuffle imports.
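As a defender-side illustration of the scanning behaviour described in this section (an added example, not code from Agobot or from the original article), the sketch below flags internal hosts that fan out to many distinct destinations on the service ports tied to the listed vectors. The port numbers are the standard ports for those services and are not given in the article; the flow tuple layout, thresholds, function name and sample records are assumptions constructed for the example.

```python
from collections import defaultdict

# Standard service ports for the vectors listed above (assumption: the
# article names the bulletins and services but gives no port numbers).
PORT_TO_METHOD = {
    135: "MS03-026 RPC DCOM",
    445: "MS04-011 LSASS / MS05-039 Plug and Play / SMB login brute force",
    23: "Telnet login brute force",
}

def find_scanners(flows, window=60, min_targets=5):
    """Flag sources that reach >= min_targets distinct hosts on one watched
    port within `window` seconds. flows: (ts_seconds, src, dst, dst_port)."""
    by_key = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in PORT_TO_METHOD:
            by_key[(src, port)].append((ts, dst))
    alerts = {}
    for key, events in by_key.items():
        events.sort()
        start, in_window = 0, defaultdict(int)  # dst -> hits inside window
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[start][0] > window:  # evict expired events
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_targets:
                alerts[key] = PORT_TO_METHOD[key[1]]
                break
    return alerts

# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = (
    # fast fan-out on 445: six hosts in six seconds
    [(i, "10.0.0.5", f"10.0.1.{i + 1}", 445) for i in range(6)]
    # normal file-server use: one destination, many connections
    + [(i * 5, "10.0.0.9", "10.0.2.10", 445) for i in range(20)]
    # five hosts on 135, but two minutes apart
    + [(i * 120, "10.0.0.7", f"10.0.3.{i + 1}", 135) for i in range(5)]
)

if __name__ == "__main__":
    for (src, port), method in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src} fan-out on tcp/{port}: {method}")
```

Counting distinct destinations per source and port, rather than raw connections, keeps a busy client of a single file server from alerting while still catching a host that sweeps a subnet.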


Variants


Gaobot.ee

Gaobot.ee is a variant of Agobot. It is also known as W32.HLLW.Gaobot.EE. It is a malicious computer worm that tends to come from the P2P network Ares, installing from its virus form, Ares.exe. It has rather odd characteristics for a virus, with the unique ability to download and install random files (perhaps to create more sharers) from its members, such as music, pornography, and even full games. Gaobot.ee is a worm that sends large numbers of unsolicited e-mails using its own SMTP engine. This worm also opens a backdoor on a random TCP port, notifies attackers through a predetermined IRC channel, and attempts to terminate various security products and system monitoring tools. Its security level is low, hardly doing any damage to a computer. However, it has been reported to download and install spyware, more viruses, trojans, and worms, although this has not yet been officially proven.




External links


* W32.Gaobot.DX, Symantec. Retrieved 2007-06-18.
* W32.Gaobot.CEZ, Symantec. Retrieved 2007-06-18.