
Backdoor:Win32/Rbot.SR


First posted on 27 November 2010.
Source: SecurityHome

Aliases :

Backdoor:Win32/Rbot.SR is also known as Trojan.Win32.Buzus.doef (Kaspersky), IRC-Worm.SuspectCRC (Ikarus), Trj/Buzus.AH (Panda), W32.IRCBot (Symantec), TROJ_BUZUS.BHY (Trend Micro).

Explanation :

Backdoor:Win32/Rbot.SR is a backdoor trojan that runs in the background, gathers software installation and computer configuration details, and connects to an IRC server to receive commands from remote attackers. Commands could include instructions to spread to other computers via open network shares or by exploit of a security vulnerability, or to launch a denial of service (DoS) attack against specified targets.

Installation

When executed, Backdoor:Win32/Rbot.SR copies itself to the Windows system folder using a random file name composed of six letters. It sets this copy to have 'hidden', 'system', and 'read-only' attributes. It then executes its copy.

Spreads via...

Network shares

Backdoor:Win32/Rbot.SR spreads to other computers across a network by dropping a copy of itself in the following folders, if they are accessible:

  • Admin$\system32
  • C$\WinNT\system32
  • C$\Windows\system32

If these shares are not readily accessible, it attempts to gain access as an administrator by using a predefined list of weak passwords.

Software exploits

Backdoor:Win32/Rbot.SR exploits known vulnerabilities, such as the following:

  • DCOM RPC vulnerability using TCP port 135, fixed in Microsoft Security Bulletin MS03-026
  • WebDAV vulnerability using TCP port 80, fixed in Microsoft Security Bulletin MS03-007
  • Workstation service buffer overrun vulnerability using TCP port 445, fixed in Microsoft Security Bulletin MS03-049 and Microsoft Security Bulletin MS03-043
  • Locator service vulnerability using TCP port 445, fixed in Microsoft Security Bulletin MS03-001; the worm specifically targets Windows 2000 machines using this exploit
  • UPnP vulnerability, fixed in Microsoft Security Bulletin MS01-059
  • Vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit using UDP port 1434, fixed in Microsoft Security Bulletin MS02-061

Payload

Lowers security settings

Backdoor:Win32/Rbot.SR modifies the following registry entries to lower the security settings on the computer:

  • Disables DCOM:
    In subkey: HKLM\Software\Microsoft\OLE
    Sets value: "EnableDCOM"
    With data: "n"
  • Does not allow enumeration of SAM accounts and names:
    In subkey: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    Sets value: "Restrictanonymous"
    With data: "1"

Allows backdoor access and control

Backdoor:Win32/Rbot.SR connects to TCP port 113, similar to Internet Relay Chat (IRC) clients, for authentication. It connects to a remote IRC server and channel using TCP port 6667, and awaits commands from remote attackers. Commands may include the following instructions:

  • Capture a screen image
  • Conduct DoS attacks against specified targets
  • Initiate a remote shell
  • Log keystrokes
  • Perform a DNS look-up
  • Remove itself from the infected computer
  • Search for files
  • Send process list, network configuration, system information, or clipboard data
  • Send, receive, or execute files
  • Steal account credentials
  • Steal game registration keys
  • Terminate threads
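A host-side triage check for the artifacts described above, added here as an example and not taken from the original analysis: it reads the two registry values named in the Payload section and looks for a six-letter file carrying the hidden, system and read-only attributes in the Windows system folder. The function name is mine, and it assumes the dropped copy may use any extension, since the write-up names none; a hit is a lead to investigate, not a confirmed infection.

```powershell
# Added defender-side check, not part of the original write-up.
# Reports the registry values and the file artifact this analysis describes.
function Get-RbotSRIndicators {
    [CmdletBinding()]
    param(
        [string]$SystemDir = "$env:SystemRoot\System32"
    )
    $findings = @()

    # Registry values the write-up says the backdoor sets.
    # Value names are case-insensitive on Windows, so the page's spelling is fine.
    $checks = @(
        @{ Path = 'HKLM:\Software\Microsoft\OLE';               Name = 'EnableDCOM';        Bad = 'n' },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'Restrictanonymous'; Bad = '1' }
    )
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $value = [string]$item.($c.Name)          # DWORD 1 and REG_SZ "n" both compare as strings
            if ($value -ieq $c.Bad) {
                $findings += [pscustomobject]@{ Type = 'Registry'; Detail = "$($c.Path)\$($c.Name) = $value" }
            }
        }
    }

    # Six-letter base name (assumption: any extension) with all three attributes set.
    $required = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System -bor [IO.FileAttributes]::ReadOnly
    Get-ChildItem -Path $SystemDir -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.BaseName -match '^[A-Za-z]{6}$' -and (($_.Attributes -band $required) -eq $required)
        } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Type = 'File'; Detail = "$($_.FullName) ($($_.Attributes))" }
        }

    return $findings
}

# Run as an administrator so hidden system files and HKLM are readable.
Get-RbotSRIndicators | Format-Table -AutoSize
```

Pair any file hit with a hash lookup and a check for IRC traffic to TCP port 6667 from the host before drawing conclusions.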


Analysis by Marian Radu

Last update 27 November 2010
