Well Known Bot Families
Created: November 6, 2011
Botnets evolve over time, and there may be hundreds of variations of the same bot across numerous botnets. These variations may or may not be individually named, depending on the hacker group that maintains the particular version. Cyber-criminal groups typically build large botnets on one or more bot families. Hackers sometimes use obfuscation techniques to change the appearance that the bot presents to anti-virus/anti-malware packages. When obfuscation is the only change to a bot, the bot retains the same name but the signature count for that bot increases. At the time of this writing there are over 150,000 bot signatures monitored by Spybot Search & Destroy (SaferNetworking.org, 2008). Many of these bots fall within the following major bot families:
Agobot
According to Bacher et al. (2005), Agobot is the best known bot, with an ever-increasing count of over 500 known variations. Other members of this bot family include Phatbot, Forbot, and XtremBot. Using libpcap, a well known packet capture library, in conjunction with Perl Compatible Regular Expressions (PCRE), Agobot can listen in on other traffic on the host. Agobot also offers rootkit capability to hide from detection tools and can detect debuggers and virtual machines.
SDBot
According to Bacher et al. (2005), the SDBot family is one of the most active bot families. This bot family is poorly designed but very popular with hackers, as demonstrated by the number of instances occurring in the wild. SDBot offers functionality similar to Agobot, and the bot's popularity may be attributed to its simplified command set and ease of use. Other members of the SDBot family include RBot, RxBot, UrBot, UrXBot, and JrBot.
GT Bots
The largest group of threats is classified as Global Threats, abbreviated GT. "GT-Bots spread by exploiting weaknesses on remote computers and uploading themselves to compromised hosts" (Bacher et al., 2005). Bots based on the Microsoft IRC client are classified as mIRC-based bots and are referred to as GT-Bots because of the sheer volume of varieties. These bots rely on the functionality of the mIRC protocol for C&C and include various scripts. Dynamic Link Library (DLL) modules extend the bot's functionality and help it infect other hosts. The mIRC script files are often identified by the file extension .mrc. Finding the HideWindows rootkit on a host is a good indication that the host may be a member of a GT-Bot-based botnet.
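The two host indicators named above (mIRC script files with the .mrc extension and the presence of the HideWindows rootkit) can be turned into a simple triage scan. The following is an added example written for this post, not code from the original article or from the Honeynet Project; it builds a constructed directory tree standing in for a suspect host and walks it looking for those two indicators. Matching HideWindows by a substring of the file name is an assumption made for the example, since the post names the rootkit but not its on-disk file names.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the text: mIRC script files use the .mrc extension, and
# the HideWindows rootkit on a host suggests a GT-Bot infection.
# Matching HideWindows by a file-name fragment is an assumption for this example.
SCRIPT_EXTENSIONS = {".mrc"}
ROOTKIT_NAME_FRAGMENTS = ("hidewindows",)


def scan_for_gtbot_indicators(root):
    """Walk `root` and return a sorted list of (indicator, relative_path) tuples.

    Matching is case-insensitive so that Windows-style names (REMOTE.MRC,
    HideWindows.DLL) are caught as well.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            if ext in SCRIPT_EXTENSIONS:
                findings.append(("mirc-script", rel))
            if any(frag in lower for frag in ROOTKIT_NAME_FRAGMENTS):
                findings.append(("hidewindows-rootkit", rel))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample host layout (inert placeholder files, not real malware):
    a few benign files plus one of each indicator kind the post describes."""
    layout = {
        "mirc/mirc.ini": "[mirc]\n",
        "mirc/script.ini": "",
        "mirc/remote.mrc": "; constructed placeholder mIRC script\n",
        "windows/system32/HideWindows.dll": "",
        "docs/notes.txt": "nothing to see\n",
    }
    for rel, content in layout.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return base


def demo():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_gtbot_indicators(tmp)


if __name__ == "__main__":
    for indicator, rel_path in demo():
        print(f"{indicator:22s} {rel_path}")
```

On a real host the scan would be pointed at the system drive rather than a temporary directory; a hit on the script indicator alone is weak evidence (mIRC is legitimate software), so both indicators together should raise the priority of the host for further review.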
Dataspy Network X (DSNX)
The DSNX bot is a highly extensible bot and includes many plug-in interfaces. Hackers must, however, write or download the plug-ins necessary to spread the bot, according to Bacher et al. (2005). Available plug-ins include those needed to launch DDoS attacks and to create HTTP servers used to host malicious web sites.
Q8 Bots
What is most notable about the Q8bot is that it is written specifically for UNIX/Linux systems and is very small, as noted by Bacher et al. (2005). This bot contains most of the common features of bots except for one: it has no native functionality for spreading, so the bot-herder must actively spread this threat.
Kaiten
The Kaiten bot is another small bot written for the UNIX/Linux OS. This bot has one flaw: a weak authentication method, which makes the bot easy to hijack (Bacher et al., 2005). The most notable feature of the Kaiten bot is a remote shell that gives the hacker the ability to search for other vulnerabilities and actively explore infected systems. Bot-herders often lose botnets based on Kaiten because of the weak authentication method.
Perl-Based Bots
The final family of bots includes those based on the Perl programming language. "These bots are very small and contain in most cases only a few hundred lines of code. They offer only a rudimentary set of commands (most often DDoS-attacks) and are used on Unix-based systems" (Bacher et al., 2005).
What do you think? Do you know of other bot families?
As always, the author appreciates all comments.
References
Bacher, P., Holz, T., Kotter, M., and Wicherski, G. (2005). Know your enemy: Tracking botnets. Using honeynets to learn more about bots. The Honeynet Project & Research Alliance. Retrieved May 1, 2008 from http://www.honeynet.org/papers/bots/
SaferNetworking.org (2008). Spybot Search and Destroy. Available from http://www.safer-networking.org/en/index.html