Agobot (computer worm)

From Wikipedia, the free encyclopedia

Agobot, also frequently known as Gaobot, is a family of computer worms. The Agobot source code describes it as: “a modular IRC bot for Win32 / Linux”. Agobot was released under version 2 of the Gnu General Public License. Agobot is a multi-threaded and mostly object oriented program written in C/C++ as well as a small amount of assembler. Agobot is an example of a Botnet that requires little or no programming knowledge to use.

Contents 1 Details 2 Spreading 3 Naming 4 External links 5 References

[edit] Details

New versions, or variants, of the worm appeared so rapidly that the Agobot family quickly grew larger than other bot families. Other bots in the Agobot family are: Forbot, Phatbot, Urxbot, Rxbot, Rbot. Agobot now has several thousand variants. The majority of the development force behind Agobot is targeting the Microsoft Windows platform; as a result the vast majority of the variants are not Linux compatible. In fact the majority of modern Agobot strains must be built with Visual Studio due to its reliance on Visual Studio's SDK and Processor Pack. An infectious Agobot can vary in size from ~500kbyte to ~12kbyte depending on features, compiler optimizations and binary modifications.

Due to Agobot's modularity and popularity it has turned into a kitchen sink platform of attack and control. A module written for one member in the Agobot family can usually be ported with ease to another bot. This mix-matching of modules to suit the owner's needs has inspired many of the worm's variants.

Most Agobots have the following features:

• Password Protected IRC Client control interface
• Remotely update and remove the installed bot
• Execute programs and commands
• Port scanner used to find and infect other hosts
• DDoS attacks used to takedown networks

The Agobot may contain other features such as:

• Packet sniffer
• Keylogger
• Polymorphic code
• Rootkit installer
• Information harvest
  • Email Addresses
  • Software Product Keys
  • Passwords
• SMTP Client
  • Spam
  • Spreading copies of itself
• HTTP client
  • Click Fraud
  • DDoS Attacks

[edit] Spreading

The following propagation methods are sub-modules to the port scanning engine:

• MS03-026 RPC DCOM Remote Buffer Overflow
• MS03-026 LSASS Remote Buffer Overflow
• MS05-039 Plug and Play Remote Buffer Overflow
• Attempts to hijack common Trojan horses which accept incoming connections via an open port.
• The ability to spread to systems by brute forcing a login. A good example is Telnet or Microsoft's Server Message Block

[edit] Naming

Because there is no standard of detection nor classification for the Agobot family, there is also no standard naming convention. Most anti-virus programs detect variants generically with no attempt made to classify specific variants (e.g. W32/Agobot.worm).

[edit] External links

• Agobot and the “Kit”-chen Sink
• Phatbot Command Reference

[edit] References

• W32.Gaobot.DX Symantec Retrieved 20070618
• W32.Gaobot.CEZ Symantec Retrieved 20070618