[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <018301c464c8$79564430$1b833a0a@cbs.gov.il>
Date: Thu, 8 Jul 2004 10:49:26 +0200
From: "Gadi Evron" <gadie@....gov.il>
To: <bugtraq@...urityfocus.com>
Subject: current leading bots used in drone armies [June/July 2004]
[For the list of the most used Trojan horses in drone armies for June/July,
2004, please skip to the end of this email message.]
I figured a list of this nature once in a while (maybe quarterly or monthly
depending on the changing threats) can be useful to some administrators who
wish to actively combat drone armies and/or to inform them as to what they
can expect, capabilities-wise, when planning the defense of their networks.
The information is gathered from the relevant professionals in several
networks who actively follow and combat this threat. In no way do I take any
credit for it (beyond admitting to writing it down under my name and
vouching for the details).
Most of the Trojan horses used for infecting users and creating drone armies
the past year are sd/phat/rbot variants.
Sdbots have spawned numerous variants and were separated into new groups of
malware which in turn were further separated into new groups. Agobots,
Phatbots, etc.
Agobots are most likely to reach and move beyond the three letters counting
(Agobot.ABC).
It's (kind of) a new world, the world of open-source malware. It's been
going on for a while, but there are now over a thousand new variants a month
for different Trojan malware (mostly Trojan horses). The numbers speak for
themselves. These are not lonely cases, this is "code a virus" opportunity
for the masses. Usually with tech-support..
It's always funny to me how some in the AV industry would at times hype new
worms or new barely different variations of worms, in the media, while
ignoring drone armies almost completely.
Just in recent months, due to in many cases me making weird noises, we start
hearing about drone armies.
Over-time, a drone army can reach hundreds of thousands of infected drones
in size, and new armies/drone are created daily. There are a lot more than
just a few drone armies out there, and the Trojan horses used change
constantly.
The basic threat is DDoS from a few thousands of Cable/DSL users (simple
DDoS, gang blackmail) and it grows all the way to big words such as
espionage and the fabled hype which may perhaps one day turn true; "the
death of the Internet". We've had a few close calls (African router, DDoS on
backbone).
Usually though, the goal of these drone armies is simple: SPAM.
Trojan horses used in drone armies and Trojan horses installed on "lonely"
infected machines far outnumber the amounts of infected users from _most_
worms.
The main _spread_ of any worm is usually in the first hours to days of its
creation and release to "the wild". Worms continue to spread over the
Internet for years and there are always infected users who have them. Unlike
worms, most of these Trojan horses remain _overtime_ undisturbed, in huge
exponentially increasing numbers.
The (specific) Trojan horses most used as bots in drone armies for
June/July, 2004, are:
1. Korgobots:
Use in drone armies: _everywhere_.
[For example: Korgobot is a variation of Rbot which in turn was a
stripped down version of a Phatbot,
which in turn is a variation of Agobot which in turn is a variation of
SDbot (KWbot).]
2. dfgbots:
Use in drone armies: huge.
3. Optix Pro.
Use in drone armies: wide-spread.
[Important: Optix Pro is an mIRC (IRC client for Windows) script. People
download this thing from an
official web site. A checksum for "verification" is available. Cute
ancient trick. Originally most infections were in Australia.]
4. Memory bots
Use in drone armies: wide-spread.
As an after-thought, I'd like to officially announce the long-awaited end of
the Girlbots plague. There are still huge Girlbots drone armies out there,
but the balance is shifting and they are seen far less often.
You can Google each of these Trojan horses for details. Feel free to contact
me for help with anything using my home email address.
Contributions? Corrections? Mistakes? Please email me.
--
Gadi Evron,
Senior Security Consultant
Central Bureau of Statistics, Israel.
+972-50-428610 (Cell)
+972-2-6592257 (Office)
gadie@....gov.il
ge@...uxbox.org (Home)
[If the opinions I express publicly were Israeli government policy, I'd have
had Shin Bet bodyguards!]
**************************************************************************************************
** eSafe (R) scanned this email for viruses, vandals and malicious content **
**************************************************************************************************
Powered by blists - more mailing lists