sign in sign up
<<
Home , Bagle (computer worm), Botnet, Conficker, Sality, Storm Worm

ipTrust / Dictionary This list shows the most common botnet and malware variants tracked by ipTrust. This is not intended to be an exhaustive list, since new threat intelligence is always being added into our global Reputation Engine.

NAME DESCRIPTION

Conficker A/B A/B is a downloader worm that is used to propagate additional malware. The original malware it was after was rogue AV - but the army's current focus is undefined. At this point it has no other purpose but to spread.

Propagation methods include a server service vulnerability (MS08-067) - weakly protected network shares - and removable devices like USB keys.

Once on a machine, it will attach itself to current processes such as explorer.exe and search for other vulnerable machines across the network. Using a list of passwords and actively searching for legitimate usernames - the ...

Mariposa Mariposa was first observed in May 2009 as an emerging botnet. Since then it has infected an ever- growing number of systems; currently, in the millions. Mariposa works by installing itself in a hidden location on the compromised system and injecting code into the critical process ͞ĞdžƉůŽƌĞƌ͘ĞdžĞ͘͟/ƚŝƐknown to affect all modern Windows versions, editing the registry to allow it to automatically start upon login. Additionally, there is a guard that prevents deletion while running, and it automatically restarts upon crash/restart of explorer.exe. In essence, Mariposa opens a on the compromised computer, which grants full shell access to ...

Unknown A botnet is designated 'unknown' when it is first being tracked, or before it is given a publicly- known common name.

P2P - Limewire P2P - Limewire

P2P - Gnucleus P2P - Gnucleus

Conficker C Conficker C is an updated variant of the Conficker A/B worm. It is capable of blocking access to security-related services including and software. Conficker C is self-updating and runs many payloads.

P2P - Bearshare P2P - Bearshare

IRC Bot Various tcp-based bots communicating through IRC for Command and Control.

Generic Dropper dŚŝƐĞǀĞŶƚĐŽƌƌĞƐƉŽŶĚƐƚŽĂŐĞŶĞƌŝĐĐůĂƐƐŽĨ͞ĚƌŽƉƉĞƌ͟ƉƌŽŐƌĂŵƐǁŚŝĐŚĂƌĞĚĞƐŝŐŶĞĚƚŽƐƚĂLJ resident on infected machines, communicate with external command and control servers and load additional malware.

HTTP Bot Generic HTTP Bot interface.

PoisonIvy Poison Ivy is an advanced encrypted "reverse connection" - -bypassing remote administration tool that gives an attacker the option to access - monitor - or even take complete control of an infected user's system. This allows the following types of theft: * passwords * usernames * banking or credit card information * other personal information The default settings is for the malicious 'server' file to inject itself into the target system's Default Browser memory

space and then run as a phony 'duplicate' browser process - which enables it to bypass detection by firewalls and routers. If enabled - the server ...

BlackEnergy BlackEnergy is an HTTP-based botnet used primarily for DDoS attacks. Unlike most common bots, this bot does not communicate with its master using IRC. Additionally, there are no known originating exploit activities bot, unlike a traditional IRC bot. This is a small (<50kb) binary for the Windows platform that uses a simple grammar to communicate.

Bluenose/Metus A TCP-based bot that generally has a GUI server connector for all clients to report to via specific IP ranges specified in the client built bot. It can be used as a DDoS tool or remote access tool. There are many variants and targets many platforms.

Zeus (also known as Zbot, PRG, Wsnpoem, Gorhax and Kneber) is a that steals banking information by . Zeus is spread mainly through drive-by downloads and schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation it became more widespread in March 2009.

P2P - Shareaza P2P - Shareaza

Hamweq Hamweq -- aka IRCbrute or worm -- is a backdoor worm that copies itself onto the system and any removable drive it finds. Any time the removable drives are accessed, it automatically executes. While an effective spreading mechanism, the malware may also be passed on through other means. The malware creates registry entries to enable its automatic execution at every system startup and injects itself into explorer.exe. Hamweq uses IRC communication to enable the botmaster to execute commands and receive information on the compromised system.

P2P - DNET P2P - DNET

Baglanti N/A

Storm Storm is a botnet that has been linked by the , a trojan horse spread through spam e- mail. It has been used in a variety of criminal activities; the US FBI considers the botnet a risk for increased bank fraud, identity theft, and . The botnet displays defensive behaviors that potentially indicate that its masters actively protect it against tracking.

Buzus Buzus opens a backdoor on the infected machine and tries to steal information such as personal finance data (e.g. credit card numbers, online banking details) and passwords from various e-mail and FTP applications (e.g. Trillian, Microsoft Outlook, CuteFTP). It also tries to compromise security settings of various security-related products. Buzus installs an unauthorized, undesirable file on the infected system; the file is typically a worm, capable of spreading via removable USB devices. The trojan may be distributed as an executable file attached to an e-mail message. Alternatively, it may be downloaded directly onto the computer from a malicious or compromised ...

RBot The RBot family of malware opens a communication channel with the malware distributor via IRC. RBots typically disable any and can act as proxy servers for IRC or HTTP traffic. Once the victim computer is compromised, the attacker is able to perform malicious operations such as spreading via Windows shares or the DCOM RPC exploit. The backdoor can also be instructed to: - Download and execute additional malware - Export sensitive documents - Log and report keystrokes - Start a SOCKS proxy, or rlogin, HTTP, and/or TFTP servers. The ports used for these are configurable. - Capture and ...

Sequence N/A

Sality is a family of file-infecting viruses that spread by infecting .exe and .scr files. The virus also includes an autorun worm component that allows it to spread to any removable or discoverable drive. Additionally, Sality includes a downloader trojan component that installs additional malware via the Web.

RAT RAT refers to a Remote Access Trojan. There are hundreds of slightly different RATs with the following commonalities:

x - Ability to communicate with its Command and Control domain(s). x - Grants the bot master complete control of the compromised system.

RATs are more likely to be used for targeted identity theft and malicious activities than most other types of bots. RATs are designed to be steathy, defensive, and resilient, which makes effective removal from a compromised system difficult.

DaRK Bot Dark Bot is an IRC ( Relay Chat) trojan, which can strongly compromise the user's privacy and security. By using its specific algorithms, this pest infects IRC client and starts performing various destructive actions, such as sending spam messages, logging user's keystrokes, or even damaging system's components.

Spam Generic Interface.

Bobax The Bobax family of malware turns the infected computer into a remote spam machine. Bobax viruses use DLL injection to insert the spam code into Internet Explorer - activating the virus every time Internet Explorer is run. Members of this family spread by exploiting the LSASS vulnerability (as described in Microsoft Security Bulletin MS04-11).

Bobax viruses can also perform bandwidth and network analysis to see precisely how much spam they can send - and thus are able to tailor their so as not to tax the network - which helps them avoid detection.

Some variants are able ...

Kraken The BotArmy is stealthy and robust; it includes redundancy mechanisms to allow the bot master to recover victims in the event that one or more primary Command and Control servers is disabled. Kraken also uses encrypted communications to frustrate identification and understanding attempts. Research indicates that primary Kraken C2 servers are hosted in RU, FR, and US.

Kraken is believed to use a social engineering-based propagation technique -- the very same used by Storm and other targeted attacks. Kraken, self-updating, is flexible enough to be used as a general-purpose bot for data theft or attack activity. Kraken presents itself ...

CIA The Cruel Intentions Administrator (C.I.A.) family of malware are trojans that open backdoors to an infected machine - allowing the malware distributor to access local files and other sensitive information.

Members of this family can transfer files between the infected machine and the distributor - log keystrokes - and even take screenshots of the computer. C.I.A. will also transfer arbitrary files back to the distributor - but specifically look for keys to popular software. These viruses often come packed - making their detection difficult.

Prosti Prosti is a remote trojan whose primary function is keylogging. Some variants can end security processes while others have been seen downloading additional malware. Given its ability to communicate with a command site, and given the behavior of these variants, Prosti is capable of tasks far beyond keylogging.

Bifrose Bifrose is a Remote Access Trojan, which allows an attacker full access to a compromised system. This trojan uses a connect-back function in order to communicate with Command and Control. This

connect-back method bypasses most firewall- and proxy-based security measures. Bifrose has kernel-level hooking functionality, and can be exceptionally difficult to remediate.

HostBooter HostBooter is a very simple botnet application used primarily to turn compromised systems into DDoS nodes. However, Command and Control does have the ability to instruct the system to update the malware, or to invisibly download and execute any new type of malware.

SDBot There are several thousand members of the SDBot family of viruses. SDBots contain a backdoor element that will join an IRC channel and wait for commands. They usually connect to an IRC server using a high port number. Depending on what command an SDBot receives, it may perform one of the following tasks:

- Perform a DoS attack using SYN floods, UDP packets, or Ping of Death. x - Update itself. x - Send CPU details, memory statistics, or thread information to the attacker. x - Join another iRC channel, change its NICK, or log out of ...

Ruskill N/A

Beagle Several versions of the Beagle malware are in circulation - many labeled as worms and others as trojans. The worm is mass mailing and - with its own SMTP engine - sends itself to addresses found on the compromised computer.

It can set up its own proxy - terminate security features - and even prevent the user from visiting AV and security websites. It will download other files or trojans to carry out varying threats - such as password stealing and keylogging.

Beagle - or - has mainly spread through email but has also spread through ...

Protoride Protoride opens an IRC backdoor allowing botmaster to perform the following commands on the compromised computer:

Change IRC nickname x Create a SOCKS4 server x Download - execute - and upload files x Hide and unhide program windows x Hide its own processes x List all active windows x List and kill processes x List currently running processes and TCP connections x Perform Denial of Service and UDP flood attacks x Provide system information x Register and unregister the worm as a service process x Retrieve the victim's IP address x Start - stop - pause - and resume a port scan x Steal passwords x Remotely Update or stop the worm

FirePassword FirePassword is infected with a password-stealing trojan that decrypts and steals any password stored in the Firefox browser.

Agobot is a self-replicating program that can easily and uncontrollably spread across a - and requires little programming knowledge to implement. Partly for this reason it has easily been shaped into thousands of variants - each suited to the attacker's specific malicious needs. The majority of these target the Windows platform and can reach sizes as large as 500kbytes - and all of them share these commonalities:

- Remote bot updates and removal x - IRC client control password protected interface x - Ability to cause DDOS attacks x - Port scanners to search for and infect other hosts ...

Tiniresu Tiniresu is a virus that infects the Userinit.exe file and downloads and executes a file from a remote location.

Ruskill/BlackEnergy Ruskill/BlackEnergy variant.

P2P Generic P2P interface.

Cakl The Cakl family of malware are trojans that hide on and gather information about the infected machine. These viruses cannot transfer themselves, but instead must rely on being downloaded or e-mailed to new targets. Members of this family can start up or FTP servers, allowing for some backdoor and file transfer capabilities.

Most notably, Cakl malware can take screenshots and log keystrokes on the infected machine, then send the information to the malware distributor, along with system and network characteristics of the infected computer.

Insane The Insane family of viruses are backdoor programs that allow their distributor(s) to gain full access to the infected machine. Having access to the compromised machine, they can extract passwords, manage files, manipulate the display, and carry out other malicious theft and control.

HacDef HXDEF, or HacDef, is a family of backdoor trojans distributed in various ways to computers running certain versions of . This trojan is a user-mode and kernel-level . It creates, alters, and hides Windows system resources on a computer that it has infected, and can hide proxy services and backdoor functionality. It can also conceal use of TCP and UDP ports for connecting to and receiving commands from .

ProRat ProRat is a Windows-based trojan horse that is highly customizable. It has the ability to hide from or disable most types of security and antivirus software.

Once a system is infected with ProRat, it will attempt to communicate with its controller through different means.