Two Worm "Families" Make Up Most Botnets

JMoon writes "HNS has an article about the Sdbot and Gaobot families which are responsible for most botnets worldwide. These two families were responsible for 80 percent of detections related to bots during the first quarter of 2007. Other culprits, although on a much lesser scale, included Oscarbot, IRCbot or RXbot."


  1. And that won't change soon by Opportunist · · Score: 5, Informative

    Recently, I had to put an SP1 WinXP online to demonstrate that it's (still) insecure to do that. I was expecting that the blaster menace has somewhat dwindled since its outbreak, simply 'cause it's been a while since its outbreak.

    Boy, was I wrong!

    It took 10 seconds for the FTP to go berserk, a minute later I was a happy member of the still strongly going family of wormspreaders.

    People simply don't update their systems. It's amazing, that thing is afaik about 5 years old now, and still there are a LOT of machines existing that still blow the worm through the net.

    We're not talking about an unfixable problem, or at least one where the user has to be dumb enough to open the can for the worm (ok, bad pun). It's as simple as updating to SP2, something that works automatically.

    You actually have to disable MS Messenger to at least cease to get those annoying popup messages, so why can people disable that but not update their systems? That's simply beyond my comprehension.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:And that won't change soon by Junior+J.+Junior+III · · Score: 4, Informative

      Probably so many XP users are on license keys that have been disabled by Microsoft Genuine Advantage so that they can't upgrade to SP2, so they're left compromised and unable to defend themselves by remaining patched by Automatic Updates.

      --
      You see? You see? Your stupid minds! Stupid! Stupid!
    2. Re:And that won't change soon by toleraen · · Score: 2, Informative

      Actually just running windows update will fix both of the named worms...so even if you do get infected with either of them, once you finally get your updates it should fix it.

    3. Re:And that won't change soon by Dan_Bercell · · Score: 2, Informative

      I called the 1-800 number that Microsoft said to call, and went through all their steps to generate a new number, but it just told me that I was rejected and that my number was in fact really no good. I had no recourse, no appeal, no live body to talk to on the phone.

      Through that 1-800 number you can eventually make it to a person. You can then read off your 48-digit number and they will give you another 48-digit number. They will then ask you the same questions they ask everyone and you will be on your way. I often have to call this number for OEM workstations.

  2. There's a reason for that. by Spazntwich · · Score: 5, Informative

    SDBot is incredibly popular because it's open source and easily modified to sneak past most AV software with minor changes. It also has an extremely wide array of features, and tends to be very reliable.

    People without the knowledge to code their own trojan/bot from scratch will naturally gravitate towards tools which allow them to make their money more easily, and it's a real time saver.

    Or so I hear.

  3. Ask Robert Morris by www.sorehands.com · · Score: 4, Informative

    Though he did not get jail time, he still was convicted. http://www-swiss.ai.mit.edu/6805/articles/morris-worm.html

  4. The Same Old Bots by madsheep · · Score: 4, Informative

    I have a few comments and one will answer some of the previous questions to some degree.
    First, the majority of these trojans, specifically these, are all IRC based. They are very easy to spot, especially in corporate environments. Why? Well, because most people do not use IRC while they are at work. Not to mention many companies will have policies against it. This makes intrusion detection for these kinds of bots very easy. Since most of these servers housing the bots are just standard Unreal IRCD (generally hacker-installed) or whatever IRCD undernet/efnet/etc. run on, they are not encrypted. This means when a machine connects, traffic with "NOTICE", "PRIVMSG", "JOIN #" etc. is all sent in the clear. There have been snort/bleeding snort rules to look for this type of activity for years and they haven't had to change much. Sure, the ports might not always be 6667-6669/7000, but looking for activity like this on a certain port is dumb to do anyway.

    A simple analysis of most IRC traffic, should you have real-time peeks or capture logs, will tell you pretty quick if it's malicious. If you see a nick change to XP|24249429 or USA|2942949 and it joins a channel called #owned with a topic of .scan 10.0.0.0/8, then there's a pretty good chance the machine in question is an infected bot and most likely with one of the aforementioned variants. Now most home users won't have insight into this type of activity. And funny enough there's not much "big brother" by way of ISPs caring much for this. Unless reported to them they most likely won't do anything. Even then they still might not do anything. http://www.shadowserver.org/ keeps a list of good/responsive ISPs. This might be more in the case of a malicious host housing an IRCD, but that's beside the point.

    Now finally, these two are quite popular. Why? Well, it has been said already. The source for them is out there and they are readily available. People frequently update and modify them to avoid AV detection. Hell, many people don't update and modify them. So many people are running without [updated] AV that it doesn't seem to matter much. If you notice how most people get infected, it's the same old thing: IM worm, e-mail worm, malicious website, or a scan for the 2-year-old DCOM exploit. Every time some new IE/Firefox/etc. vulnerability is released, someone quickly makes it download their trojan.

    These variants have been around for years. Luckily the people using them are pretty dumb. It's just a matter of time before worms/viruses/etc turn to web-based (not IRC) and encryption as the norm.

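The traffic-level check madsheep describes above (cleartext IRC commands regardless of port, hostname-style nicks like XP|24249429, a channel topic or PRIVMSG carrying a .scan command) as an added worked example. This is not code from the post, from Snort, or from any bleeding-snort rule set; both "captures" below are constructed samples written to match the patterns in the comment, not real traffic, and the command keywords in BOT_CMD_RE are an assumed list.

```python
import re
from dataclasses import dataclass

# Constructed sample of a bot's cleartext IRC session as it would appear
# on the wire, modelled on the patterns described in the comment above.
# It is not a real capture.
SAMPLE_SESSION = """\
NICK XP|24249429
USER xp 0 * :xp
:irc.example.invalid 001 XP|24249429 :Welcome
JOIN #owned
:irc.example.invalid 332 XP|24249429 #owned :.scan 10.0.0.0/8
:XP|24249429!xp@10.1.2.3 JOIN :#owned
:Master!m@10.9.9.9 PRIVMSG #owned :.scan 10.0.0.0/8 dcom 200 5 0
:XP|24249429!xp@10.1.2.3 NOTICE Master :[SCAN]: Scanning 10.0.0.0/8
"""

# A benign (also constructed) session for contrast.
BENIGN_SESSION = """\
NICK alice
USER alice 0 * :Alice
JOIN #linux
:bob!b@host PRIVMSG #linux :anyone tried the new kernel?
"""

IRC_COMMANDS = {"NICK", "USER", "JOIN", "PRIVMSG", "NOTICE", "TOPIC", "PING", "PONG"}
# Hostname-style bot nick: a short uppercase tag, a pipe, then a run of digits.
BOT_NICK_RE = re.compile(r"^[A-Z]{2,4}\|\d{4,}$")
# Assumed list of dot-prefixed bot commands seen in topics and messages.
BOT_CMD_RE = re.compile(r"(?<!\S)\.(scan|advscan|ddos|download|update|login)\b", re.I)


@dataclass
class Finding:
    line_no: int
    reason: str
    text: str


def parse_irc_line(line):
    """Split one IRC line into (prefix, command, params).
    Handles server messages (':prefix CMD ...') and client messages ('CMD ...')."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    cmd, _, rest = line.partition(" ")
    return prefix, cmd.upper(), rest


def is_irc_session(lines):
    """Port-agnostic protocol check: the stream carries at least two
    recognised IRC commands. This is why the port number is never consulted."""
    hits = sum(1 for l in lines if parse_irc_line(l)[1] in IRC_COMMANDS)
    return hits >= 2


def analyze(session):
    """Return a list of Findings for lines that look like IRC bot C&C."""
    findings = []
    lines = [l for l in session.splitlines() if l.strip()]
    if not is_irc_session(lines):
        return findings
    for n, raw in enumerate(lines, 1):
        _prefix, cmd, rest = parse_irc_line(raw)
        if cmd == "NICK" and BOT_NICK_RE.match(rest.strip()):
            findings.append(Finding(n, "bot-style nick", raw))
        elif cmd == "332":  # RPL_TOPIC: "<me> <channel> :<topic>"
            topic = rest.partition(" :")[2]
            if BOT_CMD_RE.search(topic):
                findings.append(Finding(n, "bot command in channel topic", raw))
        elif cmd in ("PRIVMSG", "NOTICE"):
            msg = rest.partition(" :")[2]
            if BOT_CMD_RE.search(msg):
                findings.append(Finding(n, f"bot command in {cmd}", raw))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.reason}: {f.text}")
```

The point of `is_irc_session` is the one madsheep makes: a rule keyed to 6667-6669/7000 misses a server on any other port, whereas matching the protocol itself works wherever the IRCD listens. The nick and command patterns are heuristics and will need tuning per environment; the benign session shows they do not fire on ordinary chat.
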
  5. Re:Reduced diversity. by houghi · · Score: 2, Informative

    It does not mean anything. The only thing it means is that those two families are more successful than the others.
    If the remaining 20% is less than the remaining 26% in numbers, that could mean that some other families have faded out and/or that it is harder to remove those two families.
    If the 26% and 20% are the same, it just means that those two families are spreading faster than the rest.
    If the 20% is more than the 26%, then it would mean that in general we are winning the battle slowly.

    By itself it means absolutely nothing. Also you would need to know how they are being put out there. If there are just a few that are really pushing those two families, then it is no wonder that there are more of them.

    --
    Don't fight for your country, if your country does not fight for you.
  6. Redone bot runs on Linux by flyingfsck · · Score: 2, Informative

    Those SSH password attacks spread Linux based spambots. I have repaired a handful of servers in the USA and Singapore that suffered infections. The Redone spambot targets the tens of thousands of identical systems on server farms, of which some are sure to have bad passwords. Once it has set up shop it spews out enormous amounts of spam. It is managed through IRC.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  7. Re:Non Windows Bots by Anon-Admin · · Score: 4, Informative

      For you or anyone who wants to know more about the software and setup: go to my website, http://www.xganon.com/ and send me an e-mail. Just select the "Contact Us" button and fill out the info. I'll e-mail you back and we can go over the software (open source) and how to set it up.

    I am always willing to help people secure a system. :)

  8. Re:White hat "mal'-ware? by TheBig1 · · Score: 2, Informative

    I think you are referring to this

  9. Re:Automated Trolling System by EugeneK · · Score: 3, Informative

    do not click above link unless you want your browser hijacked - very nasty!