Agobot (computer worm)
Agobot, also frequently known as Gaobot, is a family of computer worms. Axel "Ago" Gembe, a German programmer, was responsible for writing the first version.
The Agobot source code describes it as "a modular IRC bot for Win32 / Linux". Agobot was released under version 2 of the GNU General Public License. Agobot is a multi-threaded and mostly object-oriented program written in C++ as well as a small amount of assembly. Agobot is an example of a botnet that requires little or no programming knowledge to use.
Technical details
New versions, or variants, of the worm appeared so rapidly that the Agobot family quickly grew larger than other bot families. Other bots in the Agobot family are Phatbot and Forbot. Agobot now has several thousand variants. The majority of the development force behind Agobot is targeting the Microsoft Windows platform; as a result the vast majority of the variants are not Linux compatible. In fact, the majority of modern Agobot strains must be built with Visual Studio due to their reliance on Visual Studio's SDK and Processor Pack. An infectious Agobot can vary in size from ~500 kbyte to ~12 kbyte depending on features, compiler optimizations and binary modifications.
A module written for one member in the Agobot family can usually be ported with ease to another bot. This mix-matching of modules to suit the owner's needs has inspired many of the worm's variants.
Most Agobots have the following features:
- Password-protected IRC client control interface
- Remotely update and remove the installed bot
- Execute programs and commands
- Port scanner used to find and infect other hosts
- DDoS attacks used to take down networks
The Agobot may contain other features such as:
- Packet sniffer
- Keylogger
- Polymorphic code
- Rootkit installer
- Information harvest
  - Email addresses
  - Software product keys
  - Passwords
- SMTP client
  - Spam
  - Spreading copies of itself
- HTTP client
  - Click fraud
  - DDoS attacks
Spreading
The following propagation methods are sub-modules to the port scanning engine:
- MS03-026 RPC DCOM Remote Buffer Overflow
- MS03-026 LSASS Remote Buffer Overflow
- MS05-039 Plug and Play Remote Buffer Overflow
- Attempts to hijack common Trojan horses that accept incoming connections via an open port.
- The ability to spread to systems by brute-forcing a login. A good example is Telnet or Microsoft's Server Message Block.
Generally, it has been observed that every custom-modified variant of Agobot features a selection of the above methods as well as some "homebrew" modules, which essentially are released exploits ported to its code.
Names and such can be added via the XML files that the produce variable shuffle imports.
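Every propagation method above begins with the port scanning engine touching many hosts on a few well-known service ports, which is the behaviour a network defender can look for. The following Python script is an added example (not Agobot code and not taken from the article): it parses constructed firewall log lines and flags a source that reaches an unusually large number of distinct hosts on a watched port within a short time window. The log format, the port-to-service mapping and the thresholds are this example's assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Ports on which the propagation vectors named in the article are reached
# (RPC/DCOM on 135, SMB-based LSASS and Plug and Play on 139/445, Telnet on 23).
# The mapping is this example's assumption, not something the article states.
WATCHED_PORTS = {135: "RPC/DCOM", 139: "SMB", 445: "SMB/LSASS/PnP", 23: "Telnet"}

# Detection tuning (assumed values; production thresholds are usually higher).
SCAN_THRESHOLD = 5     # distinct destination hosts per (source, port) in one window
WINDOW_SECONDS = 60    # sliding window length

# Constructed firewall log: "<iso-timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>".
# 10.0.0.7 sweeps 445 across six hosts in a few seconds (scan-like),
# 10.0.0.8 talks repeatedly to one file server (benign),
# 10.0.0.9 touches six web servers on 80 (unwatched port),
# 10.0.0.11 probes 135 on five hosts but more than a minute apart (slow scan).
SAMPLE_LOG = """\
2004-05-02T10:00:01 DENY TCP 10.0.0.7:1030 -> 10.0.1.1:445
2004-05-02T10:00:01 DENY TCP 10.0.0.7:1031 -> 10.0.1.2:445
2004-05-02T10:00:02 DENY TCP 10.0.0.7:1032 -> 10.0.1.3:445
2004-05-02T10:00:02 DENY TCP 10.0.0.7:1033 -> 10.0.1.4:445
2004-05-02T10:00:03 ALLOW TCP 10.0.0.7:1034 -> 10.0.1.5:445
2004-05-02T10:00:03 DENY TCP 10.0.0.7:1035 -> 10.0.1.6:445
2004-05-02T10:00:04 DENY TCP 10.0.0.7:1036 -> 10.0.1.7:135
2004-05-02T10:00:05 ALLOW TCP 10.0.0.8:1100 -> 10.0.1.10:445
2004-05-02T10:00:20 ALLOW TCP 10.0.0.8:1101 -> 10.0.1.10:445
2004-05-02T10:00:40 ALLOW TCP 10.0.0.8:1102 -> 10.0.1.10:445
2004-05-02T10:00:06 ALLOW TCP 10.0.0.9:2000 -> 10.0.2.1:80
2004-05-02T10:00:06 ALLOW TCP 10.0.0.9:2001 -> 10.0.2.2:80
2004-05-02T10:00:07 ALLOW TCP 10.0.0.9:2002 -> 10.0.2.3:80
2004-05-02T10:00:07 ALLOW TCP 10.0.0.9:2003 -> 10.0.2.4:80
2004-05-02T10:00:08 ALLOW TCP 10.0.0.9:2004 -> 10.0.2.5:80
2004-05-02T10:00:08 ALLOW TCP 10.0.0.9:2005 -> 10.0.2.6:80
2004-05-02T10:05:00 DENY TCP 10.0.0.11:3000 -> 10.0.3.1:135
2004-05-02T10:06:05 DENY TCP 10.0.0.11:3001 -> 10.0.3.2:135
2004-05-02T10:07:10 DENY TCP 10.0.0.11:3002 -> 10.0.3.3:135
2004-05-02T10:08:15 DENY TCP 10.0.0.11:3003 -> 10.0.3.4:135
2004-05-02T10:09:20 DENY TCP 10.0.0.11:3004 -> 10.0.3.5:135
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_scanners(lines, threshold=SCAN_THRESHOLD, window=WINDOW_SECONDS):
    """Return {(src, dport): max_distinct_targets} for every (source, watched port)
    pair whose distinct-destination count within any sliding window of `window`
    seconds reaches `threshold`. Denied and allowed attempts both count: a scan
    is visible in the fan-out, not in whether each connection succeeded."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] in WATCHED_PORTS:
            events[(ev["src"], ev["dport"])].append((ev["ts"], ev["dst"]))

    hits = {}
    span = timedelta(seconds=window)
    for key, evs in events.items():
        evs.sort()                    # logs are not guaranteed to be in time order
        in_window = Counter()         # destination -> count of events inside the window
        left, best = 0, 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Evict events older than the window start (ts - span).
            while evs[left][0] < ts - span:
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            hits[key] = best
    return hits


if __name__ == "__main__":
    for (src, port), n in sorted(find_scanners(SAMPLE_LOG.splitlines()).items()):
        print(f"{src} reached {n} distinct hosts on {port}/{WATCHED_PORTS[port]} "
              f"within {WINDOW_SECONDS}s")
```

With the defaults only 10.0.0.7 is reported: the repeated connections from 10.0.0.8 go to a single host, port 80 is not watched, and the slow probe from 10.0.0.11 never has more than one target inside a 60 second window. Widening the window (for example `find_scanners(lines, window=600)`) makes the slow scan visible as well, which is the usual trade-off between catching low-and-slow sweeps and tolerating normal fan-out from file servers and monitoring hosts.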