Types Of Bots
Although most bots come with near-identical feature sets and usually inflict severe damage on the host computer, there are multiple types of bots that differ in both complexity and operation.
XtremBot, Agobot, Forbot, Phatbot
These types of bots are extremely widespread, and the latest estimates claim that there are more than 500 versions in the wild. Such bots are written entirely in the C++ programming language, which allows them to run on multiple platforms. Their source code is released under the GNU General Public License (GPL), which means that anybody can obtain a copy of the source code in order to modify it at will. These bots can be either minimal or extremely complex, using abstract module-based designs (the latter can extend their functionality by simply downloading additional “plugins”). Most of them use the libpcap library to sniff network traffic and intercept sensitive data, such as passwords or banking credentials.
Agobot is extremely advanced, as it can go beyond the IRC protocol in order to communicate with its master. Agobot was written by the German programmer Ago (also known as Wonk), who was arrested in May 2004 for computer crime.
Moreover, Agobot is able to use NTFS Alternate Data Streams and comes with rootkit capabilities: it can hide itself from the operating system. As if that were not enough, the bot is a challenge to the antivirus industry, since reverse engineering its object code is extremely painstaking. The bot detects debuggers and refuses to run in virtualized environments. The Linux version of the bot can detect the OS distribution and set up an appropriate init script.
UrXBot, SDBot, UrBot and RBot
This family of bots is extremely active at the moment. Unlike the families mentioned above, these bots are poorly written, with untidy, rudimentary code and some programming flaws. One of the most dangerous bots in the family is SDBot, a piece of malware released under the GPL that was used as the starting point for a new family of bots including RBot, RxBot, UrBot, UrXBot and JrBot. There are probably many other forks that have remained undiscovered because of their reduced activity in the wild. SDBot has gained extra popularity among botmasters because it provides about the same interesting features as Agobot, except that its command set is quite limited.
GT-Bots and mIRC-Based Bots
mIRC is probably the most frequently used IRC application running on Windows systems, and this is why GT- and mIRC-based bots are the most frequently encountered pieces of botnet malware. In fact, GT-Bots have served as the cornerstone for a wide range of forks. GT stands for Global Threat, and this family comprises all the existing mIRC-based bots.
GT bots make heavy use of the mIRC application: they launch an instance of the application using a set of scripts and a couple of binary files (mostly DLLs). Malware authors use the HideWindow executable to hide the mIRC window from the user; this way, the program runs in the background without the user even noticing it. DLL libraries are also important for the bot, as they hold miscellaneous additional functions, such as scanners. GT-bots usually spread between computers by using specific system vulnerabilities that allow them to upload themselves onto the target machine in a manner similar to computer worms. The bot is controlled by mIRC scripts, which often come with the .mrc file extension.
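The traits just described (mIRC started under HideWindow, driven by a .mrc script, with extra DLLs beside it) are what a defender can look for in process-creation telemetry. The following detection heuristic is an added example, not code from the original article; the event fields, the "normal install path" list and the sample events are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
import re


@dataclass
class ProcEvent:
    image: str            # full path of the executable that started
    cmdline: str          # command line as logged
    parent: str           # image path or name of the parent process
    modules: tuple = ()   # DLL paths the process loaded


MRC_SCRIPT = re.compile(r"\S+\.mrc\b", re.IGNORECASE)
# Where an interactive mIRC install normally lives (assumption for this heuristic)
NORMAL_DIRS = ("\\program files", "\\users\\")


def _lower_parts(path: str) -> tuple:
    """Split a Windows path into (directory, file name), lower-cased."""
    p = path.lower().replace("/", "\\")
    return tuple(p.rsplit("\\", 1)) if "\\" in p else ("", p)


def assess(ev: ProcEvent) -> list:
    """Return the GT-bot traits seen in one event (empty list means none)."""
    findings = []
    img_dir, name = _lower_parts(ev.image)
    if name == "hidewindow.exe":
        findings.append("HideWindow executed (hides another program's window)")
    if name.startswith("mirc"):                      # mirc.exe, mirc32.exe
        if MRC_SCRIPT.search(ev.cmdline):
            findings.append("mIRC started with a .mrc script argument")
        if _lower_parts(ev.parent)[1] == "hidewindow.exe":
            findings.append("mIRC launched by HideWindow")
        if not any(d in img_dir for d in NORMAL_DIRS):
            findings.append("mIRC running outside a normal install path")
        side = [m for m in ev.modules if _lower_parts(m)[0] == img_dir]
        if side:
            findings.append("extra DLLs loaded from the mIRC directory: " + ", ".join(side))
    return findings


def scan(events) -> dict:
    """Map the image path of every suspicious event to the traits found."""
    return {ev.image: assess(ev) for ev in events if assess(ev)}


# Constructed sample telemetry: one legitimate mIRC start, then a GT-bot-style pair.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\mIRC\mirc.exe", r'"C:\Program Files\mIRC\mirc.exe"', r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\WINDOWS\system32\sys\hidewindow.exe", "hidewindow.exe mirc32.exe", r"C:\WINDOWS\system32\cmd.exe"),
    ProcEvent(r"C:\WINDOWS\system32\sys\mirc32.exe", "mirc32.exe -r remote.mrc",
              r"C:\WINDOWS\system32\sys\hidewindow.exe", (r"C:\WINDOWS\system32\sys\scan.dll",)),
]

if __name__ == "__main__":
    for image, traits in scan(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(traits))
```

A single trait (a user legitimately running a .mrc script, say) is weak evidence on its own; the combination of HideWindow, an odd install path and side-loaded DLLs is what makes the pattern worth an alert.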
The above-mentioned families of bots are the ones most commonly found on infected systems. However, there are multiple other families of bots that clog computer networks. Although they are encountered less often in the wild, they come with extremely interesting features.
DSNX Bots
Also known as Dataspy Network X bots, these pieces of malware are written in the C++ programming language. This family of bots is designed with modularity in mind; their functionality can be extended by adding plugins via a visual interface. They are less popular because the initial versions of the bot come without spreaders, so they cannot infect systems by themselves. Malware authors have overcome this obstacle by writing independent plugins that allow the bots to spread on their own, as well as to perform malicious tasks such as DDoS attacks, port scans and setting up concealed HTTP servers.
Q8 Bots
Q8 bots are the “slimmest” pieces of malware of their kind. They have an extremely small footprint, thanks to their 926 lines of C++ code, which allows them to install quickly on the host computer. Unlike mIRC bots, the Q8 family is specifically designed to infect Linux and Unix-based systems. Once the bot is installed, the remote attacker can perform a wide range of actions, including various DDoS attacks (SYN flood and UDP flood) and the execution of arbitrary commands. More than that, the bot is able to update itself automatically to the newest version via stealthy HTTP downloads.
Kaiten
This bot is also designed for Linux and Unix systems. However, it is rarely used by professional botmasters because it has some significant limitations, such as a lack of spreaders and weak user authentication routines (which means that the entire botnet can easily be hijacked by a third party).
Perl Bots
While the vast majority of bots are written in the C++ programming language, there are also bots written in Perl. Such bots are extremely light and offer only a limited set of commands to be performed on a system or network. Perl bots are mostly used to perform DDoS attacks on Unix systems.
BOTNETS