Agobot (computer worm)
From Free net encyclopedia
Revision as of 23:43, 10 February 2006 by Rossumcapek: bolded for style
Agobot, also frequently known as Gaobot, is a family of computer worms that infects the Microsoft Windows operating system, though a Linux port of the bot also exists. Because development was a team-based effort, and because the bot was meant to be modified by the community through its modular design, the authors of this family chose to make Agobot open source. New versions, or variants, of the worm appeared so rapidly that the Agobot family quickly grew larger than other bot families. The family is now known to comprise several thousand detected variants.
Although Agobot variants vary widely in behavior, earlier variants had a few base similarities:
- The ability to spread via the popular P2P programs KaZaA, Grokster, and BearShare.
- The ability to spread via at least one vulnerability in the Microsoft Windows operating system. Earlier versions mostly used the RPC DCOM buffer overflow, although some now use the LSASS buffer overflow; Agobot was the first bot known to exploit the LSASS vulnerability (which raised the ISC Infocon level for a few days).
- The ability to spread via various common backdoor Trojan horses.
- The ability to spread to systems with weak administrative passwords.
- Use of a hidden IRC server or the Waste P2P network for backdoor access.
- Use of a polymorphic engine with six different encoding/decoding methods, which is also applied to its shellcode.
- The ability to shut down major antivirus programs (via code injection) and block their updates
Because there is no standard of detection or classification for the Agobot family, there is also no standard naming convention. Most antivirus programs detect variants generically (e.g. W32/Agobot.worm), and identifying which specific Agobot variant is present is next to impossible except for the earliest or most common versions.
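The naming problem described above is what an analyst runs into when correlating alerts from several products. The following is an added example, not code from the article or from any antivirus vendor: it normalizes vendor detection strings to one canonical family name, treating Gaobot as an alias of Agobot and ignoring generic tokens such as "worm" or "gen" so that a generic detection is not mistaken for a variant identifier. The list of platform prefixes, generic suffixes, and all sample detection names other than W32/Agobot.worm are constructed for this example.

```python
import re

# Prefixes some products put before the family name (constructed list for this
# example; products differ, so extend it for your own feeds).
PLATFORM_PREFIXES = ("w32/", "w32.", "win32/", "win32.", "win32:",
                     "worm.", "backdoor.", "trojan.")

# Tokens that mark a generic or heuristic detection rather than a variant.
GENERIC_SUFFIXES = {"worm", "gen", "generic", "dam", "dr", "dll"}

# Family aliases named in the article, collapsed to one canonical label.
FAMILY_ALIASES = {"agobot": "Agobot", "gaobot": "Agobot"}


def normalize_detection(name):
    """Return (family, variant) for a vendor detection string.

    variant is None when the name is generic (e.g. 'W32/Agobot.worm'),
    which the article notes is the common case for this family.
    """
    s = name.strip().lower()
    for prefix in PLATFORM_PREFIXES:
        if s.startswith(prefix):
            s = s[len(prefix):]
            break
    # Split on the separators vendors typically use between name parts.
    tokens = [t for t in re.split(r"[./!@:\-]+", s) if t]
    if not tokens:
        return (None, None)
    family = FAMILY_ALIASES.get(tokens[0], tokens[0].capitalize())
    variant = None
    for token in tokens[1:]:
        if token not in GENERIC_SUFFIXES:
            variant = token.upper()
            break
    return (family, variant)


def group_by_family(names):
    """Map canonical family -> sorted list of the raw names that resolved to it."""
    groups = {}
    for raw in names:
        family, _ = normalize_detection(raw)
        if family is not None:
            groups.setdefault(family, []).append(raw)
    return {fam: sorted(raws) for fam, raws in groups.items()}


if __name__ == "__main__":
    # Constructed sample alerts; only W32/Agobot.worm comes from the article.
    sample = ["W32/Agobot.worm", "W32.Gaobot.AZ", "Backdoor.Agobot.gen",
              "Win32:Gaobot-AB", "W32/Mydoom.gen"]
    for raw in sample:
        print(raw, "->", normalize_detection(raw))
    print(group_by_family(sample))
```

Grouping by canonical family rather than by raw string is what makes a "several thousand variants, mostly detected generically" family countable in an incident timeline; the variant field is kept only where a product actually committed to one.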