Method of Infection
When first run, Rbot.H copies itself into the %System% directory as msconfg.exe.
It then adds entries to the following registry keys so that it is automatically run each time Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = "msconfg.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = "msconfg.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Update = "msconfg.exe"
Rbot.H creates a mutex named 'rx01' to ensure only one copy runs at a time.
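The persistence indicators above (the "Microsoft Update" autorun value under the Run and RunServices keys pointing at msconfg.exe, and the msconfg.exe copy in %System%) can be matched against host telemetry. The following is an added example, not part of the original analysis: the Sysmon-style event layout, the field names and the sample events are constructed for this example. Note that the dropped file is msconfg.exe, one letter short of the legitimate msconfig.exe, so the check compares the exact file name rather than a substring.

```python
# Added example (not from the original analysis): matching the Rbot.H host
# indicators against Sysmon-style telemetry. The event layout and the
# sample events are constructed for this example.

# Autorun locations named in the description, normalised to lower case
# (Windows registry paths are case-insensitive).
AUTORUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runservices",
)
AUTORUN_VALUE = "microsoft update"   # value name the worm uses
DROPPED_NAME = "msconfg.exe"         # one letter short of the legitimate msconfig.exe


def _split_reg_target(target):
    """Split 'HKLM\\Software\\...\\Run\\Microsoft Update' into
    (hive, key_path, value_name), all lower-cased."""
    hive, _, rest = target.partition("\\")
    key, _, value = rest.rpartition("\\")
    return hive.lower(), key.lower(), value.lower()


def _basename(path):
    """Last path component of a Windows path, lower-cased, quotes stripped."""
    return path.strip().strip('"').lower().replace("/", "\\").rpartition("\\")[2]


def is_rbot_autorun(target, details):
    """True when a registry write sets Run/RunServices\\Microsoft Update to msconfg.exe."""
    hive, key, value = _split_reg_target(target)
    return (hive in ("hklm", "hkcu")
            and key in AUTORUN_KEYS
            and value == AUTORUN_VALUE
            and _basename(details) == DROPPED_NAME)


def is_rbot_dropper_write(path):
    """True only for a file literally named msconfg.exe inside a system32 directory,
    so the legitimate msconfig.exe does not trigger."""
    p = path.lower().replace("/", "\\")
    directory, _, name = p.rpartition("\\")
    return name == DROPPED_NAME and directory.endswith("\\system32")


def match_rbot_indicators(events):
    """Return one finding string per event matching an Rbot.H host indicator."""
    findings = []
    for ev in events:
        if ev["type"] == "RegistryValueSet" and is_rbot_autorun(ev["target"], ev["details"]):
            findings.append(f"autorun: {ev['target']} = {ev['details']} (by {ev['image']})")
        elif ev["type"] == "FileCreate" and is_rbot_dropper_write(ev["target"]):
            findings.append(f"dropped file: {ev['target']} (by {ev['image']})")
    return findings


# Constructed sample events: three should match, three should not.
SAMPLE_EVENTS = [
    {"type": "RegistryValueSet",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update",
     "details": '"msconfg.exe"', "image": r"C:\WINDOWS\system32\msconfg.exe"},
    {"type": "RegistryValueSet",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update",
     "details": '"msconfg.exe"', "image": r"C:\WINDOWS\system32\msconfg.exe"},
    {"type": "RegistryValueSet",                      # benign autorun entry
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SomeUpdater",
     "details": r"C:\Program Files\Some Vendor\updater.exe",
     "image": r"C:\Program Files\Some Vendor\setup.exe"},
    {"type": "FileCreate", "target": r"C:\WINDOWS\system32\msconfg.exe",
     "image": r"C:\Documents and Settings\user\Desktop\attachment.exe"},
    {"type": "FileCreate", "target": r"C:\WINDOWS\system32\msconfig.exe",   # legitimate tool
     "image": r"C:\WINDOWS\system32\svchost.exe"},
    {"type": "FileCreate", "target": r"C:\Documents and Settings\user\msconfg.exe",  # not in %System%
     "image": r"C:\WINDOWS\explorer.exe"},
]

if __name__ == "__main__":
    for finding in match_rbot_indicators(SAMPLE_EVENTS):
        print(finding)
```

The mutex name 'rx01' is not covered here because ordinary file and registry telemetry does not record mutex creation; on a live system it can be checked separately with a handle enumeration tool.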
Method of Distribution
Win32.Rbot variants are able to spread in a number of different ways. Propagation is launched manually through backdoor control, rather than happening automatically.
Each spreading method begins with scanning for target machines. The worm can generate random values for all or part of each IP address it targets. Each attack vector is associated with a particular TCP port.
Via Network Shares (TCP ports 139 and 445)
Rbot can infect remote machines through Windows file sharing. It scans for target machines by probing TCP ports 139 and 445. If it can connect to either of these ports, it then tries to connect to the Windows share:
\\<target>\ipc$
Where <target> is the name of the machine it is trying to infect.
If this connection is not successful, it gives up on this machine. If the connection succeeds, it attempts to retrieve a list of user names on the target and then uses these user names to gain access to the system. If it cannot retrieve the list of user names, it falls back on a default list that it carries within itself, for example:
administrator
administrador
administrateur
admin
staff
root
Note: Rbot may also try to access a remote machine using the credentials of the local account from which it is executed.
For each user name, it attempts to authenticate using several passwords stored within the worm. The password list carried by Rbot.H can be seen below:
007 1 12 121 123 1234 12346 123467 1234678 12346789 123467890 access accounting accounts adm afro asd backup barbara bill blank bob brian bruce capitol changeme chris cisco compaq control ctx data database databasepass databasepassword db1 db1234 dbpass dbpassword default dell domain domainpass domainpassword eric exchange exchnge fish frank fred freddy fuck george glen god guest headoffice heaven hell home homeuser hq ian internet intranet jen joan joe
john kate katie lan lee login loginpass luke mail main mary mass mike neil nokia none null oem oeminstall oemuser office orange outlook owa pass pass1234 passwd password password1 peter pink pwd qaz qwe qwerty ron sage sam server sex siemens spencer sql sqlpass student student1 sue susan system teacher technical test turnip user user1 userpassword web win2000 win2k win98 windows winnt winpass winxp www xp yellow zxc
The list usually includes an empty password.
Assuming the worm can authenticate with the target machine, it then tries to copy itself to these locations:
\\<target>\Admin$\system32
\\<target>\c$\winnt\system32
\\<target>\c$\windows\system32
\\<target>\c
\\<target>\d
It then schedules a remote job to run the worm copy on the target machine.
Via Exploits
Win32.Rbot.H can spread by exploiting vulnerabilities in Windows operating systems and third-party applications. If it successfully exploits one of these, it executes a small amount of code on the target machine that instructs the target to connect back to the source and retrieve the complete worm executable. These connections back to the source use either TFTP or HTTP; the worm acts as a TFTP or HTTP server to deliver itself. The ports used for these servers are also configurable, but are often 81 for HTTP and 69 for TFTP.
This is a list of known vulnerabilities that Rbot.H may exploit:
Microsoft Windows ntdll.dll buffer overflow vulnerability (WebDav vulnerability) (TCP port 80)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=7287
http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx
Microsoft Windows RPC malformed message buffer overflow vulnerability (TCP ports 135, 445, 1025)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=25454
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx (supersedes original bulletin MS03-026)
Microsoft Windows RPCSS malformed DCOM message buffer overflow vulnerabilities (TCP port 135)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=25975
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
Exploiting weak passwords on MS SQL servers, including the Microsoft SQL Server Desktop Engine blank 'sa' password vulnerability (TCP port 1433)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=5705
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q321081
Note: The worm tries the same password list as that used for spreading through shares, including a blank password. The SQL server accounts it attempts to log in to are "sa", "root" and "admin".
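Two observable traits of the spreading behaviour described in this section and in the share-spreading section above are worth turning into a network detection: a single host touching many distinct targets on the attack ports (139, 445, 135, 1025, 80, 1433), and a swept host then connecting back to that same source on the TFTP or HTTP port the worm serves its body from (69 and 81 by default). The following is an added example, not part of the original analysis: the firewall log line format, the scan threshold and the sample lines are all constructed for this example.

```python
# Added example (not from the original analysis): spotting the propagation
# pattern described above in firewall/flow logs: one host touching many
# distinct targets on the worm's attack ports, followed by a swept host
# contacting that same source on the TFTP/HTTP ports the worm serves its
# body from. The log line format, the threshold and the sample lines are
# constructed for this example.
import re
from collections import defaultdict

# TCP ports the description ties to Rbot.H spreading (shares, RPC/DCOM, WebDAV, MSSQL).
PROPAGATION_PORTS = {139, 445, 135, 1025, 80, 1433}
# Ports the description gives for the worm's own download servers (configurable;
# 69/udp for TFTP and 81/tcp for HTTP are the usual values).
CALLBACK_PORTS = {("udp", 69), ("tcp", 81)}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+proto=(?P<proto>tcp|udp)\s+dport=(?P<dport>\d+)"
)


def parse(lines):
    """Yield (timestamp, src, dst, proto, dport) for lines in the constructed format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ts"], m["src"], m["dst"], m["proto"], int(m["dport"])


def find_scanners(lines, min_targets=8):
    """Map src -> number of distinct (dst, port) pairs on propagation ports, for
    sources at or above min_targets. The threshold is an assumption; tune it to
    how many hosts a legitimate client on your network touches on these ports."""
    targets = defaultdict(set)
    for _, src, dst, proto, dport in parse(lines):
        if proto == "tcp" and dport in PROPAGATION_PORTS:
            targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def find_callbacks(lines, scanners):
    """Return (victim, scanner, proto, port) tuples for hosts that contact a flagged
    scanner on a callback port: the shape of a freshly exploited host fetching
    the full worm executable from the machine that attacked it."""
    return [(src, dst, proto, dport)
            for _, src, dst, proto, dport in parse(lines)
            if dst in scanners and (proto, dport) in CALLBACK_PORTS]


def _constructed_log():
    """Constructed sample lines (not real traffic): one host sweeping 10.0.1.0/24 on
    445 and 135, one ordinary file-server client, one swept host pulling a file
    back from the sweeper over TFTP, plus an unrelated connection."""
    lines = [f"2004-03-01T10:00:{i:02d} src=10.0.0.5 dst=10.0.1.{i} proto=tcp dport=445 action=allow"
             for i in range(1, 13)]
    lines += [f"2004-03-01T10:01:{i:02d} src=10.0.0.5 dst=10.0.1.{i} proto=tcp dport=135 action=allow"
              for i in range(1, 4)]
    lines.append("2004-03-01T10:02:00 src=10.0.0.9 dst=10.0.2.1 proto=tcp dport=445 action=allow")
    lines.append("2004-03-01T10:02:30 src=10.0.1.3 dst=10.0.0.5 proto=udp dport=69 action=allow")
    lines.append("2004-03-01T10:02:31 src=10.0.1.3 dst=10.0.0.5 proto=tcp dport=6667 action=allow")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    scanners = find_scanners(SAMPLE_LOG)
    print("scanning hosts:", scanners)
    print("callbacks:", find_callbacks(SAMPLE_LOG, scanners))
```

The callback check is the higher-confidence signal of the two: a sweep on 445 alone can come from a vulnerability scanner or a misconfigured client, but a just-swept host pulling a file back from the sweeping machine over TFTP is hard to explain benignly. Since the worm's server ports are configurable, the CALLBACK_PORTS set should be widened to whatever your own samples use.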
Via Other Malware
Rbot.H can also infect remote systems through backdoors created by other malware:
Payload
Backdoor Functionality
Rbot's main function is to act as an IRC controlled backdoor. It attempts to connect to a predefined IRC server and join a specific channel so that the victim's computer can be controlled.
Rbot also listens on TCP port 113 to provide ident services, which are required by some IRC servers.
Once the victim's computer is under control, the overseer is able to instruct Win32.Rbot.H to attempt to perform malicious operations such as spreading via administrative shares with weak passwords or the DCOM RPC exploit. The backdoor can also be instructed to:
- download and execute files from the Internet
- retrieve system information such as Operating System details
- retrieve CD keys for certain computer games, if present
- start a SOCKS proxy
- perform denial of service (DoS) attacks
- start several other servers: rlogin, http, tftp. The ports used for these are configurable.
- log keystrokes
- capture video from a webcam, if present
- send e-mail
Analysis by Matthew McCormack