Backdoor:Win32/Rbot is a family of backdoor Trojans that allow attackers to control infected computers. After a computer is infected, the Trojan connects to a specific IRC server and joins a specific channel to receive commands from attackers. Commands can instruct the Trojan to spread to other computers by scanning for network shares with weak passwords, exploiting Windows vulnerabilities, and spreading through backdoor ports opened by other families of malicious software. The Trojan can also allow attackers to perform other backdoor functions, such as launching denial of service (DoS) attacks and retrieving system information from infected computers.

When Backdoor:Win32/Rbot runs, it copies itself to %windir% or <system folder>. In many cases, it adds a value to one or more of the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

This change causes the Trojan to run whenever Windows starts. Some variants also add a Windows system service to attain similar results.
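
As an added illustration (not code from the original write-up), the following Python script parses a constructed .reg export of the four autorun keys listed above and flags entries that fit this persistence pattern: a value under a RunServices key, an image placed directly in %windir% or the system folder, or one image registered under several of the keys. The SYSTEM_DIRS paths, the value names and the file names in the sample are assumptions.

```python
import ntpath, re
from collections import defaultdict

# Constructed .reg export of the autorun keys named in the write-up; every value
# name and file name below is made up for illustration.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="C:\\WINDOWS\\system32\\msupdate32.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Update"="C:\\WINDOWS\\system32\\msupdate32.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

AUTORUN_KEYS = {(hive + r"\Software\Microsoft\Windows\CurrentVersion" + "\\" + sub).lower()
                for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
                for sub in ("Run", "RunServices")}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}  # assumed %windir% and system folder

def parse_reg_export(text):
    """Yield (key, value_name, data) for each REG_SZ value, with .reg escaping undone."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)):
            yield key, m.group(1), m.group(2).replace("\\\\", "\\").replace('\\"', '"')

def image_path(data):  # lower-cased exe path taken from e.g. '"C:\x.exe" /arg'
    m = re.match(r'"?([^"]+?\.exe)', data, re.IGNORECASE)
    return (m.group(1) if m else data).lower()

def find_suspicious_autoruns(reg_text):
    """Flag autorun entries that fit the persistence pattern described in the write-up."""
    entries = [e for e in parse_reg_export(reg_text) if e[0].lower() in AUTORUN_KEYS]
    keys_per_image = defaultdict(set)
    for key, _, data in entries:
        keys_per_image[image_path(data)].add(key.lower())
    findings = []
    for key, name, data in entries:
        img, reasons = image_path(data), []
        if key.lower().endswith(r"\runservices"):  # Windows 9x-era key, rarely legitimate today
            reasons.append("value under a RunServices key")
        if ntpath.dirname(img) in SYSTEM_DIRS:  # weak on its own; confirm with hash/signature
            reasons.append("image directly in %windir% or the system folder")
        if len(keys_per_image[img]) > 1:
            reasons.append("same image under %d autorun keys" % len(keys_per_image[img]))
        if reasons:
            findings.append({"key": key, "name": name, "image": img, "reasons": reasons})
    return findings
```

Run it against a real export (`reg export` of each key) and triage the flagged images by file hash and signature; the system-folder hit alone will also match legitimate Windows components.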
Backdoor:Win32/Rbot connects to an IRC server and joins a specific channel to receive commands. Commands can include actions such as:
- Scanning for unpatched computers on the network.
- Scanning ports on the network.
- Downloading and executing remote files.
- Monitoring network traffic.
- Launching HTTP/HTTPD, SOCKS4, and TFTP/FTP servers.
- Enabling or disabling DCOM protocol.
- Retrieving computer configuration information, including Windows logon information, user account information, open shares, file system information, and network connection information.
- Logging keystrokes.
- Retrieving CD keys of games.
- Capturing screens and Webcam shots.
- Redirecting TCP traffic.
- Uploading files through FTP.
- Sending e-mail.
- Manipulating processes and services.
- Conducting denial of service (DoS) attacks.

Upon receiving IRC commands, the Trojan can spread to remote computers by exploiting one or more Windows vulnerabilities. Win32/Rbot can spread to remote computers by trying weak passwords that it draws from a list. The Trojan may exploit the MS03-026 vulnerability to create a remote shell on the target computer. The Trojan uses the remote shell to copy and run itself on a remote computer. The Trojan can also be instructed through IRC commands to spread through backdoor ports opened by Mydoom, Bagle, Optix, Netdevil, and other malicious software families.

Some variants of the Trojan terminate security-related products. Later variants of the Trojan may activate Web cams, or install a kernel-mode rootkit driver, which hides the Trojan process from Task Manager and other process-viewer applications.