Backdoor:Win32/Rbot.KN is an IRC-controlled backdoor which allows a remote attacker to request that it perform a wide range of activities on the affected system, including downloading and executing arbitrary files, stealing information, deleting files, terminating processes, running servers, and sending e-mail messages. It may spread via network shares with weak passwords, or by exploiting security vulnerabilities on a targeted system. It has been observed to be installed by Worm:Win32/Pobtiz variants.
Installation
Backdoor:Win32/Rbot.KN has been observed to be installed by Worm:Win32/Pobtiz.gen. In this case it is written to %userProfile%\LocalDir\svohost.exe before being launched.
When first run, it creates the following registry entry to ensure that it is run upon system startup:
Under key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds Value: Microsoft Update Machine
With data: <location of Malware> (for example, "%userProfile%\LocalDir\svohost.exe")
Spreads Via…
Vulnerability Exploits
The worm scans the network and attempts to install itself on targeted systems by exploiting certain security vulnerabilities. It sends specially crafted malformed packets which allow code of the attacker's choice to be executed on the targeted system. This code downloads a copy of the worm from an HTTP server running on the original affected system, and then executes this copy to install the malware.
Backdoor:Win32/Rbot.KN may attempt to exploit the following vulnerabilities:
Via Weak Passwords
The worm scans the network for systems with weak username/password combinations. Should it find one, the targeted system uses TFTP to transfer a copy of the worm from the original affected system.
It may try the following usernames:
administrator
administrador
administrateur
administrat
admins
admin
staff
root
computer
owner
student
teacher
wwwadmin
guest
default
database
dba
oracle
db2
and the following passwords:
administrator
administrador
administrateur
administrat
admins
admin
adm
password1
password
passwd
pass1234
pwd
007
1
12
123
1234
12345
123456
1234567
12345678
123456789
1234567890
2000
2001
2002
2003
2004
test
guest
none
demo
unix
linux
changeme
default
system
server
root
null
qwerty
mail
outlook
web
www
internet
accounts
accounting
home
homeuser
user
oem
oemuser
oeminstall
windows
win98
win2k
winxp
winnt
win2000
qaz
asd
zxc
qwe
bob
jen
joe
fred
bill
mike
john
peter
luke
sam
sue
susan
peter
brian
lee
neil
chris
eric
George
Kate
bob
Katie
mary
login
loginpass
technical
backup
exchange
fuck
bitch
slut
sex
god
hell
hello
domain
domainpass
domainpassword
database
access
dbpass
dbpassword
databasepass
databasepassword
db1
db2
db1234
sa
sql
sqlpass
oainstall
orainstall
oracle
ibm
cisco
dell
compaq
siemens
hp
nokia
control
office
blank
winpass
main
lan
internet
intranet
student
teacher
staff
Payload
Backdoor Functionality
Once installed, the trojan connects on port 8080 to an IRC server at ns2.thebuisness.com. An alternative server, ns2.thatsyou.biz, may also be used. The backdoor's controller may then issue it a number of commands to execute. These commands may include:
- Download arbitrary files, or visit web sites without downloading (i.e. “click” on the specified website)
- Execute files, either downloaded by the malware or already present on the system
- Update itself
- Spread by scanning the network for systems with security vulnerabilities or weak passwords
- Return system information and statistics, including lists of drivers, or running processes
- Terminate processes or delete files
- Search for files with particular filenames
- Transfer files between users connected to the IRC channel, or upload files to a specified FTP server
- Start a SOCKS proxy, TFTP server or HTTP server on the affected system. The TFTP and HTTP servers may be used to serve copies of the malware to newly targeted systems.
- Create a remote command line shell on the affected system
- Return the contents of the clipboard
- Attempt to obtain license keys of commercial software installed on the system
- Attempt to secure the system from attack by competing malware (or undo these changes)
- Participate in Distributed Denial of Service attacks
- Perform key logging
- Perform a screen capture, or webcam capture (still or video)
- Send e-mail messages
- Restart the system
- Flush the DNS cache
- Execute arbitrary IRC commands
Some of these activities are discussed further below.
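As an added example (not part of the original analysis), the following triage script checks for the two indicators described above: the Run-key persistence entry from the Installation section, and IRC connections to the two named servers on port 8080. The .reg export and the connection log lines are constructed samples, and the `dst=host:port` log format is an assumption.

```python
import re

# Indicators taken from the Backdoor:Win32/Rbot.KN description.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Microsoft Update Machine"
DROPPED_PATH_RE = re.compile(r"\\LocalDir\\svohost\.exe$", re.IGNORECASE)
C2_HOSTS = {"ns2.thebuisness.com", "ns2.thatsyou.biz"}
C2_PORT = 8080

# Constructed .reg export: one benign entry plus the Rbot.KN persistence value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"
"Microsoft Update Machine"="C:\\Users\\alice\\LocalDir\\svohost.exe"
'''

# Constructed connection log; the "dst=host:port" field layout is assumed.
SAMPLE_LOG = [
    "2024-01-01T10:00:01 src=10.0.0.5:49201 dst=ns2.thebuisness.com:8080 proto=tcp",
    "2024-01-01T10:00:02 src=10.0.0.5:49202 dst=www.example.com:443 proto=tcp",
    "2024-01-01T10:00:03 src=10.0.0.7:49310 dst=NS2.thatsyou.biz:8080 proto=tcp",
]

def find_run_persistence(reg_export):
    """Return (value_name, data) pairs under the HKLM Run key that match either
    the Rbot.KN value name or its dropped-file path."""
    hits, current_key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # new key section
            continue
        if current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not m:
            continue
        # .reg exports escape backslashes in string data; undo that first.
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        if name == RUN_VALUE_NAME or DROPPED_PATH_RE.search(data):
            hits.append((name, data))
    return hits

LOG_RE = re.compile(r"dst=(?P<host>[^:\s]+):(?P<port>\d+)")

def find_c2_connections(log_lines):
    """Return log lines whose destination is a known Rbot.KN IRC server on 8080."""
    return [l for l in log_lines
            if (m := LOG_RE.search(l))
            and m.group("host").lower() in C2_HOSTS
            and int(m.group("port")) == C2_PORT]
```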
Steals License Keys
If commanded to do so by the backdoor’s controller, the malware checks the registry for stored license keys for a number of different commercial software products. If any keys are found, they are returned to the server. Some of the products targeted include the following:
Counter-Strike (Retail)
The Gladiators
Gunman Chronicles
Half-Life
Industry Giant 2
Legends of Might and Magic
Soldiers Of Anarchy
Microsoft Windows
Unreal Tournament 2003
Unreal Tournament 2004
IGI 2: Covert Strike
Freedom Force
Battlefield 1942
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Command and Conquer: Generals (Zero Hour)
James Bond 007: Nightfire
Command and Conquer: Generals
Global Operations
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Need For Speed Hot Pursuit 2
Need For Speed: Underground
Shogun: Total War: Warlord Edition
EA Sports FIFA 2002
EA Sports FIFA 2003
EA Sports NHL 2002
EA Sports NHL 2003
Nascar Racing 2002
Nascar Racing 2003
Rainbow Six III RavenShield
Command and Conquer: Tiberian Sun
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
Hidden & Dangerous 2
Soldier of Fortune II - Double Helix
Neverwinter Nights
Neverwinter Nights (Shadows of Undrentide)
Neverwinter Nights (Hordes of the Underdark)
Modifies System Security
Backdoor:Win32/Rbot.KN may be commanded to attempt to increase system security, most likely in order to protect it from attack by competing malware. It may also be commanded to reverse these changes. These changes may include:
- Disable DCOM
- Restrict anonymous access to the system
- Remove network shares
Analysis by David Wood