Agobot

Agobot, also frequently known as Gaobot, is a family of computer worms. Axel "Ago" Gembe, a German programmer, was responsible for writing the first version. ^[1][2][3] The Agobot source code describes it as: “a modular IRC bot for Win32 / Linux”. Agobot was released under version 2 of the GNU General Public License. Agobot is a multi-threaded and mostly object oriented program written in C++ as well as a small amount of assembly. Agobot is an example of a Botnet that requires little or no programming knowledge to use.

Technical details

New versions, or variants, of the worm appeared so rapidly that the Agobot family quickly grew larger than other bot families. Other bots in the Agobot family are Phatbot and Forbot. Agobot now has several thousand variants. The majority of the development force behind Agobot is targeting the Microsoft Windows platform; as a result the vast majority of the variants are not Linux compatible. In fact the majority of modern Agobot strains must be built with Visual Studio due to its reliance on Visual Studio's SDK and Processor Pack. An infectious Agobot can vary in size from ~500kbyte to ~12kbyte depending on features, compiler optimizations and binary modifications.

A module written for one member in the Agobot family can usually be ported with ease to another bot. This mix-matching of modules to suit the owner's needs has inspired many of the worm's variants.

Most Agobots have the following features:

• Password Protected IRC Client control interface
• Remotely update and remove the installed bot
• Execute programs and commands
• Port scanner used to find and infect other hosts
• DDoS attacks used to takedown networks

The Agobot may contain other features such as:

• Packet sniffer
• Keylogger
• Polymorphic code
• Rootkit installer
• Information harvest
  • Email Addresses
  • Software Product Keys
  • Passwords
• SMTP Client
  • Spam
  • Spreading copies of itself
• HTTP client
  • Click Fraud
  • DDoS Attacks

Spreading

The following propagation methods are sub-modules to the port scanning engine:

• MS03-026 RPC DCOM Remote Buffer Overflow
• MS03-026 LSASS Remote Buffer Overflow
• MS05-039 Plug and Play Remote Buffer Overflow
• Attempts to hijack common Trojan horses that accept incoming connections via an open port.
• The ability to spread to systems by brute forcing a login. A good example is Telnet or Microsoft's Server Message Block

Generally, it has been observed that every custom modified variant of Agobot features a selection of the above methods as well as some "homebrew" modules, which essentially are released exploits ported to its code.

Names and such can be added via the xml files the produce variable shuffle imports.

External links

• Agobot and the “Kit”-chen Sink
• Phatbot Command Reference

See also

• Ares.exe
• Gaobot.ee

References

1. Infosecurity 2008 Threat Analysis, page 16, ISBN 1-59749-224-8 ISBN 978-1-59749-224-9
2. http://online.wsj.com/public/article_print/SB116900488955878543-yrMHYlacFyxijV14BxFZfXeU1_8_20070216.html How Legal Codes Can Hinder Hacker Cases
3. http://wsjclassroom.com/archive/05feb/onln_hacker.htm Hacker Hitmen - Cyber Attacks Used to Be for Thrill Seekers. Now They're About Money.

• W32.Gaobot.DX Symantec Retrieved 20070618
• W32.Gaobot.CEZ Symantec Retrieved 20070618