Agobot, also frequently known as Gaobot, is a family of computer worms. Axel "Ago" Gembe, a German programmer, was responsible for writing the first version.  The Agobot source code describes it as: “a modular IRC bot for Win32 / Linux”. Agobot was released under version 2 of the GNU General Public License. Agobot is a multi-threaded and mostly object oriented program written in C++ as well as a small amount of assembly. Agobot is an example of a Botnet that requires little or no programming knowledge to use.
New versions, or variants, of the worm appeared so rapidly that the Agobot family quickly grew larger than other bot families. Other bots in the Agobot family are Phatbot and Forbot. Agobot now has several thousand variants. The majority of the development force behind Agobot is targeting the Microsoft Windows platform; as a result the vast majority of the variants are not Linux compatible. In fact the majority of modern Agobot strains must be built with Visual Studio due to its reliance on Visual Studio's SDK and Processor Pack. An infectious Agobot can vary in size from ~12kbyte to ~500kbyte depending on features, compiler optimizations and binary modifications.
A module written for one member in the Agobot family can usually be ported with ease to another bot. This mix-matching of modules to suit the owner's needs has inspired many of the worm's variants.
Most Agobots have the following features:
- Password Protected IRC Client control interface
- Remotely update and remove the installed bot
- Execute programs and commands
- Port scanner used to find and infect other hosts
- DDoS attacks used to takedown networks
The Agobot may contain other features such as:
- Packet sniffer
- Polymorphic code
- Rootkit installer
- Information harvest
- Email Addresses
- Software Product Keys
- SMTP Client
- Spreading copies of itself
- HTTP client
- Click Fraud
- DDoS Attacks
The following propagation methods are sub-modules to the port scanning engine:
- MS03-026 RPC DCOM Remote Buffer Overflow
- MS04-011 LSASS Remote Buffer Overflow
- MS05-039 Plug and Play Remote Buffer Overflow
- Attempts to hijack common Trojan horses that accept incoming connections via an open port.
- The ability to spread to systems by brute forcing a login. A good example is Telnet or Microsoft's Server Message Block
Generally, it has been observed that every custom modified variant of Agobot features a selection of the above methods as well as some "homebrew" modules, which essentially are released exploits ported to its code.
Names and such can be added via the XML files to produce variable shuffle imports.
Gaobot.ee is a variant of Agobot. It is also known as the W32.HLLW.Gaobot.EE. It is a malicious computer worm that tends to come from the P2P network Ares, installing from its virus form, Ares.exe. It has rather odd characteristics for a virus, with the unique ability to download and install random files (perhaps to create more sharers) from its members, such as music, pornography, and even full games. Gaobot.ee is a worm that sends large numbers of unsolicited e-mails using its own SMTP engine. This worm also opens a backdoor on a random TCP port, notifies attackers through a predetermined IRC channel, and attempts to terminate various security products and system monitoring tools.
Its security level is low, hardly doing any damage to a computer. However, it has been reported to download and install spyware, more viruses, trojans, and worms, although this is not as yet officially been proven.
- Infosecurity 2008 Threat Analysis, page 16, ISBN 1-59749-224-8 ISBN 978-1-59749-224-9
- http://online.wsj.com/public/article_print/SB116900488955878543-yrMHYlacFyxijV14BxFZfXeU1_8_20070216.html How Legal Codes Can Hinder Hacker Cases
- http://wsjclassroom.com/archive/05feb/onln_hacker.htm Hacker Hitmen - Cyber Attacks Used to Be for Thrill Seekers. Now They're About Money.
- "W32.HLLW.Gaobot.EE". Symantec Security Response/ W32.HLLW.Gaobot.EE. Symantec.