SdBot.MD


Aliases:


SdBot.MD
Backdoor.SdBot.md, SDBot

Malware

W32

Summary

SdBot is the name of a large family of IRC-controlled backdoors, i.e. attackers' remote access tools.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

These tools allow an attacker to control victims' computers remotely by sending commands over IRC channels. The backdoors can also steal data, spread across the local network, and infect other computers that are vulnerable to the exploits they carry.

This SDBot variant was first found on May 13th, 2004 in Finland. It uses several exploits, including the MSSQL and LSASS (MS04-011) exploits, to spread to vulnerable computers. The backdoor can also install a security patch on the operating system and scan for active FTP servers. Additionally, it removes the startup Registry keys of three Sasser worm variants.

The backdoor's file is a PE executable about 32 kilobytes long, packed with a modified UPX file compressor.

When the backdoor's file is started, it copies itself as DESKTOP.EXE to the Windows System folder and then creates the following startup key in the Registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "desktop"="%WinSysDir%\desktop.exe"

where %WinSysDir% is the Windows System folder. The backdoor also creates the following Registry keys and values:

[HKLM\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo]
 "DSQUERY"
 "DBMSSOCN"
[HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
 "AutoShareServer" = DWORD:0
 "AutoShareWks" = DWORD:0
[HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
 "restrictanonymous" = DWORD:1
[HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
 "DisableWebDAV" = DWORD:1
 "MaxClientRequestBuffer" = DWORD:4000

Apart from the MSSQL client entries, these values harden the infected host: they disable the default administrative shares (the same shares the bot's own "ipc" spreading method relies on), restrict anonymous enumeration through Lsa, and disable WebDAV in IIS.
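The Run entry and the hardening values above can be checked on a suspect host from an exported registry. The following is an added example, not code from F-Secure or from the backdoor; it parses a constructed excerpt in `reg export` format (the sample is invented, not a real capture) and separates the one strong indicator (a Run value pointing at desktop.exe) from the hardening values, which are legitimate settings on their own and only corroborate an infection when they appear together with the Run entry. The MaxClientRequestBuffer value is left out because its radix on this page is ambiguous.

```python
import re
from typing import Dict, List, Optional, Union

RegValue = Union[str, int]

# Constructed excerpt in `reg export` format (not a real capture). It holds the
# Run entry and the hardening values described above, plus one benign entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"desktop"="C:\\WINDOWS\\system32\\desktop.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"DisableWebDAV"=dword:00000001
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Parse the subset of .reg syntax used here: keys, REG_SZ and REG_DWORD values.

    Keys and value names are lower-cased because the registry is case-insensitive.
    """
    keys: Dict[str, Dict[str, RegValue]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1).lower()
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name, data = value_match.group(1).lower(), value_match.group(2)
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                # .reg files escape backslashes and double quotes inside strings
                keys[current][name] = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            else:
                keys[current][name] = data
    return keys


HKLM = "hkey_local_machine"
RUN_KEY = HKLM + r"\software\microsoft\windows\currentversion\run"
# (key, value name, expected DWORD, description). These are legitimate hardening
# settings and only corroborate an infection next to the Run entry.
HARDENING_VALUES = [
    (HKLM + r"\system\currentcontrolset\services\lanmanserver\parameters",
     "autoshareserver", 0, "AutoShareServer=0 (admin shares disabled)"),
    (HKLM + r"\system\currentcontrolset\services\lanmanserver\parameters",
     "autosharewks", 0, "AutoShareWks=0 (admin shares disabled)"),
    (HKLM + r"\system\currentcontrolset\control\lsa",
     "restrictanonymous", 1, "restrictanonymous=1"),
    (HKLM + r"\system\currentcontrolset\services\w3svc\parameters",
     "disablewebdav", 1, "DisableWebDAV=1"),
]


def find_sdbot_indicators(reg_text: str) -> Dict[str, List[str]]:
    """Return {"strong": [...], "weak": [...]} findings for an exported registry."""
    keys = parse_reg_export(reg_text)
    findings: Dict[str, List[str]] = {"strong": [], "weak": []}
    # Strong: any Run value whose data ends in \desktop.exe, whatever the value name.
    for name, data in keys.get(RUN_KEY, {}).items():
        if isinstance(data, str) and data.lower().endswith("\\desktop.exe"):
            findings["strong"].append(f"Run\\{name} -> {data}")
    for key, name, expected, description in HARDENING_VALUES:
        if keys.get(key, {}).get(name) == expected:
            findings["weak"].append(description)
    return findings


if __name__ == "__main__":
    for level, items in find_sdbot_indicators(SAMPLE_REG_EXPORT).items():
        for item in items:
            print(f"[{level}] {item}")
```

On a live host the input would come from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` and similar commands for the other keys; the checker matches on the file name rather than the exact value name so that a renamed Run value still triggers.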

Then the backdoor installs the security patch KB835732 (MS04-011) on Windows 2000 and XP computers by downloading a language-specific version from a Microsoft site and running it. More information about the security patch can be found here: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

The backdoor connects to one of the following IRC servers and joins as a bot:

knix-irc.hopto.org
irc.knix.25u.com
knix-irc2.hopto.org
knix.afraid.org

The following IRC channels are used:

#virtualz
#scanlog
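The server names and channels above are the network indicators for this variant. The following is an added detection example, not code from F-Secure; it runs over a few constructed log lines (invented, not a real capture) mixing resolver queries, a flow summary and IRC payload seen by an IDS, and correlates hits per client so that a single weak signal does not raise an alert on its own. The page does not name the IRC port; tcp/6667 is assumed here as the IRC default and treated as a weak indicator only, since legitimate IRC traffic uses it too. The log line formats are this example's own.

```python
import re
from typing import Dict, List, Tuple

C2_HOSTS = {"knix-irc.hopto.org", "irc.knix.25u.com", "knix-irc2.hopto.org", "knix.afraid.org"}
C2_CHANNELS = {"#virtualz", "#scanlog"}
IRC_PORT = "6667"  # assumption: not stated on the page, IRC default

# Constructed log lines (not a real capture); formats are this example's own.
SAMPLE_LOG = """\
2004-05-13T10:01:02 dns 10.0.0.5 query A KNIX-IRC.hopto.org.
2004-05-13T10:01:02 dns 10.0.0.5 query A www.microsoft.com.
2004-05-13T10:01:03 flow 10.0.0.5:1043 -> 203.0.113.7:6667 tcp
2004-05-13T10:01:04 irc 10.0.0.5 JOIN #virtualz
2004-05-13T10:01:05 irc 10.0.0.5 PRIVMSG #scanlog :scan 10.0.0.0/24 ms04011
2004-05-13T10:02:00 dns 10.0.0.9 query A knix.afraid.org
2004-05-13T10:02:01 flow 10.0.0.9:1044 -> 198.51.100.2:80 tcp
"""

_DNS_RE = re.compile(r"^(\S+) dns (\S+) query \S+ (\S+)$")
_FLOW_RE = re.compile(r"^(\S+) flow (\S+):\d+ -> \S+:(\d+) tcp$")
_IRC_RE = re.compile(r"^(\S+) irc (\S+) (JOIN|PRIVMSG) (#\S+)")


def normalize_host(name: str) -> str:
    """DNS names are case-insensitive and resolver logs often keep the root dot."""
    return name.rstrip(".").lower()


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, reason) for every line matching an indicator."""
    hits: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        m = _DNS_RE.match(line)
        if m:
            host = normalize_host(m.group(3))
            if host in C2_HOSTS:
                hits.append((m.group(1), m.group(2), f"DNS lookup of C2 host {host}"))
            continue
        m = _FLOW_RE.match(line)
        if m:
            if m.group(3) == IRC_PORT:
                hits.append((m.group(1), m.group(2), f"tcp/{IRC_PORT} connection (weak: any IRC use)"))
            continue
        m = _IRC_RE.match(line)
        if m and m.group(4).lower() in C2_CHANNELS:
            hits.append((m.group(1), m.group(2), f"IRC {m.group(3)} to C2 channel {m.group(4)}"))
    return hits


def suspicious_clients(text: str, min_indicators: int = 2) -> List[str]:
    """Clients with at least min_indicators matching lines, sorted for stable output."""
    counts: Dict[str, int] = {}
    for _, client, _ in scan_log(text):
        counts[client] = counts.get(client, 0) + 1
    return sorted(client for client, n in counts.items() if n >= min_indicators)


if __name__ == "__main__":
    for ts, client, reason in scan_log(SAMPLE_LOG):
        print(ts, client, reason)
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

With the threshold of two, 10.0.0.5 (lookup, IRC connection, JOIN and PRIVMSG) is reported while 10.0.0.9, which only resolved one of the names, is left for manual review; lower the threshold to one if the dynamic-DNS names alone are considered decisive in your environment.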

The backdoor can be controlled through the bot it creates. A remote attacker can perform the following actions:

* initialize for spreading cycle
* select spreading technique (see below)
* remove spreading technique
* select IP address range for scan
* remove IP address range for scan
* start spreading cycle
* stop spreading cycle
* get spreading cycle status
* create a remote shell
* autoupdate itself
* uninstall itself
* download files
* start files
* execute a command
* get bot information
* switch to idle mode
* delete Registry keys for 3 Sasser worm variants
* show log file

The backdoor can spread using the following exploits and applications:

ipc (remote shares)
mssql (SQL servers)
mssql_udp
dcom1 (DCOM RPC)
real_serv
dame_ware (remote administration software)
ms04011 (LSASS)
ftp_scan (remote ftp sites)

This variant of SDBot performs a dictionary attack to gain access to remote hosts. It uses the following list of logins and passwords (the %UserName% entries are templates into which the account name under attack is substituted):

sa
 sql
 admin
 Administrator
 test
 demo
 database
 Administrator
 Administrador
 Amministratore
 Administrateur
 Administrat
 Beheerder
 guest
 Gast
 G?st
 Invitado
 Visitatore
 admin
 webmaster
 web
 www
 server
 data
 account
 backup
 demo
 test
 access
 operator
 oper
 local
 user
 master
 student
 pwrchute
 root
 admin
 demo
 test
 guest
 webmaster
 web
 www
 server
 data
 account
 backup
 access
 sysadm
 sysadmin
 manager
 Administrator
 Administrador
 Amministratore
 Administrateur
 Administrat
 Beheerder
 sysop
 supervisor
 operator
 oper
 local
 user
 master
 adm
 devadmin
 sysmgr
 sysman
 testuser
 systest
 %UserName%
 %UserName%1
 %UserName%12
 %UserName%123
 %UserName%1234
 %UserName%12345
 %UserName%pass
 %UserName%qwerty
 %UserName%qwert
 %UserName%qwer
 %UserName%abcd
 %UserName%abc
 %UserName%asdf
 %UserName%asd
 1%UserName%
 12%UserName%
 123%UserName%
 1234%UserName%
 12345%UserName%
 abc%UserName%
 abcd%UserName%
 qwerty%UserName%
 asdf%UserName%
 !@#$%UserName%
 !@#%UserName%
 !@%UserName%
 !%UserName%
 %UserName%!@#$
 %UserName%!@#
 %UserName%!@
 %UserName%!
 1
 11
 111
 1111
 11111
 111111
 1111111
 11111111
 12
 123
 1234
 12345
 123456
 1234567
 12345678
 654321
 54321
 4321
 321
 123123
 12341234
 31337
 1337
 00000000
 88888888
 5201314
 1234qwer
 123qwe
 123abc
 123asd
 abc123
 abcd
 asdf
 asdfgh
 Administrator
 admin
 root
 pass
 passwd
 password
 super
 master
 backup
 pass
 test
 user
 temp
 secret
 computer
 demo
 windows
 monitor
 manager
 operator
 oper
 local
 server
 share
 full
 digital
 einstein
 guess
 system
 sql
 database
 sybase
 internet
 locked
 access
 qwerty
 newpass
 pasword
 guest
 access
 keyboard
 windows
 mouse
 rules
 linux
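The %UserName% entries above are templates, so the real number of guesses per account is larger than the literal list suggests. The following is an added example, not code from F-Secure or from the bot; it expands an excerpt of the list for a given account name and audits a set of constructed (invented) account/password pairs against it. The page does not separate logins from passwords, so the example treats the template entries and simple literals as password candidates and a few of the page's account names as logins; the case-insensitive comparison is this example's choice, not something the page states about the bot.

```python
from typing import Iterable, List, Set, Tuple

# Excerpt of the list given above. Account names and password candidates are
# this example's split of the page's single combined list.
ACCOUNT_NAMES = ["Administrator", "Administrador", "Administrateur", "admin", "sa", "root", "guest"]
PASSWORD_TEMPLATES = [
    "%UserName%", "%UserName%1", "%UserName%123", "%UserName%1234",
    "%UserName%pass", "%UserName%qwerty", "1%UserName%", "123%UserName%",
    "!@#$%UserName%", "%UserName%!@#", "1", "1234", "123456", "12345678",
    "31337", "abc123", "admin", "pass", "password", "qwerty", "secret", "windows",
]


def expand_dictionary(username: str, templates: Iterable[str] = PASSWORD_TEMPLATES) -> List[str]:
    """Substitute the account name into every template, keeping order, dropping duplicates.

    Duplicates arise naturally: for the account "admin" the template "%UserName%"
    and the literal "admin" produce the same guess.
    """
    seen: Set[str] = set()
    candidates: List[str] = []
    for template in templates:
        candidate = template.replace("%UserName%", username)
        if candidate not in seen:
            seen.add(candidate)
            candidates.append(candidate)
    return candidates


def is_in_sdbot_dictionary(username: str, password: str) -> bool:
    """True if the bot's expanded list for this account contains the password.

    Comparison is case-insensitive on purpose (this example's choice): a password
    that differs from a listed guess only by case is not meaningfully stronger.
    """
    wanted = password.lower()
    return any(candidate.lower() == wanted for candidate in expand_dictionary(username))


def audit_accounts(accounts: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the account names whose password the bot would guess."""
    return [user for user, password in accounts if is_in_sdbot_dictionary(user, password)]


# Constructed account/password pairs for the audit (invented, not real data).
CONSTRUCTED_ACCOUNTS = [
    ("Administrator", "Administrator123"),  # %UserName%123
    ("sa", "sa"),                           # %UserName%
    ("backup", "Backup!@#"),                # %UserName%!@# up to case
    ("svc_web", "Tr0ub4dor&3"),             # not derivable from the list
]


if __name__ == "__main__":
    for user in ACCOUNT_NAMES:
        print(f"{user}: {len(expand_dictionary(user))} guesses")
    print("weak accounts:", audit_accounts(CONSTRUCTED_ACCOUNTS))
```

Two practical points follow from the expansion: the per-account guess count is the number the bot will throw at each login, so an account lockout threshold below it turns this attack into a burst of lockout events worth alerting on, and any password derived from the account name (prefix, suffix or keyboard walk) is covered by the templates regardless of how long it is.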

This is quite an unusual backdoor: it spreads on its own, kills Sasser and installs security patches. But it is still a backdoor, and the host remains under the remote attacker's control.






