Threat Description

SdBot.MD

Details

Aliases: SdBot.MD, Backdoor.SdBot.md, SDBot
Category: Malware
Type:
Platform: W32

Summary


SdBot represents a large family of backdoors: hackers' remote access tools.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.



Technical Details


These tools allow an attacker to control victims' computers remotely by sending specific commands via IRC channels. These backdoors can also steal data and spread to the local network and to computers vulnerable to exploits.

This SDBot variant was first found on May 13th, 2004 in Finland. It uses different exploits, including the MSSQL and LSASS exploits, to spread to vulnerable computers. The backdoor can also install security patches on an operating system and scan for active ftp servers. Additionally, the backdoor removes startup Registry keys for 3 Sasser worm variants.

The backdoor's file is a PE executable about 32 kilobytes long, packed with a modified UPX file compressor.

When the backdoor's file is started, it copies itself as DESKTOP.EXE to Windows System folder and then creates the startup key in the Registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"desktop"="%WinSysDir%\desktop.exe"

where %WinSysDir% represents the Windows System folder name. The backdoor also creates the following Registry keys:

[HKLM\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo]
"DSQUERY" = "DBMSSOCN"

[HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer" = DWORD:0
"AutoShareWks" = DWORD:0

[HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous" = DWORD:1

[HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"DisableWebDAV" = DWORD:1
"MaxClientRequestBuffer" = DWORD:4000
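The following PowerShell script is an added example, not part of the F-Secure description: run as Administrator on a host under investigation, it checks for the startup value, the dropped DESKTOP.EXE and the other Registry values listed above. It assumes the DWORD:4000 for MaxClientRequestBuffer is hexadecimal (16384 decimal), and the variable and message names are the author's own.

```powershell
# Added example (not from the F-Secure page): look for SdBot.MD host artifacts.
# Run in an elevated PowerShell session; it only reads the Registry and file system.
$findings = @()

# Strong indicator: Run value "desktop" pointing at desktop.exe in the System folder.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).desktop
if ($runValue) {
    $findings += "Run value 'desktop' present: $runValue"
}

# Strong indicator: the dropped copy in the Windows System folder (%WinSysDir%).
$dropped = Join-Path ([Environment]::SystemDirectory) 'desktop.exe'
if (Test-Path -Path $dropped) {
    $info = Get-Item -Path $dropped
    $findings += "File present: $dropped ($($info.Length) bytes, modified $($info.LastWriteTime))"
}

# Weaker indicators: values the backdoor writes. AutoShareServer=0, restrictanonymous=1
# and DisableWebDAV=1 are also legitimate hardening settings, so treat a match here
# as corroborating evidence only. DWORD:4000 is assumed to be hex (0x4000 = 16384).
$expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo'; Name = 'DSQUERY'; Value = 'DBMSSOCN' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'; Name = 'AutoShareServer'; Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'; Name = 'AutoShareWks'; Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'restrictanonymous'; Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'; Name = 'DisableWebDAV'; Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters'; Name = 'MaxClientRequestBuffer'; Value = 0x4000 }
)
foreach ($e in $expected) {
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    if ($null -ne $actual -and $actual -eq $e.Value) {
        $findings += "Value matches backdoor setting: $($e.Path)\$($e.Name) = $actual"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No SdBot.MD artifacts found.'
} else {
    Write-Output "Possible SdBot.MD artifacts ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Only the Run value and the file are meaningful on their own; the remaining values should be read together with the IRC connections described further down.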

Then the backdoor installs the security patch KB835732 on Windows 2000 and XP computers by downloading a language-specific version from a Microsoft site and running it. More information about the security patch can be found here: https://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

The backdoor connects to one of the following IRC servers and creates a bot there:

knix-irc.hopto.org
irc.knix.25u.com
knix-irc2.hopto.org
knix.afraid.org

The following IRC channels are used:

#virtualz
#scanlog

The backdoor can be controlled via the bot that it creates. A remote hacker can perform the following actions:

* initialize for spreading cycle
* select spreading technique (see below)
* remove spreading technique
* select IP address range for scan
* remove IP address range for scan
* start spreading cycle
* stop spreading cycle
* get spreading cycle status
* create a remote shell
* autoupdate itself
* uninstall itself
* download files
* start files
* execute a command
* get bot information
* switch to idle mode
* delete Registry keys for 3 Sasser worm variants
* show log file

The backdoor can spread using the following exploits and applications:

ipc (remote shares)
mssql (SQL servers)
mssql_udp
dcom1 (DCOM RPC)
real_serv
dame_ware (remote administration software)
ms04011 (LSASS)
ftp_scan (remote ftp sites)

This variant of SDBot performs a dictionary attack to get access to remote hosts. It uses the following list of logins and passwords:

sa  sql  admin  Administrator  test  demo  database  Administrator  Administrador  Amministratore  Administrateur  Administrat  Beheerder  guest  Gast  G?st  Invitado  Visitatore  admin  webmaster  web  www  server  data  account  backup  demo  test  access  operator  oper  local  user  master  student  pwrchute  root  admin  demo  test  guest  webmaster  web  www  server  data  account  backup  access  sysadm  sysadmin  manager  Administrator  Administrador  Amministratore  Administrateur  Administrat  Beheerder  sysop  supervisor  operator  oper  local  user  master  adm  devadmin  sysmgr  sysman  testuser  systest  %UserName%  %UserName%1  %UserName%12  %UserName%123  %UserName%1234  %UserName%12345  %UserName%pass  %UserName%qwerty  %UserName%qwert  %UserName%qwer  %UserName%abcd  %UserName%abc  %UserName%asdf  %UserName%asd  1%UserName%  12%UserName%  123%UserName%  1234%UserName%  12345%UserName%  abc%UserName%  abcd%UserName%  qwerty%UserName%  asdf%UserName%  !@#$%UserName%  !@#%UserName%  !@%UserName%  !%UserName%  %UserName%!@#$  %UserName%!@#  %UserName%!@  %UserName%!  1  11  111  1111  11111  111111  1111111  11111111  12  123  1234  12345  123456  1234567  12345678  654321  54321  4321  321  123123  12341234  31337  1337  00000000  88888888  5201314  1234qwer  123qwe  123abc  123asd  abc123  abcd  asdf  asdfgh  Administrator  admin  root  pass  passwd  password  super  master  backup  pass  test  user  temp  secret  computer  demo  windows  monitor  manager  operator  oper  local  server  share  full  digital  einstein  guess  system  sql  database  sybase  internet  locked  access  qwerty  newpass  pasword  guest  access  keyboard  windows  mouse  rules  linux  

This is quite an unusual backdoor indeed. It spreads around, kills the Sasser worm and installs security patches. But it still remains a backdoor.

