SdBot represents the large family of backdoors - hacker's remote access tools.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.
You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.
These tools allow to contol victims' computers remotely by sending specific commands via IRC channels. Also these backdoors can steal data, spread to local network and to computers vulnerable to exploits.
This SDBot variant was first found on May 13th, 2004 in Finland. It uses different exploits including the MSSQL and LSASS exploits to spread to vulnerable computers. The backdoor also can install security patches on an operating system and scan for active ftp servers. Additionally the backdoor removes startup Registry keys for 3 Sasser worm variants.
The backdoor's file is a PE executable about 32 kilobytes long, packed with a modified UPX file compressor.
When the backdoor's file is started, it copies itself as DESKTOP.EXE to Windows System folder and then creates the startup key in the Registry:
where %WinSysDir% represents the Windows System folder name. The backdoor also creates the following Registry keys:
[HKLM\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo] "DSQUERY" "DBMSSOCN" [HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters] "AutoShareServer" = DWORD:0 "AutoShareWks" = DWORD:0 [HKLM\SYSTEM\CurrentControlSet\Control\Lsa] "restrictanonymous" = DWORD:1 [HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters] "DisableWebDAV" = DWORD:1 "MaxClientRequestBuffer" = DWORD:4000
Then the backdoor installs the ecurity patch KB835732 on Windows 2000 and XP computers by downloading a language-specific version from a Microsoft site and activating it. More information about the security patch can be found here: https://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
The backdoor connects to one of the following IRC servers and creates a bot there:
knix-irc.hopto.org irc.knix.25u.com knix-irc2.hopto.org knix.afraid.org
The following IRC channels are used:
The backdoor can be controled via a bot that it creates. A remote hacker can perform the following actions:
* initialize for spreading cycle * select spreading technique (see below) * remove spreading technique * select IP address range for scan * remove IP address range for scan * start spreading cycle * stop spreading cycle * get spreading cycle status * create a remote shell * autoupdate itself * uninstall itself * download files * start files * execute a command * get bot information * switch to idle mode * delete Registry keys for 3 Sasser worm variants * show log file
The backdoor can spread using the following exploits and applications:
ipc (remote shares) mssql (SQL servers) mssql_udp dcom1 (DCOM RPC) real_serv dame_ware (remote administration software) ms04011 (LSASS) ftp_scan (remote ftp sites)
This variant of SDBot performs a dictionary attack to get access to remote hosts. It uses the following list of logins and passwords:
sa sql admin Administrator test demo database Administrator Administrador Amministratore Administrateur Administrat Beheerder guest Gast G?st Invitado Visitatore admin webmaster web www server data account backup demo test access operator oper local user master student pwrchute root admin demo test guest webmaster web www server data account backup access sysadm sysadmin manager Administrator Administrador Amministratore Administrateur Administrat Beheerder sysop supervisor operator oper local user master adm devadmin sysmgr sysman testuser systest %UserName% %UserName%1 %UserName%12 %UserName%123 %UserName%1234 %UserName%12345 %UserName%pass %UserName%qwerty %UserName%qwert %UserName%qwer %UserName%abcd %UserName%abc %UserName%asdf %UserName%asd 1%UserName% 12%UserName% 123%UserName% 1234%UserName% 12345%UserName% abc%UserName% abcd%UserName% qwerty%UserName% asdf%UserName% !@#$%UserName% !@#%UserName% !@%UserName% !%UserName% %UserName%!@#$ %UserName%!@# %UserName%!@ %UserName%! 1 11 111 1111 11111 111111 1111111 11111111 12 123 1234 12345 123456 1234567 12345678 654321 54321 4321 321 123123 12341234 31337 1337 00000000 88888888 5201314 1234qwer 123qwe 123abc 123asd abc123 abcd asdf asdfgh Administrator admin root pass passwd password super master backup pass test user temp secret computer demo windows monitor manager operator oper local server share full digital einstein guess system sql database sybase internet locked access qwerty newpass pasword guest access keyboard windows mouse rules linux
This is quite an unusual backdoor indeed. It spreads around, kills Sasser worm and installs security patches. But it still remains a backdoor.