[Intrusions] Interesting little piece of malware...
Matthew Sowers
msowers77 at msn.com
Tue Sep 21 21:51:22 GMT 2004
Actually r-bot does not spread like a virus or worm. So it would not have been from an infected laptop and it would not have come across in an email. R-bot is mostly transferred by tftp when the person running the scanning portion of R-bot finds an exploit they can use. From lsass to dcom. They have it all. Yes, it may have come from someone inside the college, but all that takes is someone getting on a machine there and running the exe that has to be executed for r-bot to run. You can find the information in the r-bot exe or the suspected file and it will tell you what channels and what irc network the bot connects to. As to what to tell management, that's a hard one; as more exploits come out they will be added to the bots. Removing them can be difficult too, as you can make them install to whatever directory you want. Most AV will pick up r-bot and rx-bot unless they have changed the header, and that's not hard to do with compression. Some of these script kiddies actually leave it named r-bot. How pathetic is that?
Regards,
Matt Sowers
UAT Student Software Engineering Network Security
----- Original Message -----
From: Chris Norton <kicktd_list at hotmail.com>
To: Intrusions List (GCIA Practicals) <intrusions at lists.sans.org>
Sent: Tuesday, September 21, 2004 7:49 AM
Subject: Re: [Intrusions] Interesting little piece of malware...
> Further, what do I tell management ... when
> they want to know how it got on here in the first place?
Really, it would be hard to tell how it got on your computers there without
knowing the setup of your network (is everything behind a central firewall,
etc.). It's possible a student with an infected laptop connected to the
network and it spread that way, or maybe someone checked their email and got
it, etc. There are several ways for worms/viruses etc. to sneak past
firewalls; all it takes is a human "host" to carry them past.
As for how to clean it out, follow the instructions here for R-BOT:
http://www.sophos.com/virusinfo/analyses/w32rbotei.html
--
Chris Norton
UAT Student Software Engineering Network Defense
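Matt's point that the suspected exe itself reveals which IRC network and channels the bot joins is the usual first triage step: pull the printable strings out of the file and look for server names, channel names, IRC protocol verbs and the tftp fetch command. The script below is an added example for that check; it is not code from either poster, and the "binary" it scans is a constructed byte blob with made-up hostnames and channel names standing in for a real sample. The regexes are simple heuristics, not a signature for R-bot.

```python
import re

# Constructed stand-in for a suspected bot executable: a few bytes of header
# noise with embedded ASCII config strings. Every hostname/channel here is invented.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\x00\x01\x02kernel32.dll\x00\x00\x00"
    b"irc.example-constructed.net\x00\x00"
    b"6667\x00\x00"
    b"#constructed-botnet\x00\x00"
    b"tftp -i %s get %s\x00\x00"
    b"\x7f\x8e\x9f\x00\x00USER %s 0 0 :%s\x00\x00NICK %s\x00\x00JOIN %s\x00"
)

# Printable ASCII (space through tilde) plus tab, the same set `strings` defaults to.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}

# Heuristics for IRC-bot configuration material found in cleartext.
IRC_SERVER_RE = re.compile(r"^irc[\w-]*(?:\.[\w-]+)+$", re.IGNORECASE)
IRC_CHANNEL_RE = re.compile(r"^#[\w-]+$")
IRC_COMMAND_RE = re.compile(r"^(?:NICK|JOIN|USER|PASS|PRIVMSG|MODE)\s")
IRC_PORT_RE = re.compile(r"^(?:666[0-9]|6697|7000)$")
TRANSFER_RE = re.compile(r"\btftp\b", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Minimal re-implementation of `strings`: runs of printable ASCII >= min_len."""
    found, current = [], bytearray()
    for byte in data:
        if byte in PRINTABLE:
            current.append(byte)
            continue
        if len(current) >= min_len:
            found.append(current.decode("ascii"))
        current = bytearray()
    if len(current) >= min_len:  # flush a run that ends at EOF
        found.append(current.decode("ascii"))
    return found


def triage_indicators(data: bytes) -> dict:
    """Bucket extracted strings into the IRC/transfer indicators an analyst wants first."""
    result = {"irc_servers": [], "ports": [], "channels": [],
              "irc_commands": [], "transfer_cmds": []}
    for s in extract_strings(data):
        if IRC_SERVER_RE.match(s):
            result["irc_servers"].append(s)
        elif IRC_PORT_RE.match(s):
            result["ports"].append(s)
        elif IRC_CHANNEL_RE.match(s):
            result["channels"].append(s)
        elif IRC_COMMAND_RE.match(s):
            result["irc_commands"].append(s)
        elif TRANSFER_RE.search(s):
            result["transfer_cmds"].append(s)
    return result


if __name__ == "__main__":
    # Replace SAMPLE_BINARY with open(path, "rb").read() to scan a quarantined file.
    for bucket, items in triage_indicators(SAMPLE_BINARY).items():
        print(f"{bucket}: {items}")
```

Run against a quarantined copy, the server and channel buckets give you what to block at the egress firewall and what to search for in proxy/IDS logs; a packed sample (the "changed header with compression" Matt mentions) will yield little until it is unpacked, which is itself a useful signal.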
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions