
W32 Deloder Worm: The Building of an Army

Deloder is one of the variants of a bot family that is popular these days, very much like Rbot and SDBot.

The recent rash of Internet worms has produced an army of hundreds of thousands of compromised machines that could ultimately be used to launch a massive distributed-denial-of-service attack at any time. These worms allow intruders to remotely control infected computers from one central computer. Officials at the CERT® Coordination Center said the organization is monitoring at least five large networks of compromised machines installed with so-called bots.

The bots connect compromised PCs or servers to Internet Relay Chat servers, which attackers commonly use to execute commands on the remote systems. At least one of these networks is an army of more than 100,000 machines and there are indications that these networks are being used for attacks. Whether the army is used today or held in reserve to be used at some future date for an attack doesn't really matter. The potential is there for them to cause serious long-term damage.

In addition to the IRC Trojan, computers compromised by the Deloder worm have an additional backdoor which is typically used for network administration. This tool allows the attacker to remotely control the compromised system or spy on every single keystroke. Deloder installs the administration tool with the same password for all systems so that amateur attackers can utilize these compromised systems.

Contributing to the overall problem is the poor security posture of many computer owners with shared resources and broadband Internet access. Deloder and many other recent worms spread by exploiting weak or null passwords used to protect shared network drives and folders.

This paper is a review of the Deloder worm and discusses the vulnerabilities associated with port 445/tcp (Microsoft-ds). The paper has suggestions on how to prevent being a victim of this attack and discusses some techniques for detecting attacks associated with port 445/tcp.

Source: W32 Deloder Worm: The Building of an Army, by Vance Stone.
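The abstract above says the paper discusses techniques for detecting attacks associated with port 445/tcp but does not reproduce them. The following is an added example, not code from the paper or from Vance Stone, showing one such technique a defender can run over perimeter firewall logs: a host that attempts SMB (445/tcp) connections to many distinct neighbours in a short span looks like a worm sweeping for open shares, whereas a host that talks repeatedly to a single file server does not. The log line format and all sample records are constructed for this example; the threshold of five distinct targets is an assumption to tune for your network.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example, not the paper's):
# "<timestamp> <ALLOW|DENY> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

SMB_PORT = 445  # Microsoft-ds, the port Deloder spreads over


def parse_line(line):
    """Return a dict of fields for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_smb_scanners(lines, threshold=5):
    """Map each source IP to the number of distinct hosts it tried on 445/tcp,
    keeping only sources at or above `threshold` (assumed default).
    Repeated connections to one file server count once, so ordinary SMB use
    does not trip the rule; a sweep across many addresses does."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != SMB_PORT:
            continue  # skip garbage lines and non-SMB traffic
        targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


# Constructed sample log: 10.0.0.5 sweeps eight neighbours on 445/tcp,
# 10.0.0.9 talks to one file server twice, 10.0.0.7 uses port 80,
# and one line is not a firewall record at all.
SAMPLE_LOG = "\n".join(
    [f"2005-07-22T10:00:{i:02d} DENY TCP 10.0.0.5:{3000 + i} -> 10.0.1.{i}:445"
     for i in range(1, 9)]
    + [
        "2005-07-22T10:01:00 ALLOW TCP 10.0.0.9:4100 -> 10.0.1.50:445",
        "2005-07-22T10:01:05 ALLOW TCP 10.0.0.9:4101 -> 10.0.1.50:445",
        "2005-07-22T10:01:10 ALLOW TCP 10.0.0.7:4200 -> 10.0.1.3:80",
        "this line is not a firewall record",
    ]
)

if __name__ == "__main__":
    for src, n in find_smb_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src} attempted 445/tcp to {n} distinct hosts")
```

On the constructed sample only 10.0.0.5 is reported. Counting distinct destinations rather than raw connection attempts is what keeps a busy but legitimate client out of the result; in production the same rule would be applied per time window so that a slow sweep spread over a day is still caught.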

July 22, 2005 in new worms, papers
