Profile: The Agobot

It’s not entirely clear which virus or worm corrupted the machines used in a large-scale distributed denial-of-service attack against Akamai last June. But the attackers did follow a pattern consistent with the Agobot/Phatbot family, which consists of dozens of variants on a worm called Agobot that was created in northern Europe in the late 1990s.

Here’s how it works:

Name: Agobot

Description: When launched on a victim’s computer, Agobot installs a back door that lets the attacker control the machine by issuing commands over Internet Relay Chat (IRC). The Agobot code includes functions that make the bot join specific IRC channels and check them for instructions.

Variants: Win32/Agobot, Backdoor.Agobot.3.gen, W32.agobot.VQ, W32.gaobot.gen!poly, and dozens of others. The source code is widely available on illegal software servers known as Warez sites; new variants are popping up all the time.

Method of propagation: Agobot can arrive as an e-mail attachment, through a file transfer in instant messaging, or directly across the network by exploiting remote procedure calls, Universal Plug and Play directives, buffer overflows and other security vulnerabilities in Windows systems. When it’s launched, it copies itself into the system directory and writes Registry keys that let it keep running unhindered. Once established, it tries to copy itself to any machine connected to the original victim. Some variants try to guess user names and passwords on remote systems so they can spread to password-protected machines on the network.

Payload: Once established, some versions try to terminate antivirus software processes and prevent them from running again. Using Agobot, the attacker can load new files or programs onto the corrupted computer, delete files, perform DNS lookups to determine the machine’s position on the network, and perform other functions. Attackers can remotely control any applications they install through Agobot, including applications designed to send thousands of bogus page requests to a targeted server.

Cooperation: Using commands transmitted via IRC, the attacker can control a virtually unlimited number of corrupted machines.

How to Stop It: Identify the sources of the attack and block access to those addresses. Keep virus protection software updated and running at all times. Keep firewall software up to date and properly configured.
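The "Cooperation" and "How to Stop It" entries above describe the one trait a defender can look for on the wire: many internal machines joining the same outside IRC server. The following is an added example, not code from the article or from Computer Associates; it parses constructed firewall connection-log lines (the log format, the IRC port list and the 10.0.0.0/8 internal range are all assumptions for the example) and flags servers that several internal hosts contact on IRC ports, then emits egress block rules for them.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log (not from the article or any real incident).
SAMPLE_LOG = """\
2004-06-15T10:01:02 ALLOW TCP 10.0.1.15:49152 -> 203.0.113.7:6667
2004-06-15T10:01:05 ALLOW TCP 10.0.1.22:49201 -> 203.0.113.7:6667
2004-06-15T10:01:09 ALLOW TCP 10.0.1.31:49310 -> 203.0.113.7:6667
2004-06-15T10:02:11 ALLOW TCP 10.0.1.15:49160 -> 198.51.100.9:80
2004-06-15T10:02:40 ALLOW TCP 10.0.2.5:50000 -> 203.0.113.7:6667
2004-06-15T10:03:00 ALLOW TCP 10.0.3.8:50100 -> 192.0.2.44:6667
2004-06-15T10:03:30 ALLOW TCP 10.0.3.8:50101 -> 203.0.113.7:6667
"""

IRC_PORTS = {6666, 6667, 6668, 6669, 7000}            # assumed IRC server ports
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed site address range

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"])

def find_irc_herds(log_text, min_hosts=3):
    """Map each external IRC server to the internal hosts that connected to it,
    keeping only servers contacted by at least `min_hosts` distinct internal machines.
    A single user chatting looks like one host; a bot herd looks like many."""
    clients = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec
        if dport in IRC_PORTS and is_internal(src) and not is_internal(dst):
            clients[dst].add(src)
    return {srv: sorted(hosts, key=ipaddress.ip_address)
            for srv, hosts in clients.items() if len(hosts) >= min_hosts}

def block_rules(herds):
    """Egress block rules (iptables syntax) for every flagged control server."""
    return [f"iptables -A FORWARD -d {srv} -j DROP" for srv in sorted(herds)]

if __name__ == "__main__":
    herds = find_irc_herds(SAMPLE_LOG)
    for srv, hosts in herds.items():
        print(f"{srv}: {len(hosts)} internal hosts -> {', '.join(hosts)}")
    print("\n".join(block_rules(herds)))
```

The flagged internal hosts are the machines to clean; the flagged server is the address to cut off, which severs the attacker's command channel for every bot at once.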

Source: Computer Associates Virus Information Center (http://www3.ca.com/securityadvisor/virusinfo)