ALIASES:

Agobot

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

GAOBOT, also known as AGOBOT, is a family of Internet Relay Chat (IRC)-controlled backdoors. It has been around since 2008.

Primarily used for compromising systems, GAOBOT malware is also able to perform the following routines:

  • Download and execute programs

  • Launch DDoS attacks

  • Port scanning

GAOBOT has two routines that are used to avoid detection and removal:

  • HOSTS file modification - GAOBOT adds security sites to HOSTS file to redirect users to the other sites or the localhost

  • Security processes termination - GAOBOT terminates security-related processes that are found to be running on affected systems

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Connects to URLs/IPs, Terminates processes, Modifies HOSTS file

Installation

This backdoor drops the following copies of itself into the affected system:

  • %System%\msnmsngr.exe
  • %System%\lfxss.exe
  • %System%\msnms.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunServices
WINDOWS SYSTEM = "msnmsngr.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
WINDOWS SYSTEM = "msnmsngr.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunServices
BnCtest2 = "lfxss.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
BnCtest2 = "lfxss.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunServices
Update = "msnms.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Update = "msnms.exe"

Other System Modifications

This backdoor adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
OLE
BnCtest2 = "lfxss.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\lfxss.exe = "%System%\lfxss.exe:*:Enabled:lfxss"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\msnms.exe = "%System%\msnms.exe:*:Enabled:msnms

Other Details

This backdoor connects to the following possibly malicious URL:

  • bilal2.{BLOCKED}s.net
  • st0ned.{BLOCKED}on.com
  • n1gg4.{BLOCKED}u.net