A chat with NGR Bot

From Botnets.fr


Botnet: Dorkbot
C&C protocol: IRC
Date: 2012-06-13
Editor/Conference: InfoSec Institute
Link: http://resources.infosecinstitute.com/ngr-rootkit/ (archive copy)
Author: Chong Rong Hwa

Abstract

NGR Bot (also known as Dorkbot) was found to be a user-mode rootkit that can be remotely controlled over the Internet Relay Chat (IRC) protocol. It was designed to steal digital identities, perform denial of service, and manipulate domain name resolution (see the article's impact-analysis figure). This article aims to provide technical insights into an NGR Bot v1.0.3 sample (MD5 1CA4E2F3C8C327F8D823EB0E94896538) on the following topics: (1) the encryption and tamper-detection mechanism, (2) functionalities, (3) the hooking technique, and (4) the architecture set-up for communicating with the malware.

Bibtex

 @misc{2012BFR1039,
   editor = {InfoSec Institute},
   author = {Chong Rong Hwa},
   title = {A chat with NGR Bot},
   day = {13},
   month = jun,
   year = {2012},
   howpublished = {\url{http://resources.infosecinstitute.com/ngr-rootkit/}},
 }