Analysis of ngrBot
(Publication)
Field | Value |
---|---|
Botnet | Ngrbot, Dorkbot |
Date | 2011 / 4 Aug 2011 |
Editor/Conference | StopMalvertising |
Link | http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html (Archive copy) |
Author | Kimberly |
Abstract
“Today we will have a closer look at ngrBot, an IRC bot with rootkit capabilities. The core of ngrBot is an advanced ring-3 (user-mode) system-wide injection and hooking engine similar to ZeuS and SpyEye.
NgrBot will inject code into almost every running process on the computer and is able to terminate processes. It will install to the user’s Application Data folder under a randomly generated filename, using the HDD serial number as the initial key.
The bot is also able to block access to certain domains and redirect domains/IPs to others.
It’s able to spread via USB devices and Windows Live Messenger. More recently ngrBot has been spotted on Facebook and also on Twitter, using the microblogging service to spread itself.”
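The abstract's central claim is that ngrBot is built on a ring-3 injection-and-hooking engine of the ZeuS/SpyEye kind, and that its domain blocking and redirection ride on that engine. The check an incident responder wants in that situation is not a signature but a hook scan: compare the first bytes of sensitive exports (the socket and DNS APIs are the natural place for domain blocking) as mapped in a live process against the same bytes from the DLL on disk, decode any redirect stub, and ask which module owns the target. A stub that lands in memory backed by no loaded module is the footprint of injected code. The following is an added example written for this entry; it is not code from the StopMalvertising analysis or from the bot. It assumes the hooks are the usual 32-bit inline `jmp rel32` or `push addr; ret` stubs (the page does not say how the engine patches), and all module names, addresses and byte strings are constructed stand-ins, not values observed in a sample. A real scan would feed `inspect_prologue` with bytes read via `ReadProcessMemory` and the module list from `EnumProcessModules`; that plumbing is left out so the logic runs offline.

```python
"""Ring-3 inline-hook triage: in-memory prologue vs. on-disk prologue.

Added example for the ngrBot entry. Assumes 32-bit jmp-rel32 / push-ret stubs;
every address, module and byte string below is constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Module:
    """A loaded image in the inspected process (name, base address, size)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def decode_jump_target(code: bytes, address: int) -> Optional[int]:
    """Decode the two redirect stubs commonly written over a hooked prologue on
    32-bit Windows: E9 rel32 (jmp, relative to the next instruction) and
    68 imm32 / C3 (push addr; ret). Returns the absolute target or None."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return (address + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0]
    return None


def owning_module(addr: int, modules: Iterable[Module]) -> Optional[Module]:
    """Return the loaded module whose mapped range covers addr, if any."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def inspect_prologue(func: str, address: int, in_memory: bytes,
                     on_disk: bytes, modules: Iterable[Module]) -> dict:
    """Compare an export's first bytes as mapped in the process with the bytes
    of the same export in the DLL on disk. A mismatch whose stub jumps into
    memory owned by no module is the tell-tale of an injection engine: the
    trampoline lives in a private allocation the bot wrote into the process.
    A jump into another legitimate module is still a hook (AV and EDR products
    do this) and is reported with lower confidence."""
    n = min(len(in_memory), len(on_disk))
    result = {"function": func, "hooked": False, "target": None,
              "target_module": None, "verdict": "clean"}
    if in_memory[:n] == on_disk[:n]:
        return result
    result["hooked"] = True
    target = decode_jump_target(in_memory, address)
    result["target"] = target
    if target is None:
        result["verdict"] = "patched (unrecognised stub)"
        return result
    owner = owning_module(target, modules)
    if owner is None:
        result["verdict"] = "redirected to unbacked memory"
    else:
        result["target_module"] = owner.name
        result["verdict"] = f"redirected into {owner.name}"
    return result


# ---- Constructed sample process (illustrative addresses, not from a sample) ----
MODULES = [Module("ws2_32.dll", 0x71AB0000, 0x17000),
           Module("kernel32.dll", 0x7C800000, 0xF6000)]
INJECTED_STUB = 0x00A30010            # assumed private allocation, no backing image

# Typical hot-patchable prologue: mov edi,edi; push ebp; mov ebp,esp; sub esp,10h
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC83EC10")

CONNECT_ADDR = 0x71AB4A07             # assumed address of ws2_32!connect
CONNECT_HOOKED = (b"\xE9" + struct.pack("<i", INJECTED_STUB - (CONNECT_ADDR + 5))
                  + CLEAN_PROLOGUE[5:])

CREATEPROC_ADDR = 0x7C802367          # assumed address of kernel32!CreateProcessA
LEGIT_DETOUR = 0x7C801234             # assumed detour that stays inside kernel32
CREATEPROC_PATCHED = b"\x68" + struct.pack("<I", LEGIT_DETOUR) + b"\xC3" + CLEAN_PROLOGUE[6:]

GETHOST_ADDR = 0x71AB5355             # assumed address of ws2_32!gethostbyname, untouched


def scan_sample() -> List[dict]:
    """Run the check over the three constructed exports and return the verdicts."""
    return [
        inspect_prologue("ws2_32!connect", CONNECT_ADDR, CONNECT_HOOKED, CLEAN_PROLOGUE, MODULES),
        inspect_prologue("kernel32!CreateProcessA", CREATEPROC_ADDR, CREATEPROC_PATCHED, CLEAN_PROLOGUE, MODULES),
        inspect_prologue("ws2_32!gethostbyname", GETHOST_ADDR, CLEAN_PROLOGUE, CLEAN_PROLOGUE, MODULES),
    ]


if __name__ == "__main__":
    for r in scan_sample():
        tgt = f"{r['target']:#010x}" if r["target"] is not None else "-"
        print(f"{r['function']:<28} hooked={r['hooked']!s:<5} target={tgt:<12} {r['verdict']}")
```

The on-disk bytes must come from the file that backs the mapping (after applying relocations if the image was not loaded at its preferred base), otherwise every export looks patched; and a prologue that matches can still be hooked further in, or via the IAT or EAT, so this check is a first pass, not a clean bill of health.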
Bibtex
```bibtex
@misc{2011BFR913,
  editor       = {StopMalvertising},
  author       = {Kimberly},
  title        = {Analysis of ngrBot},
  date         = {04},
  month        = Aug,
  year         = {2011},
  howpublished = {\url{http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html}},
}
```