Analysis of ngrBot

From Botnets.fr

(Publication)

Botnet: Ngrbot, Dorkbot
Date: 4 Aug 2011
Editor/Conference: StopMalvertising
Link: http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html (Archive copy)
Author: Kimberly

Abstract

Today we will have a closer look at ngrBot, an IRC bot with rootkit capabilities. The core of ngrBot is an advanced ring3 (usermode) system-wide injection and hooking engine similar to ZeuS and SpyEye.

NgrBot will inject code into almost every running process on the computer and is able to terminate processes. It will install to the user’s Application Data folder under a randomly generated filename using the HDD serial number as the initial key. The bot is also able to block access to certain domains and redirect domains / IPs to others. It’s able to spread via USB devices and Windows Live Messenger. More recently ngrBot has been spotted on Facebook but also on Twitter, using the micro blogging service to spread itself.

Bibtex

 @misc{Kimberly2011BFR913,
   editor = {StopMalvertising},
   author = {Kimberly},
   title = {Analysis of ngrBot},
   date = {04},
   month = Aug,
   year = {2011},
   howpublished = {\url{http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html}},
 }