Worms versus Bots

Rob Thomas robt at cymru.com
Mon May 3 20:09:33 UTC 2004

Hi, NANOGers.

] Just because a machine has a bot/worm/virus that didn't come with a
] rootkit, doesn't mean that someone else hasn't had their way with it.
A growing trend in the "0wnage" category is the installation of
multiple bots on a single host.  This isn't intentional, but a
result of the multiple infection vectors bots employ.  Bot01
goes after open Win2K shares (TCP 445), and Bot02 comes along
and enters through Kuang2 (TCP 17300).

One of the more popular bots has at least 13 distinct scan and
sploit methods.  WebDav, NetBios, MSSQL, Beagle, Kuang2, and
the list goes on.

The record I've seen thus far was a host with 14 distinct and
active bots on it.  I'm guessing the LEDs on that cable modem
never blinked.

One bot, Coldlife, actually took advantage of this trend.  It
would hunt for certain bot configuration files on the host it
infected, and report the contents to the Coldlife botherd.
Ka-ching, another botnet stolen.  Things have evolved in a
distributed manner from this feature.

Rob Thomas
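Added example, not part of Rob Thomas's post: a small detection script that reads inbound flow records and flags hosts that have accepted connections on several distinct bot entry vectors, the multi-infection pattern the post describes. The port-to-vector mapping is an assumption on my part: TCP 445 (Win2K shares) and TCP 17300 (Kuang2) are the two ports named in the post; 1433 for MSSQL and 139 for NetBIOS are the standard service ports for the other vectors it names. The flow log format and the sample records are constructed for the example.

```python
"""Flag hosts that show accepted inbound flows on several distinct bot entry vectors.

Added example (not from the original post). The port-to-vector mapping is an
assumption: 445 and 17300 come from the post, 1433 (MSSQL) and 139 (NetBIOS)
are the standard service ports; the flow log format below is constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Service ports tied to the infection vectors named in the post.
# 445 (Win2K shares) and 17300 (Kuang2) are from the post; 1433 and 139 are
# assumed standard ports for MSSQL and NetBIOS.
ENTRY_VECTORS: Dict[int, str] = {
    445: "smb-shares",
    17300: "kuang2",
    1433: "mssql",
    139: "netbios",
}

# Constructed flow records: "epoch src_ip dst_ip dst_port proto state"
SAMPLE_FLOWS = """\
1083614400 10.0.5.17 192.0.2.10 445 tcp accepted
1083614405 10.0.5.17 192.0.2.10 445 tcp accepted
1083614700 198.51.100.9 192.0.2.10 17300 tcp accepted
1083615000 203.0.113.4 192.0.2.10 1433 tcp accepted
1083615100 10.0.5.17 192.0.2.11 445 tcp accepted
1083615200 198.51.100.9 192.0.2.11 17300 tcp refused
1083615300 203.0.113.4 192.0.2.12 80 tcp accepted
1083615400 192.0.2.12 192.0.2.13 139 tcp accepted
"""


def parse_flows(text: str) -> List[dict]:
    """Parse the constructed flow format; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, dport, proto, state = parts
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto, "state": state})
    return flows


def vectors_per_host(flows: List[dict],
                     vectors: Dict[int, str] = ENTRY_VECTORS) -> Dict[str, Set[str]]:
    """Map each destination host to the set of entry vectors it accepted.

    Only accepted TCP flows count: a refused connection on a bot port is a scan,
    not evidence that the host is open on that vector.
    """
    seen: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f["proto"] != "tcp" or f["state"] != "accepted":
            continue
        name = vectors.get(f["dport"])
        if name:
            seen[f["dst"]].add(name)
    return dict(seen)


def flag_multi_vector_hosts(flows: List[dict], min_vectors: int = 2,
                            vectors: Dict[int, str] = ENTRY_VECTORS) -> Dict[str, List[str]]:
    """Hosts with accepted inbound flows on at least min_vectors distinct vectors.

    One open vector is a single exposure; two or more on the same host is the
    multi-bot pattern worth a closer look (and a rebuild rather than a cleanup).
    """
    return {host: sorted(v)
            for host, v in vectors_per_host(flows, vectors).items()
            if len(v) >= min_vectors}


if __name__ == "__main__":
    flagged = flag_multi_vector_hosts(parse_flows(SAMPLE_FLOWS))
    for host, vecs in flagged.items():
        print(f"{host}: {len(vecs)} distinct entry vectors: {', '.join(vecs)}")
```

In the constructed sample, 192.0.2.10 accepts flows on three of the mapped ports and is flagged; 192.0.2.11 only ever accepted SMB (the Kuang2 attempt was refused) and is not, which is the distinction between a host being scanned and a host that is reachable on multiple bot entry points.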
