W32/SDBot.IK!worm
Analysis
Specifics
Members of the SDBot family of viruses share common technical traits, such as the ability to copy themselves to systems across a network, communicate with hard-coded IRC servers and receive command instructions. Some variants carry a service/application termination payload, and most if not all load at Windows startup via a registry key entry.
This variant may exist under the following file names on a compromised system:
cool.exe
cool2.exe
syslog32.exe
wnetmgr.exe
This variant contains code to function as an FTP server; this functionality allows the virus to be retrieved from a targeted system by way of FTP file transfer. The virus binds to TCP port 10051.
This variant, as with others, attempts to locate available systems across a network (LAN/WAN). For every system found, the virus uses a dictionary attack to log on to the system. If access is gained, the virus copies itself to that system. In addition, it may create an FTP script and then attempt to connect to an FTP server named
maniacu2.homeftp.net
After connecting using a hard-coded login name and password, the virus attempts to download a file "cool2.exe" and then run it. In this way the virus can potentially update itself, or run any arbitrary program, once it has installed itself on a host.
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
- Using the FortiGate manager, create a service named "SDBot" as TCP port 10051, then deny access to this service for Internal => External and External => Internal
- Using the FortiGate manager, add this server name to the list of URLs to block -
maniacu2.homeftp.net
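To complement the FortiGate blocking steps above, the following host triage script (an added example, not part of this entry) checks a file listing, netstat output and proxy/firewall log lines against the indicators stated in the Specifics section: the four drop file names, the TCP port 10051 listener and the hard-coded update host. The sample inputs are constructed for illustration.

```python
"""Host triage for the W32/SDBot.IK!worm indicators described above.
Indicator values come from the entry; sample inputs below are constructed."""
import re

SDBOT_FILENAMES = {"cool.exe", "cool2.exe", "syslog32.exe", "wnetmgr.exe"}
SDBOT_FTP_PORT = 10051                        # port the variant's FTP server binds to
SDBOT_UPDATE_HOST = "maniacu2.homeftp.net"    # hard-coded update server
# Matches a Windows "netstat -ano" line, e.g.
#   TCP    0.0.0.0:10051    0.0.0.0:0    LISTENING    1234
LISTENER_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING(?:\s+(\d+))?", re.I)

def check_filenames(paths):
    """Return the paths whose base name is one of the variant's drop names."""
    return [p for p in paths
            if p.replace("\\", "/").rsplit("/", 1)[-1].lower() in SDBOT_FILENAMES]

def check_listeners(netstat_lines):
    """Return (line, pid) for each TCP listener bound to the variant's FTP port."""
    hits = []
    for line in netstat_lines:
        m = LISTENER_RE.match(line)
        if m and int(m.group(1)) == SDBOT_FTP_PORT:
            hits.append((line.strip(), m.group(2)))
    return hits

def check_update_host(log_lines):
    """Return DNS/proxy/firewall log lines that reference the update host."""
    return [line for line in log_lines if SDBOT_UPDATE_HOST in line.lower()]

def triage(paths, netstat_lines, log_lines):
    """Run all checks; any non-empty value warrants a closer look at the host."""
    return {"files": check_filenames(paths),
            "listeners": check_listeners(netstat_lines),
            "update_host": check_update_host(log_lines)}

# Constructed sample input: one hit per category plus benign noise.
SAMPLE_PATHS = [r"C:\Windows\System32\wnetmgr.exe", r"C:\Windows\notepad.exe"]
SAMPLE_NETSTAT = ["  TCP    0.0.0.0:445      0.0.0.0:0    LISTENING    4",
                  "  TCP    0.0.0.0:10051    0.0.0.0:0    LISTENING    1337"]
SAMPLE_LOGS = ["2004-01-01 10:00:01 192.0.2.10 GET http://example.com/ 200",
               "2004-01-01 10:00:05 192.0.2.10 CONNECT maniacu2.homeftp.net:21 DENIED"]

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS, SAMPLE_NETSTAT, SAMPLE_LOGS))
```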
Telemetry
Detection Availability
Product | Detection Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |