W32/SDBot.IK!worm

Analysis


Specifics
The SDBot family of viruses share technical characteristics, such as the ability to copy themselves to systems across a network, communicate with hard-coded IRC servers and receive command instructions. Some variants carry a service/application termination payload, and most if not all load at Windows startup via a registry key entry.
This variant may exist under the following file names on a compromised system -
cool.exe
cool2.exe
syslog32.exe
wnetmgr.exe
This variant contains code to function as an FTP server; this functionality allows the virus to be retrieved from a targeted system by way of FTP file transfer. The virus binds to TCP port 10051.
This variant, as with others, attempts to locate available systems across a LAN/WAN. For each system found, the virus uses a dictionary attack to log on to the system. If access is obtained, the virus copies itself to that system. In addition, it may create an FTP script and then attempt to connect to an FTP server named
maniacu2.homeftp.net
After connecting with a hard-coded login name and password, the virus attempts to download a file "cool2.exe" and then run it. In this way, the virus can potentially update itself, or run any arbitrary program, once it has installed itself on a host.

Recommended Action

  • Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, create a service named "SDBot" for TCP port 10051, then deny access to this service for Internal => External and External => Internal
  • Using the FortiGate manager, add this server name to the list of URLs to block -
    maniacu2.homeftp.net
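The network and file-name indicators above (TCP port 10051, the hard-coded FTP host, and the four file names) can be checked against existing logs while the FortiGate rules are being put in place. The following script is an added example, not code from Fortinet or from this advisory; the firewall and process-creation log lines it scans are constructed samples in an assumed, deliberately simple format, so adapt the parser to your own log source.

```python
import re
from pathlib import PureWindowsPath

# Indicators stated in the advisory above.
SDBOT_FILENAMES = {"cool.exe", "cool2.exe", "syslog32.exe", "wnetmgr.exe"}
SDBOT_FTP_PORT = 10051
SDBOT_UPDATE_HOST = "maniacu2.homeftp.net"

# Constructed sample firewall lines (not real telemetry), assumed format:
# timestamp action src dst:port proto [resolved destination hostname]
SAMPLE_FW_LOG = """\
2004-03-01T10:00:01 allow 10.0.0.5 10.0.0.9:445 tcp
2004-03-01T10:00:02 allow 10.0.0.9 10.0.0.5:10051 tcp
2004-03-01T10:00:03 allow 10.0.0.5 198.51.100.20:21 tcp maniacu2.homeftp.net
2004-03-01T10:00:04 allow 10.0.0.7 10.0.0.8:80 tcp
"""
# Constructed process-creation lines, assumed format: host image_path
SAMPLE_PROC_LOG = """\
host-a C:\\WINDOWS\\system32\\svchost.exe
host-b C:\\WINDOWS\\system32\\syslog32.exe
host-c C:\\WINDOWS\\cool2.exe
host-d C:\\WINDOWS\\explorer.exe
"""
FW_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) "
    r"(?P<proto>\S+)(?: (?P<host>\S+))?$"
)

def scan_firewall_log(text):
    """Return (timestamp, src, reason) for lines matching the network indicators."""
    hits = []
    for line in text.splitlines():
        m = FW_LINE.match(line)
        if not m:
            continue  # skip unparseable lines instead of silently mis-matching
        if m["proto"] == "tcp" and int(m["port"]) == SDBOT_FTP_PORT:
            hits.append((m["ts"], m["src"], "connection to SDBot FTP port 10051"))
        if m["host"] and m["host"].lower() == SDBOT_UPDATE_HOST:
            hits.append((m["ts"], m["src"], "contact with update server " + SDBOT_UPDATE_HOST))
    return hits

def scan_process_log(text):
    """Return (host, image) for processes whose file name is one the worm uses.
    A name match alone is a weak signal; confirm with an AV scan of the file."""
    hits = []
    for line in text.splitlines():
        host, _, image = line.partition(" ")
        if PureWindowsPath(image).name.lower() in SDBOT_FILENAMES:
            hits.append((host, image))
    return hits
```

A host that both listens on TCP 10051 and runs one of the listed file names is a much stronger indication than either signal on its own.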

Telemetry

Detection Availability

FortiClient                 Extreme
FortiMail                   Extreme
FortiSandbox                Extreme
FortiWeb                    Extreme
Web Application Firewall    Extreme
FortiIsolator               Extreme
FortiDeceptor               Extreme
FortiEDR