Rbot variants are able to spread in a number of different ways. Propagation is launched manually through backdoor control, rather than happening automatically. Not all variants support all propagation mechanisms.
Each spreading method begins with scanning for target machines. The worm can generate random values for all or part of each IP address it targets. Each attack vector is associated with a particular TCP port.
Via network shares (TCP ports 139 and 445)
Via the LSASS buffer overflow vulnerability (TCP port 445)
Via the WebDAV vulnerability (TCP port 80)
Via the RPC message buffer overflow vulnerability (TCP ports 135, 445, 1025)
Via the RPCSS DCOM message buffer overflow vulnerability (TCP port 135)
Via exploiting weak passwords on MS SQL servers
Via the UPnP NOTIFY buffer overflow (TCP port 5000)
…
Rbot’s main function is to act as an IRC controlled backdoor. It attempts to connect to a predefined IRC server and join a specific channel so that the victim’s computer can be controlled. The IRC server, port number, channel and password differ with each variant.
Rbot also listens on TCP port 113 to provide ident services, which are required by some IRC servers.
Once the victim’s computer is under control, the overseer is able to instruct Win32.Rbot to attempt to perform malicious operations such as spreading via administrative shares with weak passwords or the DCOM RPC exploit.
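The per-port scanning behaviour described above is something a defender can look for in connection logs. The following is an added detection example, not code from the original description or from any vendor product: it maps the propagation ports listed above to their vectors and flags any internal host that fans out to many distinct destinations on those ports. The flow-record format, the sample log lines and the alert threshold are constructed assumptions.

```python
# Added example (not from the original description): flag hosts whose outbound
# connection attempts look like Rbot-style propagation scanning, using the
# port-to-vector mapping given above. Log format and sample lines are constructed.
from collections import defaultdict

# Destination port -> propagation vector named in the description above.
RBOT_VECTORS = {
    139: "network shares", 445: "network shares / LSASS / RPC",
    80: "WebDAV", 135: "RPC / RPCSS DCOM", 1025: "RPC", 5000: "UPnP NOTIFY",
}
SCAN_THRESHOLD = 8  # distinct destinations on Rbot ports before alerting (assumption)

def parse_line(line):
    """Parse a constructed 'ts src dst port' flow record into (src, dst, port)."""
    _ts, src, dst, port = line.split()
    return src, dst, int(port)

def find_scanners(lines, threshold=SCAN_THRESHOLD):
    """Return {src: {"targets": n, "vectors": [...]}} for every source that
    reaches at least `threshold` distinct destinations on Rbot propagation ports."""
    targets = defaultdict(set)
    ports = defaultdict(set)
    for line in lines:
        src, dst, port = parse_line(line)
        if port in RBOT_VECTORS:
            targets[src].add(dst)
            ports[src].add(port)
    return {
        src: {"targets": len(dsts),
              "vectors": sorted({RBOT_VECTORS[p] for p in ports[src]})}
        for src, dsts in targets.items() if len(dsts) >= threshold
    }

# Constructed sample: 10.0.0.5 fans out to random hosts on 445 and 135 (the
# network-share and DCOM RPC vectors); 10.0.0.9 makes two ordinary connections.
SAMPLE_LOG = [
    f"1700000000 10.0.0.5 198.51.100.{i} 445" for i in range(1, 7)
] + [
    f"1700000001 10.0.0.5 203.0.113.{i} 135" for i in range(10, 14)
] + [
    "1700000002 10.0.0.9 10.0.0.20 445",
    "1700000003 10.0.0.9 10.0.0.21 80",
]

if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['targets']} targets via {', '.join(info['vectors'])}")
```

In a real deployment the same logic would run over firewall or NetFlow exports rather than the constructed list, and the threshold would be tuned to the site's normal SMB and RPC traffic.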