Misplaced Pages

Spybot worm

Article snapshot taken from Wikipedia with creative commons attribution-sharealike license. Give it a read and then ask your questions in the chat. We can research this topic together.
Large computer worm family For the antispyware program, see Spybot Search & Destroy.

The Spybot worm is a large family of computer worms of varying characteristics. Although the actual number of versions is unknown, it is estimated to be well into the thousands. This briefly held the record for most variants, but has subsequently been surpassed by the Agobot family.

Common features

Spybot variants generally have several things in common:

  • The ability to spread via the P2P program KaZaA, often in addition to other such programs.
  • The ability to spread via at least vulnerability in the Windows operating system. Earlier versions mostly used the RPC DCOM buffer overflow, although now some use the LSASS buffer overflow.
  • The ability to spread via various common backdoor Trojan horses.
  • The ability to spread to systems with weak administrative passwords.

Recognition

Because there is no standard of detection nor classification for the Spybot family, there is also no standard naming convention. Because of this lack of standard naming conventions and because of common features, variants of the Spybot worm can often be confused with the Agobot and IRCBot family of worms. Most antivirus programs detect variants generically (e.g. W32/Spybot.worm), and identifying what specific Spybot variant is indicated is next to impossible except with the earliest or most common versions.

As a result of having so many variants, one antivirus company is often not able to recognize and remove all versions of the worm. The same applies to most antispyware software.

Denial of service attack

Early detection of the Spybot worm usually comes from network engineers detecting the Denial of Service attack generated when the worm tried to communicate back to various IRC channels.

Underground Uses

Hackers will occasionally use the worm to make easy-access programs for FTP & IRC channels

References

  1. Infosecurity 2008 Threat Analysis, page 16, ISBN 1-59749-224-8 ISBN 978-1-59749-224-9
  2. https://www.wsj.com/public/article_print/SB116900488955878543-yrMHYlacFyxijV14BxFZfXeU1_8_20070216.html How Legal Codes Can Hinder Hacker Cases
Category: