[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] A Chat With The NGR Bot

To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] A Chat With The NGR Bot
From: "Adam Behnke" <adam@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 13 Jun 2012 15:28:07 -0500

NGR Bot (also known as Dorkbot) was examined to be a user-mode rootkit that
could be remotely controlled via Internet-Relay-Chat (IRC) protocol. It was
designed with the intention to steal digital identity, perform denial of
service, and manipulate the domain name resolution.

It spreads via Recycler bin social engineering as well as by hooking into
via social networking sites.

This article aims to provide some technical insights of this NGR Bot V1.0.3
sample (MD5 “1CA4E2F3C8C327F8D823EB0E94896538″) on the following topics:

(1) Encryption & tampering detection mechanism
(2) Functionalities
(3) Hooking technique
(4) Architecture Set-up for communicating with this malware

To view the entire article, go here:
http://resources.infosecinstitute.com/ngr-rootkit/




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] A Chat With The NGR Bot
  - From: Alex Buie

Prev by Date: [Full-disclosure] CVE-2012-1661 - ESRI ArcMap arbitrary code execution via crafted map file.
Next by Date: Re: [Full-disclosure] A Chat With The NGR Bot
Previous by thread: [Full-disclosure] CVE-2012-1661 - ESRI ArcMap arbitrary code execution via crafted map file.
Next by thread: Re: [Full-disclosure] A Chat With The NGR Bot
Index(es):
- Date
- Thread