{{Short description|Family of botnet computer worms}}
'''Agobot''', also frequently known as '''Gaobot''', is a family of [[computer worm]]s. Axel "Ago" Gembe, a German programmer also known for leaking [[Half-Life 2]] a year before release, was responsible for writing the first version.<ref>Infosecurity 2008 Threat Analysis, page 16, {{ISBN|1-59749-224-8}} {{ISBN|978-1-59749-224-9}}</ref><ref>[https://www.wsj.com/public/article_print/SB116900488955878543-yrMHYlacFyxijV14BxFZfXeU1_8_20070216.html How Legal Codes Can Hinder Hacker Cases]</ref><ref>{{Cite web |title=Home |url=https://education.wsj.com/ |access-date=2023-03-10 |website=The Face of Real News - WSJ Education |language=en}}</ref> The Agobot source code describes it as "a modular IRC bot for Win32 / Linux". Agobot was released under version 2 of the [[GNU General Public License]]. Agobot is a multi-threaded and mostly object-oriented program written in [[C++]] with a small amount of [[Assembly language|assembly]]. Agobot is an example of a [[Botnet]] that requires little or no programming knowledge to use.

==Technical details==
New versions, or variants, of the worm appeared so rapidly that the Agobot family quickly grew larger than other bot families. Other bots in the Agobot family include Phatbot and Forbot. Agobot now has several thousand known variants. The majority of these target the [[Microsoft Windows]] platform; as a result, the vast majority of the variants are not [[Linux]] compatible. Modern Agobot strains were most likely built with [[Visual Studio]] due to their reliance on Visual Studio's SDK and Processor Pack. An infectious Agobot can vary in size but is typically around 12 to 500 [[kilobytes]] depending on features, compiler optimizations, and binary modifications.

A module written for one member of the Agobot family can usually be ported with ease to another bot. This mixing and matching of modules to suit the owner's needs has inspired many of the worm's variants.

Most Agobots have the following features:
* Password-protected IRC client control interface
* Remotely update and remove the installed bot
* Execute programs and commands
* [[Port scanner]] used to find and infect other hosts
* [[DDoS]] attacks used to take down networks

The Agobot may contain other features such as:
* [[Packet sniffer]]
* [[Keylogger]]
* [[Polymorphic code]]
* [[Rootkit]] installer
* Information harvesting
** Email addresses
** Software product keys
** Passwords
* [[SMTP]] client
** Spam
** Spreading copies of itself
* [[HTTP]] client
** Click fraud
** DDoS attacks

==Spreading==
The following propagation methods are sub-modules of the port scanning engine:
* [https://web.archive.org/web/20050225010955/http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx MS03-026] [[Remote procedure call|RPC]] [[Distributed Component Object Model|DCOM]] Remote Buffer Overflow (CVE-2003-0352)
* [http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx MS04-011] [[Local Security Authority Subsystem Service|LSASS]] Remote Buffer Overflow (CVE-2003-0533)
* [http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx MS05-039] [[Plug and Play]] Remote Buffer Overflow (CVE-2005-1983)
* Attempts to hijack common [[Trojan horse (computing)|Trojan horses]] that accept incoming connections via an open port.
* The ability to spread to systems by brute-forcing a login. Good examples are Telnet and Microsoft's [[Server Message Block]].

Generally, it has been observed that every custom-modified variant of Agobot features a selection of the above methods as well as some "homebrew" modules, which essentially are released exploits ported to its code.

Names and such can be added via the XML files to produce variable shuffle imports.

== Variants ==
===Gaobot.ee===
Gaobot.ee is a variant of Agobot. It is also known as W32.HLLW.Gaobot.EE.
It is a malicious [[computer worm]] that tends to come from the [[Peer-to-peer|P2P]] network Ares, installing from its virus form, ''Ares.exe''. It has rather odd characteristics for a virus, with the unique ability to [[download]] and install random files (perhaps to create more sharers) from its members, such as [[music]], [[pornography]], and even full [[game]]s. Gaobot.ee is a worm that sends large numbers of [[E-mail spam|unsolicited e-mails]] using its own [[Simple Mail Transfer Protocol|SMTP]] engine. This worm also opens a backdoor on a random [[Transmission Control Protocol|TCP]] port, notifies attackers through a predetermined [[Internet Relay Chat|IRC]] channel, and attempts to terminate various security products and system monitoring tools.

Its security level is low, and it does hardly any damage to a computer. However, it has been reported to download and install spyware, more viruses, trojans, and worms, although this has not yet been officially proven.<ref>{{Cite web |url=http://www.symantec.com/security_response/writeup.jsp?docid=2003-121116-2134-99 |archive-url=https://web.archive.org/web/20070105071309/http://www.symantec.com/security_response/writeup.jsp?docid=2003-121116-2134-99 |url-status=dead |archive-date=January 5, 2007 |title=W32.HLLW.Gaobot.EE |website=Symantec Security Response/ W32.HLLW.Gaobot.EE |publisher=Symantec}}</ref>

== References ==
{{reflist}}

== External links ==
* [https://web.archive.org/web/20070510211558/http://www.symantec.com/security_response/writeup.jsp?docid=2004-051816-5418-99 W32.Gaobot.DX Symantec] Retrieved 2007-06-18
* [https://web.archive.org/web/20090517064918/http://www.symantec.com/security_response/writeup.jsp?docid=2005-012609-1021-99&tabid=2 W32.Gaobot.CEZ Symantec] Retrieved 2007-06-18

[[Category:Computer worms]]
[[Category:Hacking in the 2000s]]