From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):
… some of the more widespread and well-known bots.
- Agobot/Phatbot/Forbot/XtremBot
… best known bot. … more than 500 known different versions of Agobot … written in C++ with cross-platform capabilities and the source code is put under the GPL. … structured in a very modular way, and it is very easy to add commands or scanners for other vulnerabilities … uses libpcap (a packet sniffing library) and Perl Compatible Regular Expressions (PCRE) to sniff and sort traffic. … can use NTFS Alternate Data Stream (ADS) and offers Rootkit capabilities like file and process hiding to hide it’s own presence … reverse engineering this malware is harder since it includes functions to detect debuggers (e.g. SoftICE and OllyDbg) and virtual machines (e.g. VMWare and Virtual PC). … the only bot that utilized a control protocol other than IRC. A fork using the distributed organized WASTE chat network is available.
- SDBot/RBot/UrBot/UrXBot/…
This family of malware is at the moment the most active one … seven derivatives … written in very poor C and also published under the GPL.
- mIRC-based Bots – GT-Bots
We subsume all mIRC-based bots as GT-bots … GT is an abbreviation for Global Threat and this is the common name used for all mIRC-scripted bots. … mIRC-scripts, often having the extension “.mrc”, are used to control the bot.
- DSNX Bots
Dataspy Network X (DSNX) bot is written in C++ and has a convenient plugin interface. … code is published under the GPL. … one major disadvantage: the default version does not come with any spreaders.
- Q8 Bots
only 926 lines of C-code. … written for Unix/Linux systems.
- kaiten
… lacks a spreader too, and is also written for Unix/Linux systems. The weak user authentication makes it very easy to hijack a botnet running with kaiten. The bot itself consists of just one file.
- Perl-based bots
… very small and contain in most cases only a few hundred lines of code. They offer only a rudimentary set of commands (most often DDoS-attacks) … used on Unix-based systems.