Different types of Bots

From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):

… some of the more widespread and well-known bots.

  • Agobot/Phatbot/Forbot/XtremBot

    … best known bot. … more than 500 known different versions of Agobot … written in C++ with cross-platform capabilities and the source code is put under the GPL. … structured in a very modular way, and it is very easy to add commands or scanners for other vulnerabilities … uses libpcap (a packet sniffing library) and Perl Compatible Regular Expressions (PCRE) to sniff and sort traffic. … can use NTFS Alternate Data Stream (ADS) and offers Rootkit capabilities like file and process hiding to hide its own presence … reverse engineering this malware is harder since it includes functions to detect debuggers (e.g. SoftICE and OllyDbg) and virtual machines (e.g. VMware and Virtual PC). … the only bot that utilized a control protocol other than IRC. A fork using the distributed organized WASTE chat network is available.

  • SDBot/RBot/UrBot/UrXBot/…

    This family of malware is at the moment the most active one … seven derivatives … written in very poor C and also published under the GPL.

  • mIRC-based Bots – GT-Bots

    We subsume all mIRC-based bots as GT-bots … GT is an abbreviation for Global Threat and this is the common name used for all mIRC-scripted bots. … mIRC-scripts, often having the extension “.mrc”, are used to control the bot.

  • DSNX Bots

    Dataspy Network X (DSNX) bot is written in C++ and has a convenient plugin interface. … code is published under the GPL. … one major disadvantage: the default version does not come with any spreaders.

  • Q8 Bots

    … only 926 lines of C-code. … written for Unix/Linux systems.

  • kaiten

    … lacks a spreader too, and is also written for Unix/Linux systems. The weak user authentication makes it very easy to hijack a botnet running with kaiten. The bot itself consists of just one file.

  • Perl-based bots

    … very small and contain in most cases only a few hundred lines of code. They offer only a rudimentary set of commands (most often DDoS-attacks) … used on Unix-based systems.
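The paper notes that Agobot is harder to reverse engineer because it checks for debuggers (SoftICE, OllyDbg) and virtual machines (VMware, Virtual PC). The following is an added example, not code from the Honeynet paper or from Agobot or any other bot listed above, showing what such an anti-analysis check looks like. Agobot's checks targeted Windows tooling; this example expresses the same idea for Linux using the ptrace tell-tale the kernel exposes as the TracerPid field of /proc/self/status. The function names parse_tracer_pid and debugger_present and the sample status text are assumptions made for this example.

```c
/*
 * Added example (not from the Honeynet paper or any bot's source): a
 * debugger-presence check of the kind the paper attributes to Agobot,
 * shown for Linux. Agobot's own checks were Windows-specific (SoftICE,
 * OllyDbg, VMware, Virtual PC); here the same idea uses the "TracerPid"
 * field that Linux exposes in /proc/self/status.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the TracerPid field out of the text of a /proc/<pid>/status file.
 * Returns the tracer's PID (0 when nothing is attached), or -1 if the
 * field is absent. Kept separate from the file read so it can be run on
 * constructed input. Function name is an assumption for this example. */
long parse_tracer_pid(const char *status_text)
{
    const char *key = "TracerPid:";
    size_t keylen = strlen(key);
    const char *line = status_text;

    while (line && *line) {
        /* Only match at the start of a line, like the kernel writes it. */
        if (strncmp(line, key, keylen) == 0) {
            const char *p = line + keylen;
            while (*p == ' ' || *p == '\t')
                p++;
            return strtol(p, NULL, 10);
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* Live check: read this process's own status file and report whether a
 * tracer (gdb, strace, a ptrace-based sandbox) is attached. Malware uses
 * such a check to behave differently under analysis; an analyst defeats
 * it by patching the check out or by avoiding ptrace altogether (for
 * example with a hypervisor-level debugger). */
int debugger_present(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0; /* no procfs available: cannot tell, treat as clean */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf) > 0;
}

int main(void)
{
    /* Constructed sample of a status file as a traced process would show it. */
    const char *sample =
        "Name:\tbot\n"
        "State:\tt (tracing stop)\n"
        "Tgid:\t4242\n"
        "TracerPid:\t4100\n"
        "Uid:\t1000\t1000\t1000\t1000\n";

    printf("sample TracerPid = %ld\n", parse_tracer_pid(sample));
    printf("this process is %s\n",
           debugger_present() ? "being traced" : "not traced");
    return 0;
}
```

Running the binary directly prints "not traced"; running it under gdb or strace flips the result, which is exactly the behaviour change an analyst has to watch for when a sample contains checks like this.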