New Worms Sniff For Passwords

According to Symantec and Trend Micro, the newest Sdbot variants--Symantec actually calls them "Spybot"--exploit several vulnerabilities in Windows, including the RPC DCOM flaw that was used by last summer's MSBlast and the LSASS vulnerability exploited by 2004's Sasser. Like both Sasser and MSBlast, Sdbot doesn't require user intervention to spread, but propagates across networks by finding unpatched systems. When Sdbot locates a vulnerable PC, it adds backdoor components that let the attacker control the machine. The worms also creates a bot that uses NetBEUI (NetBios Extended User Interface) to capture passwords for such software as the instant messaging clients from Yahoo, AOL and Microsoft. More important, however, is the addition of a network "sniffer" that monitors traffic on the local area network, specifically for log-on usernames and passwords. "If [Sdbot] can successfully transmit the filters packet captures back to the owner they are going to cause problems well beyond typical bot infestation," said Patrick Nolan, a researcher with the Internet Storm Center, in online advisory. The Sdbots can also install more generalized keyboard loggers and steal keys from a number of popular games, including Unreal Tournament 2004, Battlefield 1942 and NASCAR Racing 2003.