Malware Analysis · Chapter 6 171

How Does the Bot Protect the Local Host and Itself?

A lot of bots try to protect a newly infected host against further exploitation by others. Of course, this is not done for charitable reasons, but for the selfish reason of trying to ensure that no one else can take control of the host. This protection is accomplished by fixing known security holes or by completely disabling Windows services that can be exploited. Mostly this is done by removing existing Windows shares. The following excerpt shows how all existing shares are first enumerated (enum_share) and then deleted (delete_share):

    <network_section>
        <enum_share/>
        <delete_share networkressource="IPC$"/>
        <delete_share networkressource="ADMIN$"/>
        <delete_share networkressource="C$"/>
    </network_section>

To hide and protect its own existence, most malware performs the following actions on a newly infected system: it searches for known antivirus and security
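As an added example (not from the book or from the sandbox that produced the report), the following Python code parses a report in the format of the share-removal excerpt above and flags deletion of the default administrative shares after an enumeration. The `<analysis>` root element, the function names and the assumption that element order reflects call order are illustrative assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the excerpt from the text, wrapped in a hypothetical
# <analysis> root element so that it parses as a complete document.
SAMPLE_REPORT = """\
<analysis>
  <network_section>
    <enum_share/>
    <delete_share networkressource="IPC$"/>
    <delete_share networkressource="ADMIN$"/>
    <delete_share networkressource="C$"/>
  </network_section>
</analysis>
"""


def is_admin_share(name):
    """True for Windows default administrative shares: IPC$, ADMIN$, <drive>$."""
    name = name.upper()
    if name in ("IPC$", "ADMIN$"):
        return True
    return len(name) == 2 and name[0].isalpha() and name[1] == "$"


def find_share_removal(report_xml):
    """Summarise share enumeration and deletion recorded in a report."""
    root = ET.fromstring(report_xml)
    result = {"enumerated": False, "deleted": [],
              "admin_deleted": [], "enum_then_delete": False}
    for section in root.iter("network_section"):
        seen_enum = False
        for op in section:  # children are visited in document order
            if op.tag == "enum_share":
                seen_enum = True
                result["enumerated"] = True
            elif op.tag == "delete_share":
                # Attribute name spelled as it appears in the report excerpt.
                share = op.get("networkressource", "")
                result["deleted"].append(share)
                if is_admin_share(share):
                    result["admin_deleted"].append(share)
                if seen_enum:  # assumption: element order mirrors call order
                    result["enum_then_delete"] = True
    return result


if __name__ == "__main__":
    print(find_share_removal(SAMPLE_REPORT))
```

A report in which `enum_then_delete` is set and `admin_deleted` covers `IPC$`, `ADMIN$` and a drive share matches the self-protection behaviour described in this section.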