Password Sniffing Worms
SDBot is known as the first computer worm with the ability eavesdrop on network traffic following infection. Its primary intent is to scan active traffic on interconnected network computers in search of passwords and financial data. SDBot is able to propagate by exploiting a number of vulnerabilities in the Windows operating system. From there, it attempts to compromise other machines on the network using a dictionary attack of obvious passwords such as "1234" or "administrator1."
How SDBot Works
When installed, SDBot executes a specially designed network sniffing program, the feature that allows it to thieve critical data. It then makes a connection to an IRC (Internet Chat Relay) network. This gives the malicious writer the opportunity to seize complete control of the infected computer or harvest data from it. Being that it mainly depends on older software bugs, SDBot can be easily contained. The best remedy is system patches, software updates and strong password schemes.
While SDBot doesn't inflict much physical damage, observers are concerned about its network snooping capability. Experts fear that if it can successfully capture packets from a filter and transmit them back to the creator, SDBot will cause problems that go far beyond conventional infection. The practice of network sniffing involves monitoring packets as they move through a network. This technique is often used on compromised networks by hackers in search of usernames and passwords.
SDBot operates by automatically filtering network traffic for patterns of data that typically come before the transmission of a passing username and password. If such a pattern is identified, the worm instantly records the data. SDBot has also been known to search for packets that include "PayPal," a popular service used to transfer money on the web.
Many security experts have stated that password sniffing is difficult to detect because of its passive nature. Most computer worms typically use infected computers to plague a web server or to distribute mass spam mailings, both of which are easy for an administrator to detect due to the additional traffic. Experts also warn that several more highly contagious worms may come equipped with similar sniffing capabilities. Once a malicious writer introduces a concept, the others to follow up with ways to improve on it.
Protecting your Passwords
Most worms use the email system to propagate. Anyone using Outlook or Outlook Express should install the latest patches from the Microsoft website. You can also protect yourself by keeping your programs and the operating system itself up to date. Here a few more tips:
- Avoid email attachments whenever possible, whether you're sending or receiving a message. If you open it, you can be infected; if you're infected, you can send it to someone else.
- Never open email attachments with compound file extensions: NAME.BMP.EXE, NAME.TXT.VBS
- Be cautious of file sharing networks and with whom you share files.
- Never accept attachments from strange sources in chat systems like ICQ, IRC or Yahoo and AOL Instant Messenger.
- Remain cautious when downloading files from public newsgroups, as they are commonly used to distribute malware.
With caution and awareness, you can keep your passwords safe from malicious sniffing worms.