Slenfbot

Last updated March 18, 2023

Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Slenfbot was first discovered in 2007 and, since then, numerous variants have followed; each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups. The inclusion of other malware families and variants as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.

Aliases

The majority of Antivirus (A/V) vendors use the following naming conventions when referring to this family of malware (the * at the end of the names is a wildcard for all the possible classifications and/or distinctions for this malware family):

Slenfbot
Stekct

Publicly Known Efforts

None publicly known.

Malware Profile

Summary

Slenfbot is a worm that spreads using links to websites containing malicious software (malware) via instant messaging programs, which may include MSN/Windows Live Messenger, AOL Instant Messenger (AIM), Yahoo Messenger, Google Chat, Facebook Chat, ICQ and Skype. The worm propagates automatically via removable drives and shares, or on the local network through the Windows file sharing service (i.e., Server or LanmanServer service). Slenfbot also contains backdoor capabilities that allow unauthorized access to an affected machine.^[1]^[2]^[3]^[4]^[5]^[6] The code appears to be closely controlled, which may provide attribution to one group and/or that the malware authors share a significant portion of the code. Slenfbot has been seen in the wild since 2007, obtained new features and capabilities over time, and subsequent variants have systematically gained similar, if not the same, feature sets. Because of this, Slenfbot continues to operate as an effective infector and dynamic downloader of additional malware; thus, making it a highly functional delivery mechanism for other spyware, information stealers, spam bots as well as other malware.^[4]

Installation

When executed, Slenfbot copies a duplicate of the malicious payload to the %SYSTEM% folder with a filename, which varies per the particular variant and sets the attributes for the copy to read only, hidden and system to hide the contents in Windows Explorer. The worm then makes changes to the registry to maintain persistence so that the malware executes a duplicate copy on each subsequent startup of the system (e.g. copying the malicious executable to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run subkey). Several variants may modify the registry during installation to add the malware to the list of applications that are authorized to access the Internet; thus, allowing the malware to communicate without raising Windows security alerts and run unimpeded by the Windows Firewall.^[1]^[2]^[3]^[4]^[5]^[6]

In some cases, variants may instead modify the registry to install the malicious payload as a debugger for the benign system file ctfmon.exe so that ctfmon.exe executes on system startup, which leads to the execution of the malware.^[1]

In most cases, Slenfbot will attempt to delete the original copy of the worm. Some variants may make additional modifications to the registry in order to delete the originally executed copy of the worm when the system restarts.^[1]^[2]^[3]^[5]^[6]

Some Slenfbot variants may, on initial execution, test to see if MSN/Windows Live Messenger is currently running by looking for a window with the class name "MSBLWindowClass". If the worm finds the window, the malware may display a fake error message.^[1]

If Slenfbot is launched from a removable drive, some variants may open Windows Explorer and display the contents of the affected drive. Certain Slenfbot variants may inject a thread into explorer.exe, which periodically checks for the presence of the malware in the System folder. If the file is not found, the malware downloads a new copy from a specified server and launches the new copy.^[1]^[4]^[6]

Method of Propagation

Instant Messaging

Slenfbot uses instant messaging as an attack vector to spread the worm to other accounts and contacts. The remote attacker may use the worm’s backdoor capabilities to instruct Slenfbot to spread via MSN/Windows Live Messenger, AOL Instant Messenger (AIM), Yahoo Messenger, Google Chat, Facebook Chat, ICQ and Skype. The worm connects to a remote server and sends a copy of a URL, which contains a list of possible messages to send randomly; creates a ZIP archive, which contains a copy of the malware; and then sends the ZIP archive to other instant messaging client contacts.^[1]^[2]^[3]^[4]^[5]^[6] Following are some examples of the messages the worm may spread:

Are you serious...is this really you?
HAHA! this is funny! here, read this guys shirt.
Is this really a pic of you?
OMFG look at this!!!
This is my dream car right here! ^[5]

The ZIP file includes a file name for the Slenfbot executable, and may also contain a URL for a file to download in situations where the attacker instructs the worm to send arbitrary file(s).^[1]^[5]^[6]

Removable Drives

Slenfbot may spread to removable drives by creating a directory called “RECYCLER” in the root directory of the removable drive. The malware will then create a subdirectory in the “RECYCLER” folder (e.g. “S-1-6-21-1257894210-1075856346-012573477-2315”), and copy the malicious payload to the directory using a different name for the executable (e.g. “folderopen.exe”). Slenfbot may also create an autorun.inf file in the root directory of the drive so that the worm may execute if the drive is connected to another system.^[1]^[6]

Certain variants may download an updated copy of Slenfbot from a location specified in the worm, and write the file to a directory (e.g. using the name “~secure”). For all the locations the worm copies itself to, Slenfbot sets the hidden and system attributes on the respective directories and files.^[1]^[5]^[6] In some circumstances due to a programming issue, Slenfbot may only create one directory rather than two (e.g. “E:\RECYCLERS-1-6-21-1257894210-1075856346-012573477-2315\folderopen.exe”).^[1]

File and Print Shares

Slenfbot may spread to accessible shares upon successful compromise of a system. The worm may also spread to file and print shares by exploiting known vulnerabilities such as MS06-040 or MS10-061, which pertain to issues with the Server and Print Spooler services, respectively. The attacker would have to instruct the worm to spread to the remote system via exploit or instant messaging in order to continue the propagation of Slenfbot.^[1]^[5]^[6]^[7]^[8]

Payload

Slenfbot attempts to connect to an Internet Relay Chat (IRC) server via a particular TCP port (the IRC channel and port number may vary per the variant), joins a channel and then waits for commands; the attacker may then use the backdoor to perform additional actions on the compromised system such as delete the malware, join another IRC channel, download/execute arbitrary files and/or propagate to other instant messaging accounts ^[1]^[5]^[6]
Slenfbot makes modifications to the hosts file by replacing %SYSTEM%\drivers\etc.\hosts with a file of its own; the modified host file may contain several entries to point various anti-virus and security related domains to localhost (i.e. 127.0.0.1) or to a random IP address, which obstruct the user from visiting the list of domains; the file may also contain numerous blank lines to give the appearance that the hosts file has not been modified ^[1]^[5]
Slenfbot runs commands to delete files named *.zip and *.com in the current directory as well as the user's "Received Files" directory, which is the default location where Windows Messenger stores downloaded files; the latter may be to delete the original copy of the worm, which was received via Windows Messenger ^[1]
Some Slenfbot variants may create a file (e.g. "RemoveMexxxx.bat") in the %TEMP% directory, which is a batch file that tries to delete the copy after execution to prevent detection ^[5]
Slenfbot deletes various registry keys and any subkeys and values that they may contain in order to disable system restore, task manager, the use of the Windows Registry Editor and/or prevent the viewing of files with hidden attributes; the worm may also disable antivirus, firewall as well as attempt to disable Data Execution Prevention (DEP) by making other modifications to the system; some variants may periodically rewrite the changes in order to maintain persistence on the system ^[1]^[2]^[3]^[5]^[6]
Slenfbot may terminate security-related processes as well as stop, disable and delete services on the compromised system in order to remain undetected and maintain persistence ^[1]^[6]
Slenfbot may inject code into the Explorer process to "lock" the file in order to prevent the worm from being deleted and/or to reopen the payload upon process termination ^[4]
Slenfbot may also be capable of hiding the malicious process from task manager ^[4]^[5]
Slenfbot variants may create a mutex that differs according to variant ^[1]
Slenfbot may execute additional commands after receiving data from another remote system; commands may include additional instructions to further modify the compromised system ^[1]^[6]
Slenfbot may download and install additional malware to relay spam, steal information, install spyware toolbars as well as propagate other malicious campaigns; the initial Slenfbot payload serves as a first-stage downloader for the purpose of loading additional malware on the compromised host ^[1]^[3]^[4]^[5]^[6]

Prevention

The following steps may help prevent infection:

Get the latest computer updates for all your installed software
Use up-to-date antivirus software
Limit user privileges on the computer
Have the sender confirm that they sent the link before clicking on it
Use caution when clicking on links to webpages
Use caution when opening attachments and accepting file transfers
Use online services to analyze files and URLs (e.g. Malwr,^[9] VirusTotal,^[10] Anubis,^[11] Wepawet,^[12] etc.)
Only run software from publishers you trust
Protect yourself against social engineering attacks
Use strong passwords and change passwords periodically ^[1]^[2]^[3]^[13]^[14]

Recovery

Slenfbot uses stealth measures to maintain persistence on a system; thus, you may need to boot to a trusted environment in order to remove it. Slenfbot may also make changes to your computer such as changes to the Windows Registry, which makes it difficult to download, install and/or update your virus protection. Also, since many variants of Slenfbot attempt to propagate to available removable/remote drives and network shares, it is important to ensure the recovery process thoroughly detects and removes the malware from any and all known/possible locations.

One possible solution would be to use Microsoft’s Windows Defender Offline Beta to detect and remove Slenfbot from your system. For more information on Windows Defender Offline, go to: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline ^[1]^[2]^[3]

Related Research Articles

<span class="mw-page-title-main">Malware</span> Malicious software

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Blaster was a computer worm that spread on computers running operating systems Windows XP and Windows 2000 during August 2003.

Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. It also writes to the Windows Security Log.

ILOVEYOU, sometimes referred to as Love Bug or Love Letter for you, is a computer worm that infected over ten million Windows personal computers on and after 5 May 2000. It started spreading as an email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.TXT.vbs." At the time, Windows computers often hid the latter file extension by default because it is an extension for a file type that Windows knows, leading unwitting users to think it was a normal text file. Opening the attachment activates the Visual Basic script. First, the worm inflicts damage on the local machine, overwriting random files, then, it copies itself to all addresses in the Windows Address Book used by Microsoft Outlook, allowing it to spread much faster than any other previous email worm.

<span class="mw-page-title-main">Ransomware</span> Malicious software used in ransom demands

Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid off. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

Upering is a mass-mailing computer worm. It was isolated in Tacoma, Washington, in the United States, from several submissions from America Online members. As of late 2005, it is listed on the WildList, and has been since 2003.

<span class="mw-page-title-main">WinFixer</span> Rogue security software

WinFixer was a family of scareware rogue security programs developed by Winsoftware which claimed to repair computer system problems on Microsoft Windows computers if a user purchased the full version of the software. The software was mainly installed without the user's consent. McAfee claimed that "the primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections." The program prompted the user to purchase a paid copy of the program.

The Sober worm is a family of computer worms that was discovered on October 24, 2003. Like many worms, Sober sends itself as an e-mail attachment, fake webpages, fake pop-up ads, and fake advertisements.

Bifrost is a backdoor trojan horse family of more than 10 variants which can infect Windows 95 through Windows 10. Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine.

The Vundo Trojan is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers. Later versions include rootkits and ransomware.

A computer virus hoax is a message warning the recipients of a non-existent computer virus threat. The message is usually a chain e-mail that tells the recipients to forward it to everyone they know, but it can also be in the form of a pop-up window.

W32.Navidad is a mass-mailing worm program or virus, discovered in December 2000 that ran on Windows 95, Windows 98, Windows NT, and Windows 2000 systems. It was designed to spread through email clients such as Microsoft Outlook while masquerading as an executable electronic Christmas card. Infected computers can be identified by blue eye icons which appear in the Windows system tray.

ExploreZip is a destructive computer worm that attacks machines running Microsoft Windows. It was first discovered in Israel on June 6, 1999. The worm contains a malicious payload, and utilizes Microsoft Outlook, Outlook Express, or Exchange to mail itself out by replying to unread messages in the user's inbox. The worm also searches mapped drives and networked computers for Windows installations. If found, it copies itself to the Windows folder of the remote computer and then modifies the Win.ini file of the infected computer. On January 8, 2003, Symantec discovered a packed variant of this threat which exhibits the same characteristics.

<span class="mw-page-title-main">Computer virus</span> Computer program that modifies other programs to replicate itself and spread

A computer virus is a type of computer program that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.

Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. This worm originally targeted users of networking websites like Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace, Twitter, and it can infect other devices on the same local network. Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer by using fake popups and using built-in Windows programs.

<span class="mw-page-title-main">Conficker</span> Computer worm

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 SQL Slammer worm.

Daprosy worm was a malicious computer program that spreads via local area network (LAN) connections, spammed e-mails and USB mass storage devices. Infection comes from a single read1st.exe file where several dozen clones are created at once bearing the names of compromised folders. The most obvious symptom of Daprosy infection is the presence of Classified.exe or Do not open - secrets!.exe files from infected folders.

Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks. Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.

Win32/Patched is a computer Trojan targeting the Microsoft Windows operating system that was first detected in October 2008. Files detected as "Trojan.Win32.Patched" are usually Windows components that are patched by a malicious application. The purpose of patching varies. For example, certain malware patches system components in order to disable security, such as the Windows Safe File Check feature. Other malware can add parts of its code to a system component and then patch certain functions of the original file to point to an appended code.

References

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 Microsoft Malware Protection Center (2008-08-26). "Win32/Slenfbot". Microsoft. Retrieved 2012-06-17.
1 2 3 4 5 6 7 Microsoft Malware Protection Center (2012-02-15). "Worm:Win32/Stekct.A". Microsoft. Retrieved 2012-06-17.
1 2 3 4 5 6 7 8 Microsoft Malware Protection Center (2012-02-29). "Worm:Win32/Stekct.B". Microsoft. Retrieved 2012-06-17.
1 2 3 4 5 6 7 8 Microsoft Malware Protection Center (2008-09-17). "Win32/Slenfbot - Just Another IRC bot?". Hamish O'Dea. Retrieved 2012-06-17.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 Methusela Cebrian Ferrer (2008-10-01). "Win32/Slenfbot". CA Technologies. Retrieved 2012-06-17.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 ESET Threat Encyclopaedia (2011-01-17). "Win32/Slenfbot.AD". ESET. Retrieved 2012-06-17.
↑ Microsoft Security Tech Center (2006-08-08). "Microsoft Security Bulletin MS06-040". Microsoft. Retrieved 2012-06-17.
↑ Microsoft Security Tech Center (2010-09-14). "Microsoft Security Bulletin MS10-061". Microsoft. Retrieved 2012-06-17.
↑ "Malwr.com" . Retrieved 2012-06-17.
↑ "VirusTotal" . Retrieved 2012-06-17.
↑ "Anubis" . Retrieved 2012-06-17.
↑ "Wepawet" . Retrieved 2012-06-17.
↑ Kurt Avish (2012-05-22). "Stekct.Evl". Sparking Dawn. Retrieved 2012-06-17.
↑ Maninder Singh (2012-05-22). "Stekct.Evi". HackTik. Retrieved 2012-06-17.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[microsoft_win32/slenfbot-1] 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 Microsoft Malware Protection Center (2008-08-26). "Win32/Slenfbot". Microsoft. Retrieved 2012-06-17.

[microsoft_worm:win32/stekct.a-2] 1 2 3 4 5 6 7 Microsoft Malware Protection Center (2012-02-15). "Worm:Win32/Stekct.A". Microsoft. Retrieved 2012-06-17.

[microsoft_worm:win32/stekct.b-3] 1 2 3 4 5 6 7 8 Microsoft Malware Protection Center (2012-02-29). "Worm:Win32/Stekct.B". Microsoft. Retrieved 2012-06-17.

[win32/slenfbot-just_another_irc_bot?-4] 1 2 3 4 5 6 7 8 Microsoft Malware Protection Center (2008-09-17). "Win32/Slenfbot - Just Another IRC bot?". Hamish O'Dea. Retrieved 2012-06-17.

[ca_win32/slenfbot-5] 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Methusela Cebrian Ferrer (2008-10-01). "Win32/Slenfbot". CA Technologies. Retrieved 2012-06-17.

[win32/slenfbot.ad-6] 1 2 3 4 5 6 7 8 9 10 11 12 13 14 ESET Threat Encyclopaedia (2011-01-17). "Win32/Slenfbot.AD". ESET. Retrieved 2012-06-17.

[microsoft_ms06-040-7] Microsoft Security Tech Center (2006-08-08). "Microsoft Security Bulletin MS06-040". Microsoft. Retrieved 2012-06-17.

[microsoft_ms10-061-8] Microsoft Security Tech Center (2010-09-14). "Microsoft Security Bulletin MS10-061". Microsoft. Retrieved 2012-06-17.

[malwr-9] "Malwr.com" . Retrieved 2012-06-17.

[virustotal-10] "VirusTotal" . Retrieved 2012-06-17.

[anubis-11] "Anubis" . Retrieved 2012-06-17.

[wepawet-12] "Wepawet" . Retrieved 2012-06-17.

[sparkingdawn:stekct.evl-13] Kurt Avish (2012-05-22). "Stekct.Evl". Sparking Dawn. Retrieved 2012-06-17.

[hacktik:stekct.evi-14] Maninder Singh (2012-05-22). "Stekct.Evi". HackTik. Retrieved 2012-06-17.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

v t e Botnets
Notable botnets	Akbot Asprox Bagle BASHLITE Bredolab Cutwail Conficker Donbot Festi Grum Gumblar Kelihos Koobface Kraken Lethic Mariposa Mega-D Mirai Metulji Nitol Rustock Sality Slenfbot Srizbi Storm TDL-4 Torpig Virut Vulcanbot Waledac ZeroAccess Zeus
Main articles	Browser security Computer virus Computer worm Malbot Internet security Malware Man-in-the-browser Network security Operation: Bot Roast Trojan horse