{"id":11948,"date":"2011-10-21T16:04:54","date_gmt":"2011-10-21T23:04:54","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=11948"},"modified":"2025-06-04T03:58:48","modified_gmt":"2025-06-04T10:58:48","slug":"satanbot-employs-vbscript-to-create-botnet","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/satanbot-employs-vbscript-to-create-botnet\/","title":{"rendered":"Satanbot Employs VBScript to Create Botnet"},"content":{"rendered":"

Malware is on the rise. At the beginning of 2008, our malware collection had 10 million samples. Today we have already surpassed 70 million. Most of the malicious samples are Trojans (backdoors, downloaders, fake alerts), but there are also a lot of viruses, worms, and bots that in a short time can infect many computers without user interaction. Usually the malicious code comes in a form of an executable or DLL, but sometimes malware authors opt to use alternate languages such as VBScript<\/a>\u00a0(Visual Basic Scripting Edition), a lightweight Active Scripting language that is installed by default in most Microsoft Windows versions since Windows 98. One example of this kind of malware is Satanbot: a fully functional VBScript botnet that uses the Remote Desktop Connection to connect to infected systems.<\/p>\n

VBScript Files’ Functions<\/h2>\n

VBScript files are usually in clear text because they are interpreted at runtime, rather than being compiled previously by the author. However, for cases in which the user wants to avoid allowing others to view or modify the source code, Microsoft provides a command-line tool, Script Encoder, which will encode the final script by generating a .vbe file. This file looks like a normal executable, but it can be decoded to its original form.\u00a0Once that file is decoded, we can look at the bot’s source code, which is divided by sections. Each section specifies a different function of Satanbot, most of which we’ve already seen in AutoRun worms like Xirtem<\/a>. Here is a description of these functions:<\/p>\n

    \n
  1. \u00a0Enable CMD and REGEDIT: To perform all the changes in the system (modify the registry and execute BAT files), the edition of the registry (regedit) or the use of the command line (cmd) will be enabled by changing the values \u201cDisableRegistryTools\u201d and \u201cDisableCMD\u201d to 0. In addition, one AutoRun feature is configured by creating the value \u201cUpdate\u201d in the \u201cRun\u201d key with the path of the script, along with hiding files and file extensions in the system.<\/li>\n
  2. Disable UAC: The value \u201cEnableLUA\u201d is checked to verify whether it is necessary to disable the User Account Control in Windows Vista, Windows Server 2008 and Windows 7. If it is enabled, the script will create on the fly another script and a BAT file to disable UAC. Another modification in the registry is done to perform operations that require elevation of privileges without consent or credentials. At the end, all the temporary files used to do the modifications in the system will be deleted.<\/li>\n
  3. Take ownership of folders: The command TAKEOWN (in Windows Vista and 7) runs to take ownership and enable the modification of folders including Application Data, Cookies, and Local Settings<\/li>\n
  4. Self-Install and spread: Another BAT file in the %TEMP% path is created. It first changes the icon of .vbe files to the one used by Windows pictures so the user will think that it is a picture and not the malware. Also the original .vbe, along with a shortcut file, will be copied in several locations, including network shares and peer-to-peer shared folders from popular clients like eMule, LimeWire, and Ares. Another spreading vector this malware uses is infecting removable drives by creating autorun.inf files along with a copy of the original .vbe and a shortcut (.lnk) file.<\/li>\n
  5. Worm test: This may seem a confusing term, but it is another spreading method. The original .vbe will be copied to other folders such as Startup and %Userprofile%\\ Microsoft with the name \u201cSystem File [Not Delete]\u201d to trick the user to not delete the file.<\/li>\n
  6. Worm.s@tan: Contains a loop that will trigger the execution of the code every 60 minutes<\/li>\n
  7. Backdoor: Using another temporary BAT file, the malware will enable Remote Desktop Access by making the following changes to the system:<\/li>\n<\/ol>\n