A Bot Enhancement

W32/Rbot-GSN

SophosLabs encountered a new variant of a botnet worm today with the discovery of W32/Rbot-GSN .

While the worm still contains the usual zombie functionality of a typical botnet in that it can spread via removable shared drives and network shares (via exploiting Microsoft vulnerabilities) and can turn an infected computer into a zombie machine, this new variant is different in that the bot can repackage itself into existing zipfiles with a random filename but with a file extension of <many blank spaces>.scr using an internal zip engine.

Botnets tend to evolve over time. The first botnet variants had limited functionality like stealing CD game keys but later incarnations also included functionality to steal passwords, perform screen captures and exploiting Microsoft vulnerabilities to worm themselves.

At this stage, it is unclear if this latest incarnation by malware authors in extending the functionality of a botnet will catch on.