Security Bug Operating Systems Software Windows

PhatBot Trojan Spreading Rapidly On Windows PCs

Posted by timothy
from the what-and-lose-all-my-pigeons dept.
prostoalex writes "The Washington Post alerts Windows users about a new peer-to-peer backdoor client that is installed maliciously on broadband-connected computers around Asia and the United States. The client is then used for distributed DoS attacks and sending out large amounts of spam. Phatbot, according to government sources, is installed on hundreds of thousands of machines already. Phatbot snoops for passwords on infected computers and tries to disable firewall and antivirus software, although it is detectable by antivirus packages." An anonymous reader submits a link to this description of the beast.
  • by FortKnox (169099) on Wednesday March 17, 2004 @03:44PM (#8591171) Homepage Journal
    ... or does this sound dirty to you too??

    a new peer-to-peer backdoor client that is installed maliciously
    • Re:Is it just me... (Score:4, Interesting)

      by somethinghollow (530478) on Wednesday March 17, 2004 @03:51PM (#8591250) Homepage Journal
      Dirty as in dirty trick?

I wouldn't put it past the RIAA after Berman pushed for the we-can-hack-you-if-we-suspect-you-have-copyrighted-material-on-your-machine bill a few (?) years back.

But how often are backdoors installed for noble intents?
    • Re:Is it just me... (Score:4, Interesting)

      by cetan (61150) on Wednesday March 17, 2004 @04:15PM (#8591516) Journal
      I think PhatBot was one of Bender's best friends growing up...
    • by CreatureComfort (741652) on Wednesday March 17, 2004 @04:27PM (#8591637)

      The Register just had a story about how a lot of the new virii are as small as 12kb, and how you could almost silk screen the code for one onto an XL T-shirt.

      I would love to have a pair of boxers with this code printed on them, and in large letters overlaying the code, "Let's install my peer-to-peer backdoor client."

      • Shit, all the old good virii were like sub-800 bytes. A friend of mine still has the source to Monkey-B on a 5.25" floppy diskette. It isn't much, but it's a bastard.
        • Shit, all the old good virii were like sub-800 bytes

          Yeah, gone are the days when F-Secure folks unceremoniously categorized everything over 10 kb or so "huge and technically uninteresting" =)

        • Re:Is it just me... (Score:5, Interesting)

          by nlindstrom (244357) on Wednesday March 17, 2004 @06:39PM (#8593125)
          I remember Monkey-B. I once went on a field service call to a large business in downtown Los Angeles, and discovered that most of their PCs were infected with it. "Most of their PCs" being defined as around 100 boxes.

          I informed their IT person that Monkey-B encrypts the files on the disk, so before we went willy-nilly removing the virus, we needed to backup the user data. They told me I was full of crap, and proceeded to clean the PCs themselves. Big mistake!

          Oddly enough, their VP later complained to the service company I worked for that I had not done my job, since his IT people were fuck-heads. He didn't exactly state it this way, of course, but that was the gist of the statement. When I started to explain what had happened to my boss, I only got as far as "...and I discovered that most of their PCs were infected with Monkey-B."

          He started laughing, and finished my sentence for me with "and their stupid IT people went around removing it, right? Idiots!"

  • Virizzle (Score:4, Funny)

    by DomCurtis187 (718788) on Wednesday March 17, 2004 @03:46PM (#8591186) Journal
    Since when did Snoop Dogg start writing code? Shizzle, dawg, dis virizzle be PHAT!
  • nice features list (Score:5, Informative)

    by Anonymous Coward on Wednesday March 17, 2004 @03:46PM (#8591198)
    # Has the ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system
    # Checks to see if it is allowed to send mail to AOL, for spamming purposes
    # Can steal Windows Product Keys
    # Can run an IDENT server on demand
    # Starts an FTP server to deliver the trojan binary to exploited hosts - ends the FTP session with the message "221 Goodbye, have a good infection :)."
    # Can run a socks, HTTP or HTTPS proxy on demand
    # Can start a redirection service for GRE or TCP protocols
    # Can scan for and use the following exploits to spread itself to new victims: * DCOM * DCOM2 * MyDoom backdoor * DameWare * Locator Service * Shares with weak passwords * WebDav * WKS - Windows Workstation Service
    # Attempts to kill instances of MSBlast, Welchia and Sobig.F
    # Can sniff IRC network traffic looking for logins to other botnets and IRC operator passwords
    # Can sniff FTP network traffic for usernames and passwords
    # Can sniff HTTP network traffic for Paypal cookies
    # Contains a list of nearly 600 processes to kill if found on an infected system.Some are antivirus software, others are competing viruses/trojans
    # Tests the available bandwidth by posting large amounts of data to the following websites:
    * www.st.lib.keio.ac.jp
    * www.lib.nthu.edu.tw
    * www.stanford.edu
    * www.xo.net
    * www.utwente.nl
    * www.schlund.net
    # Can steal AOL account logins and passwords
    # Can steal CD Keys for several popular games
    # Can harvest emails from the web for spam purposes
    # Can harvest emails from the local system for spam purposes
    • by Joe U (443617) * on Wednesday March 17, 2004 @03:52PM (#8591270) Homepage Journal
      I would really like to see a worm/virus/trojan that makes the user's hard drive rip itself out of the computer, beat the user with a bat and run screaming down the hall.

      Can someone code that feature?

Seriously, I would love to see one of these programs that just turns the victim's Internet connection OFF. Granted, I don't think it would spread very well.
      • by Platinum Dragon (34829) on Wednesday March 17, 2004 @04:00PM (#8591358) Journal
        Granted, I don't think it would spread very well.

        Just code it to kill the connection after, say, fifty successful infections.

        You know what the real innovation would be, though? Writing an OS so that one process can't stomp on other processes it doesn't have permission to. It would also be nice to write something where worms couldn't just land on the system as executable files by default and scripts that do things like install other programs and do stuff without the user's knowledge can't be automatically run by a freaking e-mail program. Gee, too bad there's nothing around like that...
        • by Joe U (443617) on Wednesday March 17, 2004 @04:06PM (#8591419) Homepage Journal
          Writing an OS so that one process can't stomp on other processes it doesn't have permission to.

          I agree 100%. The windows developer community needs to totally and outright kill 95/98/Me support, and start using the built in security in 2000/XP.

          Having absolutely everything running as an administrator is a huge mistake.
          • by Platinum Dragon (34829) on Wednesday March 17, 2004 @04:21PM (#8591564) Journal
            *nods*

            Checking out the vulnerabilities used by Phatbot, I'm guessing most, if not all, of these holes were patched long ago. Short of forcing regular patching and upgrades, I guess there's not much that can be done to get around this. I get a shocking number of people through the store who never, ever use Windows Update.

            One part bad security model, one part careless users. Really, if there was an announced problem with your car that might lead to a thief getting in and driving off with it, wouldn't you get it fixed? Would you leave your door unlocked because it makes entering your car easier when you're in a rush?

            Computers have been sold as appliances, when they should be sold as flexible tools that aren't difficult to use, but take a minor bit of effort to maintain. I bet I could make big bucks just going to people's homes and carrying out basic upgrading and patching activities. $50/hr for running Windows Update, Ad-Aware and AVG, here I come...
            • by yeggman (599487) on Wednesday March 17, 2004 @05:25PM (#8592183)
              Really, if there was an announced problem with your car that might lead to a thief getting in and driving off with it, wouldn't you get it fixed?
              Not if he always brought it back in the morning ;)
That's why people don't give a crap, cuz the machine still kinda runs. Most people probably chalk it up to: "God this old machine doesn't run like it use to could! I should have never upgraded to IE6."
          • by Kethinov (636034)
Running WinNT, 2000, XP at user level is too restrictive. In *nix, if you need to install something it goes "hey feed me a password." In Windows it says "screw you, not enough privs." Then you have to log off, log on as admin, and do it.

Furthermore, in Windows, there's a GREAT DEAL of things you can do in userland that should only be available in rootland. So because of these issues, I've run every Windows computer I've ever owned at administrator level, as most people do.
            • by yabos (719499)
You can use the Run As... feature in XP to run as the administrator or any other user, but I agree, that's a PITA and usually you forget the first time so you end up launching the program twice.
            • by red floyd (220712) on Wednesday March 17, 2004 @04:47PM (#8591835)
              Plus...

              <RANT type="favorite">
              Then there's programs that, because of sloppy/lazy coding, insist on being run as Admin on NT/2K/XP. Two that come to mind immediately are Mavis Beacon Teaches Typing 15 and The Sims.

              There is absolutely NO REASON WHATSOEVER for a typing tutor to require Admin, nor should there really be any for the Sims. AFAICT, they both write to the installation directory and HKLM instead of the user's "Application Data" and HKCU.

              </RANT>
              • by HSpirit (519997) on Wednesday March 17, 2004 @10:40PM (#8594974)

                I've been in regular contact with an antivirus vendor's support people over 2 weeks trying to explain to them that it is NOT acceptable for users to have Power User privileges in order for their AV definitions to auto-update... It's like talking to a brick wall, here's an example of their 'support' verbatim:

                You may need to change the permissions on your c drive or the vet folder to everyone

                Double click on My Computer
                Right click on C drive

                Left click on properties
                Left click on Sharing
                left click on permissions
                Choose everyone a click ok
                Then click o.k

                Then perform an autodownload

                Double click on My Computer
                Double left click on the Vet
                Right click on C drive

                Left click on properties
                Left click on Sharing
                Then click on share this folder left click on permissions
                Choose everyone a click ok
                Then click o.k

                This should allow you to perform an autodownload.

You may have to do the same on the c:\temp or c:\windows\temp
folder or c:\document and settings\your username\temp

                Sorry? Do you mean give everyone full control to my system drive, as well as your AV definitions, configuration files and executable code? You've got to be kidding!

                And surely you'd think that AV vendors would understand better than most the need for their software to operate under the principle of least privilege.

                Give me a Mac (or other *nix) box anyday is what I say...

          • by Lumpy (12016) on Wednesday March 17, 2004 @04:57PM (#8591926) Homepage
            Having absolutely everything running as an administrator is a huge mistake.

I so agree, so can you PLEASE tell corporate America IT managers this?

Here I am, an IT professional in one of the world's LARGEST telecommunications companies, and EVERYONE's W2K domain profile is set to give them administrator rights... repeated calls to the NOC about the security hole are unanswered, and my attempts to fix it locally get me reprimanded for messing with domain security settings.

            It's fine to have the ability to lock it down, but it's worthless when the people in charge of it are too stupid or spineless to use it.
          • by Nimey (114278) on Wednesday March 17, 2004 @10:54PM (#8595088) Homepage Journal

            Having absolutely everything running as an administrator is a huge mistake.


            Something else that really should be done is enforcing Intel's privilege rings.

            286+ processors have four privilege rings, 0 through 3. Processes running in ring 0 basically have root privs in the system, ring 1 processes can touch anything but those in ring 0, and so on.

            It's intended that critical OS functions, like the memory manager, run in ring 0. Device drivers and such live in ring 1, and user processes live in ring 3.

            Many operating systems, including Linux and all versions of Windows except NT 3.xx, run drivers in ring 0 because it's faster. However, it means that a bad driver can bring down the whole system. I bet the majority of Windows crashes lead back to crappy drivers, especially video drivers.

            Food for thought.
      • by Sowbug (16204) * on Wednesday March 17, 2004 @04:36PM (#8591718) Homepage
        Simple. Just spam 10 million people with the following e-mail:
        This is your system administrator. DO NOT DELETE THIS E-MAIL. Your computer has been infected with the latest trojan worm rotovirus. Please take the following steps to remove this infection:

        1. Open your computer and remove the hard drive. If you are not able to do this on your own, ask the nearest IS worker for help. Inform him that this is to be done on direct orders from his superior.

        2. Attach the hard drive to a bat using duct tape. Beat yourself severely with it.

        3. While clutching the hard drive, run screaming down the hall.

        4. Forward this e-mail to all your direct reports. Please instruct them to comply IMMEDIATELY.

        Thank you for your assistance in stopping this infection.

        Sincerely yours,

        The Management
        OK, so maybe you can't get the hard drive to do it on its own, but if you make the e-mail look official enough, at least 10 people will do it for you.

    • by EndlessNameless (673105) on Wednesday March 17, 2004 @03:53PM (#8591279)
      :::# Checks to see if it is allowed to send mail to AOL, for spamming purposes:::

      Best. Feature. Ever.
    • by bfg9000 (726447) on Wednesday March 17, 2004 @03:58PM (#8591325) Homepage Journal
      If only Microsoft gave us this much cool stuff with their godforsaken updates. I just KNOW Longhorn is gonna be WinXP with DRM (YAY!), just like XP was Win2000 with Prettiness Plus(TM), just like 2000 was WinNT with a blue default background, just like NT was Win98 with less games, just like 98 was Win95 with double the base install size, just like 95 was Win3.1 with less speed and stability, just like Win3.1 was DOS with a mouse.

      What better resume than a good virus or trojan?
    • by beacher (82033) on Wednesday March 17, 2004 @03:59PM (#8591333) Homepage
      1) Extract Windows product keys
      2) ???^H^H^H Email software keys to software@bsa.net and tell them that you think your employer is not running legitimate software. Include a paypal link for the reward
      3) Profit

      This bot looks NASTY.
      -B
      • by prockcore (543967) on Wednesday March 17, 2004 @04:22PM (#8591581)
that's pretty ingenious.

        The quickest way to get people to take viruses seriously is to write a virus that reports all their pirated software.

        Most people don't care if their computer has a virus, but once a virus can bust them for all their illegal software, people will wise up in a hurry.
        • even better (Score:5, Funny)

          by Anonymous Coward on Wednesday March 17, 2004 @06:50PM (#8593252)
Have it grep the HD for pr0n keywords, and mail the results to Outlook's Address Book. After that, nobody would think little of viruses ever again...
          (here in double-moral country, that is)
  • Skynet (Score:5, Funny)

    by 3cents (741537) <salakowske&wisc,edu> on Wednesday March 17, 2004 @03:48PM (#8591213) Homepage
    How long before someone bootstraps a distributed Artificial life simulator to their virus and then we all watch in amazement as the first AI evolves and owns all our computers. This could never happen though...right?

    Slashrank [slashrank.org]
  • Idea? (Score:5, Interesting)

    by Anonymous Coward on Wednesday March 17, 2004 @03:49PM (#8591220)
When a virus attempts to disable anti-virus and firewalls, there needs to be a better way to keep those programs operational and "clean". What if a virus altered your Norton or McAfee to make it appear as though it is working (and not finding any viruses) when in fact it is not working at all?

    What if anti-virus, firewalls, and other critical software could somehow run in read-only memory space, which would have a physical barrier so that no bugs in software could be exploited to alter this space?

    What if we could "burn" memory space of a program to a CD rom so that a proper working, unaltered anti-virus and firewall could run without fear of being disabled?
    • Re:Idea? (Score:5, Insightful)

      by hawkbug (94280) <psx&fimble,com> on Wednesday March 17, 2004 @03:54PM (#8591285) Homepage
      Sadly, what you're suggesting is what TCPA or whatever the hell the trust computing platform is all about. I'm against the whole movement, because I think we need more secure OS software to begin with, not "trusted memory space" to protect us.
      • Re:Idea? (Score:4, Interesting)

        by bloosqr (33593) on Wednesday March 17, 2004 @04:03PM (#8591387) Homepage
I don't see why, actually. The problem seems to me to be the whole issue of Windows users running as "admin" or "root". If people ran in user-space (or, to be fair to users, if Windows was set up to run easily and normally as a user rather than admin), then no virus could easily affect any anti-virus software running (if you are anal retentive about these things, as Unix tends to be) not as root but as the "antivirus" user.

        I think macos X is a good example of an os that is pretty user friendly that doesn't encourage everyone to run as "admin". In fact there are no (by default) admin/root users, "admin" users are users that have sudo ability, so in a weird way its better than default redhat linux.

        -bloo
    • Re:Idea? (Score:3, Informative)

      by Nevo (690791)
      There's an inherent problem there. Anything you can do to make your program read-only, an administrator can undo.

      So if Joe User gets infected and is running as administrator, the virus can un-write-protect memory and keep going.

      This is a classic offense vs. defense escalation and is the type of problem Rootkits pose as well.
  • by slycer9 (264565) on Wednesday March 17, 2004 @03:49PM (#8591225) Journal
    But I'm getting so tired of these virus 'alerts' constantly bombarding me day in and day out!

    It's as bad as spam! It's EVERYWHERE!!

    I frequent a couple other message boards (damn, I almost said BBS'), and every few days, we get the same ol' thread...'VIRUS ALERT!!!!!!!'

    We live in the information age. The information has been disseminated that Windows users are:

    A) Prone to constant viral and security intrusions.
    B) In desperate need to constantly update their AV software.

The SysAdmins who aren't keeping their servers locked down are another thing entirely...*grumble*

    But really, ABC, NBC, CBS, all these guys have done several stories on system security...EVERYONE's got a nephew that 'knows a lot 'bout dem 'puters'...

    I really don't understand why we're still being subjected to this crap. Virus news isn't news. It's spam.

    (See! A whole post about viruses and I never mentioned the fact that I run OS X and Yellow Dog Linux exclusively!!! Not once have I mentioned that I've never had to worry about a virus at all!!!)

    Yay me.
    • virus news = spam (Score:5, Insightful)

      by erikdotla (609033) on Wednesday March 17, 2004 @04:00PM (#8591359)
      I see where you're coming from here. However, there's other considerations. Some of us must operate Windows boxes, so we must deal with it.

      Obviously the "security-by-news-alert" method of keeping your systems secure is stupid. We must still update our AVs and Spy cleaners and run them regularly. If we do that, we'll get almost every virus and spyware and never have to worry.

But some of us like to know what the virus writers are doing. Trends in the virus business, as they evolve.

      Some of us may have firewalls that we might wish to alter based on major recent virus activity. I'm sure the Blaster variants caused several admins to alter the RPC port configuration of their firewalls.

      Isn't it better to be proactive rather than reacting to a virus-based DOS?

      I agree, of course, that people shouldn't email their buddies "OMG VIRUS ALERT!!!111one!!11" as we are able to keep up on virus news ourselves. We don't need these emails.

      The value of Slashdot posting a breaking story about a virus is early-warning in the event that we're sitting around reading Slashdot instead of doing our jobs and monitoring the other virus news systems. :)
      • by slycer9 (264565)
        You make a lot of good points, and I generally agree with what you've said...however...and no disrespect intended to /.

        But anyone who uses THIS SITE, as their 'early warning virus system', is already in serious trouble.

        There's plenty other sites that specialize in early warning, and they do a far better job than /. does, although /. reports the news far better than they do.

        Specialized tools for specialized jobs.
    • by 2MuchC0ffeeMan (201987) on Wednesday March 17, 2004 @04:01PM (#8591367) Homepage
      Nobody cares about the baghdad blast, or the crappy election that is going nowhere

      it's a slow news day, what do you expect?
  • Grr... (Score:5, Insightful)

    by MalaclypseTheYounger (726934) on Wednesday March 17, 2004 @03:49PM (#8591226) Journal
    Just once, JUST ONCE, I'd like our knee-jerking media to actually provide details to the public on how to combat a virus, or trojan horse, or whatever, in the text of their article. I understand the unwashed masses read Yahoo News and Washington Post, but maybe if we started to inform the public on how to find out if you're infected, and how to remove the offending virus, more people would actually check to see if they are infected, and might re-think their surfing & downloading habits.

I understand the average user can't use Registry Editor, but maybe provide a simple link or website to get a tool to remove the Phatbot thingamajig. /end rant

    Happy St. Paddy's Day everyone, btw.

    • From the LURHQ alert (Score:5, Informative)

      by burgburgburg (574866) <splisken06@email . c om> on Wednesday March 17, 2004 @04:26PM (#8591625)
      Google cache [216.239.39.104]:

      Manual Removal
      Look for the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Generic Service Process
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Generic Service Process

      The associated binary may be srvhost.exe, svrhost.exe or a variation of the same. Kill the associated process in the Task Manager, then remove the "Generic Service Process" registry key. Remove the executable from the Windows system directory.

      Snort Signatures
      Here are some Snort signatures to detect Phatbot on a network:

      alert tcp any any -> any any (msg:"Agobot/Phatbot Infection Successful"; flow:established; content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|"; dsize:40; classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; sid:1000075; rev:1;)

      alert tcp any any -> any any (msg:"Phatbot P2P Control Connection"; flow:established; content:"Wonk-"; content:"|00|#waste|00|"; within:15; classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; sid:1000076; rev:1;)

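The two Snort rules in the post above match on the FTP goodbye banner from the feature list ("221 Goodbye, have a good infection :).") and on the WASTE-style P2P handshake. As an added example that is not part of the thread or of LURHQ's own tooling, here is a small Python re-implementation of just the rule options those two signatures use (content with |hex| escapes, within, dsize), run over constructed payloads. The sample payloads, and in particular the bytes after "Wonk-", are made up for the example; only the rule bodies themselves come from the post. Real Snort additionally checks flow state and direction, which is out of scope here.

```python
# Added example, not from the thread or from LURHQ: a minimal matcher for the
# two Snort rule bodies quoted above, applied to constructed TCP payloads.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string ('foo |3a 29|') into raw bytes.
    Text outside |...| is literal; inside the bars is space-separated hex."""
    out = bytearray()
    for literal, hexpart in re.findall(r"([^|]*)(?:\|([^|]*)\|)?", spec):
        out += literal.encode("latin-1")
        if hexpart:
            out += bytes.fromhex(hexpart)
    return bytes(out)


@dataclass
class Rule:
    msg: str
    contents: List[Tuple[bytes, Optional[int]]]  # (pattern, within or None)
    dsize: Optional[int] = None                   # exact payload length, if set


# The two rule bodies from the LURHQ alert, transcribed into this structure.
RULES = [
    Rule("Agobot/Phatbot Infection Successful",
         [(parse_content("221 Goodbye, have a good infection |3a 29 2e 0d 0a|"), None)],
         dsize=40),
    Rule("Phatbot P2P Control Connection",
         [(parse_content("Wonk-"), None),
          (parse_content("|00|#waste|00|"), 15)]),
]


def match_rule(rule: Rule, payload: bytes) -> bool:
    """dsize: payload must be exactly that long. content: found anywhere.
    content + within:N: must be found inside the N bytes that follow the
    end of the previous content match."""
    if rule.dsize is not None and len(payload) != rule.dsize:
        return False
    end = 0
    for pattern, within in rule.contents:
        if within is None:
            idx = payload.find(pattern)
        else:
            rel = payload[end:end + within].find(pattern)
            idx = end + rel if rel >= 0 else -1
        if idx < 0:
            return False
        end = idx + len(pattern)
    return True


# Constructed payloads: two that should fire, three that show why the
# dsize and within restrictions matter.
SAMPLES = {
    "ftp_goodbye": b"221 Goodbye, have a good infection :).\r\n",        # exactly 40 bytes
    "p2p_hello":   b"Wonk-\x00#waste\x00\x01\x02",                       # assumed framing
    "ftp_benign":  b"221 Goodbye.\r\n",
    "ftp_padded":  b"221 Goodbye, have a good infection :).\r\nextra",   # 45 bytes: dsize fails
    "p2p_far":     b"Wonk-" + b"X" * 20 + b"\x00#waste\x00",             # marker past within:15
}


def scan(payloads=SAMPLES):
    """Return (sample name, rule msg) for every rule that fires."""
    return [(name, r.msg) for name, data in payloads.items()
            for r in RULES if match_rule(r, data)]


if __name__ == "__main__":
    for name, msg in scan():
        print(f"{name}: {msg}")
```

Note the dsize:40 on the first rule: the banner plus ":).\r\n" is exactly 40 bytes, so a variant that appends anything to the goodbye line slips past that signature even though the content string still matches.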
  • paypal? (Score:5, Insightful)

    by 2MuchC0ffeeMan (201987) on Wednesday March 17, 2004 @03:50PM (#8591229) Homepage
    Joe Stewart, a researcher at the Chicago-based security firm Lurhq, has catalogued Phatbot's many capabilities in an online posting. Those capabilities include: the "ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system"; "steal AOL account logins and passwords"; "harvest emails from the web for spam purposes" and "sniff [Internet] network traffic for Paypal cookies."

    aol, go for it... emails from the web are already public, go for it... paypal cookies? now that's just plain wrong, the feds are going to love that one.
  • by phoneboy (11009) <dwelch.phoneboy@com> on Wednesday March 17, 2004 @03:50PM (#8591243) Homepage
I can't find the gory details of backdooring a computer. Oh well, I guess I'll have to settle for the more traditional form of pr0n.

    -- PhoneBoy
  • by Savatte (111615) on Wednesday March 17, 2004 @03:52PM (#8591263) Homepage Journal
    PhatBot Trojan would be a good name for a hip-hop group?
  • Spammer-Sponsored (Score:5, Insightful)

    by fembots (753724) on Wednesday March 17, 2004 @03:53PM (#8591276) Homepage
It's hard to believe these kinds of trojans are not in any way related to spammers.

    Just take a look at the feature list, it probably has more bells and whistles than most of the software out there.

    Is there a way to trace back the master of these trojans and do something about it? Surely these trojans need to do something for their masters at some stage, probably waiting for commands somewhere.
    • by arbitrary nickname (325162) on Wednesday March 17, 2004 @04:05PM (#8591408)
      But with all those features, how big is it? if Microsoft wrote something with all those features it'd probably come on 4 CDs.....
  • by nweaver (113078) on Wednesday March 17, 2004 @03:56PM (#8591302) Homepage
    The authors are getting better at designing control networks, but all it will take is one grayhat with an infected node to watch a command being executed and use that information to take out the entire botnet.

    Too bad it would be both grossly illegal and probably disruptive, because it would be a great favor to the rest of the net, to counter these botnets and squish-them into oblivion (at least this generation, until the attackers learn how to do authentication of commands correctly).
  • by DR SoB (749180) on Wednesday March 17, 2004 @03:59PM (#8591334) Journal
    This is also known as the "Agobot"

http://news.yahoo.com/fc?tmpl=fc&cid=34&in=tech&cat=hackers_and_crackers

    http://www.f-secure.com/v-descs/agobot_fo.shtml

    Detailed Description

First of all, this new variant has a 'Phatbot3' identifier and there are a few 'phat' strings in its body. This may indicate that this version was not made by the original Agobot backdoor author, who calls himself TheAgo, but by a different person/group who got the source code of this backdoor.

    The backdoor's file is a PE executable 115738 bytes long compressed with PE-Diminisher file compressor. The unpacked file's size is over 245 kilobytes.

    Installation to system

    The Agobot.FO backdoor copies itself as NVCHIP4.EXE file to Windows System folder and creates startup keys for this file in System Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"nVidia Chip4" = "nvchip4.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"nVidia Chip4" = "nvchip4.exe"

    This allows the backdoor's file to start with every Windows session. On Windows NT-based systems the backdoor can start as a service.
    Scanning for vulnerable computers

    The backdoor can scan subnets for exploitable computers and send a list of their IPs to the bot operator. The scan is performed on ports 80, 135 and 445 for RPC/DCOM (MS03-026), RPC/Locator (MS03-001) and WebDAV (MS03-007) vulnerabilities. The backdoor can also scan for computers infected with MyDoom worm (port 3127), Bagle worm (port 2745) and also for computers where DameWare remote system management software is installed (port 6129).

    Performing a DDoS attack
    The backdoor can perform the following types of DDoS (Distributed Denial of Service) attacks:
    * HTTP flood * SYN flood * UDP flood * ICMP flood
    When performing a DDoS attack, the backdoor uses 33 unique client identifiers including Mozilla, Wget, Scooter, Webcrawler and Google bot.

    The backdoor sends 256000 bytes of random data to the following websites and checks the response times:
    www.schlund.net
    www.utwente.nl
    www.xo.net
    www.stanford.edu
    www.lib.nthu.edu.tw
    www.st.lib.keio.ac.jp

    Collecting e-mail addresses
    The bot can harvest e-mail addresses. It has the functionality to read user's Address Book and send the list of e-mail addresses to the bot operator.

Obtaining Registry info
    The backdoor has the functionality to obtain System Registry info from an infected computer. This is a new feature for Agobot backdoor. Information obtained from the Registry can give a hacker a full overview of an infected system.

    Spreading to local network
Agobot backdoor can scan computers on the local network and copy itself there. The scan is initiated by a remote hacker. When spreading to the local network, Agobot.FO probes the following shares:
    admin$ c$ d$ e$ print$ c

    Agobot.FO tries to connect using the following account names:
    (SEE LINKS AT TOP FOR INFORMATION)

    When connecting, Agobot.FO uses the following passwords:
    (SEE LINKS AT TOP FOR DETAILS)

    If the worm succeeds connecting to the above listed shares, it copies itself to a remote share and attempts to start that file as a service. The alternative way of infecting a remote host is to create a scheduled task on a remote computer that will start the backdoor's file.

Terminating processes of security and anti-virus programs
    Agobot.FO has a huge list of process file names hardcoded in its body. The backdoor tries to terminate processes that have the following names:
    (NAMES REMOVED SO POST WOULD WORK, FOLLOW LINKS AT TOP)

This functionality allows the backdoor to successfully disable anti-virus and security software that cannot detect this backdoor before its file is started. In most cases special tools are required to clean a computer infected with this backdoor.

    Additionally the
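The F-Secure description above gives two network behaviours that are easy to look for from the wire side: sweeps of the exploit ports it lists (80, 135, 445 for RPC/DCOM, Locator and WebDAV; 3127 MyDoom; 2745 Bagle; 6129 DameWare) and the 256000-byte bandwidth test against six named websites. As an added example that is neither F-Secure's nor part of the thread, here is a Python detector for both, run over constructed flow records. The one-line flow format, the 10.0.x.x addresses, the timestamps and the thresholds (8 distinct targets, 3 of the 6 sites) are all assumptions for the example; the port numbers and site names are the ones in the description.

```python
# Added example, not from the thread or from F-Secure: flag hosts that sweep
# Agobot.FO's exploit ports or run its bandwidth test, from flow records.
import re
from collections import defaultdict

# Ports the description says the bot probes when scanning for victims.
SPREAD_PORTS = {80, 135, 445, 3127, 2745, 6129}

# The six sites it pushes 256000 bytes of random data to for its bandwidth test.
BANDWIDTH_TEST_SITES = {
    "www.schlund.net", "www.utwente.nl", "www.xo.net",
    "www.stanford.edu", "www.lib.nthu.edu.tw", "www.st.lib.keio.ac.jp",
}

# Assumed flow-log line format: "<ts> <src> -> <dst>:<dport> <proto> bytes=<n>"
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+) bytes=(\d+)$")


def parse_flow(line):
    """Parse one flow line into a dict, or None if it does not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, proto, nbytes = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def find_scanners(flows, min_targets=8):
    """Sources that touched at least min_targets distinct hosts on SPREAD_PORTS.
    Returns {src: number of distinct targets}."""
    targets = defaultdict(set)
    for f in flows:
        if f["dport"] in SPREAD_PORTS:
            targets[f["src"]].add(f["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def find_bandwidth_probes(flows, min_bytes=256000, min_sites=3):
    """Sources that pushed >= min_bytes to at least min_sites of the test sites.
    Returns {src: sorted list of sites hit}."""
    sites = defaultdict(set)
    for f in flows:
        if f["dst"] in BANDWIDTH_TEST_SITES and f["bytes"] >= min_bytes:
            sites[f["src"]].add(f["dst"])
    return {src: sorted(s) for src, s in sites.items() if len(s) >= min_sites}


# Constructed sample: 10.0.0.5 sweeps twelve hosts on 445 and 135 and then runs
# the bandwidth test; 10.0.0.9 is an ordinary workstation; one line is garbage.
SAMPLE_LINES = (
    [f"2004-03-17T15:44:{i:02d} 10.0.0.5 -> 10.0.1.{i}:445 tcp bytes=120" for i in range(1, 13)]
    + [f"2004-03-17T15:45:{i:02d} 10.0.0.5 -> 10.0.1.{i}:135 tcp bytes=96" for i in range(1, 13)]
    + ["2004-03-17T15:46:00 10.0.0.9 -> 10.0.1.20:445 tcp bytes=4096",
       "2004-03-17T15:46:03 10.0.0.9 -> www.stanford.edu:80 tcp bytes=1500",
       "2004-03-17T15:47:00 10.0.0.5 -> www.stanford.edu:80 tcp bytes=256000",
       "2004-03-17T15:47:02 10.0.0.5 -> www.xo.net:80 tcp bytes=256000",
       "2004-03-17T15:47:04 10.0.0.5 -> www.utwente.nl:80 tcp bytes=256000",
       "garbage line that does not parse"]
)


def analyse(lines=SAMPLE_LINES):
    """Run both detectors over the given flow lines, skipping unparseable ones."""
    flows = [f for f in (parse_flow(line) for line in lines) if f]
    return {"scanners": find_scanners(flows),
            "bandwidth_probes": find_bandwidth_probes(flows)}


if __name__ == "__main__":
    print(analyse())
```

The scanner check deliberately counts distinct destinations rather than connection attempts: a single host reconnecting to one file server on 445 is normal, while one source touching a dozen different hosts on 135/445 within minutes is the signature of the subnet scan the description talks about. The site list for the bandwidth test is a weak indicator on its own (the sites are legitimate), which is why the check also requires the 256000-byte upload size and several of the six sites together.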
  • Lucky me (Score:5, Funny)

    by mixtape5 (762922) <hckymanr@yahoo.com> on Wednesday March 17, 2004 @04:00PM (#8591352) Journal
    is installed maliciously on broadband-connected computers...
who knew that dial-up Internet was a form of virus protection? I don't feel so bad anymore!


  • The power of viruses (Score:5, Interesting)

    by mcrbids (148650) on Wednesday March 17, 2004 @04:03PM (#8591386) Journal
    I have a client who sends out an aviation newsletter, with a list size in the tens of thousands. They have their own dedicated mail server, running RH Linux that I set up for them. Email is virus filtered with MailScanner and f-prot.

    No complaints for months. And then, I add a new account to the mail server and restart sendmail.

    Within a few hours, I got complaints that the volume of email had at least tripled, and that *all* of the increase were viruses, being caught by McAfee! So bad it was difficult to simply empty out the inbox from all the popup notices of virus detection!

    Turns out when I restarted sendmail, I didn't restart MailScanner, so it was not running, letting everything through.

    Very sobering, to realize how bad viruses online have gotten...
  • nowhere to run (Score:4, Interesting)

    by segment (695309) <sil@NOSpam.politrix.org> on Wednesday March 17, 2004 @04:06PM (#8591424) Homepage Journal

    NANOG [merit.edu] this past week has had to deal with "h4r 3y3 j4m an 3fnet p4ck3tm0nk3y" bs. What I don't understand is how some people download and install something without checking exactly what it is. Look at the spyware situation: "Click here for a free weather clock" It should be obvious that there is no such thing as free. Everything has some form of price. What I find most alarming, is that most corporations - Symantec, Network Associates, and the major Windows based antivirus makers including Microsoft who has not got their act together - unleash errata of mass destruction. "Buy this patch/firewall/antivirus foo foo foo product to protect you now!" Why not release some Macromedia Flash like tutorial along with their products to educate users about the dangers of downloading unnecessary 'tools/products/virtuagirls/etc' and how to protect themselves from these things... I'm willing to bet if some company did something like this, most of these annoyances would drop big time
  • Mirror (Score:5, Informative)

    by httptech (5553) on Wednesday March 17, 2004 @04:08PM (#8591450) Homepage
    Here's a mirror of my analysis:

    http://www.joestewart.org/phatbot.html [joestewart.org]

    -Joe

  • Interesting that (Score:4, Interesting)

    by Doofus (43075) on Wednesday March 17, 2004 @04:15PM (#8591513)
    I find it interesting that I submitted this story shortly after 0900 EST in an effort to get the word out to /. readers, but it was rejected.

    Was I wrong to consider using /. as an effective way to communicate issues like this to the technical community, or am I just bitching because my story was rejected?

    Good luck everyone out there who should be checking/cleaning your systems -

    • by LinuxParanoid (64467) * on Wednesday March 17, 2004 @06:19PM (#8592873) Homepage Journal
      I've never had a story accepted either, and on a number of occasions I've submitted stories hours, days or weeks before the topic appeared on Slashdot. It's pretty common; I wouldn't make anything out of it. It's quite possible that someone submitted the story before you did even earlier in the morning and the editors put that one in the queue to go up at 2:43PM. They pre-schedule the various stories that go up hours (and sometimes even days?) in advance. Or perhaps they decided it was a worthy story after they saw the 27th submission of it.

      I realized one day that we could essentially have a user-contributed, user-moderated article queue of sorts using the journaling system here. I've dedicated my journal [slashdot.org] to it. I haven't figured out how to draw larger traffic to it without making this a part-time job, but you're welcome to contribute to it and I welcome suggestions.

      --LP
  • On the Positive Side (Score:4, Interesting)

    by Doesn't_Comment_Code (692510) on Wednesday March 17, 2004 @04:15PM (#8591517)
    On the positive side, it looks like this thing whacks any competing virus it finds on your computer. So if you have a bunch of sneaky little programs on your computer, all you have to do is "install" this program, then remove it. It's like letting a wild cat loose in a house full of mice, then catching the cat.
  • by leereyno (32197) on Wednesday March 17, 2004 @04:17PM (#8591534) Homepage Journal
    How about a virus that does nothing but try to spread as far and wide as possible without doing anything malicious. Then, after a pre-determined amount of time it would announce its presence to the luser and provide both instructions for its removal and common sense advice on how to avoid being infected by viri in the first place.

    Viruses spread due to stupidity, ignorance, and laziness on the part of users. A virus like this MIGHT help with the ignorance part.

    Now please don't think I'm advising anyone to go out and write such a thing, I'm only saying that I think the idea would be interesting.

    I think it would also be interesting to hunt down the creators of malicious viruses and have them drawn and quartered, preferably on live TV. Next their parents should be beat within an inch of their lives for not raising them right in the first place.

    Lee
    • How about a virus that does nothing but try to spread as far and wide as possible without doing anything malicious. Then, after a pre-determined amount of time it would announce its presence to the luser and provide both instructions for its removal and common sense advice on how to avoid being infected by viri in the first place.

      Interesting, yes. But, unfortunately, its delivery to the user wouldn't differ significantly from the endless popups proclaiming "Your PC is broadcasting its address!!!!" Very
    • by Lumpy (12016) on Wednesday March 17, 2004 @05:06PM (#8592024) Homepage
      been there done that..

      I wrote an email "virus" that simply made everyone think their hard drive was being erased and then emailed it to all my users here at work and waited for the calls.. even after the "scare" I sent a second "virus" that silently wrote the username of the person that opened it to a file on the server... guess what... the damned sheep still did everything as normal...

      you can't educate most people. once they have a "way" of doing something it's like pulling teeth to get them to change...

      hell we had people bitch for 2 months about the change in the color of the office pencil supply.
  • by LittleLebowskiUrbanA (619114) on Wednesday March 17, 2004 @04:18PM (#8591544) Homepage Journal
    Maybe they got the name from Fatbot on Futurama episodes Mars U and Crimes of the Hot.
  • by AndroidCat (229562) on Wednesday March 17, 2004 @04:21PM (#8591572) Homepage
    [..] said a cyber-security official at the Department of Homeland Security who asked not be identified because the agency is still considering whether to issue a more public alert about Phatbot.
    Umm, what? Why is it that every five-cent functionary asks not to be identified these days, when nobody gave a damn who they were in the first place? If they issue a more public alert, will they identify him?
  • Suspicious... (Score:4, Interesting)

    by Phisbut (761268) on Wednesday March 17, 2004 @04:22PM (#8591585)
    A quick search on McAfee and Symantec websites yielded no result for "phatbot" on Symantec, and an 18-month-old virus on McAfee...

    If the US government is announcing this publicly, and the virus has already infected "hundreds of thousands of computers already", wouldn't the anti-virus companies *know* that?!?
    • Re:Suspicious... (Score:5, Informative)

      by httptech (5553) on Wednesday March 17, 2004 @04:44PM (#8591809) Homepage
      Some AV companies consider this a variant of Agobot/Gaobot, since it shares a lot of the same code base. Which is funny, because when I analyzed Doomjuice and called it "MyDoom.C", they all said it was too different to be called a MyDoom variant (even though it was the same code with functionality removed).

      I consider the addition of the WASTE code and removal of the IRC code to be significant enough to call this by a new name. Not to mention all the other added features that are not part of the Agobot code.

      -Joe
  • The good 'ol days (Score:4, Insightful)

    by Ibanez (37490) on Wednesday March 17, 2004 @04:26PM (#8591622)
    What the hell happened to them? You know, when you used to download a program off of FTP or Firstclass, forgot to scan it for viruses, installed it, had your harddrive wiped clean. And then you had to reinstall from your backup floppies, and had no one to blame but your own stupid self?

    Now it's not your fault, and it hurts you as well as everyone else!
  • by Anubis333 (103791) on Wednesday March 17, 2004 @04:27PM (#8591639) Homepage

    Here is a problem I had never thought about with open source initiatives. What happens when someone steals your source without obeying GPL or anything and turns it into a monster? It would have been *MUCH* harder for the PhatBot authors to code their own Waste-like [slashdot.org] clustering P2P system. Perhaps they might not have even been able to do so. Instead they grab an open source app and use it to create something illegal, and in this case even dangerous.

    These are the same problems faced in the emulation field. Many open source emu programmers do not allow any game from the past 2-3 years to be played, mainly to appease the corporations that still make arcade titles (SNK etc). But people open up their source and release renegade versions of their own apps without their permission and in violation of GPL and everything, often packaging them with illegal arcade ROMs.
    • Here is a problem I had never thought about with open source initiatives. What happens when someone steals your source without obeying GPL or anything and turns it into a monster? It would have been *MUCH* harder for the PhatBot authors to code their own Waste-like clustering P2P system.

      The same thing you do when someone buys a hammer and then uses it to kill someone. You just deal with it.
      Once you distribute something, be it a physical object like a hammer, or source code, you lose a certain amount of
    • What happens when someone steals your source without obeying GPL or anything and turns it into a monster?

      That's what Dr. Frankenstein said when he took the corpses for his creature. But he showed them, didn't he! They all thought he was crazy! Bbbut whooss teH CRzy onE now, HAH? You fooLS, YOU ALL LAUGHED, BUT IL HAV THE LAAST LAUHG!

      MWAHAHAHAHAHA!
  • Uh oh! (Score:3, Funny)

    by cgreuter (82182) on Wednesday March 17, 2004 @04:57PM (#8591923)

    They use GPL'd code from WASTE but haven't released the whole source code! They're in a world of legal hurt now.

  • possible hoax? (Score:4, Interesting)

    by KaiserZoze_860 (714450) on Wednesday March 17, 2004 @05:15PM (#8592106) Homepage
    Hi Everyone

    As many people have pointed out there is an utter lack of response by the top three anti-virus companies to this threat. I find this disturbing and also, unlikely. Why would the Department of Homeland Defense have better intelligence on a clearly US based threat (Phat is not an international phrase by any means) than the people who make their livelihood based on threat detection and elimination?

    This has to me the markings of a hoax. The list of *features* as one poster put it is indeed staggering. That, coupled with the silence coming from Symantec, McAfee et al. makes it look fishy. A google search shows one recent post and a bunch of older hits (possibly the same as in the McAfee search).

    So that leaves me with 3 questions:
    1 - Is it real
    2 - How do we detect it
    3 - How do we kill it.

    --KS
    • Re:possible hoax? (Score:4, Informative)

      by httptech (5553) on Wednesday March 17, 2004 @09:28PM (#8594597) Homepage
      This has to me the markings of a hoax.

      It's not. I spent several hours analyzing it. You can connect to the Gnutella cache servers and see Phatbot clients registered using port 4387. You can portscan the infected hosts, find the mini-ftp server it runs and download the code yourself if you need tangible proof.

      The list of *features* as one poster put it is indeed staggering.

      Most of these features are part of Agobot. Yet no one disputes its existence.

      That, coupled with the silence coming from Symantec, McAfee et al. makes it look fishy.

      They're not silent - to them this is just another Agobot variant, one of dozens released in the last few months. And they are not making a big deal about it because it really isn't that much of a threat. If you're running Windows with the latest patches and aren't infected with MyDoom or a Dameware backdoor and aren't using weakly passworded shares, you have nothing to worry about from this trojan.

      So that leaves me with 3 questions:
      1 - Is it real

      Yes.

      2 - How do we detect it

      With just about any AntiVirus solution.

      3 - How do we kill it.

      In terms of killing it from one machine: disinfect manually or use a tool from the AV companies. In terms of killing the entire network, you would need to reprogram the Gnutella cache servers it uses to detect and refuse connections from the Phatbots.

      -Joe
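As an added example (not code from the page, from the F-Secure write-up quoted above, or from any poster): the spreading method described in that write-up and Joe's point about weakly passworded shares come down to the same host-side pattern, a network logon to an administrative share followed shortly by a new service or scheduled task on that host. The Python below flags that pattern over a few constructed log lines. The line format, host names, file paths and the 120-second window are assumptions made for the demonstration, and the event IDs are the modern Windows ones rather than the 2004-era ones.

```python
"""Detection logic for the lateral-movement pattern quoted above: a network
logon to an administrative share on a host, followed within a short window
by a new service or scheduled task on that same host.

This is an added example, not code from the page, from F-Secure or from any
poster. The log line format and the sample events below are constructed for
the demonstration; the event IDs are the modern Windows ones (Security 4624 =
logon, System 7045 = service installed, Security 4698 = scheduled task
created). Adapt parse_line() to your own collector's format.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
#   <ISO timestamp> <host> <channel> <event id> key=value key=value ...
# WKS-01: local logon and a normal service start (benign)
# WKS-02: remote ADMIN$ logon, then a new service 11 seconds later (suspicious)
# WKS-03: remote C$ logon, then a new scheduled task 20 seconds later (suspicious)
# WKS-04: remote C$ logon, then a service 40 minutes later (outside the window)
SAMPLE_LOG = r"""
2004-03-17T15:40:01 WKS-01 Security 4624 LogonType=2 Account=alice Source=-
2004-03-17T15:40:09 WKS-01 System 7045 Service=Spooler ImagePath=C:\WINDOWS\system32\spoolsv.exe
2004-03-17T15:52:30 WKS-02 Security 4624 LogonType=3 Account=Administrator Source=10.0.0.77 Share=ADMIN$
2004-03-17T15:52:41 WKS-02 System 7045 Service=sysupd32 ImagePath=C:\WINDOWS\system32\sysupd32.exe
2004-03-17T16:05:00 WKS-03 Security 4624 LogonType=3 Account=Administrator Source=10.0.0.77 Share=C$
2004-03-17T16:05:20 WKS-03 Security 4698 TaskName=\UpdateCheck Command=C:\WINDOWS\svchost32.exe
2004-03-17T16:30:00 WKS-04 Security 4624 LogonType=3 Account=backup_svc Source=10.0.0.5 Share=C$
2004-03-17T17:10:00 WKS-04 System 7045 Service=BackupAgent ImagePath=C:\Program Files\Backup\agent.exe
"""

# How long after a remote logon a new service/task is still tied to that logon
WINDOW = timedelta(seconds=120)

# The two "something new will run on this host" events we care about
KIND_BY_EVENT = {7045: "service", 4698: "scheduled task"}


def parse_line(line):
    """Split one constructed log line into fixed columns plus its k=v fields."""
    ts, host, channel, event_id, rest = line.split(" ", 4)
    # Values may contain spaces (e.g. C:\Program Files\...), so a value runs
    # until the next " key=" token or the end of the line.
    fields = dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", rest))
    return {"time": datetime.fromisoformat(ts), "host": host,
            "channel": channel, "event_id": int(event_id), **fields}


def detect_lateral_movement(lines, window=WINDOW):
    """Return one alert per service/task created on a host within `window`
    of a network (LogonType 3) logon to that same host."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["time"])
    remote_logons = {}  # host -> remote logon events seen so far
    alerts = []
    for ev in events:
        if ev["event_id"] == 4624 and ev.get("LogonType") == "3":
            remote_logons.setdefault(ev["host"], []).append(ev)
        elif ev["event_id"] in KIND_BY_EVENT:
            for logon in remote_logons.get(ev["host"], []):
                delay = ev["time"] - logon["time"]
                if timedelta(0) <= delay <= window:
                    alerts.append({
                        "host": ev["host"],
                        "kind": KIND_BY_EVENT[ev["event_id"]],
                        "name": ev.get("Service") or ev.get("TaskName"),
                        "path": ev.get("ImagePath") or ev.get("Command"),
                        "source": logon.get("Source"),
                        "account": logon.get("Account"),
                        "share": logon.get("Share"),
                        "delay_s": int(delay.total_seconds()),
                    })
    return alerts


if __name__ == "__main__":
    for a in detect_lateral_movement(SAMPLE_LOG.strip().splitlines()):
        print(f"{a['host']}: new {a['kind']} {a['name']!r} ({a['path']}) "
              f"{a['delay_s']}s after {a['account']}@{a['source']} opened {a['share']}")
```

Run as-is it reports WKS-02 and WKS-03 and stays quiet on the local logon and on the backup agent installed 40 minutes after its logon. The correlation keys on the logon, not on the service name, which is the point: a bot that copies itself under an arbitrary file name still has to log on to the share first.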

  • by groomed (202061) on Wednesday March 17, 2004 @05:58PM (#8592629)
    Well, I suppose it's a lost cause (as with the "hacker" term), but it can't hurt to point out that it really doesn't make much sense to call this program a "trojan".

    The article suggests that this is a "trojan" because it lets attackers stealthily take control of your computer. But that was not what was remarkable about the historical Trojan horse. What was remarkable about it is that it was presented as a gift. The distinguishing characteristic of a trojan is that it has a friendly outward appearance but contains a deadly payload. That's certainly not the case with Phatbot.

    Rather, I'd say that Phatbot is a virus, because a) it is malicious and b) it doesn't rely on deception to spread itself. This is, again, subtly different from a worm, which generally aren't malicious, just annoying.

    Of course it's water under the bridge at this point.
