
PhatBot Trojan Spreading Rapidly On Windows PCs

prostoalex writes "The Washington Post alerts Windows users about a new peer-to-peer backdoor client that is installed maliciously on broadband-connected computers around Asia and the United States. The client is then used for distributed DOS attacks and sending out large amounts of spam. Phatbot, according to government sources, is installed on hundreds of thousands of machines already. Phatbot snoops for passwords on infected computers and tries to disable firewall and antivirus software, albeit it is detectable by antivirus packages." An anonymous reader submits a link to this description of the beast.
  • by slycer9 ( 264565 ) on Wednesday March 17, 2004 @03:49PM (#8591225) Journal
    But I'm getting so tired of these virus 'alerts' constantly bombarding me day in and day out!

    It's as bad as spam! It's EVERYWHERE!!

    I frequent a couple other message boards (damn, I almost said BBS'), and every few days, we get the same ol' thread...'VIRUS ALERT!!!!!!!'

    We live in the information age. The information has been disseminated that Windows users are:

    A) Prone to constant viral and security intrusions.
    B) In desperate need to constantly update their AV software.

    The SysAdmins who aren't keeping their servers locked down is another thing entirely...*grumble*

    But really, ABC, NBC, CBS, all these guys have done several stories on system security...EVERYONE's got a nephew that 'knows a lot 'bout dem 'puters'...

    I really don't understand why we're still being subjected to this crap. Virus news isn't news. It's spam.

    (See! A whole post about viruses and I never mentioned the fact that I run OS X and Yellow Dog Linux exclusively!!! Not once have I mentioned that I've never had to worry about a virus at all!!!)

    Yay me.
  • Grr... (Score:5, Insightful)

    by MalaclypseTheYounger ( 726934 ) on Wednesday March 17, 2004 @03:49PM (#8591226) Journal
    Just once, JUST ONCE, I'd like our knee-jerking media to actually provide details to the public on how to combat a virus, or trojan horse, or whatever, in the text of their article. I understand the unwashed masses read Yahoo News and Washington Post, but maybe if we started to inform the public on how to find out if you're infected, and how to remove the offending virus, more people would actually check to see if they are infected, and might re-think their surfing & downloading habits.

    I understand the average user can't use Registry Editor, but maybe provide a simple link or website to get a tool to remove the Phatbot thing a ma jig. /end rant

    Happy St. Paddy's Day everyone, btw.

  • paypal? (Score:5, Insightful)

    by 2MuchC0ffeeMan ( 201987 ) on Wednesday March 17, 2004 @03:50PM (#8591229) Homepage
    Joe Stewart, a researcher at the Chicago-based security firm Lurhq, has catalogued Phatbot's many capabilities in an online posting. Those capabilities include: the "ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system"; "steal AOL account logins and passwords"; "harvest emails from the web for spam purposes" and "sniff [Internet] network traffic for Paypal cookies."

    aol, go for it... emails from the web are already public, go for it... paypal cookies? now that's just plain wrong, the feds are going to love that one.
  • Spammer-Sponsored (Score:5, Insightful)

    by fembots ( 753724 ) on Wednesday March 17, 2004 @03:53PM (#8591276) Homepage
    It's hard to believe these kind of trojans are not in any way related to spammers.

    Just take a look at the feature list, it probably has more bells and whistles than most of the software out there.

    Is there a way to trace back the master of these trojans and do something about it? Surely these trojans need to do something for their masters at some stage, probably waiting for commands somewhere.
  • Re:Idea? (Score:5, Insightful)

    by hawkbug ( 94280 ) <psxNO@SPAMfimble.com> on Wednesday March 17, 2004 @03:54PM (#8591285) Homepage
    Sadly, what you're suggesting is what TCPA or whatever the hell the trust computing platform is all about. I'm against the whole movement, because I think we need more secure OS software to begin with, not "trusted memory space" to protect us.
  • by schatten ( 163083 ) on Wednesday March 17, 2004 @03:55PM (#8591294) Homepage Journal
    Did you just start receiving emails last week?

    Apparently, your name and his name are in the address book, or in an email of an infected computer's system. That system spoofs the From: address, and sends it To: someone else in there. Sometimes you will receive it from friends that do not have it, other times you'll get a kickback saying undeliverable due to a virus that you sent. But... you didn't send it. Instead, you were spoofed as the From: address and the To: was unreachable, thus bouncing back to you.

    Hope this helps.
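
The bounce scenario described in the comment above, as an added example that is not part of the original thread: a triage check that reads a delivery-status notification and decides whether the message it complains about was really sent by your own mail system. The domain names, the `OUR_MESSAGE_ID_DOMAINS` set and the sample bounce are assumptions constructed for illustration.

```python
import email
from email import policy

# Assumption: every message our own servers send carries a Message-ID whose
# domain is listed here. A careful spoofer could imitate it, so the verdict
# is triage input, not proof.
OUR_MESSAGE_ID_DOMAINS = {"mail.example.org"}

# Constructed bounce (DSN) for illustration; not taken from the thread.
# {ctype} selects how the rejecting server attached the original message,
# {msgid} is the Message-ID of the message that was rejected.
BOUNCE_TEMPLATE = """\
From: MAILER-DAEMON@mx.example.net
To: alice@example.org
Subject: Undeliverable: virus detected in your message
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message was rejected because it contained a virus.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; bob@example.net
Action: failed
Status: 5.7.1

--b1
Content-Type: {ctype}

From: alice@example.org
To: bob@example.net
Message-ID: <{msgid}>
Subject: hi

--b1--
"""

# A bounce for mail we really sent, and one for mail a worm sent in our name.
GENUINE_BOUNCE = BOUNCE_TEMPLATE.format(
    ctype="text/rfc822-headers", msgid="20040317.0001@mail.example.org")
SPOOFED_BOUNCE = BOUNCE_TEMPLATE.format(
    ctype="message/rfc822", msgid="worm-123@infected-pc.example.com")
ORDINARY_MAIL = "From: carol@example.net\nSubject: lunch\n\nNoon?\n"


def embedded_headers(bounce):
    """Return the headers of the original message quoted in the bounce."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            # The parser has already turned the attachment into a message.
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            # Headers only, carried as text: parse them separately.
            return email.message_from_string(part.get_content(),
                                             policy=policy.default)
    return None


def classify_bounce(raw_text):
    """Return 'genuine', 'backscatter', 'unverifiable' or 'not-a-dsn'."""
    bounce = email.message_from_string(raw_text, policy=policy.default)
    if (bounce.get_content_type() != "multipart/report"
            or bounce.get_param("report-type") != "delivery-status"):
        return "not-a-dsn"
    original = embedded_headers(bounce)
    msgid = original["Message-ID"] if original is not None else None
    if not msgid:
        return "unverifiable"
    # The From: line of the original is exactly what the worm forges, so it
    # is ignored; only the Message-ID domain is compared.
    domain = str(msgid).strip().strip("<>").rpartition("@")[2].lower()
    return "genuine" if domain in OUR_MESSAGE_ID_DOMAINS else "backscatter"


if __name__ == "__main__":
    for name, text in [("genuine", GENUINE_BOUNCE),
                       ("spoofed", SPOOFED_BOUNCE),
                       ("ordinary", ORDINARY_MAIL)]:
        print(name, "->", classify_bounce(text))
```

A "backscatter" verdict means the infected machine is someone else's and your own address was only forged as the sender.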
  • by nweaver ( 113078 ) on Wednesday March 17, 2004 @03:56PM (#8591302) Homepage
    The authors are getting better at designing control networks, but all it will take is one grayhat with an infected node to watch a command being executed and use that information to take out the entire botnet.

    Too bad it would be both grossly illegal and probably disruptive, because it would be a great favor to the rest of the net, to counter these botnets and squish them into oblivion (at least this generation, until the attackers learn how to do authentication of commands correctly).
  • Re:Jesus. (Score:4, Insightful)

    by rritterson ( 588983 ) * on Wednesday March 17, 2004 @03:57PM (#8591315)
    No it doesn't. WTH are you talking about? All it merely does is combine attacks against all known security flaws into a single package. It is also a trojan horse meaning that it uses user idiocy to get itself installed.

    Hmm... I suppose user idiocy is a flaw that Windows has that Linux doesn't.

    Okay, I see your point.
  • by Platinum Dragon ( 34829 ) on Wednesday March 17, 2004 @04:00PM (#8591358) Journal
    Granted, I don't think it would spread very well.

    Just code it to kill the connection after, say, fifty successful infections.

    You know what the real innovation would be, though? Writing an OS so that one process can't stomp on other processes it doesn't have permission to. It would also be nice to write something where worms couldn't just land on the system as executable files by default and scripts that do things like install other programs and do stuff without the user's knowledge can't be automatically run by a freaking e-mail program. Gee, too bad there's nothing around like that...
  • virus news = spam (Score:5, Insightful)

    by erikdotla ( 609033 ) on Wednesday March 17, 2004 @04:00PM (#8591359)
    I see where you're coming from here. However, there's other considerations. Some of us must operate Windows boxes, so we must deal with it.

    Obviously the "security-by-news-alert" method of keeping your systems secure is stupid. We must still update our AVs and Spy cleaners and run them regularly. If we do that, we'll get almost every virus and spyware and never have to worry.

    But some of us like to know what the virus writers are doing. Trends in the virus business, as they evolve.

    Some of us may have firewalls that we might wish to alter based on major recent virus activity. I'm sure the Blaster variants caused several admins to alter the RPC port configuration of their firewalls.

    Isn't it better to be proactive rather than reacting to a virus-based DOS?

    I agree, of course, that people shouldn't email their buddies "OMG VIRUS ALERT!!!111one!!11" as we are able to keep up on virus news ourselves. We don't need these emails.

    The value of Slashdot posting a breaking story about a virus is early-warning in the event that we're sitting around reading Slashdot instead of doing our jobs and monitoring the other virus news systems. :)
  • by slycer9 ( 264565 ) on Wednesday March 17, 2004 @04:03PM (#8591392) Journal
    You make a lot of good points, and I generally agree with what you've said...however...and no disrespect intended to /.

    But anyone who uses THIS SITE, as their 'early warning virus system', is already in serious trouble.

    There's plenty other sites that specialize in early warning, and they do a far better job than /. does, although /. reports the news far better than they do.

    Specialized tools for specialized jobs.
  • Re:paypal? (Score:3, Insightful)

    by NineNine ( 235196 ) on Wednesday March 17, 2004 @04:04PM (#8591401)
    Anyone using Paypal deserves what they get. They're a fake bank, operating under the pretense that they are a bank. They have a terrible business history, to boot. Why anyone in their right mind would use them is beyond me.
  • by Joe U ( 443617 ) on Wednesday March 17, 2004 @04:06PM (#8591419) Homepage Journal
    Writing an OS so that one process can't stomp on other processes it doesn't have permission to.

    I agree 100%. The windows developer community needs to totally and outright kill 95/98/Me support, and start using the built in security in 2000/XP.

    Having absolutely everything running as an administrator is a huge mistake.
  • by djdavetrouble ( 442175 ) on Wednesday March 17, 2004 @04:07PM (#8591439) Homepage
    It doesn't matter how many alerts come out as long as there is one idiot on the LAN that clicks the email attachment.
  • The good 'ol days (Score:4, Insightful)

    by Ibanez ( 37490 ) on Wednesday March 17, 2004 @04:26PM (#8591622)
    What the hell happened to them? You know, when you used to download a program off of FTP or Firstclass, forgot to scan it for viruses, installed it, had your harddrive wiped clean. And then you had to reinstall from your backup floppies, and had no one to blame but your own stupid self?

    Now it's not your fault, and it hurts you as well as everyone else!
  • by Anonymous Coward on Wednesday March 17, 2004 @04:26PM (#8591629)
    "A whole post about viruses and I never mentioned the fact that I run OS X and Yellow Dog Linux exclusively!!! Not once have I mentioned that I've never had to worry about a virus at all!!!"

    Eventually, you will have to deal with worms/trojans/viruses. It's just a matter of time before Linux and OSX reach that critical mass where the malware authors decide it's ripe enough to harvest. Don't fall into the mistaken belief that you are utterly immune, because you are not. No OS is perfectly secure.
  • by rixstep ( 611236 ) on Wednesday March 17, 2004 @04:29PM (#8591663) Homepage
    They really only seem to hurt people who are already pretty ignorant

    The word 'only' is misplaced. The Internet is full of idiots. They're in the majority.

    They get the shit kicked out of them every time they go online. They take their junky Gateways back to PC shops to 'wipe and reinstall' every six months. They lose files because 'I know I didn't download that file to my hard drive - I downloaded it to my desktop instead' and then they can't find it.

    You tell them the simplest things to get them out of the most complex situations and they demand 'user friendly'. They want products that cure only the latest ill and demand at most one mouse click.

    Wonder of wonders the world (the Internet) is as it is. And wonder of wonders is that it's taken the sophisticated malware engineers so long to get sophisticated.

    There's a slaughter going on, and although MS are responsible with their crappy stuff, the users are also responsible - for using it. And I hope we've heard the last of that classic line 'it only affects Windows users', because it should be evident to even the most brain-dead MS fanatic at this point that the entire Internet is affected.

    It's time to put up some housing ordinances so MS users aren't allowed to ruin the neighbourhood. High time and beyond.
  • by Platinum Dragon ( 34829 ) on Wednesday March 17, 2004 @04:33PM (#8591691) Journal
    P.S: If, whilst they're at it, they could make it so that you don't need the RPC to run the thing, it'd be swell too... But I suppose that I'm asking for too much there.

    I hope the Fedora Core crew keeps this in mind and locks down everything that's not essential for just getting a system up and running. If a business has the need for particular services, this information should be gathered during install from the sysadmin, or a kickstart image should be used. I see no reason why sendmail and rpc/whatever need to be running by default on a machine intended for desktop use.

    This may be a Windows trojan, but like all others, there are lessons in system security that all operating system producers need to keep in mind, whether that OS is supposedly "more secure" or not.
  • by Kethinov ( 636034 ) on Wednesday March 17, 2004 @04:38PM (#8591744) Homepage Journal
    Running WinNT, 2000, XP at user level is too restrictive. in *nix, if you need to install something it goes "hey feed me a password." In Windows it says "screw you, not enough privs." Then you have to logoff, logon admin, and do it.

    Furthermore, in Windows, there's a GREAT DEAL of things you can do in userland that should only be available in rootland. So because of these issues, I've run every Windows computer I've ever owned at administrator level, as most people do.
  • by Anonymous Coward on Wednesday March 17, 2004 @04:40PM (#8591767)
    Note that only a VERY small portion of the code is based on open-source software. The majority of the system relies on closed-source software (Microsoft Windows) to work. Moreover, the open-source software itself isn't doing anything nefarious -- it's simply implementing a communications protocol.

    Keep in mind that nothing of this sort could ever happen if people weren't using TCP, or CPUs that have the same instruction sets, etc. Of course, without those things computing wouldn't be much fun either...
  • by Platinum Dragon ( 34829 ) on Wednesday March 17, 2004 @04:43PM (#8591793) Journal
    I know you're a troll, but you have no idea how many:

    a) people who still run Win98/ME, with their total lack of a permissions model, come into the store, and
    b) how many people give their XP accounts administrator-level powers just to "make things easier". Shit, the TRON 2.0 demo required administrator privileges to run! We (ie, me and the other employees) have no idea why, it was the most fucking crackheaded thing I've seen since Windows ME, but there it was. I can't imagine how many other programs require admin access to run. And geeks wonder why people have no concept of why it's dangerous to run as root/admin...
  • by red floyd ( 220712 ) on Wednesday March 17, 2004 @04:47PM (#8591835)
    Plus...

    <RANT type="favorite">
    Then there's programs that, because of sloppy/lazy coding, insist on being run as Admin on NT/2K/XP. Two that come to mind immediately are Mavis Beacon Teaches Typing 15 and The Sims.

    There is absolutely NO REASON WHATSOEVER for a typing tutor to require Admin, nor should there really be any for the Sims. AFAICT, they both write to the installation directory and HKLM instead of the user's "Application Data" and HKCU.

    </RANT>
  • Re:Jesus. (Score:4, Insightful)

    by jilles ( 20976 ) on Wednesday March 17, 2004 @04:50PM (#8591861) Homepage
    If linux were as popular as windows, I'm sure someone would exploit one of the widely published security holes in key linux software such as the kernel or other server software written in C. Just monitor the appropriate mailinglists if you are interested in the latest identified buffer overflows. Of course those running the latest patches would hardly be affected but we all know that world + dog doesn't update their linux software just like their windows counterparts don't update their windows software. However, worms and viruses need something linux cannot (yet) provide: substantial market penetration. Linux software has many known issues and many organizations are very reluctant to upgrade their software (redhat 6.2 is still found in the wild even though red hat has long since stopped supporting it, aside from really critical updates). However, deployed linux configurations tend to be very dissimilar so you are unlikely to find a security hole that affects more than a few percent of users (of which the total population is 1 or 2 percent of pc users according to the most optimistic estimates). Because of this linux viruses and worms cannot propagate. A good mailvirus needs an addressbook full of potential victims. A hypothetical pine worm would not find many potential victims in the average pine user's addressbook (is there such a thing in pine?).

    This security is no inherent quality of the software but just a consequence of very few people using the same version of linux. Linux security is essentially security by obscurity. By using software that nobody else uses you avoid being targeted by viruses and worms that depend on mainstream adoption for propagation. Just like in nature, monocultures are vulnerable to viruses. I'm not saying that linux is insecure, I'm just saying that many people confuse the lack of attacks on linux with its alleged security.

    If you want security, install BSD. Even less people use it and many BSD users suffer from severe paranoia (resulting in increased awareness with respect to security issues) so you are unlikely to be ever affected by the latent security holes that are waiting to be discovered. Even MS uses BSD software to keep the scriptkiddies out :-).

    Ironically, Microsoft's biggest security problem is that people are buying and using their products. I'm sure that is something they don't want to fix. Upgrading is another issue, MS is actively pushing their customers to upgrade (though not necessarily to protect them :-).
  • by Lumpy ( 12016 ) on Wednesday March 17, 2004 @04:57PM (#8591926) Homepage
    Having absolutely everything running as an administrator is a huge mistake.

    I so agree, so can you PLEASE tell corporate america IT managers this?

    Here I am IT professional in one of the world's LARGEST telecommunications companies and EVERYONE's W2K domain profile is set to put them as administrator rights... repeated calls to the NOC about the security hole are unanswered, and my attempts to fix it locally get me reprimanded for messing with domain security settings.

    It's fine to have the ability to lock it down, but it's worthless when the people in charge of it are too stupid or spineless to use it.
  • Nothing New Here. (Score:1, Insightful)

    by Anonymous Coward on Wednesday March 17, 2004 @05:00PM (#8591965)
    News relating to Viruses and spam is becoming very boring.

    When surfing the net at home, I frequently (not always) use Opera Browser with JScript, Plugins, Java, and even Gif animation disabled. The Cache and cookies are all deleted on exit (nice in Opera; cannot empty cache in Mozilla or FireFox).
    I use Pegasus for email. I stopped using Norton (after it failed to detect one of the email viruses although it was up to date) and switched to Nod32. I started using Tiny Personal Firewall after Norton Internet security failed me too.

    I feel a bit safer, but I always think of asking M$ developers: Why?

    Firestone and Ford were sued for the "few" defective tires and/or cars. Defective software costs millions of dollars each year and no one thinks of taking the defective software companies to court.

    I want to say that although this is not "breaking news", this PhatBot thing is one impressive piece of software!
  • by gmuslera ( 3436 ) on Wednesday March 17, 2004 @05:05PM (#8592010) Homepage Journal
    If even several MS games requires [theregister.co.uk] to have admin access to be used, you agree that is Microsoft the one that should be blamed?

    Don't matter how you want to justify them, is always MS's fault.

  • by Anonymous Coward on Wednesday March 17, 2004 @05:07PM (#8592040)
    Microsoft is to blame.

    If they had just shot the guy who suggested the registry in the first place, we wouldn't have this problem.

    Most programs fail because they are trying to save settings under HKEY_LOCAL_MACHINE. Something Microsoft encouraged for many years.

    Also knowing that all these legacy programs are out there that people are going to want to use, they should have made an easy way to automatically sudo programs. A setting on the property page of the executable would have been a good idea.

    Yes you can tweak registry settings or use run as, but we are talking about lusers here. It's easier for them to just run as root.
  • by yeggman ( 599487 ) on Wednesday March 17, 2004 @05:25PM (#8592183)
    Really, if there was an announced problem with your car that might lead to a thief getting in and driving off with it, wouldn't you get it fixed?
    Not if he always brought it back in the morning ;)
    That's why people don't give a crap, cuz the machine still kinda runs. Most people probably chuck it up to: "God this old machine dosen't run like it use to could! I should have never upgraded to IE6."
  • by Platinum Dragon ( 34829 ) on Wednesday March 17, 2004 @05:32PM (#8592242) Journal
    So the problem is partly a company that trained users to live as all-powerful administrator, then wonders why people keep running as admin even when user accounts are introduced.

    The other part of the problem is a company that trained programmers to assume the same thing, and write their programs accordingly. Now that the new versions of the company's primary OS implement some security, the programmers that were used to having complete power are running into justifiable roadblocks.

    Nice security culture Microsoft created. The Unix folks learned the folly of getting lax on security long, long ago, thanks to stuff like the Morris worm. How many Morris worms will it take for the Windows world to do the necessary overhaul, on the OS (partly already done, from what I gather), programs, and attitudes of users along with programmers?
  • by Frizzle Fry ( 149026 ) on Wednesday March 17, 2004 @05:50PM (#8592509) Homepage
    you agree that is Microsoft the one that should be blamed?

    I will restate what I said since it was obviously unclear: Windows XP provides everything that is needed to allow you to run day-to-day as an ordinary user. It does not require you to be root unless you are doing the kind of things that should require you to be root. The same is true of Unix. In both environments, it is possible to write software that requires the user to be root. If you write your software that way unnecessarily, you are doing something wrong, regardless of whether your software is for windows or for unix.

    The parent had said that there is a problem with Windows in this regard, and that simply is not true (at least for current versions of Windows). Just like Unix, Windows does a fine job of allowing you not to be root. If there are problems caused by individual applications, you should blame the applications, not the operating system. The article to which you linked discusses Age of Empires which is a piece of software that runs on top of Windows. If it requires you to be root, then that is unfortunate, just like it would be if the (hypothetical) OS X version of that game required you to be root. But again, saying that a certain windows application is not doing what it should is not the same as saying that the os should be designed different.
  • by groomed ( 202061 ) on Wednesday March 17, 2004 @05:58PM (#8592629)
    Well, I suppose it's a lost cause (as with the "hacker" term), but it can't hurt to point out that it really doesn't make much sense to call this program a "trojan".

    The article suggests that this is a "trojan" because it lets attackers stealthily take control of your computer. But that was not what was remarkable about the historical Trojan horse. What was remarkable about it is that it was presented as a gift. The distinguishing characteristic of a trojan is that it has a friendly outward appearance but contains a deadly payload. That's certainly not the case with Phatbot.

    Rather, I'd say that Phatbot is a virus, because a) it is malicious and b) it doesn't rely on deception to spread itself. This is, again, subtly different from a worm, which generally aren't malicious, just annoying.

    Of course it's water under the bridge at this point.
  • by joggle ( 594025 ) on Wednesday March 17, 2004 @06:13PM (#8592796) Homepage Journal
    It's time to put up some housing ordinances so MS users aren't allowed to ruin the neighbourhood. High time and beyond.

    I have a better suggestion. How about we give people a better education in school about computers, etc.? From what I've heard, they already are giving much more in-depth instruction at many public schools on computer use. This doesn't help out ignorant adults (esp. the ones without kids), but at least the next generation should generally be more competent.

    It could be a class along side sex-ed called computer-ed. All they need to teach is:

    • Use protection! (firewall, software patches, anti-virus software, etc.). You can really fsck yourself up with a computer, esp if you're careless.
    • Don't believe everything you read on the net or in your e-mail. Even if the e-mail is from a friend, don't automatically click the attachment!!!
    • Just because a website is using https, that doesn't mean it is legit. If you doubt the website's authenticity, simply check its certificate.
    • Change your password from time to time and don't use the same one for everything.
    • Don't leave your home PC connected to broadband 24/7 if you don't have to. (not strictly necessary, but it can help mitigate damage)
    • Keep an eye on your net usage (if you're on broadband). If you see tons of traffic on your computer unexpectedly, you should probably do a virus update and scan.
    • Don't ever give away important personal information over a non-secured link (ssn, credit card#, etc.) That includes IM, e-mail, blogs, etc. (duh)
    • Run virus scans on apps you download off the net before running them.
  • by Mesaeus ( 692570 ) on Wednesday March 17, 2004 @06:26PM (#8592963)
    Exactly. Today I took all known variants of msblaster from a new client's personal machine (the original and B,C,D variants, all in memory at the same time). He then tried to skip paying for it because "it didn't bother him so I didn't have to remove it". His machine was constantly online with four variants in memory all sending copies of themselves to the outside world. People like this should have their connections disabled when they start to spout viruses and worms, but few ISPs seem to care.
  • Re:possible hoax? (Score:2, Insightful)

    by KaiserZoze_860 ( 714450 ) on Wednesday March 17, 2004 @06:50PM (#8593253) Homepage
    Reading it now... Gaobot.RF [symantec.com]

    Doesn't look like the same payload as described in above posts. Still a nasty little bugger.

    --KS
  • by EndlessNameless ( 673105 ) on Wednesday March 17, 2004 @07:42PM (#8593758)
    ::: Legit companies can't do it for obvious reason. Black hats will not do it because if everyone takes virii seriously and install firewalls, deletes mail attachments, etc., then they can't take advantage of security holes. That leaves white hats. But, writing virus that damages people's reputation is not something that white hats do, isn't it?:::

    I think you're oversimplifying. There's no "this guy is black hat, and that guy is straight white hat". Even white hats disagree on what's acceptable sometimes... it's not like there is an Official Bible of Heavenly Hackerdom describing the different ranks of the hacker angelic host. I mean, some things are obvious no-no's like selling downloaded prototype docs on eBay, but not everything is pure black and white.

    What I'm saying is I think it's entirely conceivable that someone who has a bit of a vigilante tendency could view such a trojan/worm as helping law enforcement or copyright holders. I mean, seriously, whoever wrote welchia probably fancied himself a white hat (or if not, at least not a black hat). Not saying I agree or disagree because I'm not even 100% sure myself on that one, but there are probably as many different "fits" for "white hats" as there are people who want to wear them.
  • by Anonymous Coward on Wednesday March 17, 2004 @07:53PM (#8593847)
    Actually, most people wouldn't even sidegrade to IE6 (it is not an upgrade). They just let things "happen" to their computers, and they click on whatever button is prettiest. When they install software, security is NOT an issue, only functionality - that's how those clock synchronization adware tracker things are always getting installed, or how wildtangent finds its way onto even "careful" people's computers.

    The fault lies with 100% Microsoft. Operating systems for dumb people shouldn't let the user do dumb things.
  • by Anonymous Coward on Wednesday March 17, 2004 @08:23PM (#8594152)
    ...which would be nice, except for that little problem that SP2 ISN'T OUT YET.
  • by Anonymous Coward on Wednesday March 17, 2004 @10:18PM (#8594871)
    Exactly. I tried running as an unprivileged user under Windows, as I always do under Unix and Mac OS X. It works fine for a few minutes, until you want to run an application that insists on writing into windows\system, insists on writing to c:\temp or even c:\, or you try to plug in a scanner and its driver or plugin insists on writing to a system directory or some temporary directory that is equally inconvenient and unreconfigurable. It is a completely self-defeating situation -- you can try to run secure, but almost half the apps out there won't let you, or they spew up all sorts of error messages that freak out the users. For example: "Can't write log file to C:\Program Files\App\... because file is read only. Do you want to change to writeable and try again? Yes No" How helpful, eh? But the problem runs deep: pressing either option does not work. You can click all day and the program just pops up the same message hundreds of times. The only way to fix it is to let it have its way.

    Frankly, I have no idea how Microsoft is ever going to implement genuine "secure computing". Even if they clean up their OS, there are thousands of legacy apps that will either a) break, or b) need so many security loopholes to still function that it will be easy for virus/worm writers to use the same loopholes.

    It is going to take *years* for the last decade or so of Microsoft's lax security attitude to get sorted out, because Microsoft is only half of the problem they have established. The other half is what other people have built to that lax standard.
