PhatBot Trojan Spreading Rapidly On Windows PCs
prostoalex writes "The Washington Post alerts Windows users about a new peer-to-peer backdoor client that is installed maliciously on broadband-connected computers around Asia and the United States. The client is then used for distributed DOS attacks and sending out large amounts of spam. Phatbot, according to government sources, is installed on hundreds of thousands of machines already. Phatbot snoops for passwords on infected computers and tries to disable firewall and antivirus software, although it is detectable by antivirus packages." An anonymous reader submits a link to this description of the beast.
I'm TRULY not attempting to Troll (Score:4, Insightful)
It's as bad as spam! It's EVERYWHERE!!
I frequent a couple other message boards (damn, I almost said BBS'), and every few days, we get the same ol' thread...'VIRUS ALERT!!!!!!!'
We live in the information age. The information has been disseminated that Windows users are:
A) Prone to constant viral and security intrusions.
B) In desperate need to constantly update their AV software.
The SysAdmins who aren't keeping their servers locked down are another thing entirely...*grumble*
But really, ABC, NBC, CBS, all these guys have done several stories on system security...EVERYONE's got a nephew that 'knows a lot 'bout dem 'puters'...
I really don't understand why we're still being subjected to this crap. Virus news isn't news. It's spam.
(See! A whole post about viruses and I never mentioned the fact that I run OS X and Yellow Dog Linux exclusively!!! Not once have I mentioned that I've never had to worry about a virus at all!!!)
Yay me.
Grr... (Score:5, Insightful)
I understand the average user can't use Registry Editor, but maybe provide a simple link or website to get a tool to remove the Phatbot thingamajig.
Happy St. Paddy's Day everyone, btw.
paypal? (Score:5, Insightful)
aol, go for it... emails from the web are already public, go for it... paypal cookies? now that's just plain wrong, the feds are going to love that one.
Spammer-Sponsored (Score:5, Insightful)
Just take a look at the feature list, it probably has more bells and whistles than most of the software out there.
Is there a way to trace back the master of these trojans and do something about it? Surely these trojans need to do something for their masters at some stage, probably waiting for commands somewhere.
Re:Idea? (Score:5, Insightful)
Re:Happened to a friend (Score:3, Insightful)
Apparently, your name and his name are in the address book, or in an email on an infected computer's system. That system spoofs the From: address, and sends it To: someone else in there. Sometimes you will receive it from friends that do not have it; other times you'll get a kickback saying undeliverable due to a virus that you sent. But... you didn't send it. Instead, you were spoofed as the From: address and the To: was unreachable, thus bouncing back to you.
Hope this helps.
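The bounce situation described above can be checked mechanically: a bounce (DSN) usually quotes the headers of the message it rejected, and the bottom-most Received: line of that quoted message names the host that actually injected it. If that host is not one of your own relays, the From: was forged. The following is an added example, not code from the original post; the bounce text, host names and the OUR_RELAYS set are constructed for illustration.

```python
import re
from email import message_from_string, policy

# Constructed sample bounce (not a real capture): the rejected message carries
# our address in From:, but its first-hop Received: line names a stranger's host.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@example.net
To: alice@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The message was rejected: virus found in attachment.

--B1
Content-Type: message/rfc822

Received: from mx.example.net (mx.example.net [192.0.2.10])
        by mail.example.net; Wed, 17 Mar 2004 10:02:11 +0000
Received: from cable-12-34.isp.example (unknown [203.0.113.7])
        by mx.example.net; Wed, 17 Mar 2004 10:02:09 +0000
From: alice@example.org
To: bob@example.net
Subject: your document

--B1--
"""

# Hosts that legitimately relay outbound mail for our domain (assumed for the example).
OUR_RELAYS = {"smtp.example.org"}

RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def quoted_original(bounce_text):
    """Return the rejected message quoted inside a DSN, or None if there is none."""
    msg = message_from_string(bounce_text, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None


def first_hop(msg):
    """Host named in the bottom-most Received: line, i.e. where the mail entered SMTP."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_FROM.match(str(received[-1]))
    return m.group(1).lower() if m else None


def classify_bounce(bounce_text):
    """Tell a bounce for mail we really sent from backscatter of a forged From:."""
    original = quoted_original(bounce_text)
    if original is None:
        return {"verdict": "no-original", "origin": None}
    origin = first_hop(original)
    if origin in OUR_RELAYS:
        return {"verdict": "our-mail", "origin": origin}
    return {"verdict": "forged-from", "origin": origin}


if __name__ == "__main__":
    print(classify_bounce(SAMPLE_BOUNCE))
```

A "forged-from" verdict with an origin on a consumer broadband range is the signature of the infected-machine backscatter the post describes; the origin host is what to report to the ISP, not the From: address.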
Still Countergrabbable (Score:5, Insightful)
Too bad it would be both grossly illegal and probably disruptive, because it would be a great favor to the rest of the net, to counter these botnets and squish-them into oblivion (at least this generation, until the attackers learn how to do authentication of commands correctly).
Re:Jesus. (Score:4, Insightful)
Hmm... I suppose user idiocy is a flaw that Windows has that Linux doesn't.
Okay, I see your point.
Re:nice features list (Score:5, Insightful)
Just code it to kill the connection after, say, fifty successful infections.
You know what the real innovation would be, though? Writing an OS so that one process can't stomp on other processes it doesn't have permission to. It would also be nice to write something where worms couldn't just land on the system as executable files by default and scripts that do things like install other programs and do stuff without the user's knowledge can't be automatically run by a freaking e-mail program. Gee, too bad there's nothing around like that...
virus news = spam (Score:5, Insightful)
Obviously the "security-by-news-alert" method of keeping your systems secure is stupid. We must still update our AVs and Spy cleaners and run them regularly. If we do that, we'll get almost every virus and spyware and never have to worry.
But some of us like to know what the virus writers are doing. Trends in the virus business, as they evolve.
Some of us may have firewalls that we might wish to alter based on major recent virus activity. I'm sure the Blaster variants caused several admins to alter the RPC port configuration of their firewalls.
Isn't it better to be proactive rather than reacting to a virus-based DOS?
I agree, of course, that people shouldn't email their buddies "OMG VIRUS ALERT!!!111one!!11" as we are able to keep up on virus news ourselves. We don't need these emails.
The value of Slashdot posting a breaking story about a virus is early-warning in the event that we're sitting around reading Slashdot instead of doing our jobs and monitoring the other virus news systems.
Re:virus news = spam (Score:3, Insightful)
But anyone who uses THIS SITE, as their 'early warning virus system', is already in serious trouble.
There's plenty other sites that specialize in early warning, and they do a far better job than
Specialized tools for specialized jobs.
Re:paypal? (Score:3, Insightful)
Re:nice features list (Score:5, Insightful)
I agree 100%. The Windows developer community needs to totally and outright kill 95/98/Me support, and start using the built-in security in 2000/XP.
Having absolutely everything running as an administrator is a huge mistake.
Re:I'm TRULY not attempting to Troll (Score:2, Insightful)
The good 'ol days (Score:4, Insightful)
Now it's not your fault, and it hurts you as well as everyone else!
Re:I'm TRULY not attempting to Troll (Score:1, Insightful)
Eventually, you will have to deal with worms/trojans/viruses. It's just a matter of time before Linux and OSX reach that critical mass where the malware authors decide it's ripe enough to harvest. Don't fall into the mistaken belief that you are utterly immune, because you are not. No OS is perfectly secure.
Re:what else is new? (Score:5, Insightful)
The word 'only' is misplaced. The Internet is full of idiots. They're in the majority.
They get the shit kicked out of them every time they go online. They take their junky Gateways back to PC shops to 'wipe and reinstall' every six months. They lose files because 'I know I didn't download that file to my hard drive - I downloaded it to my desktop instead' and then they can't find it.
You tell them the simplest things to get them out of the most complex situations and they demand 'user friendly'. They want products that cure only the latest ill and demand at most one mouse click.
Wonder of wonders the world (the Internet) is as it is. And wonder of wonders is that it's taken the sophisticated malware engineers so long to get sophisticated.
There's a slaughter going on, and although MS are responsible with their crappy stuff, the users are also responsible - for using it. And I hope we've heard the last of that classic line 'it only affects Windows users', because it should be evident to even the most brain-dead MS fanatic at this point that the entire Internet is affected.
It's time to put up some housing ordinances so MS users aren't allowed to ruin the neighbourhood. High time and beyond.
Re:nice features list (Score:2, Insightful)
I hope the Fedora Core crew keeps this in mind and locks down everything that's not essential for just getting a system up and running. If a business has the need for particular services, this information should be gathered during install from the sysadmin, or a kickstart image should be used. I see no reason why sendmail and rpc/whatever need to be running by default on a machine intended for desktop use.
This may be a Windows trojan, but like all others, there are lessons in system security that all operating system producers need to keep in mind, whether that OS is supposedly "more secure" or not.
Re:nice features list (Score:3, Insightful)
Furthermore, in Windows, there's a GREAT DEAL of things you can do in userland that should only be available in rootland. So because of these issues, I've run every Windows computer I've ever owned at administrator level, as most people do.
Re:Nullsoft Waste code used? Open source scariness (Score:1, Insightful)
Keep in mind that nothing of this sort could ever happen if people weren't using TCP, or CPUs that have the same instruction sets, etc. Of course, without those things computing wouldn't be much fun either...
Re:nice features list (Score:4, Insightful)
a) people who still run Win98/ME, with their total lack of a permissions model, come into the store, and
b) how many people give their XP accounts administrator-level powers just to "make things easier". Shit, the TRON 2.0 demo required administrator privileges to run! We (i.e., me and the other employees) have no idea why; it was the most fucking crackheaded thing I've seen since Windows ME, but there it was. I can't imagine how many other programs require admin access to run. And geeks wonder why people have no concept of why it's dangerous to run as root/admin...
Re:nice features list (Score:5, Insightful)
<RANT type="favorite">
Then there's programs that, because of sloppy/lazy coding, insist on being run as Admin on NT/2K/XP. Two that come to mind immediately are Mavis Beacon Teaches Typing 15 and The Sims.
There is absolutely NO REASON WHATSOEVER for a typing tutor to require Admin, nor should there really be any for the Sims. AFAICT, they both write to the installation directory and HKLM instead of the user's "Application Data" and HKCU.
</RANT>
Re:Jesus. (Score:4, Insightful)
This security is no inherent quality of the software but just a consequence of very few people using the same version of Linux. Linux security is essentially security by obscurity. By using software that nobody else uses you avoid being targeted by viruses and worms that depend on mainstream adoption for propagation. Just like in nature, monocultures are vulnerable to viruses. I'm not saying that Linux is insecure, I'm just saying that many people confuse the lack of attacks on Linux with its alleged security.
If you want security, install BSD. Even fewer people use it and many BSD users suffer from severe paranoia (resulting in increased awareness with respect to security issues) so you are unlikely to be ever affected by the latent security holes that are waiting to be discovered. Even MS uses BSD software to keep the scriptkiddies out.
Ironically, Microsoft's biggest security problem is that people are buying and using their products. I'm sure that is something they don't want to fix. Upgrading is another issue, MS is actively pushing their customers to upgrade (though not necessarily to protect them
Re:nice features list (Score:5, Insightful)
I so agree, so can you PLEASE tell corporate America IT managers this?
Here I am, an IT professional in one of the world's LARGEST telecommunications companies, and EVERYONE's W2K domain profile is set to give them administrator rights... repeated calls to the NOC about the security hole are unanswered, and my attempts to fix it locally get me reprimanded for messing with domain security settings.
It's fine to have the ability to lock it down, but it's worthless when the people in charge of it are too stupid or spineless to use it.
Nothing New Here. (Score:1, Insightful)
When surfing the net at home, I frequently (not always) use the Opera browser with JScript, plugins, Java, and even GIF animation disabled. The cache and cookies are all deleted on exit (nice in Opera; cannot empty cache in Mozilla or Firefox).
I use Pegasus for email. I stopped using Norton (after it failed to detect one of the email viruses although it was up to date) and switched to Nod32. I started using Tiny Personal Firewall after Norton Internet security failed me too.
I feel a bit safer, but I always think of asking M$ developers: Why?
Firestone and Ford were sued for the "few" defective tires and/or cars. Defective software costs millions of dollars each year and no one thinks of taking the defective software companies to court.
I want to say that although this is not "breaking news", this PhatBot thing is one impressive piece of software!
Re:nice features list (Score:3, Insightful)
Doesn't matter how you want to justify them, it's always MS's fault.
Re:nice features list (Score:1, Insightful)
If they had just shot the guy who suggested the registry in the first place, we wouldn't have this problem.
Most programs fail because they are trying to save settings under HKEY_LOCAL_MACHINE. Something Microsoft encouraged for many years.
Also, knowing that all these legacy programs are out there that people are going to want to use, they should have made an easy way to automatically sudo programs. A setting on the property page of the executable would have been a good idea.
Yes you can tweak registry settings or use run as, but we are talking about lusers here. It's easier for them to just run as root.
Re:nice features list (Score:5, Insightful)
Not if he always brought it back in the morning
That's why people don't give a crap, 'cuz the machine still kinda runs. Most people probably chalk it up to: "God, this old machine doesn't run like it used to! I should have never upgraded to IE6."
Re:nice features list (Score:5, Insightful)
The other part of the problem is a company that trained programmers to assume the same thing, and write their programs accordingly. Now that the new versions of the company's primary OS implement some security, the programmers that were used to having complete power are running into justifiable roadblocks.
Nice security culture Microsoft created. The Unix folks learned the folly of getting lax on security long, long ago, thanks to stuff like the Morris worm. How many Morris worms will it take for the Windows world to do the necessary overhaul, on the OS (partly already done, from what I gather), programs, and attitudes of users along with programmers?
Re:nice features list (Score:4, Insightful)
I will restate what I said since it was obviously unclear: Windows XP provides everything that is needed to allow you to run day-to-day as an ordinary user. It does not require you to be root unless you are doing the kind of things that should require you to be root. The same is true of Unix. In both environments, it is possible to write software that requires the user to be root. If you write your software that way unnecessarily, you are doing something wrong, regardless of whether your software is for windows or for unix.
The parent had said that there is a problem with Windows in this regard, and that simply is not true (at least for current versions of Windows). Just like Unix, Windows does a fine job of allowing you not to be root. If there are problems caused by individual applications, you should blame the applications, not the operating system. The article to which you linked discusses Age of Empires, which is a piece of software that runs on top of Windows. If it requires you to be root, then that is unfortunate, just like it would be if the (hypothetical) OS X version of that game required you to be root. But again, saying that a certain Windows application is not doing what it should is not the same as saying that the OS should be designed differently.
The meaning of "Trojan" (Score:5, Insightful)
The article suggests that this is a "trojan" because it lets attackers stealthily take control of your computer. But that was not what was remarkable about the historical Trojan horse. What was remarkable about it is that it was presented as a gift. The distinguishing characteristic of a trojan is that it has a friendly outward appearance but contains a deadly payload. That's certainly not the case with Phatbot.
Rather, I'd say that Phatbot is a virus, because a) it is malicious and b) it doesn't rely on deception to spread itself. This is, again, subtly different from a worm, which generally aren't malicious, just annoying.
Of course it's water under the bridge at this point.
Re:what else is new? (Score:4, Insightful)
I have a better suggestion. How about we give people a better education in school about computers, etc.? From what I've heard, they already are giving much more in-depth instruction at many public schools on computer use. This doesn't help out ignorant adults (esp. the ones without kids), but at least the next generation should generally be more competent.
It could be a class along side sex-ed called computer-ed. All they need to teach is:
Re:nice features list (Score:2, Insightful)
Re:possible hoax? (Score:2, Insightful)
Doesn't look like the same payload as described in above posts. Still a nasty little bugger.
--KS
Re:Want to start the revolution in a hurry? (Score:2, Insightful)
I think you're oversimplifying. There's no "this guy is black hat, and that guy is straight white hat". Even white hats disagree on what's acceptable sometimes... it's not like there is an Official Bible of Heavenly Hackerdom describing the different ranks of the hacker angelic host. I mean, some things are obvious no-no's like selling downloaded prototype docs on eBay, but not everything is pure black and white.
What I'm saying is I think it's entirely conceivable that someone who has a bit of a vigilante tendency could view such a trojan/worm as helping law enforcement or copyright holders. I mean, seriously, whoever wrote Welchia probably fancied himself a white hat (or if not, at least not a black hat). Not saying I agree or disagree because I'm not even 100% sure myself on that one, but there are probably as many different "fits" for "white hats" as there are people who want to wear them.
Re:nice features list (Score:1, Insightful)
The fault lies with 100% Microsoft. Operating systems for dumb people shouldn't let the user do dumb things.
Re:nice features list (Score:1, Insightful)
Re:nice features list (Score:3, Insightful)
Frankly, I have no idea how Microsoft is ever going to implement genuine "secure computing". Even if they clean up their OS, there are thousands of legacy apps that will either a) break, or b) need so many security loopholes to still function that it will be easy for virus/worm writers to use the same loopholes.
It is going to take *years* for the last decade or so of Microsoft's lax security attitude to get sorted out, because Microsoft is only half of the problem they have established. The other half is what other people have built to that lax standard.