PhatBot Trojan Spreading Rapidly On Windows PCs 645
prostoalex writes "The Washington Post alerts Windows users about a new peer-to-peer backdoor client that is installed maliciously on broadband-connected computers around Asia and the United States. The client is then used for distributed DOS attacks and sending out large amounts of spam. Phatbot, according to government sources, is installed on hundreds of thousands of machines already. Phatbot snoops for passwords on infected computers and tries to disable firewall and antivirus software, although it is detectable by antivirus packages." An anonymous reader submits a link to this description of the beast.
Idea? (Score:5, Interesting)
What if anti-virus, firewalls, and other critical software could somehow run in read-only memory space, which would have a physical barrier so that no bugs in software could be exploited to alter this space?
What if we could "burn" memory space of a program to a CD rom so that a proper working, unaltered anti-virus and firewall could run without fear of being disabled?
Re:Is it just me... (Score:4, Interesting)
I wouldn't put it past the RIAA after Berman pushed for the we-can-hack-you-if-we-suspect-you-have-copyrighte
But how often are backdoors installed for noble intents?
Re:Idea? (Score:2, Interesting)
Re:Idea? (Score:2, Interesting)
The power of viruses (Score:5, Interesting)
No complaints for months. And then, I add a new account to the mail server and restart sendmail.
Within a few hours, I got complaints that the volume of email had at least tripled, and that *all* of the increase were viruses, being caught by McAfee! So bad it was difficult to simply empty out the inbox from all the popup notices of virus detection!
Turns out when I restarted sendmail, I didn't restart MailScanner, so it was not running, letting everything through.
Very sobering, to realize how bad viruses online have gotten...
Re:Idea? (Score:4, Interesting)
I think Mac OS X is a good example of an OS that is pretty user friendly that doesn't encourage everyone to run as "admin". In fact there are no (by default) admin/root users; "admin" users are users that have sudo ability, so in a weird way it's better than default Red Hat Linux.
-bloo
nowhere to run (Score:4, Interesting)
NANOG [merit.edu] this past week has had to deal with "h4r 3y3 j4m an 3fnet p4ck3tm0nk3y" bs. What I don't understand is how some people download and install something without checking exactly what it is. Look at the spyware situation: "Click here for a free weather clock" It should be obvious that there is no such thing as free. Everything has some form of price. What I find most alarming is that most corporations - Symantec, Network Associates, and the major Windows based antivirus makers including Microsoft, who has not got their act together - unleash errata of mass destruction. "Buy this patch/firewall/antivirus foo foo foo product to protect you now!" Why not release some Macromedia Flash like tutorial along with their products to educate users about the dangers of downloading unnecessary 'tools/products/virtuagirls/etc' and how to protect themselves from these things... I'm willing to bet if some company did something like this, most of these annoyances would drop big time.
Interesting that (Score:4, Interesting)
Was I wrong to consider using
Good luck everyone out there who should be checking/cleaning your systems -
Re:Is it just me... (Score:4, Interesting)
On the Positive Side (Score:4, Interesting)
Re:Idea? (Score:1, Interesting)
Kryptos
How about a virus that educates users? (Score:4, Interesting)
Viruses spread due to stupidity, ignorance, and laziness on the part of users. A virus like this MIGHT help with the ignorance part.
Now please don't think I'm advising anyone to go out and write such a thing, I'm only saying that I think the idea would be interesting.
I think it would also be interesting to hunt down the creators of malicious viruses and have them drawn and quartered, preferably on live TV. Next their parents should be beat within an inch of their lives for not raising them right in the first place.
Lee
Anonymous Coward officials? (Score:3, Interesting)
Re:Want to start the revolution in a hurry? (Score:5, Interesting)
The quickest way to get people to take viruses seriously is to write a virus that reports all their pirated software.
Most people don't care if their computer has a virus, but once a virus can bust them for all their illegal software, people will wise up in a hurry.
Suspicious... (Score:4, Interesting)
If the US government is announcing this publicly, and the virus has already infected "hundreds of thousands of computers already", wouldn't the anti-virus companies *know* that?!?
Nullsoft Waste code used? Open source scariness.. (Score:4, Interesting)
Here is a problem I had never thought about with open source initiatives. What happens when someone steals your source without obeying the GPL or anything and turns it into a monster? It would have been *MUCH* harder for the PhatBot authors to code their own Waste-like [slashdot.org] clustering P2P system. Perhaps they might not have even been able to do so. Instead they grab an open source app and use it to create something illegal, and in this case even dangerous.
These are the same problems faced in the emulation field. Many open source emu programmers do not allow any game from the past 2-3 years to be played, mainly to appease the corporations that still make arcade titles (SNK etc). But people open up their source and release renegade versions of their own apps without their permission and in violation of GPL and everything, often packaging them with illegal arcade ROMs.
Re:what else is new? (Score:2, Interesting)
My day-job (Win32 integration with a predominantly Linux environment) exists because of this. Basically, the summer before I was hired, several offices (main office, business, support, pr, etc) were shut down because of a rampant virus that they actually spread to each other (it came attached as a background cycling program... one person liked it and spread it to everyone else). If it wasn't for my efforts here, I'll readily admit that the staff would have been hosed when the DCOM viri began spreading last year, and they would probably be being hit pretty hard by these Agobot variants right now.
Now, these staff members aren't stupid in the slightest... but they are pretty darn ignorant with respect to technology. If it wasn't for my BOFH tactics, we'd be awash in viral troubles.
Of course, before anyone goes and says "why am I complaining, I have a job from it" let me just say that I
Re:Happened to a friend (Score:3, Interesting)
then he noticed in outlook the "save password" button no longer worked
It might not be related to this problem, but using Outlook is probably the fastest way to get a virus short of deliberately installing one. The only exception to that is if you use Outlook in an extremely tight network where all the mail is examined before Outlook gets its retarded little mitts on it.
So basically what we're saying is that outside of the context of a trusted corporate network where all mail is thoroughly scanned by the incoming server, Outlook = get virus. Do your friend a favor and have him try Mozilla, Eudora, Netscape, anything but Outlook.
I've actually been doing a lot of tech support work to pay bills in these economic glory days and if someone tells me that they use Outlook, I won't even bother trying to fix it. I tell them it'll be $50 an hour for probably 12 hours to clean up what Outlook did or for $50 I'll reinstall everything. And honestly, $600 to clean up what Outlook lets in is being very generous.
Re:Detection/Removal instructions? (Score:1, Interesting)
Re:nice features list (Score:2, Interesting)
XP: Impractical Not to Run as Admin (Score:2, Interesting)
I recently installed some financial software. Of course I had to do that as admin. It wouldn't run when I switched to my user acct. The vendor help desk's advice? It's designed to be accessed by one user. Read the EULA! Uninstall it and reinstall it from the user account. Oh, you can't do that? I guess you have a problem....
They also informed me that "we don't support firewalls", you have to disconnect that if you want help.
possible hoax? (Score:4, Interesting)
As many people have pointed out, there is an utter lack of response by the top three anti-virus companies to this threat. I find this disturbing and also unlikely. Why would the Department of Homeland Defense have better intelligence on a clearly US based threat (Phat is not an international phrase by any means) than the people who make their livelihood based on threat detection and elimination?
This has, to me, the markings of a hoax. The list of *features*, as one poster put it, is indeed staggering. That, coupled with the silence coming from Symantec, McAfee et al., makes it look fishy. A google search shows one recent post and a bunch of older hits (possibly the same as in the McAfee search).
So that leaves me with 3 questions:
1 - Is it real?
2 - How do we detect it?
3 - How do we kill it?
--KS
Re:nice features list (Score:1, Interesting)
Re:Nullsoft Waste code used? Open source scariness (Score:3, Interesting)
The same thing you do when someone buys a hammer and then uses it to kill someone. You just deal with it.
Once you distribute something, be it a physical object like a hammer or source code, you lose a certain amount of control over it. It's just a fact of life.
Sure you could try and make your hammer harder to kill someone with, or make it stupidly difficult to buy a hammer in the first place, but all you really end up doing is hurting people who need your hammer for legitimate purposes.
Re:paypal? (Score:2, Interesting)
Stories rejected by slashdot (Score:4, Interesting)
I realized one day that we could essentially have a user-contributed, user-moderated article queue of sorts using the journaling system here. I've dedicated my journal [slashdot.org] to it. I haven't figured out how to draw larger traffic to it without making this a part-time job, but you're welcome to contribute to it and I welcome suggestions.
--LP
Re:Is it just me... (Score:5, Interesting)
I informed their IT person that Monkey-B encrypts the files on the disk, so before we went willy-nilly removing the virus, we needed to backup the user data. They told me I was full of crap, and proceeded to clean the PCs themselves. Big mistake!
Oddly enough, their VP later complained to the service company I worked for that I had not done my job, since his IT people were fuck-heads. He didn't exactly state it this way, of course, but that was the gist of the statement. When I started to explain what had happened to my boss, I only got as far as "...and I discovered that most of their PCs were infected with Monkey-B."
He started laughing, and finished my sentence for me with "and their stupid IT people went around removing it, right? Idiots!"
Re:Idea? (Score:3, Interesting)
So what data do you care about more - an OS you can reinstall in half an hour or five years worth of email, porn, mp3s and other miscellaneous documents ?
All the other accounts are safe and the system itself will not be compromised (barring exploitation of a vulnerability in the system which is a whole different ballgame than what we have here).
Most machines only have one user on them. There *aren't* any other accounts. This commonly made "but it can only hurt the user's data" argument is completely specious, since 9/10 times the only important data on the machine *is* the user's.
The worst it can do to the rest of the system is a resource exhaustion or similarly annoying-but-ultimately-benign attack.
Untrue. It can use the system as a launching point for itself. It can trawl through the machine looking for email addresses and mass-mail itself. It can run a daemon allowing remote logons for someone to try local exploits. In short, it can do pretty much everything any virus would want to do.
This is not a hard concept, it's just not one Windows was built on in the name of "ease of use".
Windows NT was most certainly built on this concept. It's simply that in most cases it makes no bloody difference.
Re:Still Countergrabbable (Score:3, Interesting)
It's only a matter of time.
Re:Want to start the revolution in a hurry? (Score:3, Interesting)
Not only conceivable, but it has already happened.
"Reports on US news site CNET News.com explain that an anonymous hacker, known only as Unknownuser, planted a malicious Trojan horse, Subseven, on the computer of William Jarrett, a visitor to an internet message board. The hacker then used this Trojan to remotely search Jarrett's computer for pornographic downloads and followed up by sending tip offs to the FBI."
http://www.sophos.com/virusinfo/articles/blinde
Re:For a mainframe version... (Score:1, Interesting)
It's even more impressive than that - the book is the second link it turns up [google.com] if you restrict the search to the Amazon.com website. The first is an Amazon search for the title.
Re:nice features list (Score:4, Interesting)
Something else that really should be done is enforcing Intel's privilege rings.
286+ processors have four privilege rings, 0 through 3. Processes running in ring 0 basically have root privs in the system, ring 1 processes can touch anything but those in ring 0, and so on.
It's intended that critical OS functions, like the memory manager, run in ring 0. Device drivers and such live in ring 1, and user processes live in ring 3.
Many operating systems, including Linux and all versions of Windows except NT 3.xx, run drivers in ring 0 because it's faster. However, it means that a bad driver can bring down the whole system. I bet the majority of Windows crashes lead back to crappy drivers, especially video drivers.
Food for thought.
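The ring rule the comment describes, as an added illustration that is not part of the post above: a constructed Python model in which a component in ring N may touch components in ring N or any numerically larger (less privileged) ring, and a fault in a ring 0 component halts the whole machine while the same fault in ring 1 only removes that component. The component names, the `System`/`Component` classes and the "faulty driver" scenario are all invented for this example; the model deliberately ignores the real x86 descriptor-level checks (DPL/RPL, gates) and only captures the rule as stated.

```python
"""Toy model of the x86 privilege-ring rule as described in the comment above.

Constructed illustration, not a reproduction of the real CPU checks (which
go through segment descriptors, DPL/RPL and gate descriptors). The rule
modelled: a component running in ring N may touch components in ring N or
any numerically larger (less privileged) ring, never a smaller one.
"""
from dataclasses import dataclass, field

RING_KERNEL, RING_DRIVER, RING_USER = 0, 1, 3


@dataclass
class Component:
    name: str
    ring: int               # 0 = most privileged, 3 = least privileged
    faulty: bool = False    # True models a buggy driver that crashes when run


@dataclass
class System:
    components: dict = field(default_factory=dict)
    halted: bool = False

    def add(self, comp):
        if comp.ring not in (0, 1, 2, 3):
            raise ValueError("x86 has only rings 0-3")
        self.components[comp.name] = comp

    def may_access(self, caller, target):
        """Ring rule: caller may touch target only if target.ring >= caller.ring."""
        return self.components[target].ring >= self.components[caller].ring

    def run(self, name):
        """Run a component. A fault in ring 0 takes the whole machine down;
        a fault in rings 1-3 only removes that component (it could be restarted)."""
        if self.halted:
            return "halted"
        comp = self.components[name]
        if not comp.faulty:
            return "ok"
        if comp.ring == RING_KERNEL:
            self.halted = True
            return "crash: whole system down"
        del self.components[name]
        return f"fault contained: {name} killed"


def build(driver_ring):
    """Constructed scenario: the same buggy video driver placed in the given ring."""
    system = System()
    system.add(Component("memory_manager", RING_KERNEL))
    system.add(Component("video_driver", driver_ring, faulty=True))
    system.add(Component("browser", RING_USER))
    return system


def demo():
    """Run the faulty driver once in ring 0 and once in ring 1, then try to run
    the user-mode browser afterwards; returns {ring: (driver_result, browser_result)}."""
    results = {}
    for ring in (RING_KERNEL, RING_DRIVER):
        system = build(ring)
        results[ring] = (system.run("video_driver"), system.run("browser"))
    return results


if __name__ == "__main__":
    s = build(RING_DRIVER)
    print("browser -> memory_manager:", s.may_access("browser", "memory_manager"))
    print("memory_manager -> browser:", s.may_access("memory_manager", "browser"))
    for ring, (drv, app) in demo().items():
        print(f"driver in ring {ring}: {drv}; browser afterwards: {app}")
```

The point the model makes is the one the comment makes: placing drivers in ring 0 buys speed, but it also means a driver fault is indistinguishable from a kernel fault, so there is nothing left to contain it.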
Use an emulator! (Score:3, Interesting)
Could an emulator like VMWare be useful? You could run a second Windows installation in a "sandbox" to use the old programs.