PhatBot Trojan Spreading Rapidly On Windows PCs
prostoalex writes "The Washington Post alerts Windows users about a new peer-to-peer backdoor client that is installed maliciously on broadband-connected computers around Asia and the United States. The client is then used for distributed DoS attacks and sending out large amounts of spam. Phatbot, according to government sources, is installed on hundreds of thousands of machines already. Phatbot snoops for passwords on infected computers and tries to disable firewall and antivirus software, although it is detectable by antivirus packages." An anonymous reader submits a link to this description of the beast.
Is it just me... (Score:4, Funny)
a new peer-to-peer backdoor client that is installed maliciously
Re:Is it just me... (Score:4, Interesting)
I wouldn't put it past the RIAA after Berman pushed for the we-can-hack-you-if-we-suspect-you-have-copyrighte
But how often are backdoors installed for noble intents?
Re:Is it just me... (Score:3, Funny)
Chemistry would probably be your best bet...
Re:Is it just me... (Score:4, Interesting)
Re:Is it just me... (Score:5, Funny)
No idea if there's a connection.
-B
Re:Is it just me... (Score:5, Funny)
The Register just had a story about how a lot of the new virii are as small as 12kb, and how you could almost silk screen the code for one onto an XL T-shirt.
I would love to have a pair of boxers with this code printed on them, and in large letters overlaying the code, "Let's install my peer-to-peer backdoor client."
Re:Is it just me... (Score:3, Informative)
Re:Is it just me... (Score:3, Funny)
Yeah, gone are the days when F-Secure folks unceremoniously categorized everything over 10 kb or so "huge and technically uninteresting" =)
Re:Is it just me... (Score:5, Interesting)
I informed their IT person that Monkey-B encrypts the files on the disk, so before we went willy-nilly removing the virus, we needed to backup the user data. They told me I was full of crap, and proceeded to clean the PCs themselves. Big mistake!
Oddly enough, their VP later complained to the service company I worked for that I had not done my job, since his IT people were fuck-heads. He didn't exactly state it this way, of course, but that was the gist of the statement. When I started to explain what had happened to my boss, I only got as far as "...and I discovered that most of their PCs were infected with Monkey-B."
He started laughing, and finished my sentence for me with "and their stupid IT people went around removing it, right? Idiots!"
Virizzle (Score:4, Funny)
Re:Virizzle (Score:4, Funny)
He has the bitches write code for him.
nice features list (Score:5, Informative)
# Checks to see if it is allowed to send mail to AOL, for spamming purposes
# Can steal Windows Product Keys
# Can run an IDENT server on demand
# Starts an FTP server to deliver the trojan binary to exploited hosts - ends the FTP session with the message "221 Goodbye, have a good infection :)."
# Can run a socks, HTTP or HTTPS proxy on demand
# Can start a redirection service for GRE or TCP protocols
# Can scan for and use the following exploits to spread itself to new victims:
* DCOM
* DCOM2
* MyDoom backdoor
* DameWare
* Locator Service
* Shares with weak passwords
* WebDav
* WKS - Windows Workstation Service
# Attempts to kill instances of MSBlast, Welchia and Sobig.F
# Can sniff IRC network traffic looking for logins to other botnets and IRC operator passwords
# Can sniff FTP network traffic for usernames and passwords
# Can sniff HTTP network traffic for Paypal cookies
# Contains a list of nearly 600 processes to kill if found on an infected system. Some are antivirus software, others are competing viruses/trojans
# Tests the available bandwidth by posting large amounts of data to the following websites:
* www.st.lib.keio.ac.jp
* www.lib.nthu.edu.tw
* www.stanford.edu
* www.xo.net
* www.utwente.nl
* www.schlund.net
# Can steal AOL account logins and passwords
# Can steal CD Keys for several popular games
# Can harvest emails from the web for spam purposes
# Can harvest emails from the local system for spam purposes
Re:nice features list (Score:5, Funny)
Can someone code that feature?
Seriously, I would love to see one of these programs that just turns the victim's internet connection OFF. Granted, I don't think it would spread very well.
Re:nice features list (Score:5, Insightful)
Just code it to kill the connection after, say, fifty successful infections.
You know what the real innovation would be, though? Writing an OS so that one process can't stomp on other processes it doesn't have permission to. It would also be nice to write something where worms couldn't just land on the system as executable files by default and scripts that do things like install other programs and do stuff without the user's knowledge can't be automatically run by a freaking e-mail program. Gee, too bad there's nothing around like that...
Re:nice features list (Score:5, Insightful)
I agree 100%. The windows developer community needs to totally and outright kill 95/98/Me support, and start using the built in security in 2000/XP.
Having absolutely everything running as an administrator is a huge mistake.
Re:nice features list (Score:5, Informative)
Checking out the vulnerabilities used by Phatbot, I'm guessing most, if not all, of these holes were patched long ago. Short of forcing regular patching and upgrades, I guess there's not much that can be done to get around this. I get a shocking number of people through the store who never, ever use Windows Update.
One part bad security model, one part careless users. Really, if there was an announced problem with your car that might lead to a thief getting in and driving off with it, wouldn't you get it fixed? Would you leave your door unlocked because it makes entering your car easier when you're in a rush?
Computers have been sold as appliances, when they should be sold as flexible tools that aren't difficult to use, but take a minor bit of effort to maintain. I bet I could make big bucks just going to people's homes and carrying out basic upgrading and patching activities. $50/hr for running Windows Update, Ad-Aware and AVG, here I come...
Re:nice features list (Score:5, Insightful)
Not if he always brought it back in the morning
That's why people don't give a crap, cuz the machine still kinda runs. Most people probably chalk it up to: "God this old machine doesn't run like it use to could! I should have never upgraded to IE6."
Re:nice features list (Score:3, Insightful)
Furthermore, in Windows, there's a GREAT DEAL of things you can do in userland that should only be available in rootland. So because of these issues, I've run every Windows computer I've ever owned at administrator level, as most people do.
Re:nice features list (Score:3, Informative)
Re:nice features list (Score:5, Informative)
Re:nice features list (Score:5, Insightful)
<RANT type="favorite">
Then there's programs that, because of sloppy/lazy coding, insist on being run as Admin on NT/2K/XP. Two that come to mind immediately are Mavis Beacon Teaches Typing 15 and The Sims.
There is absolutely NO REASON WHATSOEVER for a typing tutor to require Admin, nor should there really be any for the Sims. AFAICT, they both write to the installation directory and HKLM instead of the user's "Application Data" and HKCU.
</RANT>
Re:nice features list (Score:4, Informative)
I've been in regular contact with an antivirus vendor's support people over 2 weeks trying to explain to them that it is NOT acceptable for users to have Power User privileges in order for their AV definitions to auto-update... It's like talking to a brick wall, here's an example of their 'support' verbatim:
Sorry? Do you mean give everyone full control to my system drive, as well as your AV definitions, configuration files and executable code? You've got to be kidding!
And surely you'd think that AV vendors would understand better than most the need for their software to operate under the principle of least privilege.
Give me a Mac (or other *nix) box anyday is what I say...
Re:nice features list (Score:5, Insightful)
I so agree, so can you PLEASE tell corporate America IT managers this?
Here I am, an IT professional in one of the world's LARGEST telecommunications companies, and EVERYONE's W2K domain profile is set to give them administrator rights... repeated calls to the NOC about the security hole are unanswered, and my attempts to fix it locally get me reprimanded for messing with domain security settings.
It's fine to have the ability to lock it down, but it's worthless when the people in charge of it are too stupid or spineless to use it.
Re:nice features list (Score:4, Interesting)
Something else that really should be done is enforcing Intel's privilege rings.
286+ processors have four privilege rings, 0 through 3. Processes running in ring 0 basically have root privs in the system, ring 1 processes can touch anything but those in ring 0, and so on.
It's intended that critical OS functions, like the memory manager, run in ring 0. Device drivers and such live in ring 1, and user processes live in ring 3.
Many operating systems, including Linux and all versions of Windows except NT 3.xx, run drivers in ring 0 because it's faster. However, it means that a bad driver can bring down the whole system. I bet the majority of Windows crashes lead back to crappy drivers, especially video drivers.
Food for thought.
Re:nice features list (Score:4, Insightful)
a) people who still run Win98/ME, with their total lack of a permissions model, come into the store, and
b) how many people give their XP accounts administrator-level powers just to "make things easier". Shit, the TRON 2.0 demo required administrator privileges to run! We (ie, me and the other employees) have no idea why, it was the most fucking crackheaded thing I've seen since Windows ME, but there it was. I can't imagine how many other programs require admin access to run. And geeks wonder why people have no concept of why it's dangerous to run as root/admin...
Re:nice features list (Score:5, Informative)
I'm currently working at a company that is migrating to WinXP in a very locked down environment. Everyone is a user and software restriction policies only allow files to be executed from specific locations. Users have no write access to C: at all... all user profiles and data are on D: (which is not allowed to execute anything).
My job is to make the apps work. It's horrible. We have to give write access to the app's dir in Program Files to probably 40% of the apps. Some apps require write access to the root of C:\. Many want to create/modify files in Windows and System32. Far too many insist on writing to HKLM and even HKCR.
We repackage all the apps as MSIs and include the needed permissions changes in the installer. By the time the apps are loaded, most machines' security has been drastically compromised.
Re:nice features list (Score:5, Insightful)
The other part of the problem is a company that trained programmers to assume the same thing, and write their programs accordingly. Now that the new versions of the company's primary OS implement some security, the programmers that were used to having complete power are running into justifiable roadblocks.
Nice security culture Microsoft created. The Unix folks learned the folly of getting lax on security long, long ago, thanks to stuff like the Morris worm. How many Morris worms will it take for the Windows world to do the necessary overhaul, on the OS (partly already done, from what I gather), programs, and attitudes of users along with programmers?
Re:nice features list (Score:3, Insightful)
Doesn't matter how you want to justify them, it's always MS's fault.
Re:nice features list (Score:4, Insightful)
I will restate what I said since it was obviously unclear: Windows XP provides everything that is needed to allow you to run day-to-day as an ordinary user. It does not require you to be root unless you are doing the kind of things that should require you to be root. The same is true of Unix. In both environments, it is possible to write software that requires the user to be root. If you write your software that way unnecessarily, you are doing something wrong, regardless of whether your software is for windows or for unix.
The parent had said that there is a problem with Windows in this regard, and that simply is not true (at least for current versions of Windows). Just like Unix, Windows does a fine job of allowing you not to be root. If there are problems caused by individual applications, you should blame the applications, not the operating system. The article to which you linked discusses Age of Empires which is a piece of software that runs on top of Windows. If it requires you to be root, then that is unfortunate, just like it would be if the (hypothetical) OS X version of that game required you to be root. But again, saying that a certain windows application is not doing what it should is not the same as saying that the os should be designed differently.
Re:nice features list (Score:5, Funny)
Re:nice features list (Score:5, Funny)
Best. Feature. Ever.
Re:nice features list (Score:5, Funny)
What better resume than a good virus or trojan?
Want to start the revolution in a hurry? (Score:5, Funny)
2) ???^H^H^H Email software keys to software@bsa.net and tell them that you think your employer is not running legitimate software. Include a paypal link for the reward
3) Profit
This bot looks NASTY.
-B
Re:Want to start the revolution in a hurry? (Score:5, Interesting)
The quickest way to get people to take viruses seriously is to write a virus that reports all their pirated software.
Most people don't care if their computer has a virus, but once a virus can bust them for all their illegal software, people will wise up in a hurry.
even better (Score:5, Funny)
(here in double-moral country, that is)
Re:Want to start the revolution in a hurry? (Score:3, Interesting)
Not only conceivable, but it has already happened.
"Reports on US news site CNET News.com explain that an anonymous hacker, known only as Unknownuser, planted a malicious Trojan horse, Subseven, on the computer of William Jarrett, a visitor to an internet message board. The hacker then used this Trojan to remotely search Jarre
Skynet (Score:5, Funny)
Slashrank [slashrank.org]
Re:Skynet (Score:5, Funny)
Or it will start ordering from its own spam and get really confused.
Re:Skynet (Score:5, Funny)
Great, just what I need. A trojan that needs bigger Trojans than me.
Re:Skynet (Score:4, Funny)
-
For a mainframe version... (Score:5, Informative)
For a mainframe version of the story see _The Adolescence of P1_.
(I'd dig up an Amazon link but I'm busy right now.)
Re:For a mainframe version... (Score:5, Funny)
* 'The Phallus Palace: Female to Male Transsexuals'
* 'Clinical Neurology: A Modern Approach (Paper)'
* 'The World Almanac and Book of Facts 2004'
* 'When Girls Feel Fat: Helping Girls Through Adolescence'
* 'Principles of Frontal Lobe Function'
Whoever coded their search engine could use some advice from that last title.
Here's the correct link. [amazon.com]
Idea? (Score:5, Interesting)
What if anti-virus, firewalls, and other critical software could somehow run in read-only memory space, which would have a physical barrier so that no bugs in software could be exploited to alter this space?
What if we could "burn" memory space of a program to a CD rom so that a proper working, unaltered anti-virus and firewall could run without fear of being disabled?
Re:Idea? (Score:5, Insightful)
Re:Idea? (Score:4, Interesting)
I think Mac OS X is a good example of an OS that is pretty user friendly that doesn't encourage everyone to run as "admin". In fact there are no (by default) admin/root users, "admin" users are users that have sudo ability, so in a weird way it's better than default Red Hat Linux.
-bloo
Re:Idea? (Score:3, Informative)
So if Joe User gets infected and is running as administrator, the virus can un-write-protect memory and keep going.
This is a classic offense vs. defense escalation and is the type of problem Rootkits pose as well.
Re:Idea? (Score:3, Informative)
Re:Idea? (Score:3, Interesting)
So what data do you care about more - an OS you can reinstall in half an hour or five years worth of email, porn, mp3s and other miscellaneous documents ?
All the other accounts are safe and the system itself will not be compromised (barring exploitation of a vulnerability in the system which is a whole different ballgame than what we have here).
Most machines only have one user on them.
I'm TRULY not attempting to Troll (Score:4, Insightful)
It's as bad as spam! It's EVERYWHERE!!
I frequent a couple other message boards (damn, I almost said BBS'), and every few days, we get the same ol' thread...'VIRUS ALERT!!!!!!!'
We live in the information age. The information has been disseminated that Windows users are:
A) Prone to constant viral and security intrusions.
B) In desperate need to constantly update their AV software.
The SysAdmins who aren't keeping their servers locked down are another thing entirely...*grumble*
But really, ABC, NBC, CBS, all these guys have done several stories on system security...EVERYONE's got a nephew that 'knows a lot 'bout dem 'puters'...
I really don't understand why we're still being subjected to this crap. Virus news isn't news. It's spam.
(See! A whole post about viruses and I never mentioned the fact that I run OS X and Yellow Dog Linux exclusively!!! Not once have I mentioned that I've never had to worry about a virus at all!!!)
Yay me.
virus news = spam (Score:5, Insightful)
Obviously the "security-by-news-alert" method of keeping your systems secure is stupid. We must still update our AVs and Spy cleaners and run them regularly. If we do that, we'll get almost every virus and spyware and never have to worry.
But some of us like to know what the virus writers are doing. Trends in the virus business, as they evolve.
Some of us may have firewalls that we might wish to alter based on major recent virus activity. I'm sure the Blaster variants caused several admins to alter the RPC port configuration of their firewalls.
Isn't it better to be proactive rather than reacting to a virus-based DOS?
I agree, of course, that people shouldn't email their buddies "OMG VIRUS ALERT!!!111one!!11" as we are able to keep up on virus news ourselves. We don't need these emails.
The value of Slashdot posting a breaking story about a virus is early-warning in the event that we're sitting around reading Slashdot instead of doing our jobs and monitoring the other virus news systems.
Re:virus news = spam (Score:3, Insightful)
But anyone who uses THIS SITE, as their 'early warning virus system', is already in serious trouble.
There's plenty other sites that specialize in early warning, and they do a far better job than
Specialized tools for specialized jobs.
Re:I'm TRULY not attempting to Troll (Score:4, Funny)
it's a slow news day, what do you expect?
Grr... (Score:5, Insightful)
I understand the average user can't use Registry Editor, but maybe provide a simple link or website to get a tool to remove the Phatbot thingamajig.
Happy St. Paddy's Day everyone, btw.
From the LURHQ alert (Score:5, Informative)
Manual Removal
Look for the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Generic Service Process
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Generic Service Process
The associated binary may be srvhost.exe, svrhost.exe or a variation of the same. Kill the associated process in the Task Manager, then remove the "Generic Service Process" registry key. Remove the executable from the Windows system directory.
Snort Signatures
Here are some Snort signatures to detect Phatbot on a network:
alert tcp any any -> any any (msg:"Agobot/Phatbot Infection Successful"; flow:established; content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|"; dsize:40; classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; sid:1000075; rev:1;)
alert tcp any any -> any any (msg:"Phatbot P2P Control Connection"; flow:established; content:"Wonk-"; content:"|00|#waste|00|"; within:15; classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; sid:1000076; rev:1;)
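To make clear what the two rules above actually match (and where they are brittle), here is the same logic as plain Python that can be run against captured TCP payloads offline. This is an added example, not code from the LURHQ alert or from the poster; the payloads in SAMPLES are constructed test data, not real captures, and the "within" handling follows Snort's documented semantics (the second content is searched for only in the N bytes following the end of the previous match).

```python
# Added example: the two LURHQ Snort rules quoted above, re-implemented as plain
# Python so their match conditions can be checked against TCP payloads offline.
# Not code from the LURHQ alert or the original post; SAMPLES is constructed data.

# Rule 1000075's content, with the hex escape |3a 29 2e 0d 0a| decoded to ":).\r\n".
FTP_BANNER = b"221 Goodbye, have a good infection :).\r\n"

# Rule 1000076's two content strings and its within: modifier.
WASTE_FIRST = b"Wonk-"
WASTE_SECOND = b"\x00#waste\x00"   # |00|#waste|00|
WASTE_WITHIN = 15


def matches_ftp_infection(payload: bytes) -> bool:
    """sid 1000075: fixed content AND dsize:40, i.e. the payload must be exactly
    40 bytes. A banner coalesced with other reply text in one segment will not fire."""
    return len(payload) == 40 and FTP_BANNER in payload


def matches_waste_control(payload: bytes) -> bool:
    """sid 1000076: "Wonk-" followed by |00|#waste|00| with within:15.

    Snort's within:N confines the search for the second content to the N bytes
    that follow the end of the previous match, so the 8-byte second pattern
    must start no more than 7 bytes after "Wonk-". Like Snort, retry from each
    later occurrence of the first content if the second is not in its window.
    """
    pos = payload.find(WASTE_FIRST)
    while pos >= 0:
        window_start = pos + len(WASTE_FIRST)
        window = payload[window_start:window_start + WASTE_WITHIN]
        if WASTE_SECOND in window:
            return True
        pos = payload.find(WASTE_FIRST, pos + 1)
    return False


def classify(payload: bytes) -> list:
    """Return the msg strings of the quoted rules that this payload would trigger."""
    hits = []
    if matches_ftp_infection(payload):
        hits.append("Agobot/Phatbot Infection Successful")
    if matches_waste_control(payload):
        hits.append("Phatbot P2P Control Connection")
    return hits


# Constructed payloads (not captured traffic).
SAMPLES = {
    # The bot FTP server's closing line on its own: fires sid 1000075.
    "ftp_goodbye": FTP_BANNER,
    # Same line preceded by an earlier reply in one segment: dsize:40 fails, no alert.
    "ftp_goodbye_coalesced": b"226 Transfer complete.\r\n" + FTP_BANNER,
    # Second content starts 3 bytes after "Wonk-", inside the 15-byte window: fires sid 1000076.
    "waste_hello": b"Wonk-\x01\x00\x00\x00#waste\x00\x00\x10",
    # Second content starts 10 bytes after "Wonk-", so it cannot fit in within:15: no alert.
    "waste_too_far": b"Wonk-" + b"\x41" * 10 + b"\x00#waste\x00",
    # Ordinary FTP goodbye: nothing fires.
    "benign_ftp": b"221 Goodbye.\r\n",
}


def run_samples() -> dict:
    """Map each constructed sample name to the list of rule messages it triggers."""
    return {name: classify(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:24s} {hits or '-'}")
```

The coalesced-banner case is the practical caveat: dsize:40 keys the first rule to a segment that carries nothing but the goodbye line, so a stack that batches replies into one segment slips past it even though the string is present.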
paypal? (Score:5, Insightful)
aol, go for it... emails from the web are already public, go for it... paypal cookies? now that's just plain wrong, the feds are going to love that one.
Re:paypal? (Score:3, Insightful)
Re:paypal? (Score:5, Informative)
PayPal Warning [paypalwarning.com]
About PayPal [aboutpaypal.org]
Google [google.com]
That ought to keep you busy for a few days
Re:paypal? (Score:3, Informative)
Description of trojan is slashdotted (Score:5, Funny)
-- PhoneBoy
anyone else think (Score:5, Funny)
Spammer-Sponsored (Score:5, Insightful)
Just take a look at the feature list, it probably has more bells and whistles than most of the software out there.
Is there a way to trace back the master of these trojans and do something about it? Surely these trojans need to do something for their masters at some stage, probably waiting for commands somewhere.
Re:Spammer-Sponsored (Score:5, Funny)
Re:Spammer-Sponsored (Score:3, Informative)
Still Countergrabbable (Score:5, Insightful)
Too bad it would be both grossly illegal and probably disruptive, because it would be a great favor to the rest of the net, to counter these botnets and squish them into oblivion (at least this generation, until the attackers learn how to do authentication of commands correctly).
Re:Still Countergrabbable (Score:3, Interesting)
It's only a matter of time.
Related links and info (Score:5, Informative)
http://news.yahoo.com/fc?tmpl=fc&cid=34&in=tech&cat=hackers_and_crackers
http://www.f-secure.com/v-descs/agobot_fo.shtml
Detailed Description
First of all, this new variant has a 'Phatbot3' identifier and there are a few 'phat' strings in its body. This may indicate that this version was not made by the original Agobot backdoor author, who calls himself TheAgo, but by a different person/group who got the source code of this backdoor.
The backdoor's file is a PE executable 115738 bytes long compressed with PE-Diminisher file compressor. The unpacked file's size is over 245 kilobytes.
Installation to system
The Agobot.FO backdoor copies itself as NVCHIP4.EXE file to Windows System folder and creates startup keys for this file in System Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"nVidia Chip4" = "nvchip4.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"nVidia Chip4" = "nvchip4.exe"
This allows the backdoor's file to start with every Windows session. On Windows NT-based systems the backdoor can start as a service.
Scanning for vulnerable computers
The backdoor can scan subnets for exploitable computers and send a list of their IPs to the bot operator. The scan is performed on ports 80, 135 and 445 for RPC/DCOM (MS03-026), RPC/Locator (MS03-001) and WebDAV (MS03-007) vulnerabilities. The backdoor can also scan for computers infected with MyDoom worm (port 3127), Bagle worm (port 2745) and also for computers where DameWare remote system management software is installed (port 6129).
Performing a DDoS attack
The backdoor can perform the following types of DDoS (Distributed Denial of Service) attacks:
* HTTP flood
* SYN flood
* UDP flood
* ICMP flood
When performing a DDoS attack, the backdoor uses 33 unique client identifiers including Mozilla, Wget, Scooter, Webcrawler and Google bot.
The backdoor sends 256000 bytes of random data to the following websites and checks the response times:
www.schlund.net
www.utwente.nl
www.xo.net
www.stanford.edu
www.lib.nthu.edu.tw
www.st.lib.keio.ac.jp
Collecting e-mail addresses
The bot can harvest e-mail addresses. It has the functionality to read the user's Address Book and send the list of e-mail addresses to the bot operator.
Obtaining Registry info
The backdoor has the functionality to obtain System Registry info from an infected computer. This is a new feature for Agobot backdoor. Information obtained from the Registry can give a hacker a full overview of an infected system.
Spreading to local network
Agobot backdoor can scan computers on the local network and copy itself there. The scan is initiated by a remote hacker. When spreading to the local network, Agobot.FO probes the following shares:
admin$ c$ d$ e$ print$ c
Agobot.FO tries to connect using the following account names:
(SEE LINKS AT TOP FOR INFORMATION)
When connecting, Agobot.FO uses the following passwords:
(SEE LINKS AT TOP FOR DETAILS)
If the worm succeeds in connecting to the above listed shares, it copies itself to a remote share and attempts to start that file as a service. The alternative way of infecting a remote host is to create a scheduled task on a remote computer that will start the backdoor's file.
Terminating processes of security and anti-virus programs
Agobot.FO has a huge list of process file names hardcoded in its body. The backdoor tries to terminate processes that have the following names:
(NAMES REMOVED SO POST WOULD WORK, FOLLOW LINKS AT TOP)
This functionality allows the backdoor to successfully disable anti-virus and security software that can not detect this backdoor before its file is started. In most cases special tools are required to clean a computer infected with this backdoor.
Additionally the
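The scanning section above gives a concrete port list (80, 135, 445 for the RPC/WebDAV holes, 3127 and 2745 for the MyDoom and Bagle backdoors, 6129 for DameWare), which is enough to look for the sweep in ordinary firewall or flow logs. The following is an added example, not code from F-Secure or from the poster: the log format (timestamp, src, dst, dport, action) and every line in SAMPLE_LOG are constructed for illustration, and parse() would need adapting to a real firewall's format.

```python
# Added example: spotting the subnet scanning described above in connection logs.
# Not code from F-Secure or the original post. The log format and all lines in
# SAMPLE_LOG are constructed for illustration; adapt parse() to your real format.

from collections import defaultdict

# Ports the description says the bot probes: RPC/DCOM, RPC Locator and WebDAV on
# 80/135/445, the MyDoom (3127) and Bagle (2745) backdoors, and DameWare (6129).
PROBE_PORTS = {80, 135, 445, 3127, 2745, 6129}


def _constructed_log() -> str:
    """Build a small, labelled sample log: one sweeping host, two benign ones."""
    lines = []
    # One internal host walking 12 neighbours on 135 and 445: sweep behaviour.
    for i in range(1, 13):
        lines.append(f"2004-03-16T10:00:{i:02d} 10.0.0.5 10.0.1.{i} 135 deny")
        lines.append(f"2004-03-16T10:00:{i:02d} 10.0.0.5 10.0.1.{i} 445 deny")
    # A workstation hammering one intranet web server: many hits on 80, but a
    # single destination, so not a sweep.
    for i in range(30):
        lines.append(f"2004-03-16T10:01:{i:02d} 10.0.0.9 10.0.2.10 80 allow")
    # Normal SMB use against two file servers: too few targets to flag.
    lines.append("2004-03-16T10:02:00 10.0.0.7 10.0.2.20 445 allow")
    lines.append("2004-03-16T10:02:05 10.0.0.7 10.0.2.21 445 allow")
    lines.append("")  # a blank line, which parse() must tolerate
    return "\n".join(lines) + "\n"


SAMPLE_LOG = _constructed_log()


def parse(log: str):
    """Yield (src, dst, dport) from the constructed space-separated format,
    skipping blank or malformed lines instead of aborting the whole run."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, src, dst, dport, _action = parts
        try:
            yield src, dst, int(dport)
        except ValueError:
            continue


def find_sweepers(log: str, min_targets: int = 8) -> dict:
    """Return {src: (distinct_targets, sorted_ports)} for sources that touched at
    least min_targets distinct hosts on the probe ports. Counting distinct
    destinations rather than connection attempts is what separates a scanner
    from a busy client talking to one server."""
    targets = defaultdict(set)
    ports = defaultdict(set)
    for src, dst, dport in parse(log):
        if dport in PROBE_PORTS:
            targets[src].add(dst)
            ports[src].add(dport)
    return {
        src: (len(dsts), sorted(ports[src]))
        for src, dsts in targets.items()
        if len(dsts) >= min_targets
    }


if __name__ == "__main__":
    for src, (n, p) in find_sweepers(SAMPLE_LOG).items():
        print(f"{src} touched {n} hosts on ports {p}")
```

The threshold is the tuning knob: too low and a file server's regular clients show up, too high and a slow scanner walking a /24 over hours never crosses it, so in practice it is paired with a time window rather than run over a whole day of logs at once.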
Lucky me (Score:5, Funny)
who knew that dial up internet was a form of virus protection? I don't feel so bad anymore!
The power of viruses (Score:5, Interesting)
No complaints for months. And then, I add a new account to the mail server and restart sendmail.
Within a few hours, I got complaints that the volume of email had at least tripled, and that *all* of the increase were viruses, being caught by McAfee! So bad it was difficult to simply empty out the inbox from all the popup notices of virus detection!
Turns out when I restarted sendmail, I didn't restart MailScanner, so it was not running, letting everything through.
Very sobering, to realize how bad viruses online have gotten...
Re:The power of viruses (Score:5, Funny)
Oh good...I'm not the only one that restarts sendmail when I'm drunk...
nowhere to run (Score:4, Interesting)
NANOG [merit.edu] this past week has had to deal with "h4r 3y3 j4m an 3fnet p4ck3tm0nk3y" bs. What I don't understand is how some people download and install something without checking exactly what it is. Look at the spyware situation: "Click here for a free weather clock" It should be obvious that there is no such thing as free. Everything has some form of price. What I find most alarming, is that most corporations - Symantec, Network Associates, and the major Windows based antivirus makers including Microsoft who have not got their act together - unleash errata of mass destruction. "Buy this patch/firewall/antivirus foo foo foo product to protect you now!" Why not release some Macromedia Flash like tutorial along with their products to educate users about the dangers of downloading unnecessary 'tools/products/virtuagirls/etc' and how to protect themselves from these things... I'm willing to bet if some company did something like this, most of these annoyances would drop big time
Mirror (Score:5, Informative)
http://www.joestewart.org/phatbot.html [joestewart.org]
-Joe
Re:Mirror (Score:4, Informative)
http://www.d.umn.edu/~shar0213/gcache.php
http
http://gwebcache.h4
http://gwc.gwc.niet.net/gwc/gcac
http://www.rodage.net/gnetcache/gcache.php
http://www.blackfedora.com/gcache/perlgcache.cgi
http://g2wc.markushenn.de/gwcii.php
http://www.
http://www.edazzle.net/gerry/gerry2.asp
h
http://www.xolox.nl/gwebcache/default.asp
http
Look for hosts using port 4387, pretending to be GNUT clients.
-Joe
Interesting that (Score:4, Interesting)
Was I wrong to consider using
Good luck everyone out there who should be checking/cleaning your systems -
Stories rejected by slashdot (Score:4, Interesting)
I realized one day that we could essentially have a user-contributed, user-moderated article queue of sorts using the journaling system here. I've dedicated my journal [slashdot.org] to it. I haven't figured out how to draw larger traffic to it without making this a part-time job, but you're welcome to contribute to it and I welcome suggestions.
--LP
On the Positive Side (Score:4, Interesting)
How about a virus that educates users? (Score:4, Interesting)
Viruses spread due to stupidity, ignorance, and laziness on the part of users. A virus like this MIGHT help with the ignorance part.
Now please don't think I'm advising anyone to go out and write such a thing, I'm only saying that I think the idea would be interesting.
I think it would also be interesting to hunt down the creators of malicious viruses and have them drawn and quartered, preferably on live TV. Next their parents should be beat within an inch of their lives for not raising them right in the first place.
Lee
Re:How about a virus that educates users? (Score:3, Informative)
Interesting, yes. But, unfortunately, its delivery to the user wouldn't differ significantly from the endless popups proclaiming "Your PC is broadcasting its address!!!!" Very
Re:How about a virus that educates users? (Score:4, Funny)
I wrote an email "virus" that simply made everyone think their hard drive was being erased and then emailed it to all my users here at work and waited for the calls.. even after the "scare" I sent a second "virus" that silently wrote the username of the person that opened it to a file on the server... guess what... the damned sheep still did everything as normal...
you can't educate most people. once they have a "way" of doing something it's like pulling teeth to get them to change...
hell we had people bitch for 2 months about the change in the color of the office pencil supply.
Futurama (Score:3)
Anonymous Coward officials? (Score:3, Interesting)
Suspicious... (Score:4, Interesting)
If the US government is announcing this publically, and the virus has already infected "hundreds of thousands of computers already", wouldn't the anti-virus companies *know* that?!?
Re:Suspicious... (Score:5, Informative)
I consider the addition of the WASTE code and removal of the IRC code to be significant enough to call this by a new name. Not to mention all the other added features that are not part of the Agobot code.
-Joe
The good 'ol days (Score:4, Insightful)
Now its not your fault, and it hurts you as well as everyone else!
Nullsoft Waste code used? Open source scariness.. (Score:4, Interesting)
Here is a problem I had never thought about with open source initiatives. What happens when someone steals your source without obeying GPL or anything and turns it into a monster? It would have been *MUCH* harder for the PhatBot authors to code their own Waste-like [slashdot.org] clustering P2P system. Perhaps they might not have even been able to do so. Instead they grab an open source app and use it to create something illegal, and in this case even dangerous.
These are the same problems faced in the emulation field. Many open source emu programmers do not allow any game from the past 2-3 years to be played, mainly to appease the corporations that still make arcade titles (SNK etc). But people open up their source and release renegade versions of their own apps without their permission and in violation of GPL and everything, often packaging them with illegal arcade ROMs.
Re:Nullsoft Waste code used? Open source scariness (Score:3, Interesting)
The same thing you do when someone buys a hammer and then uses it to kill someone. You just deal with it.
Once you distribute something, be it a physical object like a hammer, or source code, you lose a certain amount of
Re:Nullsoft Waste code used? Open source scariness (Score:3, Funny)
That's what Dr. Frankenstein said when he took the corpses for his creature. But he showed them, didn't he! They all thought he was crazy! Bbbut whooss teH CRzy onE now, HAH? You fooLS, YOU ALL LAUGHED, BUT IL HAV THE LAAST LAUHG!
MWAHAHAHAHAHA!
Uh oh! (Score:3, Funny)
They use GPL'd code from WASTE but haven't released the whole source code! They're in a world of legal hurt now.
possible hoax? (Score:4, Interesting)
As many people have pointed out there is an utter lack of response by the top three anti-virus companies to this threat. I find this disturbing and also, unlikely. Why would the Department of Homeland Defense have better intelligence on a clearly US based threat (Phat is not an international phrase by any means) than the people who make their livelihood based on threat detection and elimination?
This has, to me, the markings of a hoax. The list of *features* as one poster put it is indeed staggering. That, coupled with the silence coming from Symantec, McAfee et al. makes it look fishy. A google search shows one recent post and a bunch of older hits (possibly the same as in the McAfee search).
So that leaves me with 3 questions:
1 - Is it real
2 - How do we detect it
3 - How do we kill it.
--KS
Re:possible hoax? (Score:4, Informative)
It's not. I spent several hours analyzing it. You can connect to the Gnutella cache servers and see Phatbot clients registered using port 4387. You can portscan the infected hosts, find the mini-ftp server it runs and download the code yourself if you need tangible proof.
The list of *features* as one poster put it is indeed staggering.
Most of these features are part of Agobot. Yet no one disputes its existence.
That, coupled with the silence coming from Symantec, McAfee et al. makes it look fishy.
They're not silent - to them this is just another Agobot variant, one of dozens released in the last few months. And they are not making a big deal about it because it really isn't that much of a threat. If you're running Windows with the latest patches and aren't infected with MyDoom or a Dameware backdoor and aren't using weakly passworded shares, you have nothing to worry about from this trojan.
So that leaves me with 3 questions:
1 - Is it real
Yes.
2 - How do we detect it
With just about any AntiVirus solution.
3 - How do we kill it.
In terms of killing it from one machine: disinfect manually or use a tool from the AV companies. In terms of killing the entire network, you would need to reprogram the Gnutella cache servers it uses to detect and refuse connections from the Phatbots.
-Joe
The meaning of "Trojan" (Score:5, Insightful)
The article suggests that this is a "trojan" because it lets attackers stealthily take control of your computer. But that was not what was remarkable about the historical Trojan horse. What was remarkable about it is that it was presented as a gift. The distinguishing characteristic of a trojan is that it has a friendly outward appearance but contains a deadly payload. That's certainly not the case with Phatbot.
Rather, I'd say that Phatbot is a virus, because a) it is malicious and b) it doesn't rely on deception to spread itself. This is, again, subtly different from a worm, which generally isn't malicious, just annoying.
Of course it's water under the bridge at this point.
Re:Happened to a friend (Score:3, Insightful)
Apparently, your name and his name are in the address book, or in an email of an infected computer's system. That system spoofs the From: address, and sends it To: someone else in there. Sometimes you will receive it from friends that do not have it, other times you'll get a kickback saying undeliverable due to a virus that you sent. But... you didn't send it. Instead, you were spoofed as the From: address and the To: was unreachable, thus bouncing back to y
Re:Happened to a friend (Score:3, Interesting)
then he noticed in outlook the "save password" button no longer worked
It might not be related to this problem, but using Outlook is probably the fastest way to get a virus short of deliberately installing one. The only exception to that is if you use Outlook in an extremely tight network where all the mail is examined before Outlook gets its retarded little mitts on it.
So basically what we're saying is that outside of the context of a trusted corporate network where all mail is thoroughly
Re:Detection/Removal instructions? (Score:5, Informative)
"Manual Removal
Look for the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\
HKLM\Software\Microsoft\Windows\CurrentV
The associated binary may be srvhost.exe, svrhost.exe or a variation of the same. Kill the associated process in the Task Manager, then remove the "Generic Service Process" registry key. Remove the executable from the Windows system directory."
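An added, read-only check of the indicators the removal instructions above name (example code, not from the post or any vendor tool): it searches beneath the registry prefix the post quotes rather than guessing the subkey that was cut off, matches the binary names the post gives, and reports findings without deleting anything.

```powershell
# Added example, not code from the post. Read-only inventory of the indicators the
# removal instructions above name: it reports and deletes nothing, so findings can be
# reviewed (and user data backed up) before any manual cleanup.
$binaryNames = @('srvhost.exe', 'svrhost.exe')      # names quoted in the post
$entryName   = 'Generic Service Process'            # entry name quoted in the post
# Key prefix quoted in the post; the subkey was cut off there, so search beneath it.
$searchRoot  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion'

# Pull the executable name out of a registry command line such as "C:\x\a.exe" /arg
function Get-LeafFromCommand([string]$Command) {
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) { $cmd = $cmd.Substring(1).Split('"')[0] }
    else { $cmd = $cmd.Split(' ')[0] }
    return ([IO.Path]::GetFileName($cmd)).ToLower()
}

function Find-SuspectProcesses {
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $binaryNames -contains ($_.ProcessName.ToLower() + '.exe') } |
        Select-Object Id, ProcessName, Path
}

function Find-SuspectRegistryEntries {
    Get-ChildItem -Path $searchRoot -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        # The post calls it a "key"; in Run-style keys it is normally a value name, so check both.
        if ($key.PSChildName -eq $entryName) {
            [pscustomobject]@{ Key = $key.Name; Value = '(subkey)'; Data = '' }
        }
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($name -eq $entryName -or $binaryNames -contains (Get-LeafFromCommand $data)) {
                [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
            }
        }
    }
}

function Find-SuspectFiles {
    Get-ChildItem -Path ([Environment]::GetFolderPath('System')) -File -ErrorAction SilentlyContinue |
        Where-Object { $binaryNames -contains $_.Name.ToLower() } |
        Select-Object FullName, Length, LastWriteTime
}

'== Processes =='; Find-SuspectProcesses
'== Registry =='; Find-SuspectRegistryEntries
'== System directory =='; Find-SuspectFiles
```

Run it from an elevated PowerShell prompt so the HKLM walk and process paths are readable; anything it lists still needs confirming by hand, since a file merely named like the trojan's binary is not proof on its own.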
Re:Detection/Removal instructions? (Score:3, Funny)
Here is a helpful site. [linux.org] It provides instructions on how to get rid of windows viruses forever. Even ones not yet invented.
Re:Jesus. (Score:4, Insightful)
Hmm... I suppose user idiocy is a flaw that Windows has that Linux doesn't.
Okay, I see your point.
Re:Jesus. (Score:4, Funny)
"Problem lies between Keyboard and Chair".
At work we say "It was a Layer 8 problem". You can say that in front of non-geeks without them catching on.
Re:Jesus. (Score:4, Insightful)
This security is no inherent quality of the software but just a consequence of very few people using the same version of Linux. Linux security is essentially security by obscurity. By using software that nobody else uses you avoid being targeted by viruses and worms that depend on mainstream adoption for propagation. Just like in nature, monocultures are vulnerable to viruses. I'm not saying that Linux is insecure, I'm just saying that many people confuse the lack of attacks on Linux with its alleged security.
If you want security, install BSD. Even fewer people use it and many BSD users suffer from severe paranoia (resulting in increased awareness with respect to security issues) so you are unlikely to be ever affected by the latent security holes that are waiting to be discovered. Even MS uses BSD software to keep the scriptkiddies out.
Ironically, Microsoft's biggest security problem is that people are buying and using their products. I'm sure that is something they don't want to fix. Upgrading is another issue, MS is actively pushing their customers to upgrade (though not necessarily to protect them
Re:Trojans and the like (Score:3, Informative)
Re:what else is new? (Score:5, Insightful)
The word 'only' is misplaced. The Internet is full of idiots. They're in the majority.
They get the shit kicked out of them every time they go online. They take their junky Gateways back to PC shops to 'wipe and reinstall' every six months. They lose files because 'I know I didn't download that file to my hard drive - I downloaded it to my desktop instead' and then they can't find it.
You tell them the simplest things to get them out of the most complex situations and they demand 'user friendly'. They want products that cure only the latest ill and demand at most one mouse click.
Wonder of wonders the world (the Internet) is as it is. And wonder of wonders is that it's taken the sophisticated malware engineers so long to get sophisticated.
There's a slaughter going on, and although MS are responsible with their crappy stuff, the users are also responsible - for using it. And I hope we've heard the last of that classic line 'it only affects Windows users', because it should be evident to even the most brain-dead MS fanatic at this point that the entire Internet is affected.
It's time to put up some housing ordinances so MS users aren't allowed to ruin the neighbourhood. High time and beyond.
Re:what else is new? (Score:4, Insightful)
I have a better suggestion. How about we give people a better education in school about computers, etc.? From what I've heard, they already are giving much more in-depth instruction at many public schools on computer use. This doesn't help out ignorant adults (esp. the ones without kids), but at least the next generation should generally be more competent.
It could be a class alongside sex-ed called computer-ed. All they need to teach is: