Phatbot Author Arrested In Germany

Tacito writes "After arresting the author of Sasser, the German police claim to have caught the author of Phatbot. To read the corresponding articles on Yahoo! News or Heise (use babelfish)." adds a link to an "awesome Google translation" of the Heise article.
  • Germany is Busy! (Score:4, Insightful)

    by mfh ( 56 ) on Saturday May 08, 2004 @02:02PM (#9094497) Homepage Journal
    Germany is really cracking down today! Either that, or perhaps the Sasser writer gave up the Phatbot author? I'm guessing that one arrest led to the other, considering Phatbot is a Sasser derivative.
    • Re:Germany is Busy! (Score:5, Informative)

      by Florian Weimer ( 88405 ) on Saturday May 08, 2004 @02:16PM (#9094586) Homepage
      No, Phatbot (or Agobot, which seems to be the more correct name) is NOT a Sasser derivative. Recent Agobot versions were extended for attacking Microsoft Windows machines using the same LSASS defect, but this doesn't make Agobot a derivative of Sasser.
    • by httptech ( 5553 ) on Saturday May 08, 2004 @02:19PM (#9094606) Homepage
      considering Phatbot is a Sasser derivative

      Who told you that? I've analyzed both, and there is no relation between them at all in terms of code. The source code to Phatbot is public, and the compiled binary is around 250-300K as opposed to Sasser's 15K. Maybe you're thinking about Phatbot being a derivative of Agobot.

      My writeups of both can be found here: [] []

      • or the riaa? anyways next time I publish a paper I'll make sure NOBODY is able to trace it back to me :)
      • by hanssprudel ( 323035 ) on Saturday May 08, 2004 @02:51PM (#9094791)

        From reading your description, it doesn't seem like Phatbot is a worm at all, but rather a trojan horse / remote administration tool. If all the guy did was write a trojan horse, and there is no evidence that he himself has been using it on other people's machines, then he should not be under arrest. Source code is speech, right?

        Bets are, that on The New Slashdot (tm) - you know, the one where stories about DMCA attacks are full of attacks against the coders rather than the company (Apple!) - this story will be full of people commending the arrest of this guy for nothing other than writing software...
        • Well, if all he did was write it, and someone else let it loose on the net, then perhaps he shouldn't be under arrest.

          On the other hand, I'm having a hard time imagining what benign uses this thing could be put to. With DVD/e-book decrypters/rippers you can claim fair use, with port scanners you can claim that you're testing security of your own network, but with a worm? It's designed solely to infiltrate a host and spread - I can't think of any benign uses, let alone significant ones...

          If you knowingly c
        • Well, if you had actually read the description, you wouldn't have missed:
          [...]as it spreads from system to system.

          Can scan for and use the following exploits to spread itself to new victims[...]

          It's quite obviously a worm.
    • I don't know about the connection; reading the articles on heise:

      (- AFAIK Phatbot uses Sasser backdoors as one of many spreading options and is not a real derivative)

      - according to German police the phatbot author was one of four people they were investigating because of hints they got from "US authorities"

      - the Sasser author was caught because of a phone call of (someone close to the author) to Microsoft:
      the caller was claiming to know the Sasser-author and offered some code snippets as "proof";
  • Hah (Score:5, Funny)

    by Bishop, Martin ( 695163 ) on Saturday May 08, 2004 @02:04PM (#9094509)
    In other news, German Authorities claim they have caught the moth that got caught in the Mark II. News at 11.
  • by Anonymous Coward on Saturday May 08, 2004 @02:04PM (#9094512)
    Police Sgt. Schultz said "I know NOTHING! NOTHING!!"
  • Blah blah (Score:5, Interesting)

    by Leffe ( 686621 ) on Saturday May 08, 2004 @02:08PM (#9094531)
    I must say that I find it very interesting that people are able to spread worms this fast nowadays. Back in the day it took weeks or months to see something, and most people had already patched the worms by then, but now it's crazy, a worm can propagate to the entire world in a day! Even faster than DNS :D Maybe something for the BIND developers to consider?
    • Yeah, I remember when we had to find a box, mail the deck of cards to the next guy, find an address of that guy at UICU to mail the last deck to....
    • Re:Blah blah (Score:4, Insightful)

      by Feanturi ( 99866 ) on Saturday May 08, 2004 @04:09PM (#9095271)
      I must say that I find it very interesting that people are able to spread worms this fast nowadays. Back in the day it took weeks or months to see something, and most people had already patched the worms by then, but now it's crazy, a worm can propagate to the entire world in a day!

      This should not be surprising. Back in the day, there were far fewer machines on the net, and therefore fewer opportunities for something to spread, particularly if it was attacking random IP's, most of which would have been unused. Now it's a different story. Pick a number, and there's a good chance you've got some kind of host there. A nice soft and juicy vulnerable host almost everywhere you stab. That was not the case back in the day.
      • Re:Blah blah (Score:2, Interesting)

        by _w00d_ ( 129045 )

        This should not be surprising. Back in the day, there were far fewer machines on the net, and therefore fewer opportunities for something to spread, particularly if it was attacking random IP's, most of which would have been unused. Now it's a different story. Pick a number, and there's a good chance you've got some kind of host there. A nice soft and juicy vulnerable host almost everywhere you stab. That was not the case back in the day.

        Not only that but the people on the net back in the day were more

      • by Prof. Pi ( 199260 ) on Saturday May 08, 2004 @07:09PM (#9096354)
        Back in the day, there were far fewer machines on the net, and therefore fewer opportunities for something to spread

        Back in the day, there were many more types of machines with many different software packages performing the same functions (such as email). Infections spread more rapidly in monocultures, in both biological and computer ecosystems.

    • Re:Blah blah (Score:3, Insightful)

      by Kjella ( 173770 )
      Maybe something for the BIND developers to consider?

      Umm... no. It's a lot easier to propagate if you need no hierarchy. Imagine trying to tell the whole Internet about a DNS change with no plan. How many DNS updates do you think your box would get? And the overhead in the PKI system you would need to have to ensure they're real?

    • Re:Blah blah (Score:3, Insightful)

      by Anonymous Coward
      a worm can propagate to the entire world in a day!
      Try 10 minutes. Google for "warhol worm". Be afraid, be very very afraid. If a worm like that had a destructive payload (not just wiping HDDs, but think flashing BIOS, overdriving monitors etc.), the material and immaterial damages would be counted in billions or trillions of dollars.

      Disconnect from the network now, before it's too late.

  • This info was mentioned in the referenced slashdot story.
  • Freaky... (Score:5, Interesting)

    by robslimo ( 587196 ) on Saturday May 08, 2004 @02:09PM (#9094539) Homepage Journal
    I just heard this news on NPR and thought I'd submit it to /. but I was scooped. NPR said that he was a "student" and lived with his parents. They said he admitted to being the Sasser worm author but failed to mention the Phatbot connection.

    Here's an English language report that mentions a Microsoft connection.
    • Re:Freaky... (Score:5, Informative)

      by Vlad_the_Inhaler ( 32958 ) on Saturday May 08, 2004 @02:21PM (#9094625) Homepage
      According to the article, there *is* no connection between the two. Phatbot was developed from Agobot.

      US Authorities apparently provided the tip-offs in catching both authors.
    • by Anonymous Coward
      "...he was a "student" and lived with his parents."

      I bet the profilers never expected THAT kind of character would release a virus.

      On a different note: is anyone interested in joining the Angry Loner's Rifle Association? Our motto: "Be a quiet man, and keep to yourself".
  • say some sources (
    this is subject to a press conference to be held tomorrow.

    well that's somehow impressive, which should not mean admirable ...
  • Now let's take them both out into the street and tar and feather them... :-)
  • Put the... (Score:4, Funny)

    by Phidoux ( 705500 ) on Saturday May 08, 2004 @02:12PM (#9094555) Homepage
    ... phatbot author in a phat jail cell behind some phatbars, and that's only because he doesn't know how to spell FAT!
  • Got Evil? (Score:3, Insightful)

    by grub ( 11606 ) on Saturday May 08, 2004 @02:14PM (#9094567) Homepage Journal

    I'm still waiting for the day that one of these things wipes out the infected host after X hours/days. Ebola spreads fast and kills the host, why not a virus/worm?

    I'll laugh when it happens.
    • Unless it's your *nix box that's been wiped out. Just because Windows is the most wide-spread os, doesn't mean it couldn't happen to yours. Will you be laughing then?
      • Re:Got Evil? (Score:2, Insightful)

        by grub ( 11606 )

        I never said it couldn't happen to me (in fact I'm writing this on my Win2K game box). Any system has holes but once widespread carnage hits the Windows world only then will Ma & Pa Kettle give a serious look at other more robust systems with less holes. I don't support Windows for family & friends and rarely have to touch it at work so I really don't care. I think it's tantamount to having to smack a dog on the nose with a rolled up newspaper to train it not to keep shitting on the carpet.
      • Because it won't happen. I have a firewall. If it's a vulnerability that makes it through my firewall, I won't be laughing. But if all you needed to do was turn on iptables with some basic rules (or install a program from someone that's done the hard work for you already), you deserve to get your computer trashed.

        I want these people to suffer something a little more than some network outages. Until there's some actual data/hardware damage, they're gonna go right on not giving a damn. They'll run their
    • Re:Got Evil? (Score:2, Interesting)

      by ckuijjer ( 112385 )
      I always thought Ebola didn't spread really good because of it killing the host too quick. Maybe an analogy holds for computer viruses.
      • no no.... It doesn't spread really good because (as the title of your post indicates) it is Evil. What you outlined is why it does not spread WELL.
    • Happened to me last month.... The critter that leveraged a weakness in a couple software firewalls would destroy random bits of disk. By the time I realized what had happened, my /WINNT/SYSTEM directory was pretty much hosed. Let's just say a reboot did not fix things.

      Agreed, however... Just a matter of time before someone sticks a destructive payload on a more common exploit.

    • Re:Got Evil? (Score:3, Interesting)

      by ites ( 600337 )
      There is an analysis of this by HeironymousCoward. Basically a 'hot' virus like Ebola destroys its hosts too quickly for it to spread. So viruses tend to become 'cooler' over time. The loophole for computer viruses is that a wide-spread cool virus can become a vector for a new hot virus. So while one single virus is unlikely to do significant damage, a series of viruses could do very great damage. And you probably will not laugh when it happens.
      • Your analogy seems sound. Here is some more food for thought:

        Think about the human host and how Ebola spreads itself around through the cardiovascular system. However, in the computer world, when you think about how the cardiovascular system more resembles the central nervous system in terms of speed, wouldn't the entire world be considered one host?
    • See the Witty worm. It didn't target Windows, but basically infected its target, slammed out at 20K more nodes, then destroyed its host
    • I'm still waiting for the day that one of these things wipes out the infected host after X hours/days.

      Actually there was one like this recently, that attacked some Windows personal firewall (the name escapes me). It would try to spread itself for a short while (some hours), and then killed the host.

      Ebola spreads fast and kills the host, why not a virus/worm?

      Ebola also burns itself out pretty fast. Too fast and you limit how well it can spread. Probably you'd want to maximize the total number of machin
  • Phatbot capabilities (Score:5, Interesting)

    by FooBarWidget ( 556006 ) on Saturday May 08, 2004 @02:16PM (#9094584)
    Phatbot is insanely well-written. A while ago I read a web page about what Phatbot can do:
    - Exploits all kinds of vulnerabilities.
    - Sniffs network traffic for usernames and passwords.
    - Steal IRC operator passwords.
    - Can kill many other viruses and anti-virus software.
    - Can steal CD keys for popular games.
    - Can steal AOL passwords.
    - Can harvest emails for spam purposes.
    - And more.
    Whoever made Phatbot sure put *a lot* of work into it.

    More details at: []
    Also contains instructions to manually remove it from an infected system.
  • by gizmonic ( 302697 ) * on Saturday May 08, 2004 @02:18PM (#9094601) Homepage
    If convicted, they should force him to work end user tech support during his jailtime. Of course, I'm sure some treaty out there would deem that cruel and unusual punishment and recommend execution as a more humane alternative. :)
  • by Anonymous Coward on Saturday May 08, 2004 @02:21PM (#9094620)
    so that they can find out what "exploiting a backdoor" is all about.
  • by azav ( 469988 ) on Saturday May 08, 2004 @02:22PM (#9094627) Homepage Journal ive/2004/05/08/international1226EDT0513.DTL

  • Sorry, no sympathy for this guy either...

    Previous Post []

  • by S3D ( 745318 ) on Saturday May 08, 2004 @02:27PM (#9094658)
    In google news:

    HANOVER, Germany (Reuters) - A tip from reward-seekers and information from Microsoft led to the arrest of an 18-year-old suspected of creating the "Sasser" computer worm, German police and the software giant said on Saturday.

    Spokesman Frank Federau for Lower Saxony police said police were certain they had the man behind one of the Internet's most costly outbreaks of sabotage. "We are absolutely certain that this really is the creator of the Internet worm because Microsoft experts were involved in the inquiry and confirmed our suspicions and because the suspect admitted to it," he said in an interview with Reuters Television.

    It was the lure of cash that proved the man's undoing. A group of individuals from Lower Saxony approached Microsoft on Wednesday inquiring about reward money should they turn in the man. The U.S. software giant in the past has put bounties of up to $250,000 on the heads of other notorious virus writers. Microsoft general counsel Brad Smith told reporters the company agreed to pay the informants if there is a conviction.

    "They did not stumble upon him through technical analysis. They were aware of who he was," Smith said, declining to elaborate on their relationship to the suspect and saying only the number of informants was less than five.

    The economic toll of Sasser may never be known, but it claimed some big scalps, including Germany's Deutsche Post, Britain's coastguard stations and investment bank Goldman Sachs.

    "COMPUTER FREAK"

    Federau said the man, who he described as a highly intelligent "computer freak" living with his parents, was arrested on Friday near the central German town of Rotenburg but was no longer in custody.

    Authorities and Microsoft said they suspect the man created all the versions of Sasser, adding he worked alone. He is also believed to be a main person, if not the mastermind, behind the Netsky viruses that have been plaguing Internet users since February, Smith said. All the man's computers were confiscated by police, Federau said.

    Since appearing one week ago, Sasser has wreaked havoc on personal computers running on the ubiquitous Microsoft Windows 2000, NT and XP operating systems, but is expected to slow down as computer users download anti-virus patches.

    The computing underground responsible for hatching worms and viruses has proved a difficult ring to crack for law enforcement and security experts were surprised at the rapid arrest.

    (Additional reporting by Bernhard Warner in London and James Mackenzie in Hanover) © Reuters 2004. All Rights Reserved.
  • by Anonymous Coward on Saturday May 08, 2004 @02:27PM (#9094659)
    about this country falling behind when it comes to technology. Rejoice, it doesn't seem to be that bad after all.
  • by pipingguy ( 566974 ) on Saturday May 08, 2004 @02:27PM (#9094662)

    When asked for a comment, one German prosecution authority said:

    Ich bein ein kickinassenviruswriter.
  • Please note, I am merely an American German Student. Any native German speakers are welcome to correct me:

    Stuttgart (AP) - The presumed programmer of the computer worm "Phatbot" was apprehended this weekend: as the state criminal police agency in Stuttgart and the responsible public prosecutor's office communicated on Saturday, an unemployed 21 year old was arrested near Lörrach. He admitted to having programmed, with other hackers, the Trojan "Agobot", which was later renamed to "Phatbot". There is currently no known direct connection between him and the "Sasser" programmer arrested in Niedersachsen.

    The authorities searched for evidence on Friday, through the apartment of the suspect, as well as five possible accomplices in Baden-Wuerttemberg, Niedersachsen, Hamburg and Bavaria. Numerous documents as well as computers and storage media were confiscated, and would have to be examined further. References from US Authorities helped provide evidence for the arrest of the suspect.

    The 21 year-old had already aimed attacks at US and British companies in 2003. The companies concerned were offline for several days and suffered damages in the millions. Also in Germany it was indicated that the suspect penetrated company computers. Aside from just the criminal consequences, substantial compensation demands may be made.

    The trojan mentioned is transferred to unsuspecting computers in order to take control of them. The initial evidence of the authorities of Baden-Württemberg points to the 21 year-old using the "Sasser" in order to develop the much more dangerous worm "Agobot/Phatbot".
  • Could the authors of both worms be part of some German Cyber Terrorist group?

    It seems most worms originate from other countries besides the USA. Could the worms be part of some Cyber Terrorist attack? If so, who is funding the development of these worms?
    • by AllUsernamesAreGone ( 688381 ) on Saturday May 08, 2004 @02:45PM (#9094763)
      Amazing as it may seem, not everyone who is out to do damage is part of a terrorist group. No, seriously! Probably only 0.5% of your average doing-bad-things person is a member of a terrorist organisation. I was as shocked as you are, it's incredible! All these people running around causing trouble without having the decency to live in a country you can bomb. I've found that you can actually travel around huge areas of Europe without even running into a terrorist, even in France!</sarcasm>

      Why exactly do they need to be funded? Ever thought that they might be doing it because they get some deranged kick out of it, or so they can brag about it or simply because they're sodding mental?
      • North Korea, for example, spends $3 Billion USD a year to have viruses developed. I wonder how many other countries have such a program?

        Hmmm, commit an act of Cyber Terrorism like release a worm into the wild, and just because you do not live in the middle-east, you are automatically not a terrorist?

        In the USA we have our own terrorists, perhaps you forgot about Oklahoma City?

        Terrorism knows no countries or races or religions, it is an equal opportunity employer.

        Yeah just a bunch of kids having fun.

        • Sorry that should have been $3 Million USD.

          North Korea is suspected of training hackers.

        • by Minna Kirai ( 624281 ) on Saturday May 08, 2004 @03:27PM (#9095033)

          Hmmm, commit an act of Cyber Terrorism like release a worm into the wild, and just because you do not live in the middle-east, you are automatically not a terrorist?

          Wrong! You're not a terrorist because releasing a worm isn't terrorism.

          Until the public starts to be actually terrified by computer worms, it's not terrorism. I thought that was obvious...

          In the USA we have our own terrorists, perhaps you forgot about Oklahoma City?

          Yes, and that was terrorism because, like many other terrorist actions, it featured sudden explosive death. No Windows Worm yet known can cause flaming bodyparts to rain from the sky.
          • Read the definition here.

            The worm had the potential to take power grids, etc offline.

            The worm disrupted stock trading systems, organizations' Intranets, government systems, home users' systems, etc. Resulting in a denial of service in order to clean the worm off. Yes it did do damage, and while it did not blow anything up (thank goodness), it did instill a bit of terror into those who potentially could be infected.

            While there was no apparent violence, there was damage to systems and a loss of service

            • There's so much wrong with your post, I won't even bother to address it point-by-point. I will say that just because some bad action has the potential to cause problems for the authorities / corporations / individuals, and this kind of disorder causes you or your clueless friends to be terrified does not make it terrorism (though it may define you as hopelessly neurotic). This distinction (is it a crime or is it terrorism?) has been co-opted by the current American justice department so they can use the "st

            • Incompetent system administration has the potential to take grids offline, ruin databases, expose personal data, etc.

              Does that mean that incompetent system administration is terrorism?

              The key word here is intent.
              • it is that the system administrators did not do that sort of damage on purpose if it does indeed happen. The worm writers, on the other hand, knew what their worms would do and released them anyway. Unless, for some odd reason, the worms were not meant to be released and got released accidentally? I call that the "Morris Defense" after the Arpanet Worm.

                Sort of like the difference between manslaughter and murder. :)
            • abirdman is right... you are wrong in so many ways I can't list them all. Let's just do the most obvious:

              Read the definition here.

              Yes, why don't YOU go and read the definition of terrorism? Here, I'll copy it from that webpage to help you:
              • "The unlawful use of force or violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives."
              • "Premeditated politically motivated violence perpetrated aga
    • by Anonymous Coward
      They're members of the "Phatbin laden" terrorist group.
    • Well thank you for falling into the rhetoric supplied by your government. You make a fine American, never questioning, always assuming that the evils you're told that are ever looming are responsible for everything bad that happens. 15 or so years ago, you would have been wondering if it was a communist plot to take down America.
      • Well, thank you for being a total cynic, probably either A) from a country that was stupid enough to follow the US blindly up until about 15 years ago, or B) a person from the other side of the Iron curtain with a lot of tension that is still being released.

        "your government"! haha. What country are you from?
  • Cuckoo's Egg (Score:2, Informative)

    by joel_archer ( 124897 )
    Clifford Stoll's book "Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage" details his encounter with a German hacker in the 1980's. It was the book that inspired my interest and career in computers and eventually as a System Administrator. In 1990, Nova made a documentary about it called "The KGB, CIA, Computer and Me".

    What is so ironic is that at the time the FBI did not even consider hacking a crime because Berkeley couldn't show a sufficient monetary loss. This is despite the fact that the
    • Re:Cuckoo's Egg (Score:3, Informative)

      by CAIMLAS ( 41445 )
      The Cuckoo's Egg is one of my favorite books as well. It inspired me to interest in computer security via scientific method, just as it did you.

      I'd just note a couple things (I re-read the book a couple weeks ago):

      It took Stoll the better part of a year to catch the hacker in his book. It was really quite an amazing find, too, considering the number of dead-ends and various connection hops that the hacker took to get to Stoll's Berkeley machine.

      The actual hacker was not the one that was found dead, it

      • Re:Cuckoo's Egg (Score:3, Interesting)

        by joel_archer ( 124897 )
        It was that combination of scientific method and social engineering that made Stoll's approach so effective. That and his persistence and ability to use very basic tools to accomplish the near impossible, all the while accumulating enough evidence to allow a successful prosecution.

        If you haven't seen this interview with Stoll, be sure to read it. It captures that quirky geekiness of his that makes Cuckoo's Egg such a great read.

  • ...the skinnybot slipped through the net.

  • by joel_archer ( 124897 ) on Saturday May 08, 2004 @03:37PM (#9095065)
    After posting this thread, I found a great interview with Cliff.

    Some favorite excerpts:
    "The hacker. The speed of light. The beauty of constraints. What is about Clifford Stoll that arouses such a need for conversation? Cliff Stoll is a lunatic in the sanest sense of the word. He doesn't so much present an argument as digest it with his mouth open. It's not pretty but somehow it works."

    "The lab's computer chargeback system had blown up because it could not account for 75 cents of computer time. It took three years for Stoll to prove that a spy was using the computer as a launching pad through Internet to hack at hundreds of military, industrial, and academic computers in search of secrets for the KGB."

    "My friends accused me of being co-opted by the State. But I didn't exactly feel like a tool of the ruling class, unless imperialist running dog puppets breakfasted on stale granola. My guts told me that the CIA should know and I ought to tell them."

  • Robot Hoouuusssseeee!

    What can I say - I watch a lot of Futurama.
  • Double Standard? (Score:2, Interesting)

    by Dieppe ( 668614 )

    Isn't it ironic, don't ya think, that on one hand everyone is "Free Mitnick!" yet on the other hand everyone is "Tar and feather these German virus writers!"

    Don't get me wrong, I'm in the "Free Mitnick" crowd and firmly in the "string up virus writers and spammers by the gonads" camp... but why is this?

    Perhaps because Kevin was just another one of "us" who learned and didn't really seem to have done harm, yet those of us who have had to deal personally with the hassle of servers being taken down by a vi
