Educause Security Discussion mailing list archives

Re: Phatbot


From: James Moore <jhmfa () RIT EDU>
Date: Thu, 18 Mar 2004 21:06:46 -0500

LURHQ did a good analysis of it.
 
See 

http://www.lurhq.com/phatbot.html

for their intelligence report.

 
Jim


  _____  

        From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Kathie Brinkman
        Sent: Thursday, March 18, 2004 9:00 PM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: [SECURITY] Phatbot
        
        
        ResNet and Educause Security listservs, 
        
        Please excuse the cross-post. 
        
        NAI states that Phatbot will be detected as polybot.
        
        http://www.washingtonpost.com/wp-dyn/articles/A444-2004Mar17.html follows:  
        
        Hackers Embrace P2P Concept 
        Experts Fear 'Phatbot' Trojan Could Lead to New Wave of Spam or Denial-of-Service Attacks 
        
        By Brian Krebs
        washingtonpost.com Staff Writer
        Wednesday, March 17, 2004; 6:23 AM 
        
        Computer security experts in the private sector and U.S. government are monitoring the emergence of a new, 
highly sophisticated hacker tool that uses the same peer-to-peer (P2P) networking abilities that power controversial 
file-sharing networks like Kazaa and BearShare.
        
        By some estimates, hundreds of thousands of computers running Microsoft's Windows operating system have already 
been infected worldwide. The tool, a program that security researchers have dubbed "Phatbot," allows its authors to 
gain control over computers and link them into P2P networks that can be used to send large amounts of spam e-mail 
messages or to flood Web sites with data in an attempt to knock them offline. 
        
        The new hacker threat caught the attention of cyber-security officials at the U.S. Department of Homeland 
Security, prompting the agency to send an alert last week to a select group of computer security experts. In the alert, 
the agency warned that Phatbot snoops for passwords on infected computers and tries to disable firewall and antivirus 
software.
        
        A copy of the DHS alert was made available to washingtonpost.com by two sources at different companies who 
asked that their identities not be used because they did not want to risk losing access to future government alerts. 
Officials at the department and US-CERT -- a government-funded cyber-security monitoring agency -- confirmed that the 
message was genuine.
        
        Phatbot is "a virtual Swiss Army knife of attack software," said Vincent Weafer, senior director of security 
response at Cupertino, Calif.-based Symantec Corp.
        
        Joe Stewart, a researcher at the Chicago-based security firm Lurhq, has catalogued Phatbot's many capabilities 
in an online posting. Those capabilities include: the "ability to polymorph on install in an attempt to evade antivirus 
signatures as it spreads from system to system"; "steal AOL account logins and passwords"; "harvest emails from the web 
for spam purposes" and "sniff [Internet] network traffic for Paypal cookies."
        
        Phatbot is a kind of "Trojan horse," a type of program named after the legendary stealth attack because it lets 
hackers take quiet control of unsecured computers. Security firms have catalogued hundreds if not thousands of Trojan 
horse programs in recent years, but Phatbot has raised substantial concern because it represents a leap forward in 
sophistication and is proving much harder for law enforcement authorities and antivirus companies to eliminate.
        
        Like traditional Trojan horse programs, Phatbot infects a computer through one of several routes, such as 
through security flaws in Microsoft's Windows operating system or through "backdoors" installed on machines by the 
recent "Mydoom" and "Bagle" Internet worms. 
        
        But because Phatbot links infected computers into a larger network, hackers can issue orders to the infected 
machines through many routes, and cyber-security officials can only effectively shut down a Phatbot attack if they 
track down every infected computer.
        
        "The concern here is that the peer-to-peer-like characteristics of these 'bot networks may make them more 
resilient and more difficult to shut down," said a cyber-security official at the Department of Homeland Security who 
asked not to be identified because the agency is still considering whether to issue a more public alert about Phatbot.
        
        "With these P2P Trojan networks, even if you take down half of the affected machines, the rest of the network 
continues to work just fine," said Mikko Hypponen, director of F-Secure, an antivirus software company based in Finland.
        
        Most major antivirus products detect Phatbot, but as soon as the Trojan infects computers it disables many 
antivirus and firewall software tools. 
        
        Roger Lawson, director of computing and information technology at the University of Vermont in Burlington, said 
he quarantined more than 200 computers -- more than 5 percent of the machines on the school's network -- because of 
Phatbot infestations. None of the school's antivirus programs detected the Trojan, and attempts to delete it caused 
Phatbot to recreate and restart itself, he said.
        
        Phatbot's ability to disable computer security software means that the estimated number of infected computers 
could rise to as high as "several hundred thousand," said F-Secure's Hypponen.
        
        A few computer experts said the rate of infection is much higher. 
        
        Igor Ybema, a network administrator at the University of Twente in Enschede in The Netherlands, put the number 
between 1 million and 2 million computers. His conclusion was based on a Phatbot command that forces infected computers 
to test their Internet connection speed by sending a file to one of 22 specifically selected Web servers around the 
world -- one of them at Twente.
        
        He said Twente began monitoring traffic from computers running the tests in mid-February, about the time that 
rival hacker gangs began an online turf war that resulted in a volley of new worms like Bagle and "Netsky." By early 
last week, Ybema said he was tracking an average of 200,000 to 300,000 Internet addresses running the speed test every 
day. Ybema believes such traffic indicates that attackers who have previously relied on less advanced remote-access 
Trojans are now using Phatbot.
        
        The majority of the infections appeared to come from home user broadband connections and from colleges and 
universities in the United States and the Asia-Pacific region, he said.
        
        Earlier this month, computer network engineers at University of California, Santa Cruz monitored the same type 
of speed testing traffic as Twente's Ybema observed. Mark Boolootian, the network engineer who discovered the activity, 
said one reason infected computers may be conducting the speed tests is to give Phatbot authors an idea of which 
infected computers would be the fastest in sending out large amounts of spam or data aimed at overwhelming a major Web 
site.
        
        Security experts are divided on whether a full-force Phatbot attack will result in ruin or simply a ruinous 
headache.
        
        "If there are indeed hundreds of thousands of computers infected with Phatbot, U.S. e-commerce is in serious 
threat of being massively attacked by whoever owns these networks," said Russ Cooper, a chief scientist at Herndon, 
Va.-based TruSecure Corp.
        
        There are several incidents in the past several years that show how hackers used multiple ensnared computers to 
cause damage. In February 2000, a Canadian juvenile commandeered high-speed computers at University of California, 
Santa Barbara to knock Amazon, eBay, CNN.com, and a host of other Web sites off-line for hours. In October 2002, 
hackers used an army of commandeered computers to assault the 13 root servers that serve as the roadmap for Internet 
traffic.
        
        But Lurhq's Stewart said his analysis of Phatbot indicates that the Trojan is designed to link computers into 
groups no larger than 50 computers, which would significantly limit the Trojan's effectiveness as a denial-of-service 
tool.
        
        As a result, he said, Phatbot-infected PCs will more likely be used as highly effective spamming machines.
        
        washingtonpost.com Staff Writer David McGuire contributed to this article. 
        
        ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be 
found at http://www.educause.edu/cg/. 


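The point Hypponen and the DHS official make in the article above (taking down half the machines in a peer-to-peer bot network leaves the rest working, whereas taking down the single controller of a classic IRC-style botnet kills it) can be shown with a small simulation. The following is an added example written for this archive page; it is not code from the thread, from Lurhq, or from Phatbot itself. It assumes a random overlay graph as a stand-in for the real peer-selection logic, and a star topology as the stand-in for a single command-and-control server; the group-size limit of 50 that Stewart mentions is not modelled.

```python
"""Resilience of a peer-to-peer bot overlay versus a single-controller
one under node removal.  Constructed simulation; the graph model is an
assumption and does not reproduce Phatbot's actual protocol."""
import random


def star_overlay(n):
    """Classic bot network: node 0 is the C&C, every other bot links only to it."""
    adj = {0: set(range(1, n))}
    adj.update({i: {0} for i in range(1, n)})
    return adj


def p2p_overlay(n, degree, rng):
    """Random overlay in which each bot keeps at least `degree` peer links.
    Assumption: peers are chosen uniformly at random (not Phatbot's real rule)."""
    adj = {i: set() for i in range(n)}
    for i in range(n):
        while len(adj[i]) < degree:
            j = rng.randrange(n)
            if j != i:
                adj[i].add(j)
                adj[j].add(i)
    return adj


def remove_nodes(adj, removed):
    """Return the overlay with the quarantined/cleaned machines taken out."""
    return {u: {v for v in nb if v not in removed}
            for u, nb in adj.items() if u not in removed}


def largest_component(adj):
    """Size of the largest connected component (iterative DFS)."""
    seen, best = set(), 0
    for start in adj:
        if start in seen:
            continue
        stack, size = [start], 0
        seen.add(start)
        while stack:
            u = stack.pop()
            size += 1
            for v in adj[u]:
                if v not in seen:
                    seen.add(v)
                    stack.append(v)
        best = max(best, size)
    return best


def controllable_fraction(adj, removed):
    """Share of the surviving bots that an operator who can still reach any one
    surviving peer can command: largest component over number of survivors."""
    rest = remove_nodes(adj, removed)
    if not rest:
        return 0.0
    return largest_component(rest) / len(rest)


def compare(n=1000, degree=4, seed=1):
    """Take down a random half of the bots in each topology and report how much
    of what is left stays controllable.  Returns a dict of fractions."""
    rng = random.Random(seed)
    removed = set(rng.sample(range(n), n // 2))
    star = star_overlay(n)
    p2p = p2p_overlay(n, degree, rng)
    return {
        # half the bots gone but the C&C survives: everything left still obeys
        "star_half_cnc_alive": controllable_fraction(star, removed - {0}),
        # half the bots gone and the C&C with them: every survivor is orphaned
        "star_half_cnc_dead": controllable_fraction(star, removed | {0}),
        # half the peers gone at random: the giant component remains
        "p2p_half": controllable_fraction(p2p, removed),
    }


if __name__ == "__main__":
    for name, frac in compare().items():
        print(f"{name:>20}: {frac:.3f}")
```

The star numbers are the extremes: with the controller alive the survivors are 100% controllable, with it dead they are 0% (each survivor is an island). The peer-to-peer overlay, with each bot keeping about four random peers, keeps well over three quarters of the survivors in one reachable component after a random half is removed, which is why the article's sources say a Phatbot network can only be stopped by tracking down every infected host rather than one server.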
