Educause Security Discussion mailing list archives

Re: Phatbot


From: Jeff Birch <JBirch () APU EDU>
Date: Fri, 19 Mar 2004 08:26:11 -0800

Another good web site:
http://www.lurhq.com/phatbot.html
 
 
__________________________________________________________
Jeff 

        -----Original Message-----
        From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kathie Brinkman
        Sent: Thursday, March 18, 2004 6:00 PM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: [SECURITY] Phatbot
        
        
        ResNet and Educause Security listservs, 
        
        Please excuse the cross-post. 
        
        NAI states that Phatbot will be detected as polybot.
        
        
        http://www.washingtonpost.com/wp-dyn/articles/A444-2004Mar17.html follows:
        
        Hackers Embrace P2P Concept 
        Experts Fear 'Phatbot' Trojan Could Lead to New Wave of Spam or
Denial-of-Service Attacks 
        
        By Brian Krebs
        washingtonpost.com Staff Writer
        Wednesday, March 17, 2004; 6:23 AM 
        
        Computer security experts in the private sector and U.S.
government are monitoring the emergence of a new, highly sophisticated
hacker tool that uses the same peer-to-peer (P2P) networking abilities
that power controversial file-sharing networks like Kazaa and BearShare.
        
        By some estimates, hundreds of thousands of computers running
Microsoft's Windows operating system have already been infected
worldwide. The tool, a program that security researchers have dubbed
"Phatbot," allows its authors to gain control over computers and link
them into P2P networks that can be used to send large amounts of spam
e-mail messages or to flood Web sites with data in an attempt to knock
them offline. 
        
        The new hacker threat caught the attention of cyber-security
officials at the U.S. Department of Homeland Security, prompting the
agency to send an alert last week to a select group of computer security
experts. In the alert, the agency warned that Phatbot snoops for
passwords on infected computers and tries to disable firewall and
antivirus software.
        
        A copy of the DHS alert was made available to washingtonpost.com
by two sources at different companies who asked that their identities
not be used because they did not want to risk losing access to future
government alerts. Officials at the department and US-CERT -- a
government-funded cyber-security monitoring agency -- confirmed that the
message was genuine.
        
        Phatbot is "a virtual Swiss Army knife of attack software," said
Vincent Weafer, senior director of security response at Cupertino,
Calif.-based Symantec Corp.
        
        Joe Stewart, a researcher at the Chicago-based security firm
Lurhq, has catalogued Phatbot's many capabilities in an online posting.
Those capabilities include: the "ability to polymorph on install in an
attempt to evade antivirus signatures as it spreads from system to
system"; "steal AOL account logins and passwords"; "harvest emails from
the web for spam purposes" and "sniff [Internet] network traffic for
Paypal cookies."
        
        Phatbot is a kind of "Trojan horse," a type of program named
after the legendary stealth attack because it lets hackers take quiet
control of unsecured computers. Security firms have catalogued hundreds
if not thousands of Trojan horse programs in recent years, but Phatbot
has raised substantial concern because it represents a leap forward in
its sophistication and is proving much harder for law enforcement
authorities and antivirus companies to eliminate.
        
        Like traditional Trojan horse programs, Phatbot infects a
computer through one of several routes, such as through security flaws
in Microsoft's Windows operating system or through "backdoors" installed
on machines by the recent "Mydoom" and "Bagle" Internet worms. 
        
        But because Phatbot links infected computers into a larger
network, hackers can issue orders to the infected machines through many
routes, and cyber-security officials can only effectively shut down a
Phatbot attack if they track down every infected computer.
        
        "The concern here is that the peer-to-peer-like characteristics
of these 'bot networks may make them more resilient and more difficult
to shut down," said a cyber-security official at the Department of
Homeland Security who asked not to be identified because the agency is
still considering whether to issue a more public alert about Phatbot.
        
        "With these P2P Trojan networks, even if you take down half of
the affected machines, the rest of the network continues to work just
fine," said Mikko Hypponen, director of F-Secure, an antivirus software
company based in Finland.
        
        Most major antivirus products detect Phatbot, but as soon as the
Trojan infects computers it disables many antivirus and firewall
software tools. 
        
        Roger Lawson, director of computing and information technology
at the University of Vermont in Burlington, said he quarantined more
than 200 computers -- more than 5 percent of the machines on the
school's network -- because of Phatbot infestations. None of the
school's antivirus programs detected the Trojan, and attempts to delete
it caused Phatbot to recreate and restart itself, he said.
        
        Phatbot's ability to disable computer security software means
that the estimated number of infected computers could rise to as high as
"several hundred thousand," said F-Secure's Hypponen.
        
        A few computer experts said the rate of infection is much
higher. 
        
        Igor Ybema, a network administrator at the University of Twente
in Enschede in The Netherlands, put the number between 1 million and 2
million computers. His conclusion was based on a Phatbot command that
forces infected computers to test their Internet connection speed by
sending a file to one of 22 specifically selected Web servers around the
world -- one of them at Twente.
        
        He said Twente began monitoring traffic from computers running
the tests in mid-February, about the time that rival hacker gangs began
an online turf war that resulted in a volley of new worms like Bagle and
"Netsky." By early last week, Ybema said he was tracking an average of
200,000 to 300,000 Internet addresses running the speed test every day.
Ybema believes such traffic indicates that attackers who have previously
relied on less advanced remote-access Trojans are now using Phatbot.
        
        The majority of the infections appeared to come from home user
broadband connections and from colleges and universities in the United
States and the Asia-Pacific region, he said.
        
        Earlier this month, computer network engineers at the University of
California, Santa Cruz monitored the same type of speed testing traffic
as Twente's Ybema observed. Mark Boolootian, the network engineer who
discovered the activity, said one reason infected computers may be
conducting the speed tests is to give Phatbot authors an idea of which
infected computers would be the fastest in sending out large amounts of
spam or data aimed at overwhelming a major Web site.
        
        Security experts are divided on whether a full-force Phatbot
attack will result in ruin or simply a ruinous headache.
        
        "If there are indeed hundreds of thousands of computers infected
with Phatbot, U.S. e-commerce is in serious threat of being massively
attacked by whoever owns these networks," said Russ Cooper, a chief
scientist at Herndon, Va.-based TruSecure Corp.
        
        There are several incidents in the past several years that show
how hackers used multiple ensnared computers to cause damage. In
February 2000, a Canadian juvenile commandeered high-speed computers at the
University of California, Santa Barbara to knock Amazon, eBay, CNN.com,
and a host of other Web sites off-line for hours. In October 2002,
hackers used an army of commandeered computers to assault the 13 root
servers that serve as the roadmap for Internet traffic.
        
        But Lurhq's Stewart said his analysis of Phatbot indicates that
the Trojan is designed to link computers into groups no larger than 50
computers, which would significantly limit the Trojan's effectiveness as
a denial-of-service tool.
        
        As a result, he said, Phatbot-infected PCs will more likely be
used as highly effective spamming machines.
        
        washingtonpost.com Staff Writer David McGuire contributed to
this article. 
        
        ********** Participation and subscription information for this
EDUCAUSE Discussion Group discussion list can be found at
http://www.educause.edu/cg/. 
