Slashdot Mirror
PhatBot Trojan Spreading Rapidly On Windows PCs
prostoalex writes "The Washington Post alerts Windows users about a new peer-to-peer backdoor client that is installed maliciously on broadband-connected computers around Asia and the United States. The client is then used for distributed DOS attacks and sending out large amounts of spam. Phatbot, according to government sources, is installed on hundreds of thousands machines already. Phatbot snoops for passwords on infected computers and tries to disable firewall and antivirus software, albeit it is detectable by antivirus packages." An anonymous reader submits a link to this description of the beast.
# Has the ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system :)."
# Checks to see if it is allowed to send mail to AOL, for spamming purposes
# Can steal Windows Product Keys
# Can run an IDENT server on demand
# Starts an FTP server to deliver the trojan binary to exploited hosts - ends the FTP session with the message "221 Goodbye, have a good infection
# Can run a socks, HTTP or HTTPS proxy on demand
# Can start a redirection service for GRE or TCP protocols
# Can scan for and use the following exploits to spread itself to new victims: * DCOM * DCOM2 * MyDoom backdoor * DameWare * Locator Service * Shares with weak passwords * WebDav * WKS - Windows Workstation Service
# Attempts to kill instances of MSBlast, Welchia and Sobig.F
# Can sniff IRC network traffic looking for logins to other botnets and IRC operator passwords
# Can sniff FTP network traffic for usernames and passwords
# Can sniff HTTP network traffic for Paypal cookies
# Contains a list of nearly 600 processes to kill if found on an infected system.Some are antivirus software, others are competing viruses/trojans
# Tests the available bandwidth by posting large amounts of data to the following websites:
* www.st.lib.keio.ac.jp
* www.lib.nthu.edu.tw
* www.stanford.edu
* www.xo.net
* www.utwente.nl
* www.schlund.net
# Can steal AOL account logins and passwords
# Can steal CD Keys for several popular games
# Can harvest emails from the web for spam purposes
# Can harvest emails from the local system for spam purposes
A friend of mine recently sent me a funny email he had received, it indicated that Yahoo was bouncing back some emails to him because the receiver couldn't be found. Well, he didn't send any of these messages, but someone had spoofed there REAL NAME into the TO: field. His virus protection software was up-to-date, he didn't know what was going on, then he noticed in outlook the "save password" button no longer worked. Finally today, it's all starting to make sense. Don't know how he got the virus though, he's behind a firewall (NAT router), he doesn't go through much email. I have to guess it's all the porn he surfs.. Anyone else getting bounce backs?
Mod +5 Drunk
There's an inherent problem there. Anything you can do to make your program read-only, an administrator can undo.
So if Joe User gets infected and is running as administrator, the virus can un-write-protect memory and keep going.
This is a classic offense vs. defense escalation and is the type of problem Rootkits pose as well.
From the article:
R un \Generic Service Processe rsion\Run Services\Generic Service Process
"Manual Removal
Look for the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\
HKLM\Software\Microsoft\Windows\CurrentV
The associated binary may be srvhost.exe, svrhost.exe or a variation of the same. Kill the associated process in the Task Manager, then remove the "Generic Service Process" registry key. Remove the executable from the Windows system directory."
google cash
This is also known as the "Agobot"
http://news.yahoo.com/fc?tmpl=fc&cid=34&in=tech& ca t=hackers_and_crackers
http://www.f-secure.com/v-descs/agobot_fo.shtml
Detailed Description
First of all, this new variant has 'Phatbot3' identifier and there are a few 'phat' string in its body. This may indicate that this version was not made by the original Agobot backdoor author, who calls himself TheAgo, but by a different person/group who got the source code of this backdoor.
The backdoor's file is a PE executable 115738 bytes long compressed with PE-Diminisher file compressor. The unpacked file's size is over 245 kilobytes.
Installation to system
The Agobot.FO backdoor copies itself as NVCHIP4.EXE file to Windows System folder and creates startup keys for this file in System Registry:
[HKLM\Software\Microsoft\Windows\Curren tVersion\Ru n]
"nVidia Chip4" = "nvchip4.exe"
[HKLM\Software\Microsoft\Windows\Cu rrentVersion\Ru nServices]
"nVidia Chip4" = "nvchip4.exe"
This allows the backdoor's file to start with every Windows session. On Windows NT-based systems the backdoor can start as a service.
Scanning for vulnerable computers
The backdoor can scan subnets for exploitable computers and send a list of their IPs to the bot operator. The scan is performed on ports 80, 135 and 445 for RPC/DCOM (MS03-026), RPC/Locator (MS03-001) and WebDAV (MS03-007) vulnerabilities. The backdoor can also scan for computers infected with MyDoom worm (port 3127), Bagle worm (port 2745) and also for computers where DameWare remote system management software is installed (port 6129).
Performing a DDoS attack
The backdoor can perform the following types of DDoS (Distributed Denial of Service) attacks:
* HTTP flood * SYN flood * UDP flood * ICMP flood
When performing a DDoS attack, the backdoor uses 33 unique client identifiers including Mozilla, Wget, Scooter, Webcrawler and Google bot.
The backdoor sends 256000 bytes of random data to the following websites and checks the response times:
www.schlund.net
www.utwente.nl
www.xo.net
www.stanford.edu
www.lib.nthu.edu.tw
www.st.lib.keio.ac.jp
Collecting e-mail addresses
The bot can harvest e-mail addresses. It has the functionality to read user's Address Book and send the list of e-mail addresses to the bot operator.
Obtainint Registry info
The backdoor has the functionality to obtain System Registry info from an infected computer. This is a new feature for Agobot backdoor. Information obtained from the Registry can give a hacker a full overview of an infected system.
Spreading to local network
Agobot backdoor can scan computers on local network and copy itself there. The scan is initiated by a remote hacker. When spreading to local network, Agobot.FO probes the following shares:
admin$ c$ d$ e$ print$ c
Agobot.FO tries to connect using the following account names:
(SEE LINKS AT TOP FOR INFORMATION)
When connecting, Agobot.FO uses the following passwords:
(SEE LINKS AT TOP FOR DETAILS)
If the worm succeeds connecting to the above listed shares, it copies itself to a remote share and attempts to start that file as a service. The alternative way of infecting a remote host is to create a scheduled task on a remote computer that will start the backdoor's file.
Teminating processes of security and anti-virus programs
Agobot.FO has a huge list of process file names hardcoded in its body. The backdoor tries to terminate processes that have the following names:
(NAMES REMOVED SO POST WOULD WORK, FOLLOW LINKS AT TOP)
This functionality allows the backdoor to successfully disable anti-virus and security software that can not detect this backdoor before it's file is started. In most cases special tools are required to clean a computer infected with this backdoor.
Additionally the
Mod +5 Drunk
Here's an alternate link I am looking for removal instructions. BRB.
Indefinitely Detained US Citizen
How long before someone bootstraps a distributed Artificial life simulator to their virus and then we all watch in amazement as the first AI evolves and owns all our computers. This could never happen though...right?
For a mainframe version of the story see _The Adolescence of P1_.
(I'd dig up an Amazon link but I'm busy right now.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
http://www.joestewart.org/phatbot.html
-Joe
The parent was concerned about trojans shutting down firewalls (and opening ports, etc). The router won't allow these types of things to happen. I'm not saying that an infection couldn't happen, but the activities and damage caused by the trojan will be curtailed.
http://ahmonra.port5.com/phatbot.html
I am Bennett Haselton! I am Bennett Haselton!
I've checked McAfee, Symantec, Sophos, and F-Secure.
F-Secure (an 'expert' in the article) has no listing for Phatbot.
Manual Removal
Look for the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run \Generic Service Processn Services\Generic Service Process
HKLM\Software\Microsoft\Windows\CurrentVersion\Ru
The associated binary may be srvhost.exe, svrhost.exe or a variation of the same. Kill the associated process in the Task Manager, then remove the "Generic Service Process" registry key. Remove the executable from the Windows system directory.
Snort Signatures
Here are some Snort signatures to detect Phatbot on a network:
alert tcp any any -> any any (msg:"Agobot/Phatbot Infection Successful"; flow:established; content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|"; dsize:40; classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; sid:1000075; rev:1;)
alert tcp any any -> any any (msg:"Phatbot P2P Control Connection"; flow:established; content:"Wonk-"; content:"|00|#waste|00|"; within:15; classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; sid:1000076; rev:1;)
It's not a trojan - the article uses the wrong word. It's really a worm since it spreads through use of security exploits, not through user intervention.
-insert a witty something-
Funny, I've never had to restart the MTA when adding users. I'm using qmail now, but when I ran sendmail I didn't have to do it either. Me thinks you are trolling for karma.
Some AV companies consider this a variant of Agobot/Gaobot, since it shares a lot of the same code base. Which is funny, because when I analyzed Doomjuice and called it "MyDoom.C", they all said it was too different to be called a MyDoom variant (even though it was the same code with functionality removed).
I consider the addition of the WASTE code and removal of the IRC code to be significant enough to call this by a new name. Not to mention all the other added features that are not part of the Agobot code.
-Joe
Close as I can tell, the only useful information you can get from a paypal cookie is a user's email address. Paypal doesn't let you store your password in a cookie like some sites (*cough* slashdot). And the unique session ID is worthless unless you're using SSL on the same machine...
Hey freaks: now you're ju
How about a virus that does nothing but try to spread as far and wide as possible without doing anything malicious. Then, after a pre-determined ammount of time it would announce its presence to the luser and provide both instructions for its removal and common sense advice on how to avoid being infected by viri in the first place.
Interesting, yes. But, unfortunately, its delivery to the user wouldn't differ significantly from the endless popups proclaiming "Your PC is broadcasting its address!!!!" Very hard to tell the valid from the evil to the unwashed.
Later, one of the little kiddies will take it apart, insert some small malicious thing, and send it on its way again.
Shit, all the old good virii were like sub-800 bytes. A friend of mine still has the source to Monkey-B on a 5.25" floppy diskette. It isn't much, but it's a bastard.
Slashdot is proof that Sturgeon's Law applies to mankind.
Found a posting that could contain snippets of original DHS alert.r k,961481 4~mode=flat
From:http://www.dslreports.com/forum/rema
"Note from Microsoft concerning the second scan...
------------
Our Security team says:
The Dept of Homeland security has issued an alert on a new bot that maybe
related:
To NCC Telecom-ISAC members (Routine lists), Info NSIE Info N2 Below are details, received from a trusted source, regarding a new bot discovered this morning. We are listing first the important highlights from the analysis write-up, followed with a more detailed technical analysis. We would
appreciate any further information or feedback on this information.
Important highlights
* Kaspersky does NOT yet recognize this file as a trojan; it is unclear if
other AV software detects Phatbot. All attempts to kill the process will
respawn a new one.
All attempts to remove the malware have failed in our tests.
* Thus far, we've witnessed the following spreading mechanisms:
TCP 135 (Win9x Netbios)
TCP 139 (Win9x Netbios)
TCP 445 (Win2k Shares)
TCP 3127 (Mydoom)
TCP 6129 (Dameware)
* Based on strings output this bot appears to include the following:
- multiple DDOS capabilities
- multiple spying capabilities
- disables at least some Anti-Virus, Anti-trojan, and Personal Firewall
software
* The bot appears to offer relay capability by listening on:
TCP 63808 (Socks)
TCP 63809 (HTTP)
TCP 65506 (SSL)
Infected hosts should have these ports open, along with TCP 4387.
* How to spot Phatbot:
- Watch for ingress or egress active opens (SYN packets) to TCP 4387.
- Watch for ingress or egress active opens (SYN packets) to TCP 4387, TCP
63808, TCP 63809, and TCP 65506. This
*may* indicate the presence of the bot.
Detailed Analysis
Unfortunately, it appears as if peer-to-peer communication is making its way
further into bots. The latest bit of malware we received, code named
"phatbot," has some interesting characteristics we'd like to pass along to
you. Unfortunately we've not been able to get to the bottom of everything
yet, but thought a little bit of information would be better than nothing!
This bot appears to be a derivative of the infamous Agobot. There is a fair
bit of shared code, at the very least.
This malware affects windows machines and installs as
%SystemRoot%\system32\srvhost.exe, e.g. c:\windows\system32\srvhost.exe. The
malware runs as "%SystemRoot%\system32\srvhost.exe -service". The malware is
PE encrypted with PE-Crypt.Wonk. Kaspersky does NOT yet recognize this file
as a trojan; it is unclear if other AV software detects Phatbot. All
attempts to kill the process will respawn a new one. All attempts to remove
the malware have failed in our tests.
It is unclear how many hosts are infected or how large the P2P botnet has
become.
Thus far, we've witnessed the following spreading mechanisms:
TCP 135 (Win9x Netbios)
TCP 139 (Win9x Netbios)
TCP 445 (Win2k Shares)
TCP 3127 (Mydoom)
TCP 6129 (Dameware)
The scanning is not launched at startup. The scans appear to be sequential,
e.g. the infected host scans TCP 135, 139, 445, 3127, and 6129 on each
scanned IP. This may be a means by which to detect the scan and sploit
activities of Phatbot.
Based on strings output this bot appears to include the following:
- multiple DDOS capabilities
- multiple spying capabilities
- disables at least some Anti-Virus, Anti-trojan, and Personal Firewall
software
"
PayPal Sucks
;)
PayPal Warning
About PayPal
Google
That ougth to keep you busy for a few days
That would appear to be the case:
The author(s) of Phatbot chose to abandon Agobot's IRC and P2P implementations altogether and replaced them with code from WASTE, a project created by AOL's Nullsoft division (and subsequently canceled by AOL).
There is much cruelty in the universe, John.
Yeah, we seem to have the tour map.
Actually, if you run a program like PView, that tells you a listing of all running processes, and the location of the file, you'll be able to see which are valid and virus versions.
The whole point of the story is that what makes this special is that it doesn't use irc, it uses peer-to-peer based on nullsofts WASTE. The trojans register their location on various gnutella cacheing servers. There is a master password used to contol the trojan bots that is compared to one contained md5'ed in the trojan code. To take control of the network of trojans you need to use a WASTE client to find the nearest infected machine and enter the password to issue commands.
"Taligent is still pure vapor. Maybe they'll be the last who jumps up on Openstep... "
It's not. I spent several hours analyzing it. You can connect to the Gnutella cache servers and see Phatbot clients registered using port 4387. You can portscan the infected hosts, find the mini-ftp server it runs and download the code yourself if you need tangible proof.
The list of *features* as one poster put it is indeed staggering.
Most of these features are part of Agobot. Yet no one disputes its existence.
That, coupled with the silence coming from Symantec, McAfee et al. makes it look fishy.
They're not silent - to them this is just another Agobot variant, one of dozens released in the last few months. And they are not making a big deal about it because it really isn't that much of a threat. If you're running Windows with the latest patches and aren't infected with MyDoom or a Dameware backdoor and aren't using weakly passworded shares, you have nothing to worry about from this trojan.
So that leaves me with 3 questions:
1 - Is it real
Yes.
2 - How do we detect it
With just about any AntiVirus solution.
3 - How do we kill it.
In terms of killing it from one machine: disinfect manually or use a tool from the AV companies. In terms of killing the entire network, you would need to reprogram the Gnutella cache servers it uses to detect and refuse connections from the Phatbots.
-Joe
Rather, I'd say that Phatbot is a virus, because a) it is malicious and b) it doesn't rely on deception to spread itself. This is, again, subtly different from a worm, which generally aren't malicious, just annoying.
While we're nit-picking definitions, I'd like to point out that this is a worm, not a virus. If it needs human help to spread (between machines), it's a virus. If it spreads itself, it's a worm.
Here's a more academic definition.