Slashdot Mirror

← Back to Stories (view on slashdot.org)

PhatBot Trojan Spreading Rapidly On Windows PCs

Posted by timothy on from the what-and-lose-all-my-pigeons dept.

prostoalex writes "The Washington Post alerts Windows users about a new peer-to-peer backdoor client that is installed maliciously on broadband-connected computers around Asia and the United States. The client is then used for distributed DOS attacks and sending out large amounts of spam. Phatbot, according to government sources, is installed on hundreds of thousands machines already. Phatbot snoops for passwords on infected computers and tries to disable firewall and antivirus software, albeit it is detectable by antivirus packages." An anonymous reader submits a link to this description of the beast.

12 of 645 comments (clear)

  1. nice features list by Anonymous Coward · · Score: 5, Informative

    # Has the ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system
    # Checks to see if it is allowed to send mail to AOL, for spamming purposes
    # Can steal Windows Product Keys
    # Can run an IDENT server on demand
    # Starts an FTP server to deliver the trojan binary to exploited hosts - ends the FTP session with the message "221 Goodbye, have a good infection :)."
    # Can run a socks, HTTP or HTTPS proxy on demand
    # Can start a redirection service for GRE or TCP protocols
    # Can scan for and use the following exploits to spread itself to new victims: * DCOM * DCOM2 * MyDoom backdoor * DameWare * Locator Service * Shares with weak passwords * WebDav * WKS - Windows Workstation Service
    # Attempts to kill instances of MSBlast, Welchia and Sobig.F
    # Can sniff IRC network traffic looking for logins to other botnets and IRC operator passwords
    # Can sniff FTP network traffic for usernames and passwords
    # Can sniff HTTP network traffic for Paypal cookies
    # Contains a list of nearly 600 processes to kill if found on an infected system.Some are antivirus software, others are competing viruses/trojans
    # Tests the available bandwidth by posting large amounts of data to the following websites:
    * www.st.lib.keio.ac.jp
    * www.lib.nthu.edu.tw
    * www.stanford.edu
    * www.xo.net
    * www.utwente.nl
    * www.schlund.net
    # Can steal AOL account logins and passwords
    # Can steal CD Keys for several popular games
    # Can harvest emails from the web for spam purposes
    # Can harvest emails from the local system for spam purposes

    1. Re:nice features list by Platinum+Dragon · · Score: 4, Informative

      *nods*

      Checking out the vulnerabilities used by Phatbot, I'm guessing most, if not all, of these holes were patched long ago. Short of forcing regular patching and upgrades, I guess there's not much that can be done to get around this. I get a shocking number of people through the store who never, ever use Windows Update.

      One part bad security model, one part careless users. Really, if there was an announced problem with your car that might lead to a thief getting in and driving off with it, wouldn't you get it fixed? Would you leave your door unlocked because it makes entering your car easier when you're in a rush?

      Computers have been sold as appliances, when they should be sold as flexible tools that aren't difficult to use, but take a minor bit of effort to maintain. I bet I could make big bucks just going to people's homes and carrying out basic upgrading and patching activities. $50/hr for running Windows Update, Ad-Aware and AVG, here I come...

      --

      Someday, you're going to die. Get over it.
    2. Re:nice features list by KevCo · · Score: 5, Informative
      I can't imagine how many other programs require admin access to run

      I'm currently working at a company that is migrating to WinXP in a very locked down environment. Everyone is a user and software restriction policies only allow files to be executed from specific locations. Users have no write access to C: at all... all user profiles and data are on D: (which is not allowed to execute anything).

      My job is to make the apps work. It's horrible. We have to give write access to the app's dir in Program Files to probably 40% of the apps. Some apps require write access to the root of C:\. Many want to create/modify files in Windows and System32. Far too many insist on writing to HKLM and even HKCR.

      We repackage all the apps as MSIs and include the needed permissions changes in the installer. By the time the apps are loaded, most machines security have been drastically compromised.

    3. Re:nice features list by WhiteKnight07 · · Score: 4, Informative

      Win2k has this feature as well. Hold shift while clicking the right mouse button on any program in the start menu or on the desktop and "Run as..." will be an option in the resulting menu. Enter the desired user name and password and your set.

      --


      We're going to make information free Mr. Anderson, whether you like it, or not.
    4. Re:nice features list by HSpirit · · Score: 4, Informative

      I've been in regular contact with an antivirus vendor's support people over 2 weeks trying to explain to them that it is NOT acceptable for users to have Power User privileges in order for their AV definitions to auto-update... It's like talking to a brick wall, here's an example of their 'support' verbatim:

      You may need to change the permissions on your c drive or the vet folder to everyone

      Double click on My Computer
      Right click on C drive

      Left click on properties
      Left click on Sharing
      left click on permissions
      Choose everyone a click ok
      Then click o.k

      Then perform an autodownload

      Double click on My Computer
      Double left click on the Vet
      Right click on C drive

      Left click on properties
      Left click on Sharing
      Then click on share this folder left click on permissions
      Choose everyone a click ok
      Then click o.k

      This should allow you to perform an autodownload.

      You may have to do the same on the c:\temp or c:\windows\temp
      folder or c:\document and settingsyour username\temp

      Sorry? Do you mean give everyone full control to my system drive, as well as your AV definitions, configuration files and executable code? You've got to be kidding!

      And surely you'd think that AV vendors would understand better than most the need for their software to operate under the principle of least privilege.

      Give me a Mac (or other *nix) box anyday is what I say...

  2. Re:Detection/Removal instructions? by pwroberts · · Score: 5, Informative

    From the article:

    "Manual Removal
    Look for the following registry keys:

    HKLM\Software\Microsoft\Windows\CurrentVersion\R un \Generic Service Process
    HKLM\Software\Microsoft\Windows\CurrentVe rsion\Run Services\Generic Service Process

    The associated binary may be srvhost.exe, svrhost.exe or a variation of the same. Kill the associated process in the Task Manager, then remove the "Generic Service Process" registry key. Remove the executable from the Windows system directory."

  3. Related links and info by DR+SoB · · Score: 5, Informative

    This is also known as the "Agobot"

    http://news.yahoo.com/fc?tmpl=fc&cid=34&in=tech& ca t=hackers_and_crackers

    http://www.f-secure.com/v-descs/agobot_fo.shtml

    Detailed Description

    First of all, this new variant has 'Phatbot3' identifier and there are a few 'phat' string in its body. This may indicate that this version was not made by the original Agobot backdoor author, who calls himself TheAgo, but by a different person/group who got the source code of this backdoor.

    The backdoor's file is a PE executable 115738 bytes long compressed with PE-Diminisher file compressor. The unpacked file's size is over 245 kilobytes.

    Installation to system

    The Agobot.FO backdoor copies itself as NVCHIP4.EXE file to Windows System folder and creates startup keys for this file in System Registry:
    [HKLM\Software\Microsoft\Windows\Curren tVersion\Ru n]
    "nVidia Chip4" = "nvchip4.exe"
    [HKLM\Software\Microsoft\Windows\Cu rrentVersion\Ru nServices]
    "nVidia Chip4" = "nvchip4.exe"

    This allows the backdoor's file to start with every Windows session. On Windows NT-based systems the backdoor can start as a service.
    Scanning for vulnerable computers

    The backdoor can scan subnets for exploitable computers and send a list of their IPs to the bot operator. The scan is performed on ports 80, 135 and 445 for RPC/DCOM (MS03-026), RPC/Locator (MS03-001) and WebDAV (MS03-007) vulnerabilities. The backdoor can also scan for computers infected with MyDoom worm (port 3127), Bagle worm (port 2745) and also for computers where DameWare remote system management software is installed (port 6129).

    Performing a DDoS attack
    The backdoor can perform the following types of DDoS (Distributed Denial of Service) attacks:
    * HTTP flood * SYN flood * UDP flood * ICMP flood
    When performing a DDoS attack, the backdoor uses 33 unique client identifiers including Mozilla, Wget, Scooter, Webcrawler and Google bot.

    The backdoor sends 256000 bytes of random data to the following websites and checks the response times:
    www.schlund.net
    www.utwente.nl
    www.xo.net
    www.stanford.edu
    www.lib.nthu.edu.tw
    www.st.lib.keio.ac.jp

    Collecting e-mail addresses
    The bot can harvest e-mail addresses. It has the functionality to read user's Address Book and send the list of e-mail addresses to the bot operator.

    Obtainint Registry info
    The backdoor has the functionality to obtain System Registry info from an infected computer. This is a new feature for Agobot backdoor. Information obtained from the Registry can give a hacker a full overview of an infected system.

    Spreading to local network
    Agobot backdoor can scan computers on local network and copy itself there. The scan is initiated by a remote hacker. When spreading to local network, Agobot.FO probes the following shares:
    admin$ c$ d$ e$ print$ c

    Agobot.FO tries to connect using the following account names:
    (SEE LINKS AT TOP FOR INFORMATION)

    When connecting, Agobot.FO uses the following passwords:
    (SEE LINKS AT TOP FOR DETAILS)

    If the worm succeeds connecting to the above listed shares, it copies itself to a remote share and attempts to start that file as a service. The alternative way of infecting a remote host is to create a scheduled task on a remote computer that will start the backdoor's file.

    Teminating processes of security and anti-virus programs
    Agobot.FO has a huge list of process file names hardcoded in its body. The backdoor tries to terminate processes that have the following names:
    (NAMES REMOVED SO POST WOULD WORK, FOLLOW LINKS AT TOP)

    This functionality allows the backdoor to successfully disable anti-virus and security software that can not detect this backdoor before it's file is started. In most cases special tools are required to clean a computer infected with this backdoor.

    Additionally the

    --
    Mod +5 Drunk
  4. For a mainframe version... by Ungrounded+Lightning · · Score: 4, Informative

    How long before someone bootstraps a distributed Artificial life simulator to their virus and then we all watch in amazement as the first AI evolves and owns all our computers. This could never happen though...right?

    For a mainframe version of the story see _The Adolescence of P1_.

    (I'd dig up an Amazon link but I'm busy right now.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  5. Mirror by httptech · · Score: 4, Informative
    Here's a mirror of my analysis:

    http://www.joestewart.org/phatbot.html

    -Joe

  6. From the LURHQ alert by burgburgburg · · Score: 4, Informative
    Google cache:

    Manual Removal
    Look for the following registry keys:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run \Generic Service Process
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\Generic Service Process

    The associated binary may be srvhost.exe, svrhost.exe or a variation of the same. Kill the associated process in the Task Manager, then remove the "Generic Service Process" registry key. Remove the executable from the Windows system directory.

    Snort Signatures
    Here are some Snort signatures to detect Phatbot on a network:

    alert tcp any any -> any any (msg:"Agobot/Phatbot Infection Successful"; flow:established; content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|"; dsize:40; classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; sid:1000075; rev:1;)

    alert tcp any any -> any any (msg:"Phatbot P2P Control Connection"; flow:established; content:"Wonk-"; content:"|00|#waste|00|"; within:15; classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; sid:1000076; rev:1;)

  7. Re:Suspicious... by httptech · · Score: 4, Informative

    Some AV companies consider this a variant of Agobot/Gaobot, since it shares a lot of the same code base. Which is funny, because when I analyzed Doomjuice and called it "MyDoom.C", they all said it was too different to be called a MyDoom variant (even though it was the same code with functionality removed).

    I consider the addition of the WASTE code and removal of the IRC code to be significant enough to call this by a new name. Not to mention all the other added features that are not part of the Agobot code.

    -Joe

  8. Re:paypal? by justMichael · · Score: 4, Informative

    PayPal Sucks
    PayPal Warning
    About PayPal
    Google

    That ougth to keep you busy for a few days ;)