Slashdot Mirror


PhatBot Trojan Spreading Rapidly On Windows PCs

prostoalex writes "The Washington Post alerts Windows users about a new peer-to-peer backdoor client that is installed maliciously on broadband-connected computers around Asia and the United States. The client is then used for distributed DoS attacks and sending out large amounts of spam. Phatbot, according to government sources, is installed on hundreds of thousands of machines already. Phatbot snoops for passwords on infected computers and tries to disable firewall and antivirus software, although it is detectable by antivirus packages." An anonymous reader submits a link to this description of the beast.

17 of 645 comments

  1. I'm TRULY not attempting to Troll by slycer9 · · Score: 4, Insightful

    But I'm getting so tired of these virus 'alerts' constantly bombarding me day in and day out!

    It's as bad as spam! It's EVERYWHERE!!

    I frequent a couple other message boards (damn, I almost said BBS'), and every few days, we get the same ol' thread...'VIRUS ALERT!!!!!!!'

    We live in the information age. The information has been disseminated that Windows users are:

    A) Prone to constant viral and security intrusions.
    B) In desperate need to constantly update their AV software.

    The SysAdmins who aren't keeping their servers locked down are another thing entirely...*grumble*

    But really, ABC, NBC, CBS, all these guys have done several stories on system security...EVERYONE's got a nephew that 'knows a lot 'bout dem 'puters'...

    I really don't understand why we're still being subjected to this crap. Virus news isn't news. It's spam.

    (See! A whole post about viruses and I never mentioned the fact that I run OS X and Yellow Dog Linux exclusively!!! Not once have I mentioned that I've never had to worry about a virus at all!!!)

    Yay me.

    --
    Don't park drunk, accidents cause people.
  2. Grr... by MalaclypseTheYounger · · Score: 5, Insightful

    Just once, JUST ONCE, I'd like our knee-jerking media to actually provide details to the public on how to combat a virus, or trojan horse, or whatever, in the text of their article. I understand the unwashed masses read Yahoo News and Washington Post, but maybe if we started to inform the public on how to find out if you're infected, and how to remove the offending virus, more people would actually check to see if they are infected, and might re-think their surfing & downloading habits.

    I understand the average user can't use Registry Editor, but maybe provide a simple link or website to get a tool to remove the Phatbot thingamajig. /end rant

    Happy St. Paddy's Day everyone, btw.

    --
    Check out the best P2P sharing website: MEDIACHEST.COM
  3. paypal? by 2MuchC0ffeeMan · · Score: 5, Insightful

    Joe Stewart, a researcher at the Chicago-based security firm Lurhq, has catalogued Phatbot's many capabilities in an online posting. Those capabilities include: the "ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system"; "steal AOL account logins and passwords"; "harvest emails from the web for spam purposes" and "sniff [Internet] network traffic for Paypal cookies."

    aol, go for it... emails from the web are already public, go for it... paypal cookies? now that's just plain wrong, the feds are going to love that one.

    --
    Runnin' On Empty .... I'm Still Alive
  4. Spammer-Sponsored by fembots · · Score: 5, Insightful

    It's hard to believe these kinds of trojans are not in any way related to spammers.

    Just take a look at the feature list, it probably has more bells and whistles than most of the software out there.

    Is there a way to trace back the master of these trojans and do something about it? Surely these trojans need to do something for their masters at some stage, probably waiting for commands somewhere.

  5. Re:Idea? by hawkbug · · Score: 4, Insightful

    Sadly, what you're suggesting is what TCPA or whatever the hell the trust computing platform is all about. I'm against the whole movement, because I think we need more secure OS software to begin with, not "trusted memory space" to protect us.

  6. Still Countergrabbable by nweaver · · Score: 4, Insightful

    The authors are getting better at designing control networks, but all it will take is one grayhat with an infected node to watch a command being executed and use that information to take out the entire botnet.

    Too bad it would be both grossly illegal and probably disruptive, because it would be a great favor to the rest of the net, to counter these botnets and squish them into oblivion (at least this generation, until the attackers learn how to do authentication of commands correctly).

    --
    Test your net with Netalyzr
  7. Re:nice features list by Platinum+Dragon · · Score: 5, Insightful

    Granted, I don't think it would spread very well.

    Just code it to kill the connection after, say, fifty successful infections.

    You know what the real innovation would be, though? Writing an OS so that one process can't stomp on other processes it doesn't have permission to. It would also be nice to write something where worms couldn't just land on the system as executable files by default and scripts that do things like install other programs and do stuff without the user's knowledge can't be automatically run by a freaking e-mail program. Gee, too bad there's nothing around like that...

    --
    Someday, you're going to die. Get over it.
  8. virus news = spam by erikdotla · · Score: 4, Insightful

    I see where you're coming from here. However, there are other considerations. Some of us must operate Windows boxes, so we must deal with it.

    Obviously the "security-by-news-alert" method of keeping your systems secure is stupid. We must still update our AVs and Spy cleaners and run them regularly. If we do that, we'll get almost every virus and spyware and never have to worry.

    But some of us like to know what the virus writers are doing. Trends in the virus business, as they evolve.

    Some of us may have firewalls that we might wish to alter based on major recent virus activity. I'm sure the Blaster variants caused several admins to alter the RPC port configuration of their firewalls.

    Isn't it better to be proactive rather than reacting to a virus-based DOS?

    I agree, of course, that people shouldn't email their buddies "OMG VIRUS ALERT!!!111one!!11" as we are able to keep up on virus news ourselves. We don't need these emails.

    The value of Slashdot posting a breaking story about a virus is early-warning in the event that we're sitting around reading Slashdot instead of doing our jobs and monitoring the other virus news systems. :)

    --
    # Erik
  9. Re:nice features list by Joe+U · · Score: 5, Insightful

    Writing an OS so that one process can't stomp on other processes it doesn't have permission to.

    I agree 100%. The windows developer community needs to totally and outright kill 95/98/Me support, and start using the built in security in 2000/XP.

    Having absolutely everything running as an administrator is a huge mistake.

  10. The good 'ol days by Ibanez · · Score: 4, Insightful

    What the hell happened to them? You know, when you used to download a program off of FTP or Firstclass, forgot to scan it for viruses, installed it, had your harddrive wiped clean. And then you had to reinstall from your backup floppies, and had no one to blame but your own stupid self?

    Now its not your fault, and it hurts you as well as everyone else!

  11. Re:what else is new? by rixstep · · Score: 4, Insightful

    They really only seem to hurt people who are already pretty ignorant

    The word 'only' is misplaced. The Internet is full of idiots. They're in the majority.

    They get the shit kicked out of them every time they go online. They take their junky Gateways back to PC shops to 'wipe and reinstall' every six months. They lose files because 'I know I didn't download that file to my hard drive - I downloaded it to my desktop instead' and then they can't find it.

    You tell them the simplest things to get them out of the most complex situations and they demand 'user friendly'. They want products that cure only the latest ill and demand at most one mouse click.

    Wonder of wonders the world (the Internet) is as it is. And wonder of wonders is that it's taken the sophisticated malware engineers so long to get sophisticated.

    There's a slaughter going on, and although MS are responsible with their crappy stuff, the users are also responsible - for using it. And I hope we've heard the last of that classic line 'it only affects Windows users', because it should be evident to even the most brain-dead MS fanatic at this point that the entire Internet is affected.

    It's time to put up some housing ordinances so MS users aren't allowed to ruin the neighbourhood. High time and beyond.

  12. Re:nice features list by Platinum+Dragon · · Score: 4, Insightful

    I know you're a troll, but you have no idea how many:

    a) people who still run Win98/ME, with their total lack of a permissions model, come into the store, and
    b) how many people give their XP accounts administrator-level powers just to "make things easier". Shit, the TRON 2.0 demo required administrator privileges to run! We (ie, me and the other employees) have no idea why, it was the most fucking crackheaded thing I've seen since Windows ME, but there it was. I can't imagine how many other programs require admin access to run. And geeks wonder why people have no concept of why it's dangerous to run as root/admin...

    --
    Someday, you're going to die. Get over it.
  13. Re:nice features list by red+floyd · · Score: 4, Insightful

    Plus...

    <RANT type="favorite">
    Then there are programs that, because of sloppy/lazy coding, insist on being run as Admin on NT/2K/XP. Two that come to mind immediately are Mavis Beacon Teaches Typing 15 and The Sims.

    There is absolutely NO REASON WHATSOEVER for a typing tutor to require Admin, nor should there really be any for the Sims. AFAICT, they both write to the installation directory and HKLM instead of the user's "Application Data" and HKCU.

    </RANT>

    --
    The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
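    The point above (an application that writes into its installation directory and HKLM needs Admin, while one that writes to the user's Application Data and HKCU does not) can be checked mechanically before shipping. The audit below is an added example, not code from the thread or from any product named in it; the vendor/product names and the list of intended write targets are constructed for illustration.

```python
# Classify the locations a program intends to write to, and propose the
# per-user equivalent for each one that would otherwise require Admin.
# Assumption (constructed, not from the thread): a hypothetical typing tutor
# installed under Program Files that stores settings beside its binaries
# and under HKLM, which is exactly what forces users to run it as Admin.

# Longer prefix first so "Program Files (x86)" is not split by "Program Files".
MACHINE_FS_PREFIXES = (r"c:\program files (x86)", r"c:\program files", r"c:\windows")
MACHINE_REG_PREFIXES = ("hklm\\", "hkey_local_machine\\")

SAMPLE_WRITES = [  # constructed sample of a program's write targets
    r"C:\Program Files\ExampleVendor\TypingTutor\settings.ini",
    r"C:\Program Files (x86)\ExampleVendor\TypingTutor\scores.dat",
    r"HKLM\Software\ExampleVendor\TypingTutor",
    r"%APPDATA%\ExampleVendor\TypingTutor\progress.dat",
    r"HKCU\Software\ExampleVendor\TypingTutor",
]


def _norm(path):
    # Windows paths and keys are case-insensitive; '/' and '\' are equivalent.
    return path.replace("/", "\\").lower()


def classify_target(target):
    """Return (needs_admin, suggested_location) for a file path or registry key."""
    t = _norm(target)
    for prefix in MACHINE_REG_PREFIXES:
        if t.startswith(prefix):
            # Same subkey layout, but under the current user's hive instead.
            return True, "HKCU\\" + target[len(prefix):]
    for prefix in MACHINE_FS_PREFIXES:
        if t.startswith(prefix):
            # Keep the vendor/app-relative remainder, root it in Application Data.
            rest = target[len(prefix):].lstrip("\\/")
            return True, "%APPDATA%\\" + rest
    return False, target  # already a per-user location


def audit(targets):
    """List of (target, needs_admin, suggestion) tuples for every write target."""
    return [(t, *classify_target(t)) for t in targets]


if __name__ == "__main__":
    for target, admin, suggestion in audit(SAMPLE_WRITES):
        flag = "NEEDS ADMIN" if admin else "ok"
        print(f"{flag:11} {target}" + (f"  ->  {suggestion}" if admin else ""))
```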
  14. Re:nice features list by Lumpy · · Score: 4, Insightful

    Having absolutely everything running as an administrator is a huge mistake.

    I so agree, so can you PLEASE tell corporate America IT managers this?

    Here I am, an IT professional in one of the world's LARGEST telecommunications companies, and EVERYONE's W2K domain profile is set to give them administrator rights... repeated calls to the NOC about the security hole are unanswered, and my attempts to fix it locally get me reprimanded for messing with domain security settings.

    It's fine to have the ability to lock it down, but it's worthless when the people in charge of it are too stupid or spineless to use it.

    --
    Do not look at laser with remaining good eye.
  15. Re:nice features list by yeggman · · Score: 5, Insightful

    Really, if there was an announced problem with your car that might lead to a thief getting in and driving off with it, wouldn't you get it fixed?
    Not if he always brought it back in the morning ;)
    That's why people don't give a crap, cuz the machine still kinda runs. Most people probably chalk it up to: "God this old machine doesn't run like it use to could! I should have never upgraded to IE6."

  16. Re:nice features list by Platinum+Dragon · · Score: 5, Insightful

    So the problem is partly a company that trained users to live as all-powerful administrator, then wonders why people keep running as admin even when user accounts are introduced.

    The other part of the problem is a company that trained programmers to assume the same thing, and write their programs accordingly. Now that the new versions of the company's primary OS implement some security, the programmers that were used to having complete power are running into justifiable roadblocks.

    Nice security culture Microsoft created. The Unix folks learned the folly of getting lax on security long, long ago, thanks to stuff like the Morris worm. How many Morris worms will it take for the Windows world to do the necessary overhaul, on the OS (partly already done, from what I gather), programs, and attitudes of users along with programmers?

    --
    Someday, you're going to die. Get over it.
  17. The meaning of "Trojan" by groomed · · Score: 4, Insightful

    Well, I suppose it's a lost cause (as with the "hacker" term), but it can't hurt to point out that it really doesn't make much sense to call this program a "trojan".

    The article suggests that this is a "trojan" because it lets attackers stealthily take control of your computer. But that was not what was remarkable about the historical Trojan horse. What was remarkable about it is that it was presented as a gift. The distinguishing characteristic of a trojan is that it has a friendly outward appearance but contains a deadly payload. That's certainly not the case with Phatbot.

    Rather, I'd say that Phatbot is a virus, because a) it is malicious and b) it doesn't rely on deception to spread itself. This is, again, subtly different from a worm, which generally isn't malicious, just annoying.

    Of course it's water under the bridge at this point.