Slashdot Mirror
PhatBot Trojan Spreading Rapidly On Windows PCs
prostoalex writes "The Washington Post alerts Windows users about a new peer-to-peer backdoor client that is installed maliciously on broadband-connected computers around Asia and the United States. The client is then used for distributed DOS attacks and sending out large amounts of spam. Phatbot, according to government sources, is installed on hundreds of thousands machines already. Phatbot snoops for passwords on infected computers and tries to disable firewall and antivirus software, albeit it is detectable by antivirus packages." An anonymous reader submits a link to this description of the beast.
... or does this sound dirty to you too??
a new peer-to-peer backdoor client that is installed maliciously
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
Since when did Snoop Dogg start writing code? Shizzle, dawg, dis virizzle be PHAT!
# Has the ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system :)."
# Checks to see if it is allowed to send mail to AOL, for spamming purposes
# Can steal Windows Product Keys
# Can run an IDENT server on demand
# Starts an FTP server to deliver the trojan binary to exploited hosts - ends the FTP session with the message "221 Goodbye, have a good infection
# Can run a socks, HTTP or HTTPS proxy on demand
# Can start a redirection service for GRE or TCP protocols
# Can scan for and use the following exploits to spread itself to new victims: * DCOM * DCOM2 * MyDoom backdoor * DameWare * Locator Service * Shares with weak passwords * WebDav * WKS - Windows Workstation Service
# Attempts to kill instances of MSBlast, Welchia and Sobig.F
# Can sniff IRC network traffic looking for logins to other botnets and IRC operator passwords
# Can sniff FTP network traffic for usernames and passwords
# Can sniff HTTP network traffic for Paypal cookies
# Contains a list of nearly 600 processes to kill if found on an infected system.Some are antivirus software, others are competing viruses/trojans
# Tests the available bandwidth by posting large amounts of data to the following websites:
* www.st.lib.keio.ac.jp
* www.lib.nthu.edu.tw
* www.stanford.edu
* www.xo.net
* www.utwente.nl
* www.schlund.net
# Can steal AOL account logins and passwords
# Can steal CD Keys for several popular games
# Can harvest emails from the web for spam purposes
# Can harvest emails from the local system for spam purposes
How long before someone bootstraps a distributed Artificial life simulator to their virus and then we all watch in amazement as the first AI evolves and owns all our computers. This could never happen though...right?
Slashrank
When a virus attempts to disable anti-virus and firewalls, there needs to be a better way to keep those programs operational and "clean". What if a virus altered your norton or mcafee to make it appear as though it is working(and not finding any viruses) when in fact it is not working at all?
What if anti-virus, firewalls, and other critical software could somehow run in read-only memory space, which would have a physical barrier so that no bugs in software could be exploited to alter this space?
What if we could "burn" memory space of a program to a CD rom so that a proper working, unaltered anti-virus and firewall could run without fear of being disabled?
But I'm getting so tired of these virus 'alerts' constantly bombarding me day in and day out!
It's as bad as spam! It's EVERYWHERE!!
I frequent a couple other message boards (damn, I almost said BBS'), and every few days, we get the same ol' thread...'VIRUS ALERT!!!!!!!'
We live in the information age. The information has been disseminated that Windows users are:
A) Prone to constant viral and security intrusions.
B) In desperate need to constantly update their AV software.
The SysAdmins who aren't keeping their servers locked down is another thing entirely...*grumble*
But really, ABC, NBC, CBS, all these guys have done several stories on system security...EVERYONE's got a nephew that 'knows a lot 'bout dem 'puters'...
I really don't understand why we're still being subjected to this crap. Virus news isn't news. It's spam.
(See! A whole post about viruses and I never mentioned the fact that I run OS X and Yellow Dog Linux exclusively!!! Not once have I mentioned that I've never had to worry about a virus at all!!!)
Yay me.
Don't park drunk, accidents cause people.
Just once, JUST ONCE, I'd like our knee-jerking media to actually provide details to the public on how to combat a virus, or trojan horse, or whatever, in the text of their article. I understand the unwashed masses read Yahoo News and Washington Post, but maybe if we started to inform the public on how to find out if you're infected, and how to remove the offending virus, more people would actually check to see if they are infected, and might re-think their surfing & downloading habits.
/end rant
I understand the average user can't use Registry Editor, but maybe provide a simple link or website to get a tool to remove the Phatbot thing a ma jig.
Happy St. Paddy's Day everyone, btw.
Check out the best P2P sharing website: MEDIACHEST.COM
Joe Stewart, a researcher at the Chicago-based security firm Lurhq, has catalogued Phatbot's many capabilities in an online posting. Those capabilities include: the "ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system"; "steal AOL account logins and passwords"; "harvest emails from the web for spam purposes" and "sniff [Internet] network traffic for Paypal cookies."
aol, go for it... emails from the web are already public, go for it... paypal cookies? now that's just plain wrong, the feds are going to love that one.
Runnin' On Empty
I can't find out how the gory details of backdooring a computer. Oh well, I guess I'll have to settle for the more traditional form of pr0n.
-- PhoneBoy
The views expressed herein are not necessarily those of anyone, including the poster.
PhatBot Trojan would be a good name for a hip-hop group?
It's hard to believe these kind of trojans are not in any way related to spammers.
Just take a look at the feature list, it probably has more bells and whistles than most of the software out there.
Is there a way to trace back the master of these trojans and do something about it? Surely these trojans need to do something for their masters at some stage, probably waiting for commands somewhere.
Rock that crushes, Paper & Scissors that don't matter.
The authors are getting better at designing control networks, but all it will take is one grayhat with an infected node to watch a command being executed and use that information to take out the entire botnet.
Too bad it would be both grossly illegal and probably disruptive, because it would be a great favor to the rest of the net, to counter these botnets and squish-them into oblivion (at least this generation, until the attackers learn how to do authentication of commands correctly).
Test your net with Netalyzr
From the article:
R un \Generic Service Processe rsion\Run Services\Generic Service Process
"Manual Removal
Look for the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\
HKLM\Software\Microsoft\Windows\CurrentV
The associated binary may be srvhost.exe, svrhost.exe or a variation of the same. Kill the associated process in the Task Manager, then remove the "Generic Service Process" registry key. Remove the executable from the Windows system directory."
1) Extract Windows product keys
2) ???^H^H^H Email software keys to software@bsa.net and tell them that you think your employer is not running legitimate software. Include a paypal link for the reward
3) Profit
This bot looks NASTY.
-B
This is also known as the "Agobot"
http://news.yahoo.com/fc?tmpl=fc&cid=34&in=tech& ca t=hackers_and_crackers
http://www.f-secure.com/v-descs/agobot_fo.shtml
Detailed Description
First of all, this new variant has 'Phatbot3' identifier and there are a few 'phat' string in its body. This may indicate that this version was not made by the original Agobot backdoor author, who calls himself TheAgo, but by a different person/group who got the source code of this backdoor.
The backdoor's file is a PE executable 115738 bytes long compressed with PE-Diminisher file compressor. The unpacked file's size is over 245 kilobytes.
Installation to system
The Agobot.FO backdoor copies itself as NVCHIP4.EXE file to Windows System folder and creates startup keys for this file in System Registry:
[HKLM\Software\Microsoft\Windows\Curren tVersion\Ru n]
"nVidia Chip4" = "nvchip4.exe"
[HKLM\Software\Microsoft\Windows\Cu rrentVersion\Ru nServices]
"nVidia Chip4" = "nvchip4.exe"
This allows the backdoor's file to start with every Windows session. On Windows NT-based systems the backdoor can start as a service.
Scanning for vulnerable computers
The backdoor can scan subnets for exploitable computers and send a list of their IPs to the bot operator. The scan is performed on ports 80, 135 and 445 for RPC/DCOM (MS03-026), RPC/Locator (MS03-001) and WebDAV (MS03-007) vulnerabilities. The backdoor can also scan for computers infected with MyDoom worm (port 3127), Bagle worm (port 2745) and also for computers where DameWare remote system management software is installed (port 6129).
Performing a DDoS attack
The backdoor can perform the following types of DDoS (Distributed Denial of Service) attacks:
* HTTP flood * SYN flood * UDP flood * ICMP flood
When performing a DDoS attack, the backdoor uses 33 unique client identifiers including Mozilla, Wget, Scooter, Webcrawler and Google bot.
The backdoor sends 256000 bytes of random data to the following websites and checks the response times:
www.schlund.net
www.utwente.nl
www.xo.net
www.stanford.edu
www.lib.nthu.edu.tw
www.st.lib.keio.ac.jp
Collecting e-mail addresses
The bot can harvest e-mail addresses. It has the functionality to read user's Address Book and send the list of e-mail addresses to the bot operator.
Obtainint Registry info
The backdoor has the functionality to obtain System Registry info from an infected computer. This is a new feature for Agobot backdoor. Information obtained from the Registry can give a hacker a full overview of an infected system.
Spreading to local network
Agobot backdoor can scan computers on local network and copy itself there. The scan is initiated by a remote hacker. When spreading to local network, Agobot.FO probes the following shares:
admin$ c$ d$ e$ print$ c
Agobot.FO tries to connect using the following account names:
(SEE LINKS AT TOP FOR INFORMATION)
When connecting, Agobot.FO uses the following passwords:
(SEE LINKS AT TOP FOR DETAILS)
If the worm succeeds connecting to the above listed shares, it copies itself to a remote share and attempts to start that file as a service. The alternative way of infecting a remote host is to create a scheduled task on a remote computer that will start the backdoor's file.
Teminating processes of security and anti-virus programs
Agobot.FO has a huge list of process file names hardcoded in its body. The backdoor tries to terminate processes that have the following names:
(NAMES REMOVED SO POST WOULD WORK, FOLLOW LINKS AT TOP)
This functionality allows the backdoor to successfully disable anti-virus and security software that can not detect this backdoor before it's file is started. In most cases special tools are required to clean a computer infected with this backdoor.
Additionally the
Mod +5 Drunk
is installed maliciously on broadband-connected computers...
who knew that dial up internet was a form of virus protection? I dont feel so bad anymore!
WoW: Scheod 70 orc warlock on Shadowmoon
I see where you're coming from here. However, there's other considerations. Some of us must operate Windows boxes, so we must deal with it.
:)
Obviously the "security-by-news-alert" method of keeping your systems secure is stupid. We must still update our AVs and Spy cleaners and run them regularly. If we do that, we'll get almost every virus and spyware and never have to worry.
But some of like to know what the virus writers are doing. Trends in the virus business, as they evolve.
Some of us may have firewalls that we might wish to alter based on major recent virus activity. I'm sure the Blaster variants caused several admins to alter the RPC port configuration of their firewalls.
Isn't it better to be proactive rather than reacting to a virus-based DOS?
I agree, of course, that people shouldn't email their buddies "OMG VIRUS ALERT!!!111one!!11" as we are able to keep up on virus news ourselves. We don't need these emails.
The value of Slashdot posting a breaking story about a virus is early-warning in the event that we're sitting around reading Slashdot instead of doing our jobs and monitoring the other virus news systems.
# Erik
I have a client who sends out an aviation newsletter, with a list size in the tens of thousands. They have their own dedicated mail server, running RH Linux that I set up for them. Email is virus filtered with MailScanner and f-prot.
No complaints for months. And then, I add a new account to the mail server and restart sendmail.
Within a few hours, I got complaints that the volume of email had at least tripled, and that *all* of the increase were viruses, being caught by McAffee! So bad it was difficult to simply empty out the inbox from all the popup notices of virus detection!
Turns out when I restarted sendmail, I didn't restart MailScanner, so it was not running, letting everything through.
Very sobering, to realize how bad viruses online have gotten...
I have no problem with your religion until you decide it's reason to deprive others of the truth.
How long before someone bootstraps a distributed Artificial life simulator to their virus and then we all watch in amazement as the first AI evolves and owns all our computers. This could never happen though...right?
For a mainframe version of the story see _The Adolescence of P1_.
(I'd dig up an Amazon link but I'm busy right now.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
http://www.joestewart.org/phatbot.html
-Joe
I find it interesting that I submitted this story shortly after 0900 EST in an effort to get the word out to /. readers, but it was rejected.
/. as an effective way to communicate issues like this to the technical community, or am I just bitching because my story was rejected?
Was I wrong to consider using
Good luck everyone out there who should be checking/cleaning your systems -
If the Government becomes a lawbreaker, it breeds contempt for law;
A quick search on McAfee and Symantec websites yielded no result for "phatbot" on Symantec, and a 18 months old virus on McAfee...
If the US government is announcing this publically, and the virus has already infected "hundreds of thousands of computers already", wouldn't the anti-virus companies *know* that?!?
After 3 days without programming, life becomes meaningless
- The Tao of Programming
What the hell happened to them? You know, when you used to download a program off of FTP or Firstclass, forgot to scan it for viruses, installed it, had your harddrive wiped clean. And then you had to reinstall from your backup floppies, and had no one to blame but your own stupid self?
Now its not your fault, and it hurts you as well as everyone else!
Manual Removal
Look for the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run \Generic Service Processn Services\Generic Service Process
HKLM\Software\Microsoft\Windows\CurrentVersion\Ru
The associated binary may be srvhost.exe, svrhost.exe or a variation of the same. Kill the associated process in the Task Manager, then remove the "Generic Service Process" registry key. Remove the executable from the Windows system directory.
Snort Signatures
Here are some Snort signatures to detect Phatbot on a network:
alert tcp any any -> any any (msg:"Agobot/Phatbot Infection Successful"; flow:established; content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|"; dsize:40; classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; sid:1000075; rev:1;)
alert tcp any any -> any any (msg:"Phatbot P2P Control Connection"; flow:established; content:"Wonk-"; content:"|00|#waste|00|"; within:15; classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html; sid:1000076; rev:1;)
Here is a problem I had never thought about with open source initiatives. What happens when someone steals your source without obeying GPL or anything and turns it into a monster? It would have ben *MUCH* harder for the PhatBot authors to code their own Waste-like clustering P2P system. Perhaps they might not have even been able to do so. Instead they grab an open source app and use it to create something ilegal, and in this case even dangerous.
These are the same problems faced in the emulation field. Many open source emu programmers do not allow any game from the past 2-3 years to be played, mainly to appease the corporations that still make arcade titles (SNK etc). But people open up their source and release renegade versions of their own apps without their permission and in violation of GPL and everything, often packaging them with illegal arcade ROMs.
hey really only seem to hurt people who are already pretty ignorant
The word 'only' is misplaced. The Internet is full of idiots. They're in the majority.
They get the shit kicked out of them every time they go online. They take their junky Gateways back to PC shops to 'wipe and reinstall' every six months. They lose files because 'I know I didn't download that file to my hard drive - I downloaded it to my desktop instead' and then they can't find it.
You tell them the simplest things to get them out of the most complex situations and they demand 'user friendly'. They want products that cure only the latest ill and demand at most one mouse click.
Wonder of wonders the world (the Internet) is as it is. And wonder of wonders is that it's taken the sophisticated malware engineers so long to get sophisticated.
There's a slaughter going on, and although MS are responsible with their crappy stuff, the users are also responsible - for using it. And I hope we've heard the last of that classic line 'it only affects Windows users', because it should be evident to even the most brain-dead MS fanatic at this point that the entire Internet is affected.
It's time to put up some housing ordinances so MS users aren't allowed to ruin the neighbourhood. High time and beyond.
"Problem lies between Keyboard and Chair".
At work we say "It was a Layer 8 problem". You can say that in front of non-geeks without them catching on.
Trolling is a art,
Hi Everyone
As many people have pointed out there is an utter lack of response by the top three anti-virus companies to this threat. I find this disturbing and also, unlikely. Why would the Department of Homeland Defense have better intelligence on a clearly US based threat (Phat is not an international phrase by any means) than the people who make their lively hood based on threat detection and elimination?
This has to me the markings of a hoax. The list of *features* as one poster put it is indeed staggering. That, coupled with the silence coming from Symantec, McAfee et al. makes it look fishy. A google search shows one recent post and a bunch of older hits (possibly the same as in the McAfee search ).
So that leaves me with 3 questions:
1 - Is it real
2 - How do we detect it
3 - How do we kill it.
--KS
Well, I suppose it's a lost cause (as with the "hacker" term), but I it can't hurt to point out that it really doesn't make much sense to call this program a "trojan".
The article suggests that this is a "trojan" because it lets attackers stealthily take control of your computer. But that was not what was remarkable about the historical Trojan horse. What was remarkable about it is that it was presented as a gift. The distinguishing characteric of a trojan is that it has a friendly outward appearance but contains a deadly payload. That's certainly not the case with Phatbot.
Rather, I'd say that Phatbot is a virus, because a) it is malicious and b) it doesn't rely on deception to spread itself. This is, again, subtly different from a worm, which generally aren't malicious, just annoying.
Of course it's water under the bridge at this point.
I've never had a story accepted either, and on a number of occassions I've submitted stories hours, days or weeks before the topic appeared on Slashdot. It's pretty common; I wouldn't make anything out of it. It's quite possible that someone submitted the story before you did even earlier in the morning and the editors put that one in the queue to go up at 2:43PM. They pre-scheduled the various stories that go up hours (and sometimes even days?) in advance. Or perhaps they decided it was a worthy story after they saw the 27th submission of it.
I realized one day that we could essentially have a user-contributed, user-moderated article queue of sorts using the journaling system here. I've dedicated my journal to it. I haven't figured out how to draw larger traffic to it without making this a part-time job, but you're welcome to contribute to it and I welcome suggestions.
--LP
Have it grep the HD for pr0n keywords, and mail the results to Outlook's Adressbook. After that, nobody would think little of viruses ever again...
(here in double-moral country, that is)