Slashdot Mirror


PhatBot Trojan Spreading Rapidly On Windows PCs

prostoalex writes "The Washington Post alerts Windows users about a new peer-to-peer backdoor client that is installed maliciously on broadband-connected computers around Asia and the United States. The client is then used for distributed DOS attacks and sending out large amounts of spam. Phatbot, according to government sources, is installed on hundreds of thousands of machines already. Phatbot snoops for passwords on infected computers and tries to disable firewall and antivirus software, albeit it is detectable by antivirus packages." An anonymous reader submits a link to this description of the beast.

22 of 645 comments

  1. nice features list by Anonymous Coward · · Score: 5, Informative

    # Has the ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system
    # Checks to see if it is allowed to send mail to AOL, for spamming purposes
    # Can steal Windows Product Keys
    # Can run an IDENT server on demand
    # Starts an FTP server to deliver the trojan binary to exploited hosts - ends the FTP session with the message "221 Goodbye, have a good infection :)."
    # Can run a socks, HTTP or HTTPS proxy on demand
    # Can start a redirection service for GRE or TCP protocols
    # Can scan for and use the following exploits to spread itself to new victims: * DCOM * DCOM2 * MyDoom backdoor * DameWare * Locator Service * Shares with weak passwords * WebDav * WKS - Windows Workstation Service
    # Attempts to kill instances of MSBlast, Welchia and Sobig.F
    # Can sniff IRC network traffic looking for logins to other botnets and IRC operator passwords
    # Can sniff FTP network traffic for usernames and passwords
    # Can sniff HTTP network traffic for Paypal cookies
    # Contains a list of nearly 600 processes to kill if found on an infected system. Some are antivirus software, others are competing viruses/trojans
    # Tests the available bandwidth by posting large amounts of data to the following websites:
    * www.st.lib.keio.ac.jp
    * www.lib.nthu.edu.tw
    * www.stanford.edu
    * www.xo.net
    * www.utwente.nl
    * www.schlund.net
    # Can steal AOL account logins and passwords
    # Can steal CD Keys for several popular games
    # Can harvest emails from the web for spam purposes
    # Can harvest emails from the local system for spam purposes

    1. Re:nice features list by Joe+U · · Score: 5, Funny

      I would really like to see a worm/virus/trojan that makes the user's hard drive rip itself out of the computer, beat the user with a bat and run screaming down the hall.

      Can someone code that feature?

      Seriously, I would love to see one of these programs that just turns the victim's internet connection OFF. Granted, I don't think it would spread very well.

    2. Re:nice features list by EndlessNameless · · Score: 5, Funny

      :::# Checks to see if it is allowed to send mail to AOL, for spamming purposes:::

      Best. Feature. Ever.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    3. Re:nice features list by bfg9000 · · Score: 5, Funny

      If only Microsoft gave us this much cool stuff with their godforsaken updates. I just KNOW Longhorn is gonna be WinXP with DRM (YAY!), just like XP was Win2000 with Prettiness Plus(TM), just like 2000 was WinNT with a blue default background, just like NT was Win98 with less games, just like 98 was Win95 with double the base install size, just like 95 was Win3.1 with less speed and stability, just like Win3.1 was DOS with a mouse.

      What better resume than a good virus or trojan?

      --

      I'm not normally an irrational zealous dickhead, but I figure "When in Rome..."

    4. Re:nice features list by Platinum+Dragon · · Score: 5, Insightful

      Granted, I don't think it would spread very well.

      Just code it to kill the connection after, say, fifty successful infections.

      You know what the real innovation would be, though? Writing an OS so that one process can't stomp on other processes it doesn't have permission to. It would also be nice to write something where worms couldn't just land on the system as executable files by default and scripts that do things like install other programs and do stuff without the user's knowledge can't be automatically run by a freaking e-mail program. Gee, too bad there's nothing around like that...

      --

      Someday, you're going to die. Get over it.
    5. Re:nice features list by Joe+U · · Score: 5, Insightful

      Writing an OS so that one process can't stomp on other processes it doesn't have permission to.

      I agree 100%. The windows developer community needs to totally and outright kill 95/98/Me support, and start using the built in security in 2000/XP.

      Having absolutely everything running as an administrator is a huge mistake.

    6. Re:nice features list by KevCo · · Score: 5, Informative

      I can't imagine how many other programs require admin access to run

      I'm currently working at a company that is migrating to WinXP in a very locked down environment. Everyone is a user and software restriction policies only allow files to be executed from specific locations. Users have no write access to C: at all... all user profiles and data are on D: (which is not allowed to execute anything).

      My job is to make the apps work. It's horrible. We have to give write access to the app's dir in Program Files to probably 40% of the apps. Some apps require write access to the root of C:\. Many want to create/modify files in Windows and System32. Far too many insist on writing to HKLM and even HKCR.

      We repackage all the apps as MSIs and include the needed permissions changes in the installer. By the time the apps are loaded, most machines security have been drastically compromised.

    7. Re:nice features list by yeggman · · Score: 5, Insightful

      Really, if there was an announced problem with your car that might lead to a thief getting in and driving off with it, wouldn't you get it fixed?
      Not if he always brought it back in the morning ;)
      That's why people don't give a crap, cuz the machine still kinda runs. Most people probably chuck it up to: "God this old machine doesn't run like it use to could! I should have never upgraded to IE6."

    8. Re:nice features list by Platinum+Dragon · · Score: 5, Insightful

      So the problem is partly a company that trained users to live as all-powerful administrator, then wonders why people keep running as admin even when user accounts are introduced.

      The other part of the problem is a company that trained programmers to assume the same thing, and write their programs accordingly. Now that the new versions of the company's primary OS implement some security, the programmers that were used to having complete power are running into justifiable roadblocks.

      Nice security culture Microsoft created. The Unix folks learned the folly of getting lax on security long, long ago, thanks to stuff like the Morris worm. How many Morris worms will it take for the Windows world to do the necessary overhaul, on the OS (partly already done, from what I gather), programs, and attitudes of users along with programmers?

      --

      Someday, you're going to die. Get over it.
  2. Skynet by 3cents · · Score: 5, Funny

    How long before someone bootstraps a distributed Artificial life simulator to their virus and then we all watch in amazement as the first AI evolves and owns all our computers. This could never happen though...right?


  3. Idea? by Anonymous Coward · · Score: 5, Interesting

    When a virus attempts to disable anti-virus and firewalls, there needs to be a better way to keep those programs operational and "clean". What if a virus altered your norton or mcafee to make it appear as though it is working(and not finding any viruses) when in fact it is not working at all?

    What if anti-virus, firewalls, and other critical software could somehow run in read-only memory space, which would have a physical barrier so that no bugs in software could be exploited to alter this space?

    What if we could "burn" memory space of a program to a CD rom so that a proper working, unaltered anti-virus and firewall could run without fear of being disabled?

  4. Grr... by MalaclypseTheYounger · · Score: 5, Insightful

    Just once, JUST ONCE, I'd like our knee-jerking media to actually provide details to the public on how to combat a virus, or trojan horse, or whatever, in the text of their article. I understand the unwashed masses read Yahoo News and Washington Post, but maybe if we started to inform the public on how to find out if you're infected, and how to remove the offending virus, more people would actually check to see if they are infected, and might re-think their surfing & downloading habits.

    I understand the average user can't use Registry Editor, but maybe provide a simple link or website to get a tool to remove the Phatbot thing a ma jig. /end rant

    Happy St. Paddy's Day everyone, btw.

    --
    Check out the best P2P sharing website: MEDIACHEST.COM
  5. paypal? by 2MuchC0ffeeMan · · Score: 5, Insightful

    Joe Stewart, a researcher at the Chicago-based security firm Lurhq, has catalogued Phatbot's many capabilities in an online posting. Those capabilities include: the "ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system"; "steal AOL account logins and passwords"; "harvest emails from the web for spam purposes" and "sniff [Internet] network traffic for Paypal cookies."

    aol, go for it... emails from the web are already public, go for it... paypal cookies? now that's just plain wrong, the feds are going to love that one.

    --
    Runnin' On Empty .... I'm Still Alive
  6. anyone else think by Savatte · · Score: 5, Funny

    PhatBot Trojan would be a good name for a hip-hop group?

  7. Spammer-Sponsored by fembots · · Score: 5, Insightful

    It's hard to believe these kind of trojans are not in any way related to spammers.

    Just take a look at the feature list, it probably has more bells and whistles than most of the software out there.

    Is there a way to trace back the master of these trojans and do something about it? Surely these trojans need to do something for their masters at some stage, probably waiting for commands somewhere.

  8. Re:Detection/Removal instructions? by pwroberts · · Score: 5, Informative

    From the article:

    "Manual Removal
    Look for the following registry keys:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Generic Service Process
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Generic Service Process

    The associated binary may be srvhost.exe, svrhost.exe or a variation of the same. Kill the associated process in the Task Manager, then remove the "Generic Service Process" registry key. Remove the executable from the Windows system directory."
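Added example, not part of the article or of this post: the manual check above can be done against an exported copy of the two Run keys (regedit's File > Export, or `reg export`) rather than by eyeballing them, which also gives you a record of what was there before anything was removed. The script below parses the text of a .reg export and flags entries under HKLM Run/RunServices whose value name or binary name matches what the post lists ("Generic Service Process", srvhost.exe, svrhost.exe). The export text is constructed for illustration; the full key names are written out because that is how regedit exports them, and the indicator lists can be extended with other names from the thread.

```python
"""Audit a .reg export for the Phatbot autostart entries described in the thread.

Added example (not the article's or the poster's code). SAMPLE_REG below is a
constructed export; the key and indicator names come from the removal
instructions quoted in the thread.
"""
import re

# regedit writes the long hive names, so match on those (case-insensitive).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
# Indicators quoted in the removal instructions.
SUSPICIOUS_VALUE_NAMES = {"generic service process"}
# Note the legitimate svchost.exe is deliberately NOT in this pattern.
SUSPICIOUS_BINARIES = re.compile(r"\b(srvhost|svrhost)\.exe\b", re.IGNORECASE)

# Constructed sample: one benign entry, two Phatbot-style entries, one
# legitimate svchost entry, and an HKCU key that the check ignores.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"Generic Service Process"="svrhost.exe"
"Host Process"="C:\\WINDOWS\\System32\\svchost.exe -k example"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Generic Service Process"="C:\\WINDOWS\\System32\\srvhost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"UserTool"="C:\\Users\\me\\tool.exe"
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg export.

    Non-string values (dword:, hex:) are skipped; .reg escapes backslashes
    and quotes with a backslash, which is undone here.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:
                name = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
                data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
                yield key, name, data


def find_suspicious(text):
    """Return a list of flagged Run/RunServices entries with the reasons."""
    hits = []
    for key, name, data in parse_reg(text):
        if key.lower() not in RUN_KEYS:
            continue
        reasons = []
        if name.lower() in SUSPICIOUS_VALUE_NAMES:
            reasons.append("value name matches known Phatbot entry")
        if SUSPICIOUS_BINARIES.search(data):
            reasons.append("binary name matches known Phatbot file")
        if reasons:
            hits.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_REG):
        print(f'{h["key"]}\n  "{h["name"]}" = "{h["data"]}"\n  {"; ".join(h["reasons"])}')
```

On a live machine you would feed it the output of `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the same for RunServices) instead of the sample text. Flagged entries are exactly the ones the post says to kill in Task Manager and then delete; the parser never touches the registry itself.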

  9. Want to start the revolution in a hurry? by beacher · · Score: 5, Funny

    1) Extract Windows product keys
    2) ???^H^H^H Email software keys to software@bsa.net and tell them that you think your employer is not running legitimate software. Include a paypal link for the reward
    3) Profit

    This bot looks NASTY.
    -B

  10. Related links and info by DR+SoB · · Score: 5, Informative

    This is also known as the "Agobot"

    http://news.yahoo.com/fc?tmpl=fc&cid=34&in=tech&cat=hackers_and_crackers

    http://www.f-secure.com/v-descs/agobot_fo.shtml

    Detailed Description

    First of all, this new variant has 'Phatbot3' identifier and there are a few 'phat' string in its body. This may indicate that this version was not made by the original Agobot backdoor author, who calls himself TheAgo, but by a different person/group who got the source code of this backdoor.

    The backdoor's file is a PE executable 115738 bytes long compressed with PE-Diminisher file compressor. The unpacked file's size is over 245 kilobytes.

    Installation to system

    The Agobot.FO backdoor copies itself as NVCHIP4.EXE file to Windows System folder and creates startup keys for this file in System Registry:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "nVidia Chip4" = "nvchip4.exe"
    [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "nVidia Chip4" = "nvchip4.exe"

    This allows the backdoor's file to start with every Windows session. On Windows NT-based systems the backdoor can start as a service.
    Scanning for vulnerable computers

    The backdoor can scan subnets for exploitable computers and send a list of their IPs to the bot operator. The scan is performed on ports 80, 135 and 445 for RPC/DCOM (MS03-026), RPC/Locator (MS03-001) and WebDAV (MS03-007) vulnerabilities. The backdoor can also scan for computers infected with MyDoom worm (port 3127), Bagle worm (port 2745) and also for computers where DameWare remote system management software is installed (port 6129).

    Performing a DDoS attack
    The backdoor can perform the following types of DDoS (Distributed Denial of Service) attacks:
    * HTTP flood * SYN flood * UDP flood * ICMP flood
    When performing a DDoS attack, the backdoor uses 33 unique client identifiers including Mozilla, Wget, Scooter, Webcrawler and Google bot.

    The backdoor sends 256000 bytes of random data to the following websites and checks the response times:
    www.schlund.net
    www.utwente.nl
    www.xo.net
    www.stanford.edu
    www.lib.nthu.edu.tw
    www.st.lib.keio.ac.jp

    Collecting e-mail addresses
    The bot can harvest e-mail addresses. It has the functionality to read user's Address Book and send the list of e-mail addresses to the bot operator.

    Obtaining Registry info
    The backdoor has the functionality to obtain System Registry info from an infected computer. This is a new feature for Agobot backdoor. Information obtained from the Registry can give a hacker a full overview of an infected system.

    Spreading to local network
    Agobot backdoor can scan computers on local network and copy itself there. The scan is initiated by a remote hacker. When spreading to local network, Agobot.FO probes the following shares:
    admin$ c$ d$ e$ print$ c

    Agobot.FO tries to connect using the following account names:
    (SEE LINKS AT TOP FOR INFORMATION)

    When connecting, Agobot.FO uses the following passwords:
    (SEE LINKS AT TOP FOR DETAILS)

    If the worm succeeds connecting to the above listed shares, it copies itself to a remote share and attempts to start that file as a service. The alternative way of infecting a remote host is to create a scheduled task on a remote computer that will start the backdoor's file.

    Terminating processes of security and anti-virus programs
    Agobot.FO has a huge list of process file names hardcoded in its body. The backdoor tries to terminate processes that have the following names:
    (NAMES REMOVED SO POST WOULD WORK, FOLLOW LINKS AT TOP)

    This functionality allows the backdoor to successfully disable anti-virus and security software that can not detect this backdoor before its file is started. In most cases special tools are required to clean a computer infected with this backdoor.

    Additionally the

    --
    Mod +5 Drunk
  11. Lucky me by mixtape5 · · Score: 5, Funny

    is installed maliciously on broadband-connected computers...
    who knew that dial up internet was a form of virus protection? I don't feel so bad anymore!


    --
    WoW: Scheod 70 orc warlock on Shadowmoon
  12. Re:Is it just me... by CreatureComfort · · Score: 5, Funny


    The Register just had a story about how a lot of the new virii are as small as 12kb, and how you could almost silk screen the code for one onto an XL T-shirt.

    I would love to have a pair of boxers with this code printed on them, and in large letters overlaying the code, "Let's install my peer-to-peer backdoor client."

    --
    "Unheard of means only it's undreamed of yet,
    Impossible means not yet done." ~~ Julia Ecklar
  13. Re:Is it just me... by nlindstrom · · Score: 5, Interesting
    I remember Monkey-B. I once went on a field service call to a large business in downtown Los Angeles, and discovered that most of their PCs were infected with it. "Most of their PCs" being defined as around 100 boxes.

    I informed their IT person that Monkey-B encrypts the files on the disk, so before we went willy-nilly removing the virus, we needed to back up the user data. They told me I was full of crap, and proceeded to clean the PCs themselves. Big mistake!

    Oddly enough, their VP later complained to the service company I worked for that I had not done my job, since his IT people were fuck-heads. He didn't exactly state it this way, of course, but that was the gist of the statement. When I started to explain what had happened to my boss, I only got as far as "...and I discovered that most of their PCs were infected with Monkey-B."

    He started laughing, and finished my sentence for me with "and their stupid IT people went around removing it, right? Idiots!"

  14. even better by Anonymous Coward · · Score: 5, Funny

    Have it grep the HD for pr0n keywords, and mail the results to Outlook's Address Book. After that, nobody would think little of viruses ever again...
    (here in double-moral country, that is)