
Thread: Phatbot [P2P]

  1. #1
    Senior Member
    Join Date
    Nov 2001

    Phatbot [P2P]

    Computer security experts in the private sector and U.S. government are monitoring the emergence of a new, highly sophisticated hacker tool that uses the same peer-to-peer (P2P) networking abilities that power controversial file-sharing networks like Kazaa and BearShare.

    By some estimates, hundreds of thousands of computers running Microsoft's Windows operating system have already been infected worldwide. The tool, a program that security researchers have dubbed "Phatbot," allows its authors to gain control over computers and link them into P2P networks that can be used to send large amounts of spam e-mail messages or to flood Web sites with data in an attempt to knock them offline.

    The new hacker threat caught the attention of cyber-security officials at the U.S. Department of Homeland Security, prompting the agency to send an alert last week to a select group of computer security experts. In the alert, the agency warned that Phatbot snoops for passwords on infected computers and tries to disable firewall and antivirus software.

    A copy of the DHS alert was made available to by two sources at different companies who asked that their identities not be used because they did not want to risk losing access to future government alerts. Officials at the department and US-CERT -- a government-funded cyber-security monitoring agency -- confirmed that the message was genuine.

    Phatbot is "a virtual Swiss Army knife of attack software," said Vincent Weafer, senior director of security response at Cupertino, Calif.-based Symantec Corp.

    Joe Stewart, a researcher at the Chicago-based security firm Lurhq, has catalogued Phatbot's many capabilities in an online posting. Those capabilities include: the "ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system"; "steal AOL account logins and passwords"; "harvest emails from the web for spam purposes" and "sniff [Internet] network traffic for Paypal cookies."

    Phatbot is a kind of "Trojan horse," a type of program named after the legendary stealth attack because it lets hackers take quiet control of unsecured computers. Security firms have catalogued hundreds if not thousands of Trojan horse programs in recent years, but Phatbot has raised substantial concern because it represents a leap forward in its sophistication and is proving much harder for law enforcement authorities and antivirus companies to eliminate.

    Like traditional Trojan horse programs, Phatbot infects a computer through one of several routes, such as through security flaws in Microsoft's Windows operating system or through "backdoors" installed on machines by the recent "Mydoom" and "Bagle" Internet worms.

    But because Phatbot links infected computers into a larger network, hackers can issue orders to the infected machines through many routes, and cyber-security officials can only effectively shut down a Phatbot attack if they track down every infected computer.

    "The concern here is that the peer-to-peer like characteristics of these 'bot networks may make them more resilient and more difficult to shut down," said a cyber-security official at the Department of Homeland Security who asked not to be identified because the agency is still considering whether to issue a more public alert about Phatbot.

    "With these P2P Trojan networks, even if you take down half of the affected machines, the rest of the network continues to work just fine," said Mikko Hypponen, director of F-Secure, an antivirus software company based in Finland.

    Most major antivirus products detect Phatbot, but as soon as the Trojan infects computers it disables many antivirus and firewall software tools.

    Roger Lawson, director of computing and information technology at the University of Vermont in Burlington, said he quarantined more than 200 computers -- more than 5 percent of the machines on the school's network -- because of Phatbot infestations. None of the school's antivirus programs detected the Trojan, and attempts to delete it caused Phatbot to recreate and restart itself, he said.

    Phatbot's ability to disable computer security software means that the estimated number of infected computers could rise to as high as "several hundred thousand," said F-Secure's Hypponen.

    A few computer experts said the rate of infection is much higher.

    Igor Ybema, a network administrator at the University of Twente in Enschede in The Netherlands, put the number between 1 million and 2 million computers. His conclusion was based on a Phatbot command that forces infected computers to test their Internet connection speed by sending a file to one of 22 specifically selected Web servers around the world -- one of them at Twente.

    He said Twente began monitoring traffic from computers running the tests in mid-February, about the time that rival hacker gangs began an online turf war that resulted in a volley of new worms like Bagle and "Netsky." By early last week, Ybema said he was tracking an average of 200,000 to 300,000 Internet addresses running the speed test every day. Ybema believes such traffic indicates that attackers who have previously relied on less advanced remote-access Trojans are now using Phatbot.

    The majority of the infections appeared to come from home user broadband connections and from colleges and universities in the United States and the Asia-Pacific region, he said.

    Earlier this month, computer network engineers at University of California, Santa Cruz monitored the same type of speed testing traffic as Twente's Ybema observed. Mark Boolootian, the network engineer who discovered the activity, said one reason infected computers may be conducting the speed tests is to give Phatbot authors an idea of which infected computers would be the fastest in sending out large amounts of spam or data aimed at overwhelming a major Web site.


    anybody seen it yet or know more about it?

    found this on it:

    pretty sophisticated piece of work
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Warned my users and pointed them to for the proposed fix.... not much more I can do..... I block the activity at the firewall and sniff for it with Snort.... There are a couple of rules... I'll post them if someone wants them.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member
    Join Date
    Jun 2003
    I was scanned >100 times between Friday and Monday by this phatbot thing. Some moron obviously couldn't figure out how to use it properly and used all his bots to scan me; had me a little confused as to wtf was happening until I saw the list of vulns it scans for and figured it out.
    Do unto others as you would have them do unto you.
    The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America's war on terror, Attorney General John Ashcroft told a Senate oversight committee
    -- true colors revealed, a brown shirt and jackboots

  4. #4
    Senior Member cwk9's Avatar
    Join Date
    Feb 2002
    So is this to dethrone sub7 as the de facto script kiddie tool?
    It's not software piracy. I'm just making multiple off site backups.

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    For you Snort Users:

    alert tcp any any -> any any (msg:"Agobot/Phatbot Infection Successful"; flow:established; content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|"; dsize:40; classtype:trojan-activity; reference:url,; sid:1000075; rev:1;)

    alert tcp any any -> any any (msg:"Phatbot P2P Control Connection"; flow:established; content:"Wonk-"; content:"|00|#waste|00|"; within:15; classtype:trojan-activity; reference:url,; sid:1000076; rev:1;)

    I would suggest this is best used on the internal sensors.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
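The two Snort rules in the post above, worked through as an added example (this is not code from the thread or from Snort): a small Python matcher that applies the same checks the rules carry, so you can see exactly which payloads each rule does and does not fire on. It supports only the options those rules use (content with |hex| escapes, within, dsize) and reads within:N as "the next pattern must sit entirely inside the N bytes after the previous match"; that reading of Snort's semantics, and the sample payloads, are assumptions built from the byte strings in the rules, not captured traffic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not from the thread: a minimal matcher for the two Snort
# rules posted above. Only the options those rules use are implemented
# (content with |hex| escapes, within, dsize); flow tracking, rule headers
# and preprocessors are left out.


def parse_pipe_content(s: str) -> bytes:
    """Turn a Snort content string such as '|00|#waste|00|' into raw bytes.
    Text outside the pipes is literal; text inside is hex byte pairs."""
    out = bytearray()
    # re.split with a capturing group alternates literal and hex segments
    for i, part in enumerate(re.split(r"\|([0-9A-Fa-f\s]*)\|", s)):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(part)
    return bytes(out)


@dataclass
class Rule:
    msg: str
    # each entry: (pattern, within); within=None means "anywhere after the previous match"
    contents: List[Tuple[bytes, Optional[int]]]
    dsize: Optional[int] = None  # exact payload length, like Snort's dsize:N


def rule_matches(rule: Rule, payload: bytes) -> bool:
    """Apply the rule's checks in order. within:N is read as: the next
    pattern must lie entirely inside the N bytes following the previous
    match (an assumption about Snort semantics made for this example)."""
    if rule.dsize is not None and len(payload) != rule.dsize:
        return False
    cursor = 0
    for pattern, within in rule.contents:
        if within is None:
            idx = payload.find(pattern, cursor)
        else:
            rel = payload[cursor:cursor + within].find(pattern)
            idx = cursor + rel if rel >= 0 else -1
        if idx < 0:
            return False
        cursor = idx + len(pattern)
    return True


# The two rules from the post, reduced to the options this matcher supports.
RULES = [
    Rule("Agobot/Phatbot Infection Successful",
         [(parse_pipe_content("221 Goodbye, have a good infection |3a 29 2e 0d 0a|"), None)],
         dsize=40),
    Rule("Phatbot P2P Control Connection",
         [(parse_pipe_content("Wonk-"), None),
          (parse_pipe_content("|00|#waste|00|"), 15)]),
]


def scan(payload: bytes) -> List[str]:
    """Return the msg of every rule that fires on this payload."""
    return [r.msg for r in RULES if rule_matches(r, payload)]


# Constructed sample payloads (not captured traffic), built from the byte
# strings the rules themselves carry, to exercise each check.
SAMPLES = {
    "goodbye_exact": b"221 Goodbye, have a good infection :).\r\n",           # exactly 40 bytes
    "goodbye_padded": b"221 Goodbye, have a good infection :).\r\n" + b"x",   # 41 bytes: dsize fails
    "waste_close": b"Wonk-\x00#waste\x00" + b"rest",                          # #waste right after Wonk-
    "waste_far": b"Wonk-" + b"\x00" * 20 + b"#waste\x00",                     # too far for within:15
    "benign": b"GET / HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:15s} -> {scan(payload) or 'no alert'}")
```

Two things the samples make visible: the "Goodbye" banner in the first rule is itself exactly 40 bytes, so dsize:40 means the rule fires only when the payload is nothing but that banner, and a single byte of padding is enough to miss it; and within:15 in the second rule tolerates some bytes between "Wonk-" and the "#waste" marker but not more than that window. Both are worth knowing before deciding, as the poster suggests, where to run the rules.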
