
PhatBot Trojan Spreading Rapidly On Windows PCs

timothy posted more than 10 years ago | from the what-and-lose-all-my-pigeons dept.

Security 645

prostoalex writes "The Washington Post alerts Windows users about a new peer-to-peer backdoor client that is installed maliciously on broadband-connected computers around Asia and the United States. The client is then used for distributed DoS attacks and sending out large amounts of spam. Phatbot, according to government sources, is installed on hundreds of thousands of machines already. Phatbot snoops for passwords on infected computers and tries to disable firewall and antivirus software, although it is detectable by antivirus packages." An anonymous reader submits a link to this description of the beast.


GNAA FP (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8591169)

Suck it motherfuckers!

And you laughed at us white patriots... (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8591319)

"Wed Mar 17 2004 14:49:40 ET // America in 2050: Whites will be down to half the population /// By 2050 minority groups will make up 49.9 percent of the U.S. population, it will be reported Thursday. Asians and Hispanics will see the most dramatic increases between now and midcentury, census sources explain, ahead of a news release... Filed By Matt Drudge..."

It's sad to see the greatest race and civilization that ever walked on earth go down the drain because of a nation full of race-traitors.

In other news... (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8591382)

By 2050, every white person in America will have a personal servant.

Re:In other news... (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8591423)

At the rate this world is going, by 2050, the US will be one giant bread line.

Re:And you laughed at us white patriots... (-1, Offtopic)

zaqattack911 (532040) | more than 10 years ago | (#8591410)

Uuhh... I think you're on the wrong website.

AMIGO.

Is it just me... (4, Funny)

FortKnox (169099) | more than 10 years ago | (#8591171)

... or does this sound dirty to you too??

a new peer-to-peer backdoor client that is installed maliciously

fucking idiot (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#8591196)

it is just you. stupid fucker.

Re:Is it just me... (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8591204)

Peer-to-peer would be like ass-to-mouth in those Rocco Siffredi movies.

Re:Is it just me... (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8591277)

Holy shit! My ears are ringing from watching a Taylor Rain video. I guess all that screaming is what she's gotta do to make up for her small tits. Not that I'm complaining, for she has one of the nicest snatches in the industry.

Re:Is it just me... (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8591223)

fag...

Re:Is it just me... (3, Interesting)

somethinghollow (530478) | more than 10 years ago | (#8591250)

Dirty as in dirty trick?

I wouldn't put it past the RIAA after Berman pushed for the we-can-hack-you-if-we-suspect-you-have-copyrighted-material-on-your-machine bill a few (?) years back.

But how often are backdoors installed for noble intents?

Re:Is it just me... (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8591254)

fortknox, you're a fucking jerkoff.

Re:Is it just me... (2, Funny)

CoolHnd30 (89871) | more than 10 years ago | (#8591389)

a new peer-to-peer backdoor client that is installed maliciously

If you wanna look at it like that, they should call it "the Kobe", instead of PhatBot.

Re:Is it just me... (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#8591394)

I don't know who's stupider... you or the fucking retard mods who modded your post funny.

But I'm thinkin you, because if you hadn't posted such an unoriginal and unfunny response, you wouldn't have duped the idiot fucking mods into boosting your karma.

Fucking tool.

1st p0st!!! (-1, Flamebait)

wrax (570032) | more than 10 years ago | (#8591172)

1st p0st baby!!!!

First (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8591182)

Yay, First first post ever!!!

Virizzle (4, Funny)

DomCurtis187 (718788) | more than 10 years ago | (#8591186)

Since when did Snoop Dogg start writing code? Shizzle, dawg, dis virizzle be PHAT!

Re:Virizzle (0)

Anonymous Coward | more than 10 years ago | (#8591384)

virizzlii?

nice features list (5, Informative)

Anonymous Coward | more than 10 years ago | (#8591198)

# Has the ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system
# Checks to see if it is allowed to send mail to AOL, for spamming purposes
# Can steal Windows Product Keys
# Can run an IDENT server on demand
# Starts an FTP server to deliver the trojan binary to exploited hosts - ends the FTP session with the message "221 Goodbye, have a good infection :)."
# Can run a socks, HTTP or HTTPS proxy on demand
# Can start a redirection service for GRE or TCP protocols
# Can scan for and use the following exploits to spread itself to new victims:
* DCOM
* DCOM2
* MyDoom backdoor
* DameWare
* Locator Service
* Shares with weak passwords
* WebDav
* WKS - Windows Workstation Service
# Attempts to kill instances of MSBlast, Welchia and Sobig.F
# Can sniff IRC network traffic looking for logins to other botnets and IRC operator passwords
# Can sniff FTP network traffic for usernames and passwords
# Can sniff HTTP network traffic for Paypal cookies
# Contains a list of nearly 600 processes to kill if found on an infected system. Some are antivirus software, others are competing viruses/trojans
# Tests the available bandwidth by posting large amounts of data to the following websites:
* www.st.lib.keio.ac.jp
* www.lib.nthu.edu.tw
* www.stanford.edu
* www.xo.net
* www.utwente.nl
* www.schlund.net
# Can steal AOL account logins and passwords
# Can steal CD Keys for several popular games
# Can harvest emails from the web for spam purposes
# Can harvest emails from the local system for spam purposes

Re:nice features list (5, Funny)

Joe U (443617) | more than 10 years ago | (#8591270)

I would really like to see a worm/virus/trojan that makes the user's hard drive rip itself out of the computer, beat the user with a bat and run screaming down the hall.

Can someone code that feature?

Seriously, I would love to see one of these programs that just turns the victims internet connection OFF. Granted, I don't think it would spread very well.

Re:nice features list (1)

Wexton (748563) | more than 10 years ago | (#8591292)

well it could spread, you would just have to make it spread then turn the internet off

Re:nice features list (5, Insightful)

Platinum Dragon (34829) | more than 10 years ago | (#8591358)

Granted, I don't think it would spread very well.

Just code it to kill the connection after, say, fifty successful infections.

You know what the real innovation would be, though? Writing an OS so that one process can't stomp on other processes it doesn't have permission to. It would also be nice to write something where worms couldn't just land on the system as executable files by default and scripts that do things like install other programs and do stuff without the user's knowledge can't be automatically run by a freaking e-mail program. Gee, too bad there's nothing around like that...

Re:nice features list (5, Insightful)

Joe U (443617) | more than 10 years ago | (#8591419)

Writing an OS so that one process can't stomp on other processes it doesn't have permission to.

I agree 100%. The windows developer community needs to totally and outright kill 95/98/Me support, and start using the built in security in 2000/XP.

Having absolutely everything running as an administrator is a huge mistake.

Re:nice features list (5, Funny)

EndlessNameless (673105) | more than 10 years ago | (#8591279)

:::# Checks to see if it is allowed to send mail to AOL, for spamming purposes:::

Best. Feature. Ever.

Re:nice features list (0)

Anonymous Coward | more than 10 years ago | (#8591287)

He said:
Can ...blah blah blah

And this, joey, is where dos attacks and xdcc bots come from.

Re:nice features list (0)

Anonymous Coward | more than 10 years ago | (#8591289)

now what exactly is "informative" about this copied list of features?!

Re:nice features list (5, Funny)

bfg9000 (726447) | more than 10 years ago | (#8591325)

If only Microsoft gave us this much cool stuff with their godforsaken updates. I just KNOW Longhorn is gonna be WinXP with DRM (YAY!), just like XP was Win2000 with Prettiness Plus(TM), just like 2000 was WinNT with a blue default background, just like NT was Win98 with less games, just like 98 was Win95 with double the base install size, just like 95 was Win3.1 with less speed and stability, just like Win3.1 was DOS with a mouse.

What better resume than a good virus or trojan?

Want to start the revolution in a hurry? (5, Funny)

beacher (82033) | more than 10 years ago | (#8591333)

1) Extract Windows product keys
2) ???^H^H^H Email software keys to software@bsa.net and tell them that you think your employer is not running legitimate software. Include a paypal link for the reward
3) Profit

This bot looks NASTY.
-B

Stop the article crapflooding! (-1)

Muda69 (718162) | more than 10 years ago | (#8591206)

Jesus! Look at the # of stories posted in the past 90-minutes:

Posted by timothy on Wednesday March 17, @11:43AM

Posted by simoniker on Wednesday March 17, @11:41AM

Posted by Cliff on Wednesday March 17, @11:26AM

Posted by timothy on Wednesday March 17, @11:16AM

Posted by timothy on Wednesday March 17, @11:09AM

Posted by timothy on Wednesday March 17, @11:00AM

Posted by Cliff on Wednesday March 17, @10:30AM

Posted by timothy on Wednesday March 17, @10:13AM

Is VA now paying the /. editors by the story? Or are the editors responding to the recent GNAA crapfloods by spamming new stories so fast the trolling community has to struggle to keep up?

MY PHAT COCK IS SPREADING CUM RAPIDLY ON MY WINDOW (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8591207)

Legal action (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8591208)

There should be a law against stupid people running crap they get from Kazaa.

Skynet (5, Funny)

3cents (741537) | more than 10 years ago | (#8591213)

How long before someone bootstraps a distributed Artificial life simulator to their virus and then we all watch in amazement as the first AI evolves and owns all our computers. This could never happen though...right?

Slashrank [slashrank.org]

Re:Skynet (1)

VTBassMatt (761333) | more than 10 years ago | (#8591249)

"On July 9th, 1997, Skynet became self-aware..."

OMGLOLWTF?!?!?! YUPO MAD3 TEH SKYN#T JOKE +5FUNAY (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8591256)

Re:Skynet (4, Funny)

NaugaHunter (639364) | more than 10 years ago | (#8591371)

Yeah, but running only on poorly setup windows boxes would probably depress it pretty quick. We can only hope it would go full cycle of sentience-self actualization-massive disillusionment-depression-suicide before reaching anything useful.

Or it will start ordering from its own spam and get really confused.

For a mainframe version... (4, Informative)

Ungrounded Lightning (62228) | more than 10 years ago | (#8591418)

How long before someone bootstraps a distributed Artificial life simulator to their virus and then we all watch in amazement as the first AI evolves and owns all our computers. This could never happen though...right?

For a mainframe version of the story see _The Adolescence of P1_.

(I'd dig up an Amazon link but I'm busy right now.)

what else is new? (2, Troll)

abscondment (672321) | more than 10 years ago | (#8591218)

...nothing.

windows users shouldn't be surprised at new viruses; it's not like they're getting worse, or like users are getting any smarter. generally speaking, if you're not an idiot, you won't get a virus. if you're not an idiot and you do, you can get rid of it easily--they really only seem to hurt people who are already pretty ignorant.

Idea? (5, Interesting)

Anonymous Coward | more than 10 years ago | (#8591220)

When a virus attempts to disable anti-virus and firewalls, there needs to be a better way to keep those programs operational and "clean". What if a virus altered your norton or mcafee to make it appear as though it is working (and not finding any viruses) when in fact it is not working at all?

What if anti-virus, firewalls, and other critical software could somehow run in read-only memory space, which would have a physical barrier so that no bugs in software could be exploited to alter this space?

What if we could "burn" memory space of a program to a CD rom so that a proper working, unaltered anti-virus and firewall could run without fear of being disabled?

Re:Idea? (2, Interesting)

Lattitude (123015) | more than 10 years ago | (#8591281)

This is why I am so happy about my Linksys router.

Re:Idea? (1)

Frennzy (730093) | more than 10 years ago | (#8591357)

And what is your linksys doing to protect you from this?

It's a trojan...a NAT/PAT device can't protect you from that.

Re:Idea? (4, Insightful)

hawkbug (94280) | more than 10 years ago | (#8591285)

Sadly, what you're suggesting is what TCPA or whatever the hell the trust computing platform is all about. I'm against the whole movement, because I think we need more secure OS software to begin with, not "trusted memory space" to protect us.

Re:Idea? (3, Interesting)

bloosqr (33593) | more than 10 years ago | (#8591387)

I don't see why, actually. The problem seems to me to be the whole issue of windows users running as "admin" or "root". If people ran in user-space (or, to be fair to users, if windows was set up to run easily and normally as a user rather than admin), then no virus could easily affect any anti-virus software running as (if you are anal retentive about these things, as unix tends to be) not root but the "antivirus" user.

I think macos X is a good example of an os that is pretty user friendly that doesn't encourage everyone to run as "admin". In fact there are no (by default) admin/root users; "admin" users are users that have sudo ability, so in a weird way it's better than default redhat linux.

-bloo

Re:Idea? (2, Informative)

Nevo (690791) | more than 10 years ago | (#8591303)

There's an inherent problem there. Anything you can do to make your program read-only, an administrator can undo.

So if Joe User gets infected and is running as administrator, the virus can un-write-protect memory and keep going.

This is a classic offense vs. defense escalation and is the type of problem Rootkits pose as well.

Re:Idea? (2, Interesting)

Demandred (13894) | more than 10 years ago | (#8591309)

Check out last year's SOSP proceedings [rochester.edu] for research on OS and hardware support for protected memory spaces.

Re:Idea? (1)

larkost (79011) | more than 10 years ago | (#8591313)

Sadly the only way of implementing this with any confidence is a "trusted computing platform" sort of approach. I much prefer having a better security model inherent in the OS, but eventually it will have to go down that road. I personally don't trust Microsoft to do this correctly (either from a security or an anti-trust standpoint).

Not the only way (1)

Theatetus (521747) | more than 10 years ago | (#8591427)

Sadly the only way of implementing this with any confidence is a "trusted computing platform" sort of approach.

Well I don't know about that being the only way. When you install the security software, you do some sort of checksum on the executable file. This checksum gets put on some sort of write-once medium (PROM, etc.) and validated when the software is loaded into memory. Now, admittedly there could be malicious alteration of the validation process, but for that matter the same thing applies to trusted computing.
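The scheme Theatetus sketches (checksum the security tool at install time, keep that checksum somewhere the program itself cannot overwrite, re-verify on load) and Nevo's objection to it (anything an administrator can set up, an administrator-level process can undo) can both be shown in a few dozen lines. The following is an added example, not code from the article or from any poster; `BaselineStore` is a hypothetical stand-in for the PROM / write-once medium, and the "antivirus.exe" it baselines is a constructed stand-in file, not a real binary.

```python
"""Install-time checksum of a security tool, re-verified every time it loads.

Added example, not code from the article or from any poster. It implements the
scheme Theatetus proposes (hash the executable at install, keep the hash where
the program cannot overwrite it, re-check on load) against a hypothetical
BaselineStore, and then plays out Nevo's caveat: if the store is writable by
the same account the malware runs under, the attacker just re-baselines the
patched file. A genuinely write-once medium is what makes record() refuse.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so a large binary need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class BaselineStore:
    """Hypothetical stand-in for the PROM / write-once medium in the post.

    write_once=True: the first digest recorded for a path sticks for good.
    write_once=False: an ordinary file, which an administrator-level process
    (or malware running as one) can rewrite at will.
    """
    write_once: bool = True
    digests: dict = field(default_factory=dict)

    def record(self, path: str) -> bool:
        """Store the current digest; returns False if write-once storage refuses."""
        if self.write_once and path in self.digests:
            return False
        self.digests[path] = sha256_of_file(path)
        return True

    def verify(self, path: str) -> bool:
        """True only if the file on disk still matches the recorded digest."""
        expected = self.digests.get(path)
        return expected is not None and expected == sha256_of_file(path)


def demo(write_once: bool) -> dict:
    """Baseline a constructed stand-in for an AV binary, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        exe = os.path.join(tmp, "antivirus.exe")           # constructed, not real
        with open(exe, "wb") as f:
            f.write(b"MZ\x90\x00 pretend this is the scanning engine")
        store = BaselineStore(write_once=write_once)
        store.record(exe)
        clean_ok = store.verify(exe)

        # Malware with write access to the file patches it in place.
        with open(exe, "ab") as f:
            f.write(b"\x90\x90 patched: always report 'no viruses found'")
        tampered_ok = store.verify(exe)

        # Same malware, same privileges, now tries to re-baseline its patched copy.
        rebaselined = store.record(exe)
        after_ok = store.verify(exe)

    return {
        "clean_verifies": clean_ok,
        "tampered_verifies": tampered_ok,
        "attacker_could_rebaseline": rebaselined,
        "tampered_verifies_after_rebaseline": after_ok,
    }


if __name__ == "__main__":
    print("write-once store:", demo(True))
    print("rewritable store:", demo(False))
```

The rewritable case is the whole point of Nevo's objection: once the attacker re-records the digest of the patched file, `verify()` is true again and the check is worthless. The check only buys anything when both the baseline and the code that performs the comparison live somewhere the victim's own account cannot write, which is exactly the property the trusted-platform proposals in this thread are trying to provide in hardware.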

Re:Idea? (1)

sTalking_Goat (670565) | more than 10 years ago | (#8591344)

What if we could "burn" memory space of a program to a CD rom so that a proper working, unaltered anti-virus and firewall could run without fear of being disabled?

How do you do that? If antivirus can burn itself (or a checksum of its unaltered self) into ROM, then couldn't the virus do the same?

The only solution I see is having the anti-virus hardwired (a la Palladium) into the system and manufacturing. But then you have to worry about the virus changing definitions, which need to be constantly updated. Right now it's a foot race. The virus is released and virus companies scrabble to cook up a fix and distribute it. Unfortunately each new worm that comes out seems to be edging them out more and more.

Re:Idea? (1)

Quasar1999 (520073) | more than 10 years ago | (#8591364)

LMAO... you gotta be joking... if this were possible, do you think it wouldn't be in use by copy protection mechanisms and anti-piracy code in today's software? On a PC there is NO WAY to load something into memory and then make it truly read only. The fact that it was loaded at some point means it absolutely has to be writable at some point... the trick is to get the PC into a state where it thinks it is still writable... protection circumvented.

Otherwise if they burned the program/data into ROM, then new exploits could not be patched without a physical upgrade to the PC... not good for antivirus companies, who have to update their info practically hourly...

Re:Idea? (1)

FrozedSolid (201777) | more than 10 years ago | (#8591406)

If you're referring to this virus, it polymorphs, meaning it changes its basic makeup to evade being detected. AFAIK, it doesn't actually touch the virus scanner, it attempts to avoid it.

MPAA & RIAA (1)

myownkidney (761203) | more than 10 years ago | (#8591224)

will be after phatbot, now that Kazaa is being counter-sued [mithuro.com] .

I'm TRULY not attempting to Troll (4, Insightful)

slycer9 (264565) | more than 10 years ago | (#8591225)

But I'm getting so tired of these virus 'alerts' constantly bombarding me day in and day out!

It's as bad as spam! It's EVERYWHERE!!

I frequent a couple other message boards (damn, I almost said BBS'), and every few days, we get the same ol' thread...'VIRUS ALERT!!!!!!!'

We live in the information age. The information has been disseminated that Windows users are:

A) Prone to constant viral and security intrusions.
B) In desperate need to constantly update their AV software.

The SysAdmins who aren't keeping their servers locked down are another thing entirely...*grumble*

But really, ABC, NBC, CBS, all these guys have done several stories on system security...EVERYONE's got a nephew that 'knows a lot 'bout dem 'puters'...

I really don't understand why we're still being subjected to this crap. Virus news isn't news. It's spam.

(See! A whole post about viruses and I never mentioned the fact that I run OS X and Yellow Dog Linux exclusively!!! Not once have I mentioned that I've never had to worry about a virus at all!!!)

Yay me.

virus news = spam (4, Insightful)

erikdotla (609033) | more than 10 years ago | (#8591359)

I see where you're coming from here. However, there's other considerations. Some of us must operate Windows boxes, so we must deal with it.

Obviously the "security-by-news-alert" method of keeping your systems secure is stupid. We must still update our AVs and Spy cleaners and run them regularly. If we do that, we'll get almost every virus and spyware and never have to worry.

But some of us like to know what the virus writers are doing. Trends in the virus business, as they evolve.

Some of us may have firewalls that we might wish to alter based on major recent virus activity. I'm sure the Blaster variants caused several admins to alter the RPC port configuration of their firewalls.

Isn't it better to be proactive rather than reacting to a virus-based DOS?

I agree, of course, that people shouldn't email their buddies "OMG VIRUS ALERT!!!111one!!11" as we are able to keep up on virus news ourselves. We don't need these emails.

The value of Slashdot posting a breaking story about a virus is early-warning in the event that we're sitting around reading Slashdot instead of doing our jobs and monitoring the other virus news systems. :)

Re:virus news = spam (2, Insightful)

slycer9 (264565) | more than 10 years ago | (#8591392)

You make a lot of good points, and I generally agree with what you've said...however...and no disrespect intended to /.

But anyone who uses THIS SITE, as their 'early warning virus system', is already in serious trouble.

There's plenty other sites that specialize in early warning, and they do a far better job than /. does, although /. reports the news far better than they do.

Specialized tools for specialized jobs.

Re:I'm TRULY not attempting to Troll (3, Funny)

2MuchC0ffeeMan (201987) | more than 10 years ago | (#8591367)

Nobody cares about the baghdad blast, or the crappy election that is going nowhere

it's a slow news day, what do you expect?

Re:I'm TRULY not attempting to Troll (1)

philthedrill (690129) | more than 10 years ago | (#8591412)

I really don't understand why we're still being subjected to this crap. Virus news isn't news. It's spam.

I understand where you're coming from, especially since the /. crowd is more tech-savvy. However, I think more information is better than less... and you could just skip this story, couldn't you? I would draw the line when friends start e-mailing you or posting virus alerts to listservs.

Grr... (5, Insightful)

MalaclypseTheYounger (726934) | more than 10 years ago | (#8591226)

Just once, JUST ONCE, I'd like our knee-jerking media to actually provide details to the public on how to combat a virus, or trojan horse, or whatever, in the text of their article. I understand the unwashed masses read Yahoo News and Washington Post, but maybe if we started to inform the public on how to find out if you're infected, and how to remove the offending virus, more people would actually check to see if they are infected, and might re-think their surfing & downloading habits.

I understand the average user can't use Registry Editor, but maybe provide a simple link or website to get a tool to remove the Phatbot thingamajig. /end rant

Happy St. Paddy's Day everyone, btw.

paypal? (5, Insightful)

2MuchC0ffeeMan (201987) | more than 10 years ago | (#8591229)

Joe Stewart, a researcher at the Chicago-based security firm Lurhq, has catalogued Phatbot's many capabilities in an online posting. Those capabilities include: the "ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system"; "steal AOL account logins and passwords"; "harvest emails from the web for spam purposes" and "sniff [Internet] network traffic for Paypal cookies."

aol, go for it... emails from the web are already public, go for it... paypal cookies? now that's just plain wrong, the feds are going to love that one.

Re:paypal? (2, Insightful)

NineNine (235196) | more than 10 years ago | (#8591401)

Anyone using Paypal deserves what they get. They're a fake bank, operating under the pretense that they are a bank. They have a terrible business history, to boot. Why anyone in their right mind would use them is beyond me.

Jesus. (-1, Troll)

James A. J. Joyce (759969) | more than 10 years ago | (#8591233)

Some of the Microsoft apologists here on Slashdot flame anybody who criticises Microsoft every time a new story about a flaw in Windows or Internet Explorer or Outlook is found, saying that Linux suffers from security flaws too.

I think this really settles the issue.

Re:Jesus. (3, Insightful)

rritterson (588983) | more than 10 years ago | (#8591315)

No it doesn't. WTH are you talking about? All it does is combine attacks against all known security flaws into a single package. It is also a trojan horse, meaning that it uses user idiocy to get itself installed.

Hmm... I suppose user idiocy is a flaw that Windows has that Linux doesn't.

Okay, I see your point.

Re:Jesus. (1)

Unkle (586324) | more than 10 years ago | (#8591413)

I'm sorry, but my favorite resolution to an issue our testing department reports is "Problem lies between Keyboard and Chair".

Another one of my favorite sayings that has come out of our testing department is "You just can't fix stupid".

Re:Jesus. (0)

Anonymous Coward | more than 10 years ago | (#8591324)

Eh, not sure what the point of your post was. But this is NOT a windows EXPLOIT at ALL.

It spreads through peer to peer apps, does not use windows exploits. This virus has nothing to do with windows security at all, but the retardedness of its users.

Re:Jesus. (0)

Anonymous Coward | more than 10 years ago | (#8591328)

Yes, because as we all know, Slashdot is such a hotbed of pro-Windows zealotry.

Idiot.

Re:Jesus. (0)

Anonymous Coward | more than 10 years ago | (#8591361)

And as you've so obviously thoroughly RTFA'd, you will no doubt be able to tell us all what new flaw(s) this exploits?

Windows ... (-1, Flamebait)

jeff13 (255285) | more than 10 years ago | (#8591238)

... IS a virus.

Note to everyone - Buy a Mac or load that PC up with Linux. Hey, can't one get the MacOSX onto an Intel chip? Was just thinking... why not?

Re:Windows ... (1)

pjt33 (739471) | more than 10 years ago | (#8591284)

'Cause Apple want to keep things simple for their maintenance programmers. If it only runs on Apple hardware, they don't have many setups to test against.

Description of trojan is slashdotted (4, Funny)

phoneboy (11009) | more than 10 years ago | (#8591243)

I can't find out the gory details of backdooring a computer. Oh well, I guess I'll have to settle for the more traditional form of pr0n.

-- PhoneBoy

Re:Description of trojan is slashdotted (0)

Anonymous Coward | more than 10 years ago | (#8591268)

Here is a VERY good description.

Link [216.239.51.104]

Happened to a friend (2, Informative)

DR SoB (749180) | more than 10 years ago | (#8591259)

A friend of mine recently sent me a funny email he had received, it indicated that Yahoo was bouncing back some emails to him because the receiver couldn't be found. Well, he didn't send any of these messages, but someone had spoofed there REAL NAME into the TO: field. His virus protection software was up-to-date, he didn't know what was going on, then he noticed in outlook the "save password" button no longer worked. Finally today, it's all starting to make sense. Don't know how he got the virus though, he's behind a firewall (NAT router), he doesn't go through much email. I have to guess it's all the porn he surfs.. Anyone else getting bounce backs?

Re:Happened to a friend (3, Insightful)

schatten (163083) | more than 10 years ago | (#8591294)

Did you just start receiving emails last week?

Apparently, your name and his name are in the address book, or in an email on an infected computer's system. That system spoofs the From: address, and sends it To: someone else in there. Sometimes you will receive it from friends that do not have it, other times you'll get a kickback saying undeliverable due to a virus that you sent. But... you didn't send it. Instead, you were spoofed as the From: address and the To: was unreachable, thus bouncing back to you.

Hope this helps.

Re:Happened to a friend (1)

hargettp (74445) | more than 10 years ago | (#8591296)

The bounce backs themselves are probably not legit; I've been seeing a few bounce backs, but my best interpretation of them is that they are spoofed. Just another tactic to get you to read and possibly interact with the e-mail (e.g., click on a link, reply, etc.)

Re:Happened to a friend (1, Troll)

slycer9 (264565) | more than 10 years ago | (#8591363)

o.O

Explain exactly how being behind a NAT prevents you from getting a virus.

For that matter...explain how you get a virus by surfing pron.

Bouncebacks? Most of us have other ways of monitoring our systems for viruses. Like...Running OS X, or Linux...oh I dunno...running regular scans with AV software maybe?

While you're explaining things...try explaining the difference between 'there' and 'their' chief.

Re:Happened to a friend (1)

cabra771 (197990) | more than 10 years ago | (#8591381)

I don't think this has anything to do with Outlook. I'm getting return to sender mails to my Yahoo account, too, but I don't have Outlook constantly running or even hooked up to my yahoo address. I think this is just another way to fool the user into clicking on the attachment to see what they apparently sent to the email address that "couldn't be found". Just another trick from those pesky little kiddies out there. I mean, they most likely got your email address off the 'net somewhere and are just spoofing your address on their end. It doesn't mean you have a virus. It just looks that way.
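schatten and cabra771 describe the same mechanism: an infected machine forges your address into From:, the recipient's server bounces the undeliverable message to you, and the bounce looks like proof that you are infected. A standard bounce (a multipart/report DSN) returns a copy of the undeliverable message, and the Received: header that the bouncing server itself stamped on that copy records which host really handed it over, so the bounce can be checked instead of guessed at. The following is an added example, not code from the article or from any poster; the bounce text, the `OWN_MAIL_HOSTS` relay names and every host in it are constructed for the demonstration.

```python
"""Spot backscatter: a bounce for mail you never sent, with your address forged as sender.

Added example, not code from the article or from any poster. A DSN returns a
copy of the message it could not deliver; the Received: header the bouncing
server stamped on that copy names the host that actually handed it over. If
that host is not one of your own relays, you did not send the mail. The bounce
and all host names below are constructed.
"""
import email
from email.message import Message
from typing import List, Optional, Tuple

OWN_MAIL_HOSTS = {"smtp.example.org", "mail.example.org"}   # your outbound relays (constructed)

SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: victim@example.org
Content-Type: multipart/report; report-type=delivery-status; boundary="=_B"

--=_B
Content-Type: text/plain

The receiver couldn't be found.

--=_B
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody-here@example.net
Action: failed

--=_B
Content-Type: message/rfc822

Received: from dsl-198-51-100-77.isp.example (198.51.100.77)
\tby mx.example.net with SMTP id xyz789; Wed, 17 Mar 2004 11:02:00 -0500
From: victim@example.org
To: nobody-here@example.net
Subject: check this out!

(attachment omitted)
--=_B--
"""


def dsn_parts(bounce: Message) -> Tuple[Optional[str], Optional[Message]]:
    """(reporting MTA, returned copy of the original message) from a DSN."""
    mta, orig = None, None
    for part in bounce.walk():
        ctype, payload = part.get_content_type(), part.get_payload()
        if not isinstance(payload, list) or not payload:
            continue
        if ctype == "message/delivery-status":          # payload: list of header blocks
            value = payload[0].get("Reporting-MTA", "")   # e.g. "dns; mx.example.net"
            mta = value.split(";", 1)[1].strip().lower() if ";" in value else None
        elif ctype == "message/rfc822":                 # payload: [embedded Message]
            orig = payload[0]
    return mta, orig


def parse_received(hdr: str) -> Tuple[Optional[str], Optional[str]]:
    """(from_host, by_host) out of one Received: header, lowercased."""
    words = hdr.replace("\n", " ").replace("\t", " ").split()
    frm = by = None
    for i, word in enumerate(words[:-1]):
        if word.lower() == "from" and frm is None:
            frm = words[i + 1].lower().strip("[]();,")
        elif word.lower() == "by" and by is None:
            by = words[i + 1].lower().strip("[]();,")
    return frm, by


def trusted_sending_hosts(orig: Message, mta: Optional[str]) -> List[str]:
    """'from' hosts of the Received: headers the bouncing server itself added.

    Headers beneath those were already inside the message when the spammer sent
    it and can be forged freely, so they are ignored; with no known reporting
    MTA only the top-most (most recently added) header counts.
    """
    hosts = []
    for idx, hdr in enumerate(orig.get_all("Received", [])):
        frm, by = parse_received(hdr)
        if frm and (by == mta if mta else idx == 0):
            hosts.append(frm)
    return hosts


def analyze(bounce_text: str, own_hosts=OWN_MAIL_HOSTS) -> dict:
    """Backscatter verdict plus the evidence it rests on."""
    mta, orig = dsn_parts(email.message_from_string(bounce_text))
    # No returned copy: nothing shows the mail left our relays, so the bounce
    # is no evidence of infection either way and is treated as backscatter.
    hosts = trusted_sending_hosts(orig, mta) if orig is not None else []
    return {
        "reporting_mta": mta,
        "sending_hosts": hosts,
        "backscatter": not any(h in own_hosts for h in hosts),
    }


# Same bounce, but for a message that really did leave our relay.
LEGIT_BOUNCE = SAMPLE_BOUNCE.replace(
    "dsl-198-51-100-77.isp.example (198.51.100.77)", "mail.example.org (203.0.113.5)"
)

if __name__ == "__main__":
    print("spoofed:", analyze(SAMPLE_BOUNCE)["backscatter"])   # True
    print("genuine:", analyze(LEGIT_BOUNCE)["backscatter"])    # False
```

Only the Received: header added by the server that generated the bounce is trusted, because everything below it was inside the message when the spammer sent it and can say whatever the spammer likes. Bounces that are not real DSNs at all (the lure messages hargettp suspects, which carry no returned copy) come out as backscatter too, which is the right answer: neither kind is evidence that the machine whose address was forged is infected.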

anyone else think (5, Funny)

Savatte (111615) | more than 10 years ago | (#8591263)

PhatBot Trojan would be a good name for a hip-hop group?

Re:anyone else think (1)

IdleTime (561841) | more than 10 years ago | (#8591346)

Sounds like a condom to me :)

Greets to the DOI!!! (2, Funny)

Jim Ethanol (613572) | more than 10 years ago | (#8591265)

### fictional code comment snippet ### "The PhatBot team would like to shout a big thanks to the US Department of Infrastructure for their help in beta testing PhatBot!"

Detection/Removal instructions? (0, Redundant)

rritterson (588983) | more than 10 years ago | (#8591274)

I'm too lazy to go find them myself- so:

Has anyone come across a removal tool and/or removal instructions? They would be helpful for future reference.

Re:Detection/Removal instructions? (5, Informative)

pwroberts (600985) | more than 10 years ago | (#8591314)

From the article:

"Manual Removal
Look for the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Generic Service Process
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Generic Service Process

The associated binary may be srvhost.exe, svrhost.exe or a variation of the same. Kill the associated process in the Task Manager, then remove the "Generic Service Process" registry key. Remove the executable from the Windows system directory."
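The removal notes above give two indicators (a "Generic Service Process" value under Run or RunServices, and a binary named srvhost.exe, svrhost.exe or a variation of those) and an order of operations (process, then registry value, then file). The following is an added example, not code from the article or from any poster, that turns those notes into a check: instead of touching a live registry it reads a .reg export (the format regedit's File > Export writes) and a tasklist-style snapshot, so it runs anywhere. The "variation of the same" is taken here to mean any reshuffling of the letters of the legitimate svchost.exe, which is an assumption of this example; the export and process list are constructed.

```python
"""Hunt a registry export and a process list for the PhatBot persistence entries.

Added example, not code from the article or from any poster. The indicators are
the ones in the removal notes quoted above: a "Generic Service Process" value
under the Run or RunServices key pointing at srvhost.exe, svrhost.exe or a
variation of that name. Treating "variation" as any reshuffle of the letters of
svchost.exe is this example's assumption. Both inputs below are constructed.
"""
import re
from typing import Dict, List, Tuple

RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
}
SUSPECT_VALUE_NAME = "generic service process"
KNOWN_NAMES = {"srvhost.exe", "svrhost.exe"}      # named in the removal notes
LEGIT_NAME = "svchost.exe"                        # the real service host they imitate
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """(key, value_name, data) triples for the string values in a regedit export.

    Keys are lowercased with HKEY_LOCAL_MACHINE shortened to HKLM, and the
    doubled backslashes regedit writes inside string data are undone.
    """
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower().replace("hkey_local_machine", "hklm")
            continue
        match = REG_VALUE.match(line)
        if key and match:
            data = match.group("data").replace("\\\\", "\\")
            entries.append((key, match.group("name"), data))
    return entries


def is_lookalike(image: str) -> bool:
    """srvhost.exe, svrhost.exe, or any other reshuffle of the letters of svchost.exe."""
    name = image.lower().rsplit("\\", 1)[-1]
    if name in KNOWN_NAMES:
        return True
    return name != LEGIT_NAME and sorted(name) == sorted(LEGIT_NAME)


def find_persistence(entries) -> List[dict]:
    """Run/RunServices values matching either indicator (value name or image name)."""
    return [
        {"key": key, "value": name, "image": data}
        for key, name, data in entries
        if key in RUN_KEYS and (name.lower() == SUSPECT_VALUE_NAME or is_lookalike(data))
    ]


def find_processes(processes: Dict[int, str]) -> List[Tuple[int, str]]:
    """PIDs whose image name is a lookalike."""
    return [(pid, name) for pid, name in processes.items() if is_lookalike(name)]


def hunt(reg_export: str, processes: Dict[int, str]) -> dict:
    """Both checks, plus removal steps in the order the notes give them.

    Process first, then the Run value, then the file: a binary that is still
    running could otherwise put its Run value straight back.
    """
    hits = find_persistence(parse_reg_export(reg_export))
    procs = find_processes(processes)
    steps = [f"kill pid {pid} ({name})" for pid, name in procs]
    steps += [f'delete value "{h["value"]}" under {h["key"]}' for h in hits]
    steps += sorted({f"delete file {h['image']}" for h in hits})
    return {"registry_hits": hits, "processes": procs, "steps": steps}


# Constructed regedit export of an infected machine (regedit doubles backslashes).
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Generic Service Process"="C:\\WINDOWS\\System32\\srvhost.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Generic Service Process"="C:\\WINDOWS\\System32\\srvhost.exe"
"""

CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"""

# Constructed tasklist-style snapshot: pid -> image name.
PROCESSES = {4: "System", 612: "svchost.exe", 1480: "srvhost.exe", 2212: "explorer.exe"}

if __name__ == "__main__":
    for step in hunt(INFECTED_EXPORT, PROCESSES)["steps"]:
        print(step)
    print("clean box:", hunt(CLEAN_EXPORT, {612: "svchost.exe"})["steps"])   # []
```

On a real machine the export comes from `regedit /e` or File > Export on the Run keys and the snapshot from `tasklist`; the logic is the same. Matching on the value name as well as the image name matters because the notes say the binary name varies between samples, while the registry value name is what both listed keys have in common.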

Re:Detection/Removal instructions? (0)

Anonymous Coward | more than 10 years ago | (#8591378)

+5 Informative :-P

Re:Detection/Removal instructions? (3, Funny)

Neil Blender (555885) | more than 10 years ago | (#8591320)

Has anyone come across a removal tool and/or removal instructions? They would be helpful for future reference.

Here is a helpful site. [linux.org] It provides instructions on how to get rid of windows viruses forever. Even ones not yet invented.

Re:Detection/Removal instructions? (1)

AHumbleOpinion (546848) | more than 10 years ago | (#8591380)

Since it "Attempts to kill instances of MSBlast, Welchia and Sobig.F" just wait for the next revision of any of these and they will probably return the favor.

Spammer-Sponsored (5, Insightful)

fembots (753724) | more than 10 years ago | (#8591276)

It's hard to believe these kinds of trojans are not in any way related to spammers.

Just take a look at the feature list, it probably has more bells and whistles than most of the software out there.

Is there a way to trace back the master of these trojans and do something about it? Surely these trojans need to do something for their masters at some stage, probably waiting for commands somewhere.

Re:Spammer-Sponsored (1)

Tuxedo Jack (648130) | more than 10 years ago | (#8591373)

I'll lay odds that it'll connect to an IRC network, wait for commands, and then vegetate.

This was probably written in retaliation for Foonet getting shut down.

Re:Spammer-Sponsored (4, Funny)

arbitrary nickname (325162) | more than 10 years ago | (#8591408)

But with all those features, how big is it? if Microsoft wrote something with all those features it'd probably come on 4 CDs.....

Still Countergrabbable (4, Insightful)

nweaver (113078) | more than 10 years ago | (#8591302)

The authors are getting better at designing control networks, but all it will take is one grayhat with an infected node to watch a command being executed and use that information to take out the entire botnet.

Too bad it would be both grossly illegal and probably disruptive, because it would be a great favor to the rest of the net, to counter these botnets and squish-them into oblivion (at least this generation, until the attackers learn how to do authentication of commands correctly).

google cache of description (2, Informative)

adamshelley (441935) | more than 10 years ago | (#8591316)

google cache [google.ca]

Backport (-1, Flamebait)

0x54524F4C4C (712971) | more than 10 years ago | (#8591323)


Now wait until the Linux developers steal and port this code as they did with SCO Unix.

Related links and info (5, Informative)

DR SoB (749180) | more than 10 years ago | (#8591334)

This is also known as the "Agobot"

http://news.yahoo.com/fc?tmpl=fc&cid=34&in=tech&cat=hackers_and_crackers

http://www.f-secure.com/v-descs/agobot_fo.shtml

Detailed Description

First of all, this new variant has 'Phatbot3' identifier and there are a few 'phat' string in its body. This may indicate that this version was not made by the original Agobot backdoor author, who calls himself TheAgo, but by a different person/group who got the source code of this backdoor.

The backdoor's file is a PE executable 115738 bytes long compressed with PE-Diminisher file compressor. The unpacked file's size is over 245 kilobytes.

Installation to system

The Agobot.FO backdoor copies itself as NVCHIP4.EXE file to Windows System folder and creates startup keys for this file in System Registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"nVidia Chip4" = "nvchip4.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"nVidia Chip4" = "nvchip4.exe"

This allows the backdoor's file to start with every Windows session. On Windows NT-based systems the backdoor can start as a service.
Scanning for vulnerable computers

The backdoor can scan subnets for exploitable computers and send a list of their IPs to the bot operator. The scan is performed on ports 80, 135 and 445 for RPC/DCOM (MS03-026), RPC/Locator (MS03-001) and WebDAV (MS03-007) vulnerabilities. The backdoor can also scan for computers infected with MyDoom worm (port 3127), Bagle worm (port 2745) and also for computers where DameWare remote system management software is installed (port 6129).

Performing a DDoS attack
The backdoor can perform the following types of DDoS (Distributed Denial of Service) attacks:
* HTTP flood * SYN flood * UDP flood * ICMP flood
When performing a DDoS attack, the backdoor uses 33 unique client identifiers including Mozilla, Wget, Scooter, Webcrawler and Google bot.

The backdoor sends 256000 bytes of random data to the following websites and checks the response times:
www.schlund.net
www.utwente.nl
www.xo.net
www.stanford.edu
www.lib.nthu.edu.tw
www.st.lib.keio.ac.jp

Collecting e-mail addresses
The bot can harvest e-mail addresses. It has the functionality to read user's Address Book and send the list of e-mail addresses to the bot operator.

Obtaining Registry info
The backdoor has the functionality to obtain System Registry info from an infected computer. This is a new feature for Agobot backdoor. Information obtained from the Registry can give a hacker a full overview of an infected system.

Spreading to local network
Agobot backdoor can scan computers on local network and copy itself there. The scan is initiated by a remote hacker. When spreading to local network, Agobot.FO probes the following shares:
admin$ c$ d$ e$ print$ c

Agobot.FO tries to connect using the following account names:
(SEE LINKS AT TOP FOR INFORMATION)

When connecting, Agobot.FO uses the following passwords:
(SEE LINKS AT TOP FOR DETAILS)

If the worm succeeds connecting to the above listed shares, it copies itself to a remote share and attempts to start that file as a service. The alternative way of infecting a remote host is to create a scheduled task on a remote computer that will start the backdoor's file.

Terminating processes of security and anti-virus programs
Agobot.FO has a huge list of process file names hardcoded in its body. The backdoor tries to terminate processes that have the following names:
(NAMES REMOVED SO POST WOULD WORK, FOLLOW LINKS AT TOP)

This functionality allows the backdoor to successfully disable anti-virus and security software that cannot detect this backdoor before its file is started. In most cases special tools are required to clean a computer infected with this backdoor.

Additionally the backdoor tries to terminate processes that belong to different malware:
msblast.exe penis32.exe mspatch.exe winppr32.exe dllhost.exe tftpd.exe

Stealing CD keys and Product IDs

Agobot.FO has the functionality to steal CD keys from the following games:
Unreal Tournament 2003
The Gladiators
Soldiers Of Anarchy
Shogun Total War: Warlord Edition
Need For Speed: Underground
Need For Speed: Hot Pursuit 2
NHL 2003
NHL 2002
Nascar Racing 2003
Nascar Racing 2002
Medal of Honor Allied Assault: Spearhead
Medal of Honor Allied Assault: Breakthrough
Medal of Honor Allied Assault
James Bond 007: Nightfire
Industry Giant 2
IGI2: Covert Strike
Hidden And Dangerous 2
Half-Life
Gunman Chronicles
Global Operations
Freedom Force
FIFA 2003
FIFA 2002
Counter-Strike
Command and Conquer: Tiberian Sun
Command and Conquer: Red Alert2
Command and Conquer: Generals: Zero Hour
Command and Conquer: Generals
Black and White
Battlefield 1942: The Road To Rome
Battlefield 1942: Secret Weapons Of WWII
Battlefield 1942

This variant of Agobot also has the functionality to steal Windows Product ID.
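The removal instructions quoted earlier in the thread and the F-Secure installation details above both come down to the same indicators: a named value under the Run/RunServices keys and a copy of the binary in the Windows system directory. The following PowerShell script is an added example (not code from the thread, from Lurhq or from F-Secure) that checks a host for exactly those indicators, read-only, and assumes the value names and file names quoted in the thread are the only ones of interest.

```powershell
# Added example: read-only check for the autorun entries, file names and
# process names quoted in the thread. Run from an elevated PowerShell prompt.
# It reports matches and removes nothing; removal is the manual step the
# thread describes.

# Value names quoted in the thread (pwroberts' comment and the F-Secure text),
# plus the binaries those entries pointed to. Note that the legitimate
# svchost.exe is NOT on this list and is not matched by it.
$suspectValueNames = @('Generic Service Process', 'nVidia Chip4')
$suspectBinaries   = @('srvhost.exe', 'svrhost.exe', 'nvchip4.exe')

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

function Test-AutorunEntries {
    # Walk both autorun keys and flag any value whose name or data matches.
    foreach ($key in $runKeys) {
        # RunServices usually does not exist on NT-based systems; skip it then.
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... properties PowerShell adds itself.
            if ($p.Name -like 'PS*') { continue }
            $nameHit = $suspectValueNames -contains $p.Name
            $binHit  = $suspectBinaries | Where-Object { "$($p.Value)" -match [regex]::Escape($_) }
            if ($nameHit -or $binHit) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

function Test-SuspectProcesses {
    # Running processes whose image name is on the list. -ErrorAction keeps
    # Get-Process quiet when none of them is running.
    $names = $suspectBinaries | ForEach-Object { $_ -replace '\.exe$', '' }
    Get-Process -Name $names -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, Path
}

function Test-SystemDirCopies {
    # The thread says the binary is dropped into the Windows system directory.
    $sysDir = [Environment]::SystemDirectory
    foreach ($b in $suspectBinaries) {
        $candidate = Join-Path $sysDir $b
        if (Test-Path $candidate) {
            Get-Item $candidate | Select-Object FullName, Length, LastWriteTime
        }
    }
}

'== Autorun entries ==';          Test-AutorunEntries  | Format-Table -AutoSize
'== Running processes ==';        Test-SuspectProcesses | Format-Table -AutoSize
'== Files in system directory =='; Test-SystemDirCopies | Format-Table -AutoSize
```

Because the malware terminates security tools by process name, run this from a fresh console rather than relying on an AV agent that may already have been killed; an empty report only rules out the names quoted here, not a renamed variant, so treat it as a first check, not a clean bill.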

Finally... (0)

Mr. Certainly (762748) | more than 10 years ago | (#8591345)

Finally, a good method to keep people from breaking copyright laws. Infect and trojan those who break the law, impact the rest of the economy, and you'll ruffle enough feathers to bring down the whole house of cards. Now the average business will begin to see that breaking copyright law on computers is more than just a localized problem within the "Media" of movies and music. Kudos to whoever created this Trojan.

Lucky me (5, Funny)

mixtape5 (762922) | more than 10 years ago | (#8591352)

is installed maliciously on broadband-connected computers...
who knew that dial up internet was a form of virus protection? I don't feel so bad anymore!


Spammers spamming the spammers? (1)

Auroness (761613) | more than 10 years ago | (#8591354)

The majority of the infections appeared to come from home user broadband connections and from colleges and universities in the United States and the Asia-Pacific region, he said. ... As a result, he said, Phatbot-infected PCs will more likely be used as highly effective spamming machines.

Okay, so that guy who likes to get spam [slashdot.org] is responsible for spreading even more spam. I'm sure he is happy, but the rest of us wish he would really stop it already!!

I can hear the laughing now (-1, Flamebait)

Stevyn (691306) | more than 10 years ago | (#8591374)

Thousands of Gentoo users sitting in their mother's basements are laughing hysterically now. They're imagining all those "stupid M$ winbloze users" scratching their heads asking why their 'puter isn't working. Ironically, they had to read this article on their mom's wintel machine because they're still compiling last night's release and their computer is unusable at the moment.

Lurhq slashdotted (2, Informative)

myownkidney (761203) | more than 10 years ago | (#8591376)

Here's an alternate link [mithuro.com] I am looking for removal instructions. BRB.

Trojans and the like (1)

g0bshiTe (596213) | more than 10 years ago | (#8591383)

Well anti-virus and firewalls be damned. It ain't called a trojan for nothing.

Why run these apps if you continue to download questionable material?
That defeats the purpose.
The thought runs through your head "oh I have antivirus or I am running ZoneAlarm nothing can get to me".

Well news flash REGARDLESS THE OS, AND HARDWARE/SOFTWARE FIREWALLS just by being able to get your pr0n on at 2AM is all the chance an attacker needs.

  • Unplug
lighten up and spend time with your family. Life is too short to worry about infection of an inanimate object.

If they want to hack my home pc great, if they can.

They want to destroy my computer so I have to reinstall, fine with me. I have all the disks.

I say this, I will live in fear of no man, nor group. *Save the Bush Administration*

The power of viruses (4, Interesting)

mcrbids (148650) | more than 10 years ago | (#8591386)

I have a client who sends out an aviation newsletter, with a list size in the tens of thousands. They have their own dedicated mail server, running RH Linux that I set up for them. Email is virus filtered with MailScanner and f-prot.

No complaints for months. And then, I add a new account to the mail server and restart sendmail.

Within a few hours, I got complaints that the volume of email had at least tripled, and that *all* of the increase were viruses, being caught by McAfee! So bad it was difficult to simply empty out the inbox from all the popup notices of virus detection!

Turns out when I restarted sendmail, I didn't restart MailScanner, so it was not running, letting everything through.

Very sobering, to realize how bad viruses online have gotten...

between 1 million and 2 million computers... (2, Funny)

Unnngh! (731758) | more than 10 years ago | (#8591390)

...giving the RIAA another 1 to 2 million people to sue for--something...it is P2P after all;)

If you see a process sucking tons of memory/cpu... (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8591395)

...you've probably just started a copy of winword.exe and have nothing to worry about.

[shIt (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8591411)

are thereQ? Let's then disappeared

Albeit is misused here (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8591420)

It should clearly be "although." Drives me crazy when people use the wrong word because they're trying to seem smart. Christ.

nowhere to run (3, Interesting)

segment (695309) | more than 10 years ago | (#8591424)


NANOG [merit.edu] this past week has had to deal with "h4r 3y3 j4m an 3fnet p4ck3tm0nk3y" bs. What I don't understand is how some people download and install something without checking exactly what it is. Look at the spyware situation: "Click here for a free weather clock" It should be obvious that there is no such thing as free. Everything has some form of price. What I find most alarming, is that most corporations - Symantec, Network Associates, and the major Windows based antivirus makers including Microsoft who has not got their act together - unleash errata of mass destruction. "Buy this patch/firewall/antivirus foo foo foo product to protect you now!" Why not release some Macromedia Flash like tutorial along with their products to educate users about the dangers of downloading unnecessary 'tools/products/virtuagirls/etc' and how to protect themselves from these things... I'm willing to bet if some company did something like this, most of these annoyances would drop big time